The SolarWinds Update
Following our chat about the FireEye breach a few days ago, the plot thickens with a fresh attack on SolarWinds. Join Jim for a coffee and his thoughts on the news that broke today.
Join James Rees and Josh Bregman, COO of CyGlass, as we find out how Josh came to head up one of the industry’s most progressive network defence solutions, his advice for building a career in infosec and his thoughts on what we need to focus on in 2021.
Grab a cup of coffee and join us for a discussion on the state of infosec in 2020 including the FireEye breach and what we need to learn from the lessons this year has thrown at us. What are you changing about your security in the next year? As head of Razorthorn’s consultancy, Jim shares his insights into what needs to be done to change with the times.
If you work in infosec, are new to the industry or are currently studying, this is the vlog for you. Razorwire gives you unique insight into an industry that is thriving despite the pandemic, directly from the key players. James Rees, who has been in infosec for over 20 years, shares his thoughts on a variety of issues and topics over the series and includes interviews with leading industry experts.
Today we join our MD, James Rees, to find out what twists and turns his career has taken to wind up running a successful security consultancy, what advice he has for newcomers to the industry and what the future might have in store.
Biometrics has been around for a long time but has only had limited adoption until recently. I was involved in some of the early commercial biometric devices way back in 2000; the company I was working for at the time investigated the possibility of using them, but back then the false positive rates on the devices we investigated were way too high – either people could not authenticate or it was authenticating the wrong people.
We decided at the time the technology was too unreliable and it was too early to adopt.
Biometrics has been in a strange limbo for a long time. For many years we saw little from the technology until phones began to adopt it comparatively recently. Some laptops have also shipped with biometric devices, which have begun to gain some popularity, but adoption has been slow and biometrics still occupies a very odd space.
Maybe a significant reason people have been resistant to biometrics is the privacy issues. Members of the public are, on the whole, highly resistant to organisations holding their biometric details, and do not trust that those organisations will secure the data appropriately and not misuse their biometric prints.
These issues have been a talking point for many, and the subject of a number of articles over the years. People are not yet trusting enough to adopt biometrics in their daily lives, but that trend IS starting to change. With more and more mobile devices and mobile software engaging with the technology, I think it is time to start reviewing the adoption of this valuable technology.
The business world at the moment is being rocked by Covid-19 and with many workers having to work from home during lockdown, there has been a significant amount of discussion about whether or not it would be more beneficial to keep a majority of employees working from home in the future. Many large organisations can see significant cost savings in reducing large corporate office spaces and there is a significant move to investigate possibilities, but before this can happen we need to look at changing the way we handle security.
As I have mentioned a few times before, there will need to be a significant change in the way we handle security. With more and more people working from home, we need to:
Biometrics offers something that many other forms of authentication do not – it ensures non-repudiation of the individual’s identity, which is extremely valuable when it comes to remote working. For those wondering what that means: by its very nature, a biometric is very difficult – nigh on impossible – to falsify.
Another solution to consider is behaviour-based biometrics, which has to date been a rarely used area of security. The principle is that, using AI learning techniques, software can learn the patterns of an individual and track them as they use protected systems and infrastructure.
Should someone log in then let someone else take the controls, the AI will detect that the individual using the logged in systems is not the correct individual, and will either log them out or challenge them to re-authenticate. This technology, again, has been around a while but has not been widely adopted – maybe it’s time to re-think.
Biometrics are invaluable if you can get around the concerns about securing the biometric data. Couple that with some behavioural biometrics and you have an extremely powerful authentication solution that not only proves the identity of the individual but also provides consistent, ongoing authentication as that individual works. By using these two technologies as part of your authentication, you have an extremely powerful tool for the remote working solution.
