The effects of COVID-19 on society and global business have been both vast and abrupt. Many are entrenched in the ongoing struggle of operational shifts. According to Dr. Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, it is likely the pandemic has not even hit its peak. From what we’re seeing, most organizations rapidly adapted and were able to “make this work” for the immediate needs. The big question now: in your effort to transition your business, did you unknowingly expose your organization to an increasing volume of attacks? Did these quick changes introduce new vulnerabilities or exacerbate existing ones? In your efforts to meet changing business needs, did the threat landscape just expand beyond your organization’s visibility and control? The true answers to these questions are likely unknown. Now is the time to engage your cybersecurity partner for a holistic cybersecurity posture assessment.
The adversaries have ramped up their campaigns since the beginning of this year, taking full advantage of COVID-19. Google stated they saw a 350% increase in active phishing websites since January. RiskIQ’s scan of new websites with coronavirus-related keywords showed an increase of 317K created during a two-week period between March 9th and the 23rd, while ZDNet, scanning these same websites, found roughly 90% to be malicious or fake. FireEye recently observed the Chinese APT41 organization execute one of the broadest cyber espionage campaigns observed in recent years.
There are numerous ways to validate your organization’s cybersecurity posture. One such option is attempting to conduct a review internally, which should provide insight into systems exposed to the public. Internally conducted assessments also leverage the tools and processes already in place to scan these systems at defined intervals, including after major changes. This is great for general hygiene, and the effort can be performed more frequently to validate patching and change management processes. However, independent third-party assessments are highly recommended, often required, and leverage proven tools and highly experienced resources. Statistically, these engagements are often more successful at revealing previously unknown vulnerabilities or weaknesses. Third-party organizations offer experts with advanced training and additional tools for maximum intended efficiency and effectiveness to find and validate vulnerabilities. Furthermore, outside evaluators can objectively review your environment, thinking like the adversary, without possibly overlooking small details due to familiarity. Internal resources are often inexperienced, more delicate with their approach and more focused on other tasks pertinent to their position.
If you’re considering outside experts, Sayers has developed a comprehensive assessment strategy geared towards the recent growth in Work From Home (WFH) users. Sayers can evaluate the full lifecycle of an employee working from home accessing all available resources. This would include the endpoint, Virtual Private Network (VPN) and communication channels, Virtual Desktop Infrastructure (VDI), network, application, cloud, SaaS, identity, Zero Trust Architecture (ZTA), and more, leveraging guidelines like those from NIST, including the recently published bulletin for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, along with other standards, guidelines and frameworks. Security is not focused on one area; it has to be right in all areas, whereas the adversary only needs to be right once.
Another approach is to leverage an emerging technology known as Breach and Attack Simulation (BAS). While not a replacement for third-party vulnerability assessments and penetration testing, it can provide significant insight and value to your security program. BAS runs through a comprehensive hacker’s playbook, more than what one individual would be capable of performing, on a continuous basis: monthly, weekly, or even daily. It automatically validates network security, both north-south and east-west, and endpoint security, ensuring that as application and firewall changes are being made, your organization is not introducing any novel risks.
Lastly, organizations can leverage crowdsourced services. While it may sound public and unvetted, this is a very modern and secure method with highly skilled resources who have been rigorously scrutinized. The major reasons for considering this type of option would be the available skill of these talented individuals from all over the world, working remotely, to assess and validate the security of your network and applications. Consider the enormous and varying amount of talent that your organization will have access to without employing them. These crowdsourced services record all activity, including every keystroke from each resource, being performed on your network. After any finding, it is validated and documented for your review and resolution. Also, did I mention this is a service? It’s continuous.
With the recent growth of work from home and the necessary steps that were quickly taken to accommodate it, now is the time to assess. All options provided are viable steps to assessing your current security posture, but Sayers would encourage you to consider third-party validation with experienced and available consultants in this field. If you already have an existing relationship, now is the time to engage with them. If you are looking for additional consultation on this or any cybersecurity topic, one of our Sayers associates would be very happy to jump on a call and discuss our program options. Multiple forms of security verification are highly recommended and complement each other with an important balance of People, Process and Technology.