Morey Haber, CTO & CISO at BeyondTrust, speaks about the top three cybersecurity trends we should be looking out for
How has the security threat landscape evolved over the past few months?
The security landscape over the past few months has evolved from protecting against a breach to having the proper procedures, policies, and disclosures for when a breach occurs. The community has come to an understanding that even with the best tools and diligence, a breach can still occur. We have seen this happen even with some of the most secure companies and governments throughout the world.
Attack vectors can come from virtually any angle and it is not a matter of if they will occur, but rather when they will occur. The security threat landscape has come to the painful conclusion that a proper defense also includes all the steps necessary to triage a breach and notify the appropriate parties when an event occurs. This includes everything from a well-rehearsed incident response plan through having attorneys on retainer for when it happens. It is a change of full defense from previous methodologies of strictly protection.
What are the top 3 cybersecurity trends we should be looking out for?
The top 3 cybersecurity trends all security professionals should be looking out for include:
- Excessive Account Privileges – Provisioning accounts with excessive privileges or shared secrets that can be leveraged against a user or application. Everything should follow the model of least privilege.
- Inappropriate Asset Access – The usage of all assets, applications, and accounts should be monitored for inappropriate usage. This should include basic traits like first-time geolocation access, foreign geolocation access, and simultaneous geolocation access.
- API Security – All applications in the cloud should have strict API access regardless of SaaS, PaaS, or IaaS. Usage of cloud-based APIs should be monitored, and any new API usage or granted/denied permissions monitored for appropriate behavior.
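The three geolocation traits named in the second trend (first-time, foreign and simultaneous access) are simple enough to express as detection rules over a login log. The following is an added illustration, not code from the interview or from BeyondTrust: the events, the allowed-country footprint and the 60-minute session window are all constructed assumptions, and the country is taken straight from each event rather than resolved from the IP address as a real pipeline would do.

```python
"""Geolocation-based access anomaly checks over a constructed login log.

Added example. ALLOWED_COUNTRIES, SESSION_WINDOW and SAMPLE_EVENTS are
assumptions for illustration, not values from the interview.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumption: countries the organization normally operates from.
ALLOWED_COUNTRIES: Set[str] = {"US", "DE"}
# Assumption: two logins from different countries inside this window count as simultaneous.
SESSION_WINDOW = timedelta(minutes=60)

# Constructed sample login events: (ISO timestamp, user, country code, source IP).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "US", "203.0.113.10"),
    ("2024-05-01T08:05:00", "bob", "US", "203.0.113.11"),
    ("2024-05-01T08:45:00", "alice", "DE", "198.51.100.5"),   # new country for alice, 45 min after a US login
    ("2024-05-02T10:00:00", "bob", "RU", "192.0.2.7"),        # new country for bob and outside the footprint
    ("2024-05-02T14:00:00", "alice", "US", "203.0.113.10"),   # known country, nothing recent elsewhere
]

Event = Tuple[datetime, str, str, str]
Alert = Tuple[str, str, str, str]  # (timestamp, user, rule, detail)


def parse_events(raw) -> List[Event]:
    """Parse ISO timestamps and order events chronologically so history builds correctly."""
    events = [(datetime.fromisoformat(ts), user, country, ip) for ts, user, country, ip in raw]
    return sorted(events, key=lambda e: e[0])


def detect_geo_anomalies(raw_events, allowed: Set[str] = ALLOWED_COUNTRIES,
                         window: timedelta = SESSION_WINDOW) -> List[Alert]:
    """Apply the three geolocation rules to a login log and return the alerts raised."""
    seen_countries: Dict[str, Set[str]] = defaultdict(set)          # per-user baseline
    recent: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)  # logins inside the window
    alerts: List[Alert] = []

    for ts, user, country, ip in parse_events(raw_events):
        history = seen_countries[user]

        # First-time geolocation: the user already has a baseline and this country is not in it.
        # A user's very first login silently seeds the baseline instead of alerting.
        if history and country not in history:
            alerts.append((ts.isoformat(), user, "first_time_geo",
                           f"{country} not in baseline {sorted(history)}"))

        # Foreign geolocation: a country outside the organization's footprint.
        if country not in allowed:
            alerts.append((ts.isoformat(), user, "foreign_geo", f"{country} from {ip}"))

        # Simultaneous geolocation: another login for the same user from a different
        # country within the session window (one alert per event is enough).
        for prev_ts, prev_country, prev_ip in recent[user]:
            if prev_country != country and ts - prev_ts <= window:
                alerts.append((ts.isoformat(), user, "simultaneous_geo",
                               f"{prev_country} ({prev_ip}) and {country} ({ip}) within {window}"))
                break

        history.add(country)
        # Keep only logins still inside the window so the per-user list stays small.
        recent[user] = [e for e in recent[user] if ts - e[0] <= window] + [(ts, country, ip)]

    return alerts


if __name__ == "__main__":
    for alert in detect_geo_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed log, the rules raise four alerts: alice's German login is both a first-time country and simultaneous with her US session, and bob's Russian login is both first-time and foreign; alice's later US login raises nothing because it matches her baseline and no other session is active. In production the same rules would sit on top of a GeoIP lookup and a persisted per-user baseline rather than the in-memory dictionaries used here.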
What sort of security challenges are people facing when working from home and how is your company equipped to handle those challenges?
While most disaster recovery plans focus on a single catastrophic event, the coronavirus represents a long-term threat that might stretch a disaster recovery model to its brink of coverage. With this in mind, I have compiled four considerations for how to expand a remote workforce and deal with this threat — potentially for the long haul:
Sensitive Data And Privacy: When enabling large numbers of employees to work remotely, CISOs need to consider the exposure of sensitive data and privacy of information flowing to the remote end user’s environment. There are many tasks and transactions that are performed by office employees, and the data should never leave the traditional corporate perimeter. For these situations, consider how you are protecting the data and the transaction itself. As a simple example, are you allowing for the data to be downloaded to a local spreadsheet via VPN technology, rendering a sensitive spreadsheet in a browser via Office 365 OneDrive documents, or remotely rendering a desktop directly via browser or bastion host? The latter is the most secure since the data is only visibly available, not rendered locally, and not potentially downloaded to the end user’s device. While this might be a low risk for web applications, Win32 applications operating over protocol tunneling can expose data outside of any pre-authorized network zone. Therefore, we need to consider how we enable remote employees and what datasets they are working with.
Shadow IT With Free Tools: For some organizations, employees have been asked to work remotely but have not been given the proper tools for a variety of reasons. These include cost, lack of authority by geographic region or simply lack of process. This leaves employees, or even local IT staff, to download free remote access solutions to solve the problem. These free tools lack the monitoring, authentication and security modeling necessary to protect against an incident. In addition, if employees pick their own tools, you could be facing a plethora of remote access solutions and a mountain of shadow IT problems that are simply unmanageable. If remote access is being requested for your organization, find a single scalable and secure tool for the entire organization. Many vendors offered multiple months free to manage the crisis, and if the solution works well, it might be a permanent solution to a growing problem. This is especially true for any privileged access performed by remote employees or even vendors.
Bring Your Own Device (BYOD): For many CISOs, this is just an unacceptable risk. With no traditional security controls like antivirus or vulnerability assessment on these employee-owned devices, there is no way to mitigate the threats when they are connected and unmanaged. And if these devices are shared among family members, the risk of malware from a simple online game increases exceptionally when the same device is used to connect to potentially sensitive data. If BYOD is your only recourse, ensure your remote access technology does not use a VPN or any local clients, does not do any protocol tunneling, and renders all remote sessions in a browser. This is true for even remote web applications. This minimizes the exposure of the device to the corporate network and leaves no network path to compromise additional assets.
Privileged Remote Access: There is a strong chance that if the coronavirus has affected your organization, then some of the employees being asked to work remotely will need privileged access to resources. This means that once they establish a remote session, the credentials they need to access and operate a resource are either administrative, root or power user. If they are entering them remotely, then they are exposed to the local computer, and any malware or attack can sniff them out. Consider using a remote access solution that performs credential injection from a password safe or password vault. The session itself is automatically detected by the remote access solution, and attribute-based access will automatically inject the proper privileged credentials into the session remotely in order for the user to continue. No credentials, especially the password, leave the organization, nor are they typed in. They are managed and potentially even changed after every session, so the threat of an exposed privileged credential remotely is mitigated.
How has ransomware evolved during the pandemic period and what are you doing to tackle the problem?
Ransomware in the pandemic has evolved from threats to end-users (primarily through phishing attacks) to sophisticated attacks leveraging advanced exploits targeting hypervisors and Exchange mail servers. Threat actors are fully aware of the attack vectors that work best on remote workers but also realize most organizations have defenses to block propagation via VPN or to cloud resources.
Therefore, in order to continue monetizing the threat of ransomware, threat actors have successfully bundled their payload onto vulnerabilities that target critical resources as employees work from home. This evolution of attack provides maximum impact to the business and creates a high visibility scenario that forces the business to react due to a large-scale outage of hypervisors and email.
In order to tackle this problem, organizations have embarked on more aggressive patch management schedules and implemented least privilege solutions for human and non-human accounts in order to minimize the exposure to these evolving threats. This essentially remediates the risk before a vulnerability can be exploited and the threat of ransomware looms over the organization.
How can companies overcome digital security and privacy challenges?
Organizations can overcome digital security and privacy challenges by ensuring proper separation of duties between the two. There is a common problem in the industry that organizations confuse security and privacy requirements. If these requirements are properly understood, and role delegation and ownership are assigned appropriately, many companies can overcome digital security and privacy challenges despite changes in regional laws and disclosure requirements. Companies must keep them separate and educate team members on the differences and how they complement each other.
What are the key factors organizations should consider to make sure the digital economies of today are secured?
There are several key factors organizations should consider in protecting the digital economies that drive today’s business:
- Data Mapping – Organizations should perform an electronic and manual discovery of all sensitive data sets and ensure proper security and privacy controls are in place to safeguard the information in transit and at rest. This includes concepts like encryption and privileged access management.
- Data Retention – Organizations should have an established data retention policy and purge old or obsolete data on a periodic basis to ensure older data sets do not become a privacy or a security liability.
- Vendor Security – To support a business’s digital economy, most organizations rely on a wide variety of vendors. Organizations should secure their supply chains and deploy least privileged access, secure vendor remote access, session monitoring, etc., to ensure the vendors themselves do not become the attack vector into your organization.
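The "electronic discovery" half of the Data Mapping factor is usually the first step a team automates: scan a file store for patterns that indicate regulated data, then use the resulting map to decide where encryption and privileged access controls must apply. The block below is an added example and is not code from the interview or from BeyondTrust; the file contents are constructed, the three pattern classes (email addresses, US-style SSNs and payment card numbers) are assumptions about what counts as sensitive for this organization, and the sensitivity tiers are illustrative labels.

```python
"""Sensitive-data discovery over a constructed set of files.

Added example. SAMPLE_FILES, the pattern set and the tier names are
assumptions for illustration, not values from the interview.
"""
import re
from typing import Dict

# Constructed file contents standing in for a file share; none of this is real data.
SAMPLE_FILES: Dict[str, str] = {
    "hr/payroll_2024.csv": "name,ssn,email\nJane Doe,123-45-6789,jane.doe@example.com\n",
    "finance/cards.txt": "card 4111 1111 1111 1111 charged; card 1234 5678 9012 3456 declined\n",
    "eng/README.md": "Build with make. Contact ops@example.com for access.\n",
    "eng/notes.txt": "Nothing sensitive here.\n",
}

# Assumed pattern classes. The card pattern is deliberately loose (13 to 19 digits with
# optional separators) and relies on the Luhn check below to discard false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count validated matches per pattern class in one document."""
    counts: Dict[str, int] = {}
    for name, pattern in PATTERNS.items():
        hits = 0
        for match in pattern.finditer(text):
            if name == "card":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_ok(digits):
                    continue    # digit run that is not a plausible card number
            hits += 1
        if hits:
            counts[name] = hits
    return counts


def build_data_map(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Map each path that holds sensitive data to the classes and counts found in it."""
    data_map = {}
    for path, content in files.items():
        found = scan_text(content)
        if found:
            data_map[path] = found
    return data_map


def classify(found: Dict[str, int]) -> str:
    """Assumed tiers: anything with SSNs or card numbers is 'restricted', contact data is 'internal'."""
    if "ssn" in found or "card" in found:
        return "restricted"
    return "internal" if found else "public"


if __name__ == "__main__":
    for path, found in build_data_map(SAMPLE_FILES).items():
        print(f"{path}: {found} -> {classify(found)}")
```

On the constructed share the scan maps the payroll file and the card file as restricted and the README as internal (it only exposes a contact address), while the notes file does not appear at all; the second digit run in the card file fails the Luhn check and is dropped, which is the difference between a data map a team can act on and one buried in false positives. A real run would walk the file system and content stores instead of a dictionary, and would pair the output with the manual review the interview calls for before assigning controls.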