To conclude, with the world changing and with the workforce becoming more and more distributed, we absolutely need to rethink our access control. Many organisations currently use user / password and hard or soft tokens for their authentication, which is great but if you want true non-repudiation, it’s time to look back at biometrics. With more devices integrating biometric technology, we are in a good space to begin looking at biometric authentication seriously, rather than as an amusing niche technology. Times are changing and we need to change with them.
So, if you are looking for some ideas on how to protect your organisation and its remote workers, be it with biometrics or any other solution, give us a shout. We have the knowledge, expertise and the partnerships.
Contact us on 0800 772 0625 or email us at office@razorthorn.com.
We’re excited to announce that over the coming months, Razorthorn will be running a series of video blogs that will give you the hard-learned secrets to being successful in this industry, the skills you need (and those you don’t) and I’ll talk about the life of an information security professional and the paths you can take to success.
It’s not a traditional course, there will be no exams, but I will be covering as much material as I can on a regular basis in order to assist you in becoming the best information security professional you can be.
I will let you in on the things you don’t find out from a text book, things that I’ve learned throughout my career that I wish I had known when I was starting out.
This is a collaborative effort – drop me a line with any burning questions and I’ll give you the answers and cover the areas you ask me to.
Email us quoting “The Truth About Being an Information Security Professional” and we will alert you when a new vlog is released.
This training vlog series is for those in the early to mid-stages of their infosec career, and it will also be helpful to those considering beginning a career in this industry.
Maybe you have been in the infosec industry for a while and are interested in other ideas, other ways of practicing your craft, maybe you are looking for guidance on areas that you have yet to touch on or have had a stall in your career and are looking to get back on track – the reason really doesn’t matter, what matters is that you are looking to improve yourselves and are attempting to be the best you can be.
I have been in this game for a long time and I have had a lot of excellent mentors that have taught me a great deal – it’s time to pass that on to a new generation of information security people.
This vlog is for everyone, no matter if you’re here to learn what infosec is or you are planning a career and need to know where to start.
I have been in information security a long time, since well before it became a popular career choice and way before information security or cyber security was important. Back when I first got into information security you were lucky if the company you worked for had antivirus… or even a firewall. Yes, things have moved on extensively since I was a bright-eyed newbie in this field, the world is a lot more complex today than it was 20 years ago.
Today, information security and cyber security is widely regarded as a necessary business requirement, CISOs are commonplace and ever increasingly are either board members or advisors to the board leadership. In a vast majority of cases, we are also no longer extensions of the IT department, we are either a department of our own or we are part of compliance or legal departments, occasionally the finance department.
The light is shining bright for those individuals following an information security career, and to be honest, with everything going on in the world, that light is going to get a hell of a lot brighter than it is even today. But we are facing a significant challenge, one that is proving to be extremely difficult to overcome.
There – I’ve said it, though I’m not the first and won’t be the last. The lack of qualified information security and/or cyber security professionals in this industry is causing a serious concern for us top-end career infosec people. It’s extremely hard these days to get good, qualified people onto your team because there are not enough of them, and the ones that are good are often quickly poached and move on because the wages for a security person even midway through their career is extremely attractive.
There is also a flood of people trying desperately to get into the field, seeing the high wage potential, there have been a fair few people changing career, making out they have been in the industry for a long time in order to get the high salary. Unfortunately for them, they usually quickly get found out and moved on, leaving the next information security professional to mop up their mess.
What this industry desperately needs is good quality, well trained, upcoming information security professionals who are being mentored by experienced information security professionals for at least the first five years of their career. They need to understand both information security as well as cyber security and the differences between them. They need to know what a good security policy looks like, how a pen test works and to interpret the results, when a security tool is beneficial and when it’s not. Being a good quality information security professional is not all about cool security tools and the power to say no.
There is a lot to being an information security professional that much of the available material online does not mention, a lot of concepts that you tend to only learn in the field when you have a good mentor, such as the benefit of knowing at least a basic level of psychology, a basic level of law for your area, and concepts such as Schrödinger’s Cat and Occam’s razor. There are a lot of skills you need to consider on the journey to becoming an information/cyber security professional.
