Consumers are increasingly wanting to engage with organizations using social media and SaaS tools. I love being able to order dinner for the family with a few taps using my nearby burger restaurant’s mobile app. My city government is using a SaaS web application to manage permits. These tools should, and likely will, become the norm for doing business. However, the downside of this is that, with the acceleration of digital transformation, threat actors have a rapidly expanded attack surface to exploit for espionage or profit.
Organizations have also added new office tools, like IoT devices to monitor for viruses and reporting tools to track vaccine status. Companies that were on legacy productivity applications have moved to cloud-based tools. While our business tools have also become more flexible, our intellectual property and customer data is in the cloud to stay. Organizations did not transfer all cybersecurity risk to the SaaS vendors; instead, we gained the insider threats and vulnerabilities of these vendors.
Many of us are relearning the skills we used to secure our devices at airports and coffee shops with resumed business travel. The complacency over our personal and corporate devices while working from home must be reversed.
How do we retain and enhance customer and employee experiences and manage the new cybersecurity risks? In short, zero-trust, threat intelligence and attack surface management are the keys to accomplishing those goals.
Zero-trust is more than a buzzword. It’s a policy in the U.S. federal government. Security and IT leaders see a lot of dollar signs when vendors start talking about zero-trust. You can start your zero-trust journey for relatively little investment—but it’s just a start, not your end state.
● Segregate privileged accounts. At a prior job in critical infrastructure, we had separate credentials for administering servers or ‘crown jewels.’ If you can’t afford a privileged access management tool, use a commercial password manager.
● Use modern password standards for little cost. Toss out the old password standards that used all character types, disallowed any words in the dictionary and mandated regular changes. Turns out we’ve been doing passwords wrong for decades. NIST updated its digital identity guidelines acknowledging these truths. My favorite XKCD comic explains how to create a memorable passphrase that is very hard to hack.
● Kill the VPN. Rather than requiring employee devices to connect via a corporate VPN, require authentication to all applications, preferably via SSO and MFA. Beware, though—threat actors regularly exploit vulnerabilities in VPN gateways and use compromised credentials sold by initial access brokers in the underground economy to log in remotely.
● Start from a ‘disallow all’ policy for servers and network appliances. All networks are untrusted in a zero-trust world. Allow communications to only the infrastructure needed for the server or tool to meet its business functionality. With such a strategy, you can avoid becoming a victim of a supply chain compromise, as the connections to an adversary’s infrastructure aren’t on the allow list.
Threat intelligence is about supporting the tactical and operational decisions of security and risk leaders assessing the intent of threat actors in the physical world and cyberspace.
● Listen empathetically to your stakeholders to determine what business processes and technologies are most valuable to the company (if you don’t have priority intelligence requirements already).
● Support vulnerability management teams. Use the visibility from external attack surface management to prioritize assessment of risks from vulnerability exploitation.
● Support brand and executive protection. Not all impersonations or mentions of your brand and VIPs are significant. Use threat intelligence to assess the severity of the threat and provide recommendations to reduce risks to the brand’s reputation and the safety of people and property.
Attack surface management is the process of continuously discovering, identifying, inventorying and assessing the exposures of an entity’s IT asset estate. That attack surface includes all the mediums where your business works with customers, partners, and employees like social media, career sites, and cloud providers.
● Re-baseline your external and internal attack surface. Your baseline in January 2020 will look nothing like it does today. External attack surface management vendors report on average that prospects have 30% more assets in the cloud than they realized.
● Continually monitor your attack surface. Think like the threat and proactively find exposures. Accurate hardware and software inventories are critical to the success of every strategy, including zero-trust.
● Use external attack surface management tools to prioritize threat intelligence collection and analysis. Pay particular attention to any mentions of exploits to those technologies.
● Install and tune security controls on all employee devices. The fluid nature of businesses has placed additional pressure on the IT team to provide computers and software to the remote employee base. Use biometric authentication on user laptops to reduce the login burden; go passwordless.
Innovation is Not Without Cybersecurity Risks
I’m excited about all the innovation and digital transformation taking place. But all this new technology is not without cybersecurity risks. Security pros can enhance employee and customer experiences, maintain trust and reputation, reduce breaches and maintain compliance with smart strategies based on zero-trust, threat intelligence and attack surface management.
by Brian Kime on September 14, 2022