Infosecurity Magazine presents its Infosec Advent Calendar – brand new for 2020 – bringing you a security tip from an industry expert every day as we count down to Christmas!
Security tip for December 24: Understand the business so you can secure the business.
It is critical that you understand the business your organization is in. Without this understanding, you will not appreciate the context of how your security initiatives will either support or hinder the business. I recommend reviewing your organization’s business strategy, annual report and any other material that is relevant to the key strategic goals of the business. Also, take time to meet with your peers in the business to appreciate the challenges they may face in conducting their own functions’ goals. You should review your company’s IT strategy so that you better understand the future direction it will take. With these understandings, you can better align your cybersecurity strategy and goals with those of the business. If done properly, this can lead to better buy-in from management and your peers, more accurate and reflective cybersecurity KPIs and metrics and strong relationships to leverage in delivering security initiatives.
Brian Honan, owner, BH Consulting
Security tip for December 23: Take precautions when connecting electronic gifts (Christmas or any other) to protect your home and corporate network.
Most people may not be able to change the gifts they have bought or received, but they can still take some precautions to ensure that they are not making their network any more vulnerable by adding new insecure devices. Recent reports by various researchers have pointed to the fact that many consumer devices do not have security baked in. The importance of this for organizations is that while many people are still working from home their home network is their normal everyday work network, so any compromise on that network could possibly affect the work devices and/or data transmitted from and to them. Organizations must provide some education and awareness for their staff to be protected from attacks on the home network.
Provide user awareness and education on:
- Changing default passwords on new devices
- Setting devices to accept auto update if it is available
- Switching off any services on devices relating to remote management unless they are knowledgeable and will be managing the device remotely
- Selecting options which enable the latest encryption for any transmission to and from devices
Sarb Sembhi, CISM, CTO and CISO, Virtually Informed
Security tip for December 22: Stay connected and up-to-date with security vulnerabilities.
There is so much happening within the adversarial landscape it is imperative we stay up-to-date with the latest data, from vulnerabilities in order to prioritize patch cycles to new TTPs from adversaries. Unfortunately, the deluge of data makes it hard to differentiate signals from noise, but we have to establish a credible threat feed to remain aware of the risks that matter.
Raj Samani, chief scientist and McAfee fellow, McAfee
Security tip for December 21: Organizations will rush to conduct digital transformation programs to stay relevant in the marketplace – winners will dominate industries, losers will be left behind.
Organizations will undertake increasingly complex digital transformations – deploying AI, Blockchain or robotics – expecting them to seamlessly assimilate with underlying systems. Those that get it wrong will have their data compromised. Consumers and dependent supply chains will lose confidence in organizations that do not integrate systems and services effectively. New vulnerabilities and attack vectors will be introduced, attracting opportunistic attackers.
Steve Durbin, managing director, Information Security Forum
Security tip for December 20: Take time off immediately if you are dealing with burnout.
Burnout is incredibly common these days, but it can lead to placing your security at risk and/or your employer at risk if you are not fully present. When we are dealing with burnout, we are not functioning like our normal selves and can miss details and deadlines, fall for a phishing attempt or fail to patch a vulnerability properly. The only cure for burnout is taking time off from work, infosec and devices.
Allow employees to take at least three business days to manage burnout, or, if you can, grant them a full week of paid time off. By not providing them with PTO, it places you, your team, your department, your company and your customers at huge risk. To reduce burnout, make sure you have a weekly ‘no meetings’ day, more flexibility towards allowing your employees to take time off for their mental health and weekly 1:1s with your team members to go over items and what to prioritize.
Chloé Messdaghi, VP of strategy, Point3 Security
Security tip for December 19: Conduct business impact assessments on systems to understand risk exposure and prioritize investment.
It has been a challenging year for almost every business. Resources have been stretched and, as a result, budgets for technology and security improvements have been hit hard. CISOs are having to really prioritize where they spend their money to improve their organization’s cybersecurity posture. A BIA will help organizations prioritize the allocation of time and resources to prevent, manage and recover from incidents that affect critical business operations and assets. BIAs should be reviewed on a regular basis as the functions/systems can change over time.
Nish Gopal, cybersecurity governance, risk and compliance specialist
Security tip for December 18: Invest your security budget in internal people, processes and tools.
Organizations will get the most jingle from their bells if they invest the majority of their security budgets in internal security staff, maturing their security processes and buying tools to prevent, detect and eliminate bugs internally. This approach is much more effective than an organization curdling all of its eggnog in the bottomless bug bounty bowl with too much whisky, aka too many preventable bugs, making it an indigestible punch that goes to your head, but leaves you reeling and dysfunctional. By investing in key internal security areas, an organization will experience ongoing, measurable improvements that will significantly advance its overall security, without intoxicating themselves with a disproportionate level of bug bounty bourbon.
Katie Moussouris, CEO and founder, Luta Security
Security tip for December 17: Be wary of emotional content! 2020 has been an emotional rollercoaster and fraudsters have been quick to incorporate events into their scripts.
I have been warning people for years about the dangers of emotional content but 2020 has been an emotional rollercoaster and the criminals, scammers and fraudsters have been quick to incorporate events into their scripts. From fear inducing ransomware attacks, to false hope offered by romance scammers, from fake lottery wins to the disgusting practice of ‘sad-phishing’ in social media for attention, support and charitable donations, the use of emotion has been prevalent in scams and cons of all types this year.
The advice is simple enough to state, but can be very hard to implement psychologically! If any content makes you emotional, regardless of what emotion that is, you absolutely must take time to question and evaluate it before you jump in with your support, response or reaction. Whether it’s a rallying cry for a cause you support, a mistake you are looking to correct or to express sympathy for someone or something, it’s so important to fact check the post first and really think about the reasons behind the post and the veracity of the poster! In this age of ‘fake news’ and widely proliferated lies, never has checking the character and the content of who and what you engage with been so important.
Jenny Radcliffe, aka the people hacker, Human Factor Security
Security tip for December 16: Be mindful of what access you grant mobile apps and services, implement system security updates and use security tools to mitigate the threat of unwanted access.
Your mobile device provides unmatched access to your sensitive data, network, private thoughts and behavior/habits. Users should be intentional about what access they grant mobile apps and services. This includes having a password to access the device, using a VPN when using public Wi-Fi, implementing two-factor authentication everywhere possible and not granting access to certain data just because the app asks. Take the time to evaluate whether they really need it and whether you need that functionality.
Organizations should have robust policies about device usage and clearly communicate how, when and why they collect user data for devices they provide and the level of access the user is granting when they merge personal and professional onto one device. For organizations developing apps, they should be guided by privacy principles to minimize data access, encourage user choice, clearly communicate data collection and abide by legal constraints to deliver the desired user experience.
Camille Stewart, cyber & tech attorney, foreign policy specialist, national security professional
Security tip for December 15: Be aware of the impact that untested digital tools can have on your infrastructure.
Whether it’s an indie desktop calendar application that an employee has installed on their machine, or a software package that developers might use on your software solution, malicious software can end up on your systems. This means that both non-techy people who are unaware of the security risks they may cause, and techy-techy employees who ignore the risks and just want to get the job done, are both a threat to the security of a workplace.
Put in place security awareness training, limit users’ ability to download unauthorized software and have correct procedures in place for ensuring that the technologies your employees use are safe.
Jenny Potts, aspiring security engineer and dev freelancer
Security tip for December 14: Developers should naturally build security into their pipelines, so application and configuration code is validated before features reach production.
With Forrester predicting business spending on software to reach $950bn next year, it’s clear software has become the backbone of modern business and society – and one of its biggest sources of risk. As DevOps and pipeline automation continue to accelerate and, ultimately, become the norm, a ‘security as code’ mindset will be essential to succeeding with DevSecOps.
Chris Wysopal, founder and CTO, Veracode
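One way to put the ‘security as code’ idea into practice is a configuration gate that a CI job runs on every change, failing the build before a weak setting reaches production. The following is an added example written for this page, not Veracode’s or the magazine’s code; the key names, the `${ENV_VAR}` and `vault://` reference formats, and both sample configs are constructed assumptions for illustration.

```python
"""Configuration gate for a delivery pipeline (added example; not Veracode's
or the magazine's code). A CI job runs it against the deployment config of a
change and fails the build if weak settings are found, so the check happens
before the feature reaches production. Key names, reference formats and both
sample configs are constructed for illustration."""
import json
import re
import sys

# Keys whose values must be references into a secret store, never literals
SECRET_KEY = re.compile(r"(password|secret|token|api_key|private_key)$", re.I)
# Accepted reference forms (assumed convention): ${ENV_VAR} or vault://path/to/secret
SECRET_REF = re.compile(r"^(\$\{[A-Z0-9_]+\}|vault://\S+)$")


def _leaves(obj, path=""):
    """Yield (dotted_path, value) for every scalar inside nested dicts/lists."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{i}]")
    else:
        yield path, obj


def validate_config(cfg):
    """Return a list of findings; an empty list means the config passes the gate."""
    findings = []
    for path, value in _leaves(cfg):
        key = path.rsplit(".", 1)[-1]
        # Literal secrets in config end up in git history, CI logs and backups
        if SECRET_KEY.search(key) and isinstance(value, str) and not SECRET_REF.match(value):
            findings.append(f"{path}: secret must be a ${{ENV_VAR}} or vault:// reference, not a literal")
        # Debug mode leaks stack traces, internal paths and sometimes credentials
        if key == "debug" and value is True:
            findings.append(f"{path}: debug mode must be off in production")
        # Disabled certificate verification makes every upstream call interceptable
        if key in ("tls_verify", "verify_ssl") and value is False:
            findings.append(f"{path}: TLS certificate verification must stay enabled")
        # A wildcard CORS origin exposes authenticated API responses to any site
        if "allowed_origins" in key and value == "*":
            findings.append(f"{path}: wildcard CORS origin is not allowed")
    return findings


# Constructed sample: what might get committed for a quick test deployment
WEAK_CONFIG = {
    "debug": True,
    "db": {"host": "db.internal", "password": "hunter2"},
    "upstream": {"url": "https://api.example.test", "tls_verify": False},
    "cors": {"allowed_origins": ["*"]},
}

# Constructed sample: the same service configured for production
HARDENED_CONFIG = {
    "debug": False,
    "db": {"host": "db.internal", "password": "${DB_PASSWORD}"},
    "upstream": {"url": "https://api.example.test", "tls_verify": True},
    "cors": {"allowed_origins": ["https://app.example.test"]},
}


def main(argv):
    """CLI entry point (hypothetical name): python config_gate.py deploy.json; exit 1 on findings."""
    if len(argv) != 2:
        print("usage: config_gate.py <config.json>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        findings = validate_config(json.load(fh))
    for finding in findings:
        print("FAIL", finding)
    print("config gate:", "passed" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against `WEAK_CONFIG` the gate reports four findings (debug on, a literal database password, disabled TLS verification and a wildcard CORS origin); `HARDENED_CONFIG` passes. The non-zero exit code is what lets a pipeline stage block the merge or deployment without any human in the loop, which is the point of treating the check as code rather than as a review-time reminder.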
Security tip for December 13: Make time every year to clean your security house.
When you’re trying to keep up with the business and react to incidents, it’s easy to lose track of where you were originally going, and this year has been especially problematic. Take time to re-discover the assets you need to protect, check the visibility you have at different layers of the infrastructure and see if there is technical debt that you can possibly pay down. It may sound like basic advice, but the most basic parts of security are never easy.
Wendy Nather, head of advisory CISOs, Duo Security (Cisco)
Security tip for December 12: Back it up! An endless number of business continuity and data security incidents can be solved with proper backups.
Make sure you make frequent-enough backups of everything that needs to be backed up, store them offline so they can’t be corrupted by ransomware, double-check that the backups are accessible even if your business HQ and data centers are down, and then test the recovery and restoration of the data frequently. Then you’re good to go!
Mikko Hyppönen, cyber and privacy expert, F-Secure
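The “test the recovery and restoration” step above is the one most often skipped, so here is an added example (not F-Secure’s or the magazine’s code) of a restore drill: it backs up a directory, keeps a SHA-256 manifest, restores into a fresh directory and compares every file, then shows what the drill reports for a backup whose contents drifted and for a truncated archive. All sample files, paths and the corruption cases are constructed assumptions.

```python
"""Backup-restore drill (added example; not F-Secure's or the magazine's code).
Creates a compressed backup of a directory, records a SHA-256 manifest, and
then proves the backup can be restored by extracting it into a fresh
directory and comparing every file against the manifest. All sample files,
paths and the corruption cases below are constructed for illustration."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def create_backup(src, archive):
    """Write src as a gzip tarball and return the manifest taken at backup time.
    Keep the manifest separate from (and, like the archive, offline) so that
    ransomware or a damaged copy cannot also rewrite its own checksums."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return build_manifest(src)


def verify_restore(archive, expected):
    """Restore into a throwaway directory and return a list of problems.
    An empty list means every expected file came back with the right hash."""
    problems = []
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(dest, filter="data")  # rejects path traversal where supported
                except TypeError:
                    tar.extractall(dest)  # older interpreters without the filter argument
        except Exception as exc:  # truncated gzip stream, bad header, unreadable media
            return [f"archive unreadable: {exc}"]
        actual = build_manifest(dest)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def drill():
    """Run three restore tests (good backup, drifted contents, truncated archive)
    and return their problem lists in that order."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "data"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")       # constructed sample data
        (src / "notes" / "readme.txt").write_text("quarter-end\n")  # constructed sample data

        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # Case 2: a file changed after the manifest was taken (or was altered in storage)
        (src / "ledger.csv").write_text("id,amount\n1,999\n")
        drifted = root / "backup-drifted.tar.gz"
        create_backup(src, drifted)
        drift = verify_restore(drifted, manifest)

        # Case 3: the archive lost most of its bytes (damaged media, interrupted copy)
        truncated = root / "backup-truncated.tar.gz"
        truncated.write_bytes(archive.read_bytes()[:64])
        trunc = verify_restore(truncated, manifest)
    return clean, drift, trunc


if __name__ == "__main__":
    for name, result in zip(("clean", "drifted", "truncated"), drill()):
        print(f"{name}: {'OK' if not result else result}")
```

The drill restores into a directory that did not exist before the test, which is the closest a script can get to “HQ and the data center are down”; the same function can be pointed at an archive pulled back from offline media to confirm that the copy you would actually rely on is readable and complete. The manifest is what turns “the archive opened” into “every file is the one we backed up”.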
Security tip for December 11: It’s important for wellbeing and security that organizations and employees build in a level of segregation to keep professional and personal lives as separate as possible.
With working from home looking to continue, we see a disappearance of boundaries between corporate and personal devices, apps and even time. This makes the segregation of professional and personal lives vital. That way, if an employee is breached at a personal level, then the impact doesn’t spread to the organization, and vice versa.
Javvad Malik, security awareness advocate, KnowBe4
Security tip for December 10: Always look for ways to say “Yes” to a security request, rather than defaulting to “No.”
By putting yourself in the shoes of the user, understanding their motivations, end goals and the importance of the task at hand to them (and not you!) you will be able to see the potential benefits that your role as the custodian of information security for your organization can bring. Making this happen is simple on the face of it, but is actually a little harder to implement in reality. Focus your efforts on making risk-based decisions rather than policy-based decisions. The policies are there as a backstop, not as an inviolable rulebook. This risk approach also means you stop being the ‘police’ force of the organization and rather become the trusted advisor. A simple change, but one that has an impact nonetheless.
Thom Langford, security advocate, SentinelOne
Security tip for December 9: Good corporate communications after a data breach can have a significant impact on a business’ reputation and bottom line.
Security is about effective prevention of attacks, but it is also about robust reaction if an organization falls victim. As data breaches become more commonplace, there will be an increase in importance of approaches towards corporate communications and public relations after events. This will make a difference for many organizations regarding whether they are able to weather the storm or if they are forced out of business. Recently, I conducted a critical study into this area, and it is clear that this is an area that is often overlooked by organizations. This oversight will hit businesses hard in the coming year if they are not prepared.
Dr Jason R.C. Nurse, associate professor in cybersecurity, University of Kent
Security tip for December 8: Scale up cybersecurity awareness, behavior and culture in your organization with a cybersecurity champions program.
A successful cybersecurity champions program can expand your reach, facilitate a two-way conversation between security and the rest of the organization and harness social proof to influence positive security behaviors. Inspire champions with incentives, put in place a plan for their training and development and don’t overlook the importance of pre-empting pitfalls.
Dr Jessica Barker, co-founder and co-CEO, Cygenta
Security tip for December 7: Remember to focus on risk prioritization specific to your company’s resiliency requirements.
In the current environment, new and updated threats are coming fast and furious and it can quickly become overwhelming trying to keep up on a day-to-day basis. By starting with a focus on resiliency for relevant services, you can help ensure the right prioritization against the maelstrom of threat activity.
Becky Pinkard, CISO, Aldermore Bank PLC
Security tip for December 6: Understand your information flows as they pertain to accounts payable and accounts receivable.
No matter how big or small your company is, any direct financial attack will affect these processes. Think outside the box, talk to colleagues, look at other attacks and understand how all of that could be applied to you and how you can implement controls to prevent attacks from happening. Don’t focus on the information security controls; instead, focus on the basic financial separation-of-duties controls.
Quentyn Taylor, director of information security, Canon Europe, Middle East and Africa
Security tip for December 5: Cybersecurity awareness training is a must for remote workers to understand cyber-attacks, best practices and to use their IT and cloud collaboration tools safely and securely.
NTT’s 2020 Intelligent Workplace Report revealed that 76.9% of organizations are finding it more difficult to spot IT security or business risk brought about by employees when they are working remotely. Yet, only 42.8% of organizations provided remote working training, which makes it challenging for both employees and employers to secure their IT assets and protect their brand, reputation and trust.
Organizations should provide cybersecurity awareness training for remote workers and employees to go back to their office at least semi-annually, and senior leadership also should send out a message across their organization to support such cybersecurity efforts for business continuity and risk management.
Mihoko Matsubara, chief cybersecurity strategist, NTT Corporation
Security tip for December 4: Embrace change and use 2020 as a security springboard for your organization next year.
2020 has been a year of upheaval, adaptability and ad hoc measures in many ways when it comes to security. Use it as a springboard to accelerate your infrastructure and security plans to give you the elasticity, scale and speed that your business needs to thrive in 2021. Stop plugging the holes in the buckets you have and take the time to build a continuous, cross-platform, cloud-native security capability.
Rik Ferguson, vice-president security research, Trend Micro
Security tip for December 3: Organizations will have to change how they prioritize cybersecurity risks in order to adapt to the changing workplace environment.
Many organizations were forced into remote working while lacking the proper security and technology implementations. Some organizations are choosing to remain remote, indefinitely. Others are preparing for the unknown. This means, regardless of preference for where employees physically work, there need to be long-term solutions to address the lack of security via ISPs, accidental data loss and adapting training and awareness programs to consider remote working.
Talya Parker, cybersecurity, privacy and risk management executive
Security tip for December 2: Use multi-factor authentication (MFA) wherever possible.
Passwords will be with us for a long time to come but we all know total reliance on passwords is flawed. Organizations can mitigate some of the problems associated with passwords by allowing/enabling the use of password managers. However, use of password managers is still building and it is not a magic bullet, so use of MFA is the obvious way to prevent attacks such as credential stuffing.
Using MFA is quite simple – make it a standard operating procedure that users should enable when using services. Most systems found on the desktop these days enable organizations to mandate MFA through the use of security policies. The second factor can be SMS, as this is better than nothing, but we know these have drawbacks and some vulnerabilities. Most authentication systems allow the users to have a mix of second factors: phone, security keys, authentication apps, etc. I’d recommend that these are all enabled. Also, the easier it is for users to use, the more likely it will be used by them.
Professor Alan Woodward, visiting professor, University of Surrey
Security tip for December 1: Focus more on the mental health of staff to help support them through difficult times and working remotely.
Mental health issues will be on the increase and this could have a detrimental impact on security. Employers and security leaders will need to focus more on the mental health of their staff. Emotional intelligence should be an essential soft skill for all employees.
Chani Simms, founder, SHe CISO Exec. and Meta Defence Labs