If you want to learn from me, your online mentor, join our mailing list today and find out when the vlog goes live. Equally if there are any burning topics you want me to cover then please send us an email and I’ll work it into the vlog series.
Email us quoting “The Truth About Being an Information Security Professional” and we will add you to the mailing list.
Contact us for queries or more information.
“The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.” – Sun Tzu
“There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard. There are not more than five primary colours, yet in combination they produce more hues than can ever be seen. There are not more than five cardinal tastes, yet combinations of them yield more flavours than can ever be tasted.” – Sun Tzu
We are entering a very different business world at the moment, one which has been thrust upon most of us far quicker than we planned for and will by all accounts last a lot longer than many of us think. Reading the news at the moment is pretty grim, especially if you read the business news, and unfortunately I think it’s going to get a lot worse before it gets any better, but one thing is sure about the business world for the next year or so at least – it’s going to change, dramatically.
Furthermore, we are seeing a huge increase in cybercrime, phishing attacks have increased, data thefts are rife and only recently it has come to light that EasyJet has had a massive security breach at a time that they are already experiencing significant losses in revenue – not a great time for them, but it outlines the serious threat that businesses of all sizes are facing.
All the hurried preparations to get employees working remotely have led to a number of holes in corporate security, and in some cases have completely broken organisations’ security models. Banking institutions, R&D, pharmaceuticals, fintech, etc. – the list goes on of organisations that have had to break their traditional security baselines just to survive. In many cases, businesses have been enacting BCP plans that have never been fully tested and, in some cases, never fully defined. We are in a very difficult situation and, for many organisations, the entire security baseline will have to be completely re-written to support remote working. So what can we do?
Historically, many large organisations had large offices in sought after locations where all their employees could work together, interacting directly with one another and working in close teams to complete their tasks. We are facing a reality of long term remote working, partially due to the risks of the current pandemic, but also because it’s finally dawned on the business world that it is cheaper to have remote workers. There are plenty of benefits all round for remote working: work life balance, reduction in travel costs, the ability to go and clear one’s head without having to ask etc. are all being hailed in the media as clear benefits and to be honest, I think in the main they are absolutely right.
For all the benefits of remote working, a significant question needs to be, what should you be doing about securing your remote workforce?
Furthermore, we have seen a significant rise in the use of cloud services, managed telephony and a number of other solutions as a service. Many of these solutions were quickly procured; with the crisis of the pandemic threatening the very existence of many companies, there has been a significant level of expenditure in this area. For the moment, many companies have used a band aid to get their organisations functioning from isolation; once things have eased, these organisations will need to refine their remote working solutions to suit a more long term situation.
We need a security paradigm shift. Security professionals around the industry will have to change traditional views and build a new way of delivering quality information security to a diversely spread out employee base. Endpoints, for example, have shifted dramatically out to people’s homes, bringing home networks and other devices using those networks potentially in scope. We need to carefully re-evaluate what we need to do – it’s not just about securing, we must also start thinking carefully about validation and consistent security for technical infrastructure.
For securing your remote workforce, we need at least multifactor authentication, but we also need to consider that one of those factors needs to validate who the individual actually is. Biometrics and ongoing behavioural based authentication should be very strongly considered as the norm now; factors such as user/password combinations and token/soft token-based secondary factors are fantastic, but biometrics is far more reliable for confirming the identity of the individual authenticating, through the non-repudiation that biometric technology can give. Another possibility is behavioural analysis. There are some very interesting solutions that learn how people interact with systems and provide ongoing authentication. This is still a very niche area, but it could be a fantastic option to ensure consistent validation of users during and after authentication.
