With all the layoffs and furloughs due to COVID-19, you may be wondering if the shortage of cyber professionals is still a problem. According to Gartner, the answer is yes. Citing the rise in COVID-19 themed cyberattacks, Gartner saw the demand for information security roles surge in February 2020.
Industry experts now count the global shortage of cybersecurity professionals in the millions. To hiring managers, this simply means good people are very hard to find and even harder to retain within their budget.
The labor shortage is complicated by the proliferation of roles that are needed to support a strong cybersecurity defense. For example, staffing a Security Operations Center (SOC) requires a team of security analysts, threat responders, security engineers, and SIEM content developers. Many organizations are not big enough to support full-time employees with such a narrow cybersecurity specialization. And when you add in the requirement to staff a 24/7 operation, the cost and time to build a team can become insurmountable.
Here are three areas where you can combat the staffing shortages in our industry.
- Partner with Educational Institutes
Universities and technical colleges offer a range of cybersecurity courses and degree programs that may one day help shrink the skills gap. In the meantime, employers should identify local educational institutes and recruit students into intern and entry-level positions. Consider offering to be a guest presenter, hosting a tour of your company, or contacting the college’s student placement team to ask about hiring events.
- Hire More Women
Women only make up a quarter of the cyber workforce, but bring many desirable skills and unique perspectives to cybersecurity roles. Get involved in networking groups for women interested in cybersecurity and demonstrate to female candidates that your organization is an environment where they are valued and can achieve their career goals.
- Recruit Veterans
Veterans are accustomed to working in demanding environments, using advanced technology, and being trusted with confidential information. There are multiple opportunities for employers to support veterans’ groups that focus on cybersecurity training and to gain more visibility as a potential employer.
- Look for Adjacent Skills
Hiring managers like to find people who have experience in a role that is similar to the vacancy they are trying to fill. In a tight labor market, you can expand your candidate pool by recruiting based on skills rather than roles. For example, search for candidates with computer networking or ITSM skills who can be trained on the missing skill set.
Reduce the Need
IT teams should look for opportunities to automate workflow and remediation tasks, to create faster processes and reduce the workload. Security Orchestration Automation and Response (SOAR) tools can increase productivity and reduce the need for incremental hiring.
Like automation strategies, effective training increases the productivity of your IT security team. Cybersecurity professionals are often focused on achieving certifications that increase their marketability but do not necessarily increase their productivity. Map your team’s skills gaps to key objectives and explore training courses that allow your team to get the most out of the tools you already have in place.
Employee turnover has a negative impact on productivity and quality and is a significant time drain for hiring managers. Effective retention strategies include offering a career path, paying competitively, providing training, and offering the ability to work remotely.
Change the Dynamic
Many organizations do not have the scale or budget to hire a team of cyber professionals. Outsourcing this function to a managed security service provider (MSSP) taps into a pool of trained experts, allowing the client to leverage the MSSP’s investments in tools and benefit from their mature processes.
- Hire Remote Employees
COVID-19 has altered the expectations of working from home. Traditionally, companies required security staff to work in a secure physical location or Security Operations Center (SOC). While there are still advantages to team members collaborating from the same location, IT security managers are becoming more accepting of virtual collaboration. This shift provides more flexibility for those in the industry and will be a differentiator in combating the cyber skills gap.
- Move SOC Location
The challenge of staffing and managing a 24/7 operation is non-trivial. Studies of human behavior show that productivity and effectiveness degrade during second and third shifts. Adopting a follow-the-sun model allows employees to work during local business hours, attracting higher quality and more experienced professionals who otherwise would not sacrifice their quality of life by working graveyard shifts. Moving a SOC can also take advantage of the availability of skilled labor in locations near universities or other big employers.
According to the consulting firm McKinsey, organizations will need to navigate through the stages of Resolve, Resilience, Return, Reimagination, and Reform during the COVID-19 pandemic. Many organizations are now in the Return stage as they ask their employees to come back to their business locations.
The challenge for IT organizations is how to manage the transition through these stages as securely and effectively as possible. It is not as simple as flipping a switch, where business operations return to the way they were before COVID. Successfully reopening will require advance planning, locking down networks, and avoiding the human errors often caused by a rushed implementation.
Industry experts expect COVID to accelerate digital transformation. From the supply chain, through manufacturing and on to customer engagement, businesses need solutions that are more adaptable, agile, and digitally enabled. For example, the digital transformation of the supply chain includes digitally connecting buyers with a network of partners, uploading design data, getting instant pricing, and performing design for manufacturing on the fly.
Digital transformation will require businesses to rearchitect their networks and applications, creating new cybersecurity challenges.
Protect Your Networks
Sales of notebooks rose dramatically in March and April of 2020 as office workers transitioned to teleworking. Whether permanently or following a staggered work schedule, many of these workers will be trading in these notebooks for their old desktop computers as they return to their traditional place of work. IT teams should proactively secure desktop PCs by applying security patches, updating endpoint security, and adjusting thresholds for desktop logs.
Unpatched vulnerabilities are a significant cause of avoidable data breaches. Patch management for Microsoft products alone is a major undertaking. On the second Tuesday of each month, known as Patch Tuesday, Microsoft releases security-related updates for Windows, Office, and related products. Microsoft issued 339 security patches in March, April, and May of 2020. When reviewing vulnerabilities, teams responsible for patching should not only assess the criticality of the vulnerability but also consider its exploitability. For example, Microsoft classifies CVE-2020-1054 as “Important” with a rating of “Exploitation More Likely”. According to Microsoft, an attacker that exploited this Win32k Elevation of Privilege Vulnerability could run arbitrary code in kernel mode, and then install programs; view, change, or delete data; or create new accounts with full user rights.
Risk-Based Vulnerability Management (RBVM) tools help address the trade-off between criticality and exploitability. Asset discovery, continuous vulnerability scanning, risk indexing, and patch management are components of RBVM solutions. RBVM Managed Services take this a step further by offering experts that provide lifecycle vulnerability management services and make patching recommendations that factor in compensating controls, deployment challenges, and business continuity.
Review Remote Access Solutions and Policies
Chances are that your IT team has already experienced a trial by fire setting up remote access for a large number of employees as their organizations adopted a work from home policy. Now is a good time to re-evaluate your VPN capacity as the pendulum swings the other way.
Your approach to working from home will significantly affect your required VPN capacity. Some organizations are embracing teleworking on a long-term basis, while others see this as a temporary solution until there is a COVID-19 vaccine. Use a network performance monitoring tool to analyze usage of your VPN. If you do not have one, many good tools are available on a free trial basis. For example, products like PRTG can be used to monitor multiple VPN parameters including traffic, users, and applications.
Through the process of rebaselining your capacity needs, you will determine if your existing VPN hardware and licensing are sufficient for your expected requirements. This is also a good time to consider rearchitecting your approach to remote access. Strategies include moving data and applications to the cloud and using products like Citrix Access Control. Moving away from traditional VPNs will likely add flexibility and scalability to your users and mission-critical applications. However, these benefits come at a price and often have longer implementation timelines than expected.
In addition to reviewing operational aspects of your VPN infrastructure, a reopening plan should revisit policies that secure VPNs including password policies, 2FA, and software updates. SOC teams or managed service providers should constantly monitor VPN activity for anomalous behavior. Easy to use dashboards should provide visibility into VPN user activity, geographic locations, and variations from expected thresholds. Having a better understanding of your VPN traffic and trends will increase your security posture by streamlining the level of effort required to properly analyze alerts. Event notifications will drive security analyst investigations and remediation steps.
Questions to consider:
- How many employees are just doing what works and bypassing security controls to get things done?
- Is it normal for your organization to have successful remote VPN logins from resources outside the country?
- Did your organization need to “relax” any security or compliance policies to enable employees to use RTP (Real-time Transport Protocol), which is used by live video services like Zoom, WebEx, and others?
- How many different RTP applications are running on these hosts and are they configured to meet your organization’s security and compliance strategy?
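The VPN review questions above, in particular successful logins from outside the country and the daily new-user report, can be answered directly from gateway logs. The following is an added example written for this page, not code from Proficio or from any VPN product: it assumes a simplified, constructed log line format (`login result=... user=... src=... country=...`) in which the gateway or a log enrichment step has already attached a two-letter country code to each source address.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Constructed sample VPN gateway log lines; the format is an assumption for
# this example, not the output of any real gateway product.
SAMPLE_VPN_LOG = """\
2020-05-12T08:01:22Z vpn-gw1 login result=success user=alice src=203.0.113.7 country=US
2020-05-12T08:03:10Z vpn-gw1 login result=success user=bob src=198.51.100.4 country=US
2020-05-12T08:05:41Z vpn-gw1 login result=failure user=carol src=192.0.2.9 country=US
2020-05-12T08:09:03Z vpn-gw1 login result=success user=alice src=192.0.2.200 country=RO
2020-05-12T08:15:55Z vpn-gw1 login result=success user=dave src=203.0.113.77 country=US
2020-05-12T08:20:17Z vpn-gw1 login result=success user=erin src=198.51.100.250 country=CN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)


class VpnEvent(NamedTuple):
    ts: str
    host: str
    result: str
    user: str
    src: str
    country: str


def parse_vpn_log(text: str) -> List[VpnEvent]:
    """Parse log text into events; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(VpnEvent(**m.groupdict()))
    return events


def successful_logins_outside(events: List[VpnEvent], allowed_countries: Set[str]) -> List[VpnEvent]:
    """Successful logins whose geolocated source country is not on the allow list."""
    return [e for e in events if e.result == "success" and e.country not in allowed_countries]


def first_seen_users(events: List[VpnEvent], known_users: Set[str]) -> List[str]:
    """Users with a successful login who are not in the known-user baseline (new VPN user report)."""
    new_users: List[str] = []
    for e in events:
        if e.result == "success" and e.user not in known_users and e.user not in new_users:
            new_users.append(e.user)
    return new_users


def multi_country_users(events: List[VpnEvent]) -> Dict[str, Set[str]]:
    """Users who logged in successfully from more than one country in the window under review."""
    countries: Dict[str, Set[str]] = {}
    for e in events:
        if e.result == "success":
            countries.setdefault(e.user, set()).add(e.country)
    return {u: c for u, c in countries.items() if len(c) > 1}


def logins_by_country(events: List[VpnEvent]) -> Dict[str, int]:
    """Counts of successful logins per country, for a dashboard or daily review."""
    return dict(Counter(e.country for e in events if e.result == "success"))


if __name__ == "__main__":
    evs = parse_vpn_log(SAMPLE_VPN_LOG)
    for e in successful_logins_outside(evs, {"US"}):
        print("outside allow list:", e.user, e.src, e.country)
    print("new users:", first_seen_users(evs, {"alice", "bob", "carol"}))
    print("multi-country users:", multi_country_users(evs))
    print("by country:", logins_by_country(evs))
```

On the constructed sample, the review flags two successful logins from outside the US allow list, two users absent from the baseline, and one account (alice) that logged in from two countries within minutes. In practice the allow list and known-user baseline come from HR and directory data, and a hit from the country check should be treated as a prompt for investigation rather than an automatic block.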
Network Access Control (NAC) solutions add to your remote access security program by controlling user and device access to the corporate infrastructure. The case for NAC deployment is stronger in an environment where employees are switching between office and home locations and BYOD and IoT devices are being connected to the network. Examples of NAC vendors are Forescout, HPE-Aruba, and Portnox.
To further leverage your NAC investments, ask your SOC or MDR Service provider to build correlation rules with endpoint security software, and then automate the containment of infected devices on your network.
Assess COVID’s Impact on Scoping New and Upcoming Projects
Many information security teams planned to build out new capabilities or implement new security controls this year. Underlying these plans were assumptions on the cost and resources required for these projects.
The COVID pandemic should cause planners to look carefully at their assumptions. For example, projects to deploy new SIEM (Security Information and Event Management) software or to centralize log management need to be scoped with more than a snapshot of current traffic. With people out of the office and certain on-premise systems and controls operating at low usage, the amount of storage required (usually measured in gigabytes per day or events per second) might be artificially low compared to when the office reopens.
Estimating staffing levels for security operations during COVID presents similar challenges. For many organizations, the number of security alerts processed by a security operations team is directly correlated with user activity. Users will click on suspicious links, access suspicious websites, attempt to install suspicious software, and perform other activities that result in work for security analysts to investigate. As a result of COVID, many organizations were forced to furlough workers. Additionally, remote users may not be going through certain on-premise controls such as web filters and firewalls. As a result, the alerts the security operations team is processing might be artificially low compared to activity levels when offices reopen.
To combat the risk of under-scoping resources for these projects, assess activity levels for pre-COVID periods, such as January and February of 2020. Businesses are being affected by COVID in different ways, and management teams are rethinking their go-forward operational models. We suggest getting a range of inputs to properly scope the requirements for new security products and services.
Accelerate Transition to the Cloud
Workloads were increasingly being migrated to the cloud before COVID. Post-COVID, the adoption of cloud computing will likely speed up as companies deal with uncertainty and value the ability to flexibly scale up and down capacity. Businesses are also reviewing their reliance on physical data centers because of safety concerns related to site visits during the COVID pandemic.
When formulating a cloud security strategy, IT leadership will need to weigh the risks against the benefit of increased agility. According to Gartner’s predictions around the cloud, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data, and 99% of cloud security failures will be the customer’s fault.
In the “2019 Data Breach Investigations Report” (DBIR), errors were found to be one of the top causes of data breaches. Errors that have resulted in misconfigurations of cloud infrastructures are increasingly cited as the cause of the loss of sensitive data. Examples of such misconfigurations include:
- Data encryption not turned on
- Access to resources not provisioned using IAM roles
- VPC Flow logs being disabled
- Publicly exposed cloud resources
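The four misconfiguration classes listed above are the kind of checks a configuration audit can run automatically against a resource inventory. The following is an added example written for this page, not Proficio’s code or any cloud provider’s API: it assumes a simplified, vendor-neutral inventory shape (constructed here as a list of dictionaries) that an asset-discovery step has already produced, and reports one finding per failed check.

```python
from collections import Counter
from typing import Any, Dict, List

# Constructed inventory in a simplified, vendor-neutral shape. This schema is an
# assumption for the example and does not match any real provider's API output.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"id": "bucket-customer-exports", "type": "bucket",
     "encryption_at_rest": False, "public_access": True},
    {"id": "bucket-app-logs", "type": "bucket",
     "encryption_at_rest": True, "public_access": False},
    {"id": "vpc-prod", "type": "vpc", "flow_logs_enabled": False},
    {"id": "vpc-dev", "type": "vpc", "flow_logs_enabled": True},
    {"id": "web-01", "type": "instance", "iam_role": None,
     "static_access_keys": True, "public_ip": True, "open_ports": [22, 443]},
    {"id": "worker-02", "type": "instance", "iam_role": "worker-role",
     "static_access_keys": False, "public_ip": False, "open_ports": []},
]

# Ports that should never be reachable from the internet on a compute instance.
MANAGEMENT_PORTS = {22, 3389}

Finding = Dict[str, str]


def audit_resource(r: Dict[str, Any]) -> List[Finding]:
    """Run the checks that apply to one resource and return a finding per failure."""
    findings: List[Finding] = []

    def flag(check: str, message: str) -> None:
        findings.append({"id": r["id"], "check": check, "message": message})

    if r["type"] == "bucket":
        if not r.get("encryption_at_rest", False):
            flag("encryption-disabled", "data encryption at rest is not turned on")
        if r.get("public_access", False):
            flag("public-exposure", "bucket is reachable without authentication")
    elif r["type"] == "vpc":
        if not r.get("flow_logs_enabled", False):
            flag("flow-logs-disabled", "VPC flow logs are disabled; no network visibility")
    elif r["type"] == "instance":
        # Access should be granted through an IAM role, not long-lived static keys.
        if r.get("iam_role") is None or r.get("static_access_keys", False):
            flag("no-iam-role", "instance uses static access keys instead of an IAM role")
        exposed = MANAGEMENT_PORTS.intersection(r.get("open_ports", []))
        if r.get("public_ip", False) and exposed:
            flag("public-exposure",
                 "management port(s) %s open on a public IP" % sorted(exposed))
    return findings


def audit_inventory(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Audit every resource and flatten the findings into one list."""
    return [f for r in inventory for f in audit_resource(r)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check, the figure a posture dashboard would trend over time."""
    return dict(Counter(f["check"] for f in findings))


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print("%-24s %-20s %s" % (f["id"], f["check"], f["message"]))
    print(summarize(results))
```

On the constructed inventory the audit produces five findings: the export bucket fails both the encryption and exposure checks, the production VPC has no flow logs, and the public web instance both lacks an IAM role and exposes SSH on a public address. Running such checks on every change, rather than once, is what keeps the error category from the DBIR from turning into a disclosure.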
In the case of Capital One, 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed amount of customers’ personal information were disclosed due to a misconfigured web application firewall.
The first steps to minimizing misconfigurations in the cloud are training your security teams to understand cloud infrastructure and documenting and auditing processes. Next, use cloud-native security tools that allow you to monitor your networks for suspicious activity such as a malicious actor abusing a set of compromised credentials, moving laterally across the cloud environment, or attempting to exfiltrate information. For many organizations, it is more practical to outsource the responsibility of configuring and monitoring cloud infrastructures to outside experts or a Managed Security Service Provider (MSSP).
Conventional wisdom has been that users of cloud computing must realize their responsibility for security and not overly rely upon providers who are primarily concerned with securing their platform vs everything their customers build and store within it. While cloud providers have considerably improved their security, data and applications hosted in a cloud infrastructure require the same security programs used for on-premise networks. In this shared responsibility model, event logs must be collected, analyzed and monitored; traffic in and out of virtual networks must be inspected and protected by virtual NGFWs and WAFs; and hosts must be scanned for vulnerabilities.
Today, the three cloud providers that dominate the market are AWS, Azure, and Google. As an enterprise grows its cloud infrastructure, it is likely to consider a multicloud approach. The idea is that using more than one vendor reduces dependency and gives the customer more leverage. For organizations that are selecting an MSSP to monitor their cloud infrastructure, check whether your prospective provider can support the top three players in case your organization decides to follow a multicloud strategy.
Post-COVID Threat Landscape
Cybersecurity teams should always be anticipating new threats and new threat actors and be prepared to detect and respond to damaging attacks.
We recommend reminding your employees that phishing campaigns remain a successful tool for attackers, who attempt to entice email recipients to click on embedded links that download malicious programs or open nefarious websites. These phishing emails are crafted to prey on anxieties about the spread and impact of the COVID-19 pandemic. Attackers are acutely aware of the public attention on this worldwide pandemic and will craft emails intended to elicit an emotional response.
Attackers are seeking to harvest verified credentials. If an employee does click on a malicious link but closes the web browser before any download can begin, the attacker still has confirmation that the email account is legitimate, which will result in more targeted phishing emails. Credential gathering and phishing emails are ongoing challenges to an organization’s security posture. To get ahead of this threat, organizations might consider an organization-wide password reset as well as using multi-factor authentication.
While the themes used in cyberattacks are changing, it does not appear that the actors behind these attacks or the attack vectors have changed. Enterprises must maintain heightened vigilance for malware, ransomware, and phishing attacks, but that is not new. Endpoint security tools must be fit for purpose and kept updated. Implementing security tools is only half the battle; they need to be correctly configured and monitored, and their alerts investigated. Where internal teams lack the expertise or time for these functions, a managed endpoint detection and response service provider can fill the gap. Finally, the need for employee security awareness and training can never be overstated.
Increased Risk of Insider Threats
Unfortunately, many organizations are being forced to furlough or lay off employees as a result of the impact of COVID on their business. Disgruntled employees are more likely to steal data or credentials to retaliate against perceived grievances. According to research from Gartner, “seeking harm and revenge on employers is a bigger incentive for insider threats than is stealing money.”
Passwords are the first line of defense against insider threats. Organizations must immediately change passwords, close accounts, and remove access to shared resources when an employee leaves. Your company will be liable for the confidentiality of your partners’ information, so it is equally important to inform third parties and vendors that may have provided the employee with access. This risk is enhanced where your company has signed a covered entity or business associate agreement.
Ensure departing employees have up-to-date paperwork protecting confidentiality and inventions, return corporate devices, and do not have company data on personal devices.
Depending on your organization’s security controls and collection of event logs, user activity can be an indicator of insider behavior. Examples of detections that can be built from monitored logs, investigated as anomalous behavior, or used in correlation rules include:
- Detect the first time a USB drive is plugged in
- Detect data exfiltration by monitoring DNS activity for total bytes transferred
- Detect unauthorized access attempts to sensitive systems
- Detect activity from expired user accounts
- Detect credential sharing for your privileged accounts by correlating account logins from disparate locations
- Detect download events from SaaS applications like Salesforce.com for indicators of data exfiltration
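Two of the detections listed above, activity from expired accounts and credential sharing on privileged accounts, can be expressed as simple correlation logic over authentication logs. The following is an added example written for this page, not Proficio’s content or any SIEM vendor’s rule syntax: it assumes a constructed, simplified authentication log format (`auth success|failure user=... site=... host=...`) and a list of expired and privileged accounts supplied from the directory or HR system.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample authentication events, already normalized to one line per
# event. The format is an assumption for this example, not real SIEM output.
SAMPLE_AUTH_LOG = """\
2020-06-01T09:00:00Z auth success user=svc_backup site=HQ host=FS01
2020-06-01T09:04:00Z auth success user=svc_backup site=BRANCH-2 host=WS14
2020-06-01T09:30:00Z auth success user=jsmith site=HQ host=WS02
2020-06-01T10:00:00Z auth success user=jsmith site=HQ host=WS02
2020-06-01T10:05:00Z auth failure user=fmartin site=REMOTE host=VPN
2020-06-01T10:06:00Z auth success user=fmartin site=REMOTE host=VPN
2020-06-01T12:00:00Z auth success user=admin_ops site=HQ host=DC01
2020-06-01T13:30:00Z auth success user=admin_ops site=DR-SITE host=DC02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) site=(?P<site>\S+) host=(?P<host>\S+)$"
)


class AuthEvent(NamedTuple):
    ts: datetime
    result: str
    user: str
    site: str
    host: str


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse the log into events sorted by time; unrecognized lines are skipped."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["result"], m["user"], m["site"], m["host"]))
    return sorted(events, key=lambda e: e.ts)


def expired_account_activity(events: List[AuthEvent], expired: Set[str]) -> List[AuthEvent]:
    """Any authentication attempt (success or failure) by an account that should be disabled."""
    return [e for e in events if e.user in expired]


def shared_privileged_logins(events: List[AuthEvent], privileged: Set[str],
                             window_minutes: int = 30) -> List[Tuple[str, str, str, int]]:
    """Privileged accounts with successful logins from two different sites inside the window.

    Returns (user, first_site, second_site, minutes_apart) per pair found.
    """
    window = timedelta(minutes=window_minutes)
    by_user: Dict[str, List[AuthEvent]] = {}
    for e in events:
        if e.result == "success" and e.user in privileged:
            by_user.setdefault(e.user, []).append(e)
    hits: List[Tuple[str, str, str, int]] = []
    for user, logins in by_user.items():
        for i, first in enumerate(logins):
            for second in logins[i + 1:]:
                if second.ts - first.ts > window:
                    break  # logins are time-sorted; nothing later can be in the window
                if first.site != second.site:
                    minutes = int((second.ts - first.ts).total_seconds() // 60)
                    hits.append((user, first.site, second.site, minutes))
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in expired_account_activity(evs, {"fmartin"}):
        print("expired account active:", e.user, e.result, e.host, e.ts.isoformat())
    for hit in shared_privileged_logins(evs, {"svc_backup", "admin_ops"}):
        print("possible credential sharing:", hit)
```

On the constructed log, the expired account fmartin is seen both failing and then succeeding, which is exactly the case where offboarding did not fully disable access, and svc_backup is flagged for logging in from two sites four minutes apart; admin_ops is not flagged because its two sites are 90 minutes apart, outside the 30-minute window. The window is the tuning knob: too short misses real sharing, too long flags legitimate travel between sites.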
Be Prepared for the Short Term and Long Term
No one knows with certainty what will be new normal for the business. Questions like when will workers return to their physical offices, what percentage of the workforce will return to physical offices, and will businesses move certain functions to permanent remote roles are all hard to predict.
In the short term, we can expect issues with technology and existing information security procedures. For example, furloughed employees may not have their access properly shut off, their phones may still be configured to check email, their accounts might still be enabled for certain systems, or they may still have access to certain physical assets. As a result, Windows accounts will expire without password updates, causing spikes in failed authentications on an organization’s domain.
Over the long term, information security programs should be evaluated based on their ability to provide visibility to threats and their efficiency in meeting operational requirements.
Expect gaps in visibility for organizations switching to a work from home model without an architecture set up to route internet traffic from work machines through a web filter product. Employees can access phishing sites or competitor websites, or use their machines for non-work-related activity, because the organization has neither visibility into this layer of network traffic nor the ability to log network and endpoint telemetry to a central location.
Businesses that are not experienced with remote workers will need to create new processes to ensure their employees can work efficiently. For example, if a machine is suspected to be compromised, how will the organization perform remote forensics if they do not have a detailed cloud-based EDR product logging significant endpoint telemetry? Additionally, if the employee’s machine is compromised, do you stop that employee from working and ship a replacement laptop to the employee? As a result, the employee can do nothing while the new machine is being delivered. For some businesses, this is nothing new, but for others these changes will require some level of effort to smooth over.
Get Ahead of Upcoming Audit Inquiries
Part of reopening is preparing to meet compliance standards and undergo security audits.
Security audits have become a common feature of almost every industry. Preparation and planning reduce the disruption of an audit and increase the likelihood of a successful result. Companies that take a checkbox approach to meeting compliance standards can fail to adequately assess the cybersecurity risks to their organization.
Preparing for an audit should start with a review of the latest changes to compliance standards. Risk and security teams should compile and update key documents that describe the organization’s security policies. These should include a list of technical controls and safeguards, password and user account policies, configuration management, patching, incident response plan, and backup and disaster recovery.
The COVID pandemic is placing enormous stress on individuals and organizations. Those responsible for enterprise security operations and risk management are being challenged to respond to more change and uncertainty than ever before.
In this environment, it is key that IT leadership aligns its operational objectives with the organization’s strategic goals. IT teams must be agile and deliver value while ensuring the integrity of day-to-day operations. At Proficio, we address these same challenges through partnering with our clients, empowering our team of security experts, and creating innovative solutions to real-world problems.
Bryan Borra, Director of Security Engineering, Proficio
Paul Fletcher, Security Advisor, Proficio
This article originally appeared in InfoSecurity Magazine
The world is adjusting to a new reality. While working from home may be the norm for many tech companies, organizations of all shapes and sizes are now faced with the unique challenges that come from remote employees, trying to navigate how to secure their networks in an uncertain world.
Today, they are concerned with keeping the employees – and company – safe and connected, but as the days become weeks, and weeks are certain to become months, they also have to start considering their future plans.
A lot of people are wondering what their jobs will look like after the dust of COVID-19 settles, and it’s a good question. A friend recently mentioned…
People around the world are grappling with the new reality of COVID-19 which is drastically changing the way organizations do business. From protecting employee and customer health to maintaining operational and economic resilience, we are challenged with finding ways to keep business running smoothly – and safely – in this new normal.
For IT leaders looking for ways to reduce their cybersecurity risk, we recommend focusing on three key areas: working from home, opportunistic attacks, and operational disruptions. Here are some recommendations on how to get through this difficult period:
Working from Home
To encourage social distancing and help employees struggling with recent school closures, many organizations have their employees working from home. While this may be a temporary measure, industry analysts have suggested that COVID-19 may be the inflection point in a greater acceptance of remote working.
Proficio recommends the following cybersecurity best practices for teleworkers:
- VPN Connectivity: Strengthen security for VPN by reviewing password controls, adopting two-factor authentication and strong encryption, and monitoring VPN access by geolocation, anomalies to baseline home VPN locations, and users.
- Monitor Activity: Increase active monitoring of VPN and Office 365 activity logs in your Security Operations Center, enable new VPN user reporting (if you do not have active reports or dashboards) and at minimum, review them daily.
- Secure Endpoints: Apply and update effective endpoint security software and use endpoint detection and response techniques to protect remote users from account compromises and device infection. If you lack in-house resources for managed response to endpoint compromises, we recommend contracting with an MDR service provider.
- Educate: Remind your users of best practices for working from home, including backing up data, using secure WiFi and home routers, and monitoring the use of Remote Desktop Protocol (RDP). It is also key to remind them of the increased volume and sophistication of phishing attacks, so that they stay alert and on the lookout for COVID-19 scams.
- Cloud Safety: The use of cloud-based infrastructure and applications is growing rapidly, and with the increase in teleworking, the use of the cloud will further accelerate. Organizations should implement use cases to help monitor cloud-based applications for anomalous user behavior and review their procedures for configuring and securing virtual servers.
Opportunistic Attacks and Active Defense Mitigation
Cybercriminals are already exploiting people’s anxiety around COVID-19. For example, phishing emails purporting to be sent by the World Health Organization and the CDC contain new “information” about the virus, or claim to be from charitable organizations raising money for victims.
According to researchers at Proofpoint, phishing attacks involving emails that contain Microsoft Office document attachments are being used to lure victims and exploit a Microsoft Office vulnerability. In parallel with this type of activity, there has been a surge in the number of registered COVID-19-related domains and malicious applications, promising to track the virus.
In this environment, Proficio recommends the following:
- Caution users to be ultra-vigilant and on the lookout for scams, phishing attacks, and social engineering tactics that take advantage of the current situation. Use trusted sites, such as CISA, for guidance and information.
- Tailor multi-layer protections on email, infrastructure, systems and applications to detect malware, spam, and domains that pertain to “corona”, “virus”, “COVID”, “infection”, and related terms.
- Enrich and correlate log data with new sources of threat intelligence from government agencies, broadcast and social media, and local websites.
- Monitor security events on a 24/7 basis and use a framework like MITRE ATT&CK to more comprehensively understand and respond to threats.
- For quicker action, automate containment actions to respond to attacks at the perimeter, endpoint, and cloud. Ask your service provider for SOAR-as-a-Service.
- Regularly scan for vulnerabilities and adopt a risk-based vulnerability management approach to more effectively patch assets with real and exploitable vulnerabilities.
- Continuously monitor your organizations’ security posture. Build real-time dashboards that show trends in attack volumes and methods to pinpoint gaps in security.
Risk of Operational Disruptions
The impact of employee sick leave or quarantining could undermine an organization’s operational readiness and reduce the capability of IT teams to respond to attacks. Even if your team is not seriously affected, there is a risk that they will be distracted with unplanned tasks such as supporting remote workers or adjusting to new family schedules. Similarly, in the world of COVID-19, it is also likely that your vendors may be disrupted or less responsive.
To minimize this impact, Proficio recommends:
- Review your business continuity plan and be prepared to implement it.
- Understand your vendors’ preparedness and plans. If you are reliant on outsourced 24/7 monitoring or support, find out whether your service provider operates from a single SOC location, as this adds risk in the event of a localized virus hot spot.
- Implement cross-training, if this is not already in place.
- Check that your list of vendor contacts and their back-ups is available, especially if you have limited named support contacts.
- Adopt best practices to reduce the risk of contagion, including social distancing, working from home and reduced travel.
We hope you all find yourself safe in this time of uncertainty but please feel free to reach out to us if you need help in any way.