2020 was an immensely challenging year for everyone, including the cybersecurity sector. An explosion in remote working endpoints and new technology investments brought about by the pandemic have created fresh security challenges and visibility gaps. The trend continues in 2021, with the SolarWinds attack demonstrating the level and sophistication of threats organizations are facing.
By Jamie Brummell, Founder & CTO, Socura
But what are the emerging types of threats and threat vectors, and what do CISOs need to do to put in place strong foundations to secure the new, hybrid ways of working? I will outline my top five tips on how to tackle threats in a new era of sophistication.
Prioritize endpoint security for home workers
At its core, cybersecurity is a people problem. Phishing has become a top threat vector for attackers precisely because it works so well. You can have the most advanced email security system in the world, but if a phishing message slips through the net, it takes just one untrained user to click through and your organization can be exposed to crippling ransomware or large-scale data theft.
The people factor has become even more critical because of the rise in remote working. There’s strong evidence to suggest that those at home are more likely to click through on something suspicious. The problem is amplified by the fact that many home workers may be connecting to company networks from personal devices which aren’t suitably protected.
One global study found that even though most (72%) remote workers say they are more conscious of their organization’s cybersecurity policies since the start of the pandemic, large numbers are using non-work apps on corporate devices (56%), or a work laptop for personal browsing (80%) and are often, or always, accessing corporate data from a personal device (39%). All these scenarios represent varying degrees of security risk.
Gain full visibility of the ‘Internet of Things’
And it’s not just the remote laptops and tablets, there’s also the rise of IoT to consider as well. According to forecasts from leading analyst house Gartner, the world will be filled with as many as 25 billion connected “things” by the end of 2021. A big part of this surge is down to the Internet of Things (IoT): programmable gadgets, machines, sensors, and other bits of hardware that collect data and transmit it to cloud servers for analysis and processing.
There’s no denying the potential for such devices to deliver an increasingly connected future, but these devices also represent a major security risk. Why? Because they may be more difficult to patch or may not be protected with adequate access controls, whilst visibility gaps and a lack of network segmentation also increase the risks. Further, many IoT devices will only run old, unpatched (and often ‘unpatchable’) operating systems with lax security configuration and no security agents protecting them.
Gaining full visibility and control is critical, with IT leaders, in my experience, requiring a better understanding of where their assets are and how devices are being used to effectively manage cyber risk.
The good news for CISOs is that the security of consumer IoT devices is being bolstered by the introduction of new international standards, such as ETSI EN 303 645. The standard covers 13 areas designed to put in place a baseline level of security for connected devices. For example, it requires IoT manufacturers to provide transparency on the minimum time for which the product will receive security updates. It also provides guidance on best practice cryptography to ensure confidentiality of personal data transiting between a device and a service.
A key strategy to address endpoint security for managed devices includes the adoption of Endpoint Detection and Response (EDR) agents that record all activity, including network connections that are no longer seen by centralized network security systems when users are working remotely. With traditional antivirus vendors building EDR capability into their agents, endpoint security investigations have been simplified and their visibility has improved. The visibility into all endpoints is further enhanced with Extended Detection and Response (XDR), where activities across endpoint, network, identity, and cloud are stitched together for even deeper insight.
Tackle escalating ‘social engineering’ in critical services
One prominent target for compromise right now is the cold supply chains associated with vaccine rollout. A global phishing campaign uncovered by IBM involved sending out phishing emails to organizations associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. This was a ‘spear’ phishing attack involving precision targeting where messages were developed to specifically appeal to certain individuals.
Along with precision targeting, spear-phishing campaigns are grounded in thorough research of information available online, such as social media profiles, to create a credible email with a strong call to action.
Phishing is a tried and tested tool in any cybercriminal’s toolbox but during the pandemic, we have seen the emotional appeal exploiting the fear surrounding COVID-19 evolving into precision ‘social engineering’.
Creating a positive security culture that raises awareness and provides the necessary training so that victims feel empowered to report an attack are all essential measures but don’t go far enough. CISOs need to limit threat surfaces by ensuring that employees only have access to data and systems that are fundamental to doing their job.
Establish transparent supply chains
Data breaches are a pressing concern not just in ‘physical’ supply chains of vaccine supplies but also in software supply chains spanning an organization’s third-party relationships.
Supply chain breaches are not new, but their severity and ramifications have certainly become more far-reaching, as recently demonstrated by SolarWinds.
The challenge can only be addressed through industry-wide collaboration. An interoperable metadata approach based on the Software Bill of Materials (SBOM) helps manage supply chain risk through increased transparency. SBOM is a record of various components used in building software that enables faster identification and remediation of vulnerabilities.
An important, recent initiative aimed at managing vulnerabilities in an open-source ecosystem has been introduced by Google. OSV is a database for open-source vulnerabilities that automates the triage workflow for an open-source package consumer, making it easier for users to identify which vulnerabilities impact them. Such initiatives are essential if the cybersecurity industry is to reduce the growing trend of key software supply chains being compromised.
Clearly define shared responsibilities in the cloud
With the rise in remote working further accelerating cloud adoption, cloud misconfiguration has become one of the biggest sources of cyber risk today—often providing an open goal for attackers. Threat actors are constantly scanning for exposed cloud systems to compromise, with frequent success, so the trend of cloud-related breaches is unlikely to abate in the future.
When used appropriately and configured correctly, the public cloud can be more secure than on-premises environments. But there are two key sources of risk. The first one is a shortage of skills that have already led to countless cloud data breaches and leaks through misconfiguration, exposing highly sensitive customer data and IP. The second important cause is an insufficient understanding of the Shared Responsibility Model, leading to a misconception of the demarcation between the security responsibilities of cloud providers and those of their customers.
Security teams must ensure they clearly define what the cloud provider is securing, and what they are responsible for. The ‘grey’ areas of the Shared Responsibility Model that normally require extra clarification include applications, operating systems, network controls, and identity and directory infrastructure.
What next for CISOs?
Addressing security challenges and visibility gaps in the post-COVID era is no mean feat. Aside from securing adequate resourcing and funding, CISOs need to put in place the tools and processes to tackle the growing levels of threat as well as their evolving sophistication.
Zero Trust, conceived by John Kindervag, has been co-opted by a multitude of security vendors, often focussing on only one part of the ‘never trust, always verify’ concept. However, the NSA has recently published official guidance on the Zero Trust Security Model, giving it the much-needed neutrality and endorsement it deserves.
By assuming that a breach is inevitable or has likely occurred, organizations are set to constantly limit access to only what is needed and monitor for suspicious activity. In a supply chain breach, for example, a Zero Trust model would adopt a deny-by-default security policy, for all users, systems, and applications. Real-time protective monitoring would detect suspicious activity and provide an alert on any unauthorized attempts to access an application.
Managed threat detection and response (MDR) services can be helpful here as they have accrued all the necessary expertise, experience, and threat context through visibility of multiple customer environments with a laser focus on security operations and incident response.
This focus also enables them to apply optimal automation alongside human analysis, adding human context and intelligence to decision making. The end result is a faster response to threats and a reduction in attacker dwell time and risk.
WRITE FOR CISO MAG
Do you want to write for CISO MAG? Please read our guidelines here.
About the Author
Jamie Brummell is Founder and CTO of Socura (www.socura.co.uk). He is a cybersecurity leader with over 20 years of experience working with multinational organizations, security vendors, and systems integrators. Responsibilities have included security design, engineering, consultancy, and strategy.
Jamie works with senior executives, architects, analysts, and engineers alike; helping them manage cyber risk and improve their cyber defense capability.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.