Another example is beefing up endpoint security: not only looking out for malicious code operating on the laptop itself, but also IDS / IPS software that can detect localised attacks, often underused local firewall solutions to regulate communications, and file integrity software. There is a wealth of security options to protect endpoints, though these have commonly been woefully under-utilised until now. There are a number of additional items to consider, such as tracking and remote wiping technologies for laptops, DLP solutions, cloud based solutions, etc. The list of options to ensure that remote working can be done securely is almost endless.
Finally, we also have remote desktop solutions. If securely undertaken, an organisation can provide remote desktops for staff that are home based. This was popular many years ago with Citrix, and to be fair it’s never really gone away, but it’s more underutilised today than it probably should be. Obviously it’s not going to be suitable for everyone; there are always going to be specialised high end users with high end requirements, such as software developers, CGI rendering and similar such roles and activities that will need more powerful and versatile solutions, but most employees not in such specialised roles can just as easily use some form of remote desktop.
Securing any environment is possible. There are numerous technologies, user awareness training packages and policies and supporting procedures that can be built to facilitate almost any environment. But whatever security route you go down, it is wise to consider the following for securing your remote workforce:
Security is there to protect the business and its critical assets, and every business has critical assets and workflows that allow it to work efficiently and effectively to work toward the company’s vision. Build your security around that.
Ensuring your security programme and baselines are in line with the company culture is as critical as knowing the assets and workflows. If your security programme does not actively support the culture and the values of the organisation, it will fail. The employees and management will reject it and refuse to comply, which will dramatically reduce the effectiveness of your security programme.
Security is vital to any organisation but you need to be careful. If it’s overzealous and it hampers the day to day workings of the company, you’ll need to carefully rethink and look at other ways to secure your remote workforce. For example, making users have separate passwords for login and critical systems is a good way to secure systems from compromise, but then having to remember several user / password combinations is hard for anyone to handle. Maybe multifactor authentication is a better option…
One of my favourite quotes is one from an interview with Bruce Lee:
“You must be shapeless, formless, like water. When you pour water in a cup, it becomes the cup. When you pour water in a bottle, it becomes the bottle. When you pour water in a teapot, it becomes the teapot. Water can drip and it can crash. Become like water, my friend.” – Bruce Lee
Security should be like water, permeating every aspect of the environment it’s there to secure; it should be fluid and versatile, bending and shaping itself as required. But never forget security – like water – can be dangerous, it requires review and consideration, you need to work with it and try not to fight against it. Ask any civil engineer, architect or builder about how dangerous water can be. When it’s in the wrong place, water can be a serious issue. If you put security in the wrong place, it can erode confidence within the business and can cause great harm.
There are going to be a lot of security reviews and security programmes going through reviews and changes in the near future, once the Coronavirus lockdown has eased. Businesses large and small are looking very objectively at the feasibility of having a larger portion of staff working from home from now on, so the security paradigms that are currently followed will have to change dramatically to support the shift from predominantly centralised security to predominantly decentralised security.
There’s going to be a great deal of security technology and services being reviewed soon. It’s likely that many will need to be updated for the new situation, so make sure you carefully build your security baseline, and ensure you have outlined objectives and undertaken your business assessments before going hell for leather procuring security products. Take time in the selection process to ensure that complementary products that work well together are implemented to fit the business need. Watch out for vendor marketing too, and test products thoroughly.
To all those security professionals out there, I say this. You have a really good opportunity here to fix some of the mistakes of the past and update entire security programmes within your organisations. This will be a rare opportunity to update everything, it’s exciting and should be enjoyed! But do so carefully, yes – this paradigm shift will need to be undertaken with a reasonable amount of speed, but exercise caution and thoroughly test and check your changes.
Whether you need short or long term solutions, contact us to discuss securing your remote workforce.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu – The Art of War
I was asked a very interesting question during an interview yesterday, and the more I think about it the more I thought it would make an interesting thought piece.
The question my interviewer asked me was:
“Do you think that cybercrime will increase due to the current pandemic and lockdown?”
Initially, I responded very similarly to much of the other commentary on the subject, that cybercrime was seeing a sharp rise, especially in the phishing and ransomware areas, but then the conversation branched (as many of my conversations do when talking about information security in a relaxed setting).
I found myself explaining to the interviewer about the cyber criminals themselves, the situation they are in and the motivations for stepping up their criminal activities. It provoked some interesting thoughts on the matter very rarely covered in articles, and thus here I sit, writing this article and considering an additional chapter to my book.
Initially, when I began to consider the question, the Sun Tzu quote above instantly sprang to mind. Being a keen cyber and conventional warfare enthusiast (a discussion for another time), it made me re-evaluate cyber criminals and the psychology behind them. I am sure a full blown psychologist would break it down in far more depth than I ever could, but having been in this business for as long as I have, I have gotten pretty good at psychology, especially in the corporate areas.
Cyber criminals are people, and whilst that should not come as any great surprise to any of you, you need to remember that these people are motivated by the same wants and needs as anyone else. It’s just they use illicit means to get to what they want, and pandemics and global shutdowns are just going to expedite that, especially if those individuals are living in a country that has not got the capacity to support its citizens during this hard time. Let’s face it, even the western world is struggling mightily with all of this, so what chance does a poorer country have… not much, and there is pretty good evidence from the IMF and World Bank that it’s going to get a hell of a lot worse before it will get better.
This means we will likely see a bigger upturn in malicious code, cyber attacks and general cyber larceny than we have ever seen in the past.
Why is this? Because people are struggling, they are struggling financially, mentally and in some cases physically, and during such times the average human will go to extraordinary lengths to protect themselves and their families. As an example, who here – if they were penniless and their children or family members were desperately hungry – would not steal a loaf of bread or a tin of beans for their children to eat if there was no other option? Yes, some reading this will take the moral high ground, but I guarantee that if you became desperate enough you would do anything to protect your families. I mean anything.
Enough setting the scene.
Cyber criminals are people. They don’t start out as cyber criminals, they put themselves into that position either due to circumstance such as being desperately poor, fundamentalism due to a strong belief in a cause or because they can – it’s an adrenalin kick. Ultimately, if there is not a fundamental gain then they would likely not bother committing cybercrime in the first place.
Next, you will find that each and every cyber criminal is usually pretty savvy with technology, coding and psychology. Ok, you do get a very differing level of talent involved but in order to do what they do they have to have a decent level of knowledge of technology. They are also intelligent – they may or may not be cunning but they are usually pretty intelligent.
Finally, the world is a very diverse community. People from different backgrounds, cultures, etc. will have different values and views, and some will have no problem justifying criminal acts: maybe because they come from a poor background with no government aid, maybe because they are out of work, or maybe because their community has very strong views on certain subjects. Maybe they hate what big business or governments have done to their communities, maybe they live in an environment where death and disease are commonplace… the list is endless, but there are people out there performing criminal acts because they genuinely believe that what they are doing is justifiable, or because they simply have no other choice.
On top of all of that, let’s thrust a pandemic with a global shutdown on them, which could result in:
Anyone would be anxious with this list. How do we know? Because we are all living it now: we are all worried for our jobs, the economy, paying the bills and feeding our families. The only difference between us and cyber criminals is that they have the morals (or lack thereof) to steal from others electronically or through social engineering. The motivation is there and the ability is there, so with nothing more than time on their hands they can spend a great deal of it targeting and refining attacks – they have nothing else to do, after all. There is also the fact that the international community is so worried about the coronavirus that hacks can easily go under the radar, not to mention that the quick implementation of remote working and employees working from home has only made security harder to manage. It’s also a lot less likely that they will get caught.
Thus we see the meteoric rise in security events, though many of them will go unreported in the media and to be honest people are very unlikely to find out their organisation has been breached until further down the line.
It is a very tough situation in information security at the moment, these types of global disasters are a nightmare to deal with for everyone. The longer it goes on, the worse security events are going to get because, unfortunately, people will get desperate.
So what can we do to protect ourselves from this increase in cyber criminal activity? I can sense Jim’s top tips coming on!
It’s changed, trust me, it has. Ok, maybe 10% of global business is operating as normal, but the working environment both logistically and technically will very, very likely have changed. Maybe there is a new centralised phone system or increased VPN use from remote workers. Maybe people are using their own devices to access work. The list is endless, but the advice is the same – look objectively at your organisation’s operations as they are today and try to identify holes, then plug them.
Why is this a thing, I hear you ask? Well, did you just furlough your infosec team? If you did, you may want to reconsider that, with the state of cybercrime at the moment. If you don’t have infosec people, then get some advice from a company that can provide you that service. Whilst I love IT people, what they do is a very different discipline from what we do in the infosec field. Yes they can do the technical security, but information and cyber security is far more than a bit of technology, so if you have furloughed a large portion of your staff seriously reconsider at least one of your security specialists, if nothing more than to have a security specialist at hand to deal with potential issues and / or attacks.
You’re likely in a BCP situation. If you had a plan, I hope it’s working well; if it’s not, or you didn’t have a plan, it is imperative you write down what the issues have been, and the challenges and problems you have faced in trying to keep the company operating. Why? Because that should form the basis of a new BCP plan that you should probably create when this is all done and dusted!
You need to take an objective look at your organisation and its critical infrastructure – in essence, re-evaluate your infrastructure and working environments (since they have likely changed with everyone working remotely) and ensure you still have defence in depth. Look at IDS / IPS, your firewalls, your VPNs, your encryption strengths and network countermeasures, and figure out what you need to secure the environment. It is highly advisable to look at the remote working situation in particular: with everything going on, it has forced a great deal of change that has likely not gone through the usual security evaluation process, so there will likely be holes.
There are some fantastic solutions out there from companies such as Nominet, Cofense, Opswat, Libraesva, Picus, Qualys, etc., and any number of vendors with award winning products. The trick is to get these solutions in properly. Layering your defence against malicious code and potential hacks is key to a strong defence posture. Also consider awareness and training solutions, as well as qualified information security staff, as part of your defence in depth. Don’t just leave it to clever technology; make sure you have the staff and the talent too, as this provides full defence in depth.
There are plenty of others, so if you have need of some recommendations get in touch with us and we will recommend some products to look at or some actions to take, and don’t worry, this first conversation with us is on us, free of charge.
Finally, please feel free to contact us if you want advice, we are here to help and we will as much as we can, these are tough times and Razorthorn is here to assist you through it. If you need us then call.
As a final statement, please all stay healthy, we at Razorthorn hope you are all ok and well during these rather unpleasant times. If you would like to talk to us about this or any other security requirement then please feel free to call us on 0800 772 0625 or email us at office@razorthorn.com and we will be more than happy to assist.
Intelligence into current attack patterns, trends and changes will be critical in the coming months, so keep an ear to the ground because we are only really at the tip of the iceberg when it comes to security attacks. It’s early days yet…
“The first rule of business: protect your investment.” Etiquette of the Banker, 1775
We are living in very uncertain times; business is hard enough as it is without a global pandemic shutting down large areas of the business world. But that doesn’t stop security events and malicious actors from attacking organisations. If anything, with all of the confusion, and the fact that many of these malicious actors are off work, furloughed or made redundant, it’s making them all the more active. We all need cash to survive and they are no different. Only recently, as an example, it’s come to light that Marriott has had ANOTHER security breach and is facing a fresh set of problems, definitely not needed when, like every other business, they are no doubt seriously feeling the pinch in the current economic climate.
Information security is tough to manage at the best of times; in a situation where most of your workforce is remote or laid off, it becomes a serious issue. This is going to be a period of time that will seriously test organisations’ BCP and DR plans as well as their defence in depth security countermeasures. It’s also going to test a security department’s ability to detect issues and undertake corrective measures, as in some cases staff are accessing company facilities with their own computers. Managing the security of an organisation in lockdown with distributed workforces is a significant challenge.
I predict, and indeed we are already seeing, a significant increase in phishing attacks using the coronavirus as a delivery method, with malicious actors stepping up attacks to take advantage. It’s been reported that ransomware attacks are also on the rise, and in this current situation it could be catastrophic. The thought of a ransomware attack against ANY of our critical infrastructure at the moment, such as gas, power or – god forbid – NHS infrastructure, is inconceivable and a significant threat not only to the technology; it’s also a very real risk to the safety of the public. It’s a very, very serious risk.
It’s now that we’ll see how organisations’ security performs. It’s horrible to think that the only way to test organisation security countermeasures is to have a security event, but it’s the unfortunate truth: over the next few weeks or months, basically until things begin to get back to normal, we will see how things turn out. I do strongly think that after this there is going to be a significant rise in BCP/DR planning, with people using lessons learned throughout the experience to ensure that if this does happen again, they will be able to handle it quickly and more effectively. But I will cover this subject in another article.
All in all, as I usually do, here are some Top Tips for managing your information security during a crisis:
As a favourite author of mine once put on the front of the greatest book in the history of the universe: Don’t Panic. You will have a lot of work to do, it will be a pretty tough time, accept that and do what you need to do for the best of the company. Secure the investment…
If you’re an information security person, then check in with your staff and key staff members throughout the crisis; be visible and approachable at all times and as responsive as you can. Communicate any issues, alerts and information as quickly and effectively to all staff as needed, to ensure people are on the lookout for potential security threats, especially phishing and ransomware!
If you have email security packages, it is strongly advisable to make sure they are up to date and working. Also ensure that any tolerance settings the solution may have are correct and, if possible, updated to a more secure setting. As mentioned before, phishing and ransomware attacks will rapidly increase in size and scope, so setting a higher security stance than normal is definitely recommended. Actively review all quarantined emails and either release them or remove them as required.
As well as email security, also check your antivirus products, IDS/IPS and the patching status of all devices, and ensure that these products are all up to date, in place and actively scanning and checking for security issues. It’s vital that you also check that alerts are active and being reviewed at least daily, and that all security countermeasures are actively working.
Actively look at how people in your company are working. If any are using their own devices rather than company-assigned devices, then restrict direct access to systems and, where possible, forbid it completely. If a direct connection from an untrusted source/device is absolutely necessary, work with the IT teams to achieve this in the most secure way possible, allowing only the communications that are absolutely necessary and no more.
Many people miss this, but review all of your critical third parties, for two reasons. The first is to ensure that they have increased their security in line with yours and that they are undertaking reviews and checks, especially if they have some form of technological connection to your estate. The second reason is to review their current status: if they provide critical services and are about to have a business failure and go under, then plans need to be put in place to remediate this as soon as possible, either via assistance or by outlining countermeasures to replace or directly take over the services they provide.
The last thing on anyone’s mind at the moment is that compliance needs to be maintained, but unfortunately it does. If you have PCI DSS, HIPAA, SOX or any similar compliance obligations that you are required to maintain contractually, you need to make sure you do that as best as possible. This is not always easy, but your organisation is unlikely to be in a state to pay a fine or undertake investigations or recovery exercises right now. If there’s a reason you can’t maintain compliance, or if you need to put some kind of temporary measure in place, make sure you document the reasons as well as the details of the temporary measures. But be objective and don’t put the organisation or its data at risk.
During a crisis, you are busy, running around and trying to keep everything going, along with the stress of worrying about your position, your job, etc. In such situations it is very easy to forget key things that should be looked at after the crisis has passed, so list them and document them as much as you can, with at least a little detail of why. That way, when you review the lessons learned, you will not forget anything.