How to handle security controls in the new normal
April 23, 2020
The last month has seen a fundamental change in workforce demographics, which means that maintaining security controls is also subject to change. So let’s take a look at how to hand security controls in the new normal.
With millions of employees now working from home, ‘shelter in place’ and ‘social distancing’ orders become the norm across the globe. Like most parts of the business, security teams had little to no warning about this step-change. So being able to support this ‘new normal’, as well as dealing with the evolving threat landscape, is a huge challenge. Now more than ever they need to walk a very fine line in order to balance the business’ needs to stay afloat in challenging financial circumstances, whilst also being able to withstand both ‘typical’ and emerging threats.
Employees need fast access to data and systems – without which the business can suffer – but the risks of cutting corners and opening up the opportunity for a breach cannot be understated. This could inadvertently bring about the same outcome a few months down the line. What’s more, security teams need to balance reducing risk with usability of the solutions they provide. As ever, locking everything down too tightly will only tempt employees to try and find workarounds so that they can do their jobs, an effect which is likely to be exacerbated when everyone is under increased pressure and trying to adjust to the situation.
Although focusing on security ‘reporting’ may seem like an unusual recommendation when the pressure is on, maintaining security controls using a Continuous Controls Monitoring programme is as critical as ever. Risk appetites may well need to be revised to enable BAU to continue. It’s important to provide enough data-driven insight for leadership to do this with all the facts in their possession. It also enables security teams to maintain good visibility of where there are any pre-existing control gaps, or where new ones are emerging. It will also allow continuous reassessment of priorities as the situation develops. After all, now is not the time for monthly manually compiled security and risk reports.
The key to effective control monitoring right now is reprioritisation
There are not really any new controls that have suddenly become important at this time of global upheaval. We still need to focus primarily on good security hygiene, but the relative focus of these activities is likely to be different. The best way to assess this focus is based on the businesses’ remote work maturity and how much of a fundamental change this new setup will represent.
There are some businesses that already operate a remote-first model. These organisations will be in the best position in terms of secure access to data and apps and their control priorities will likely remain largely unchanged. So they will need to focus primarily on how the threat landscape is evolving.
Given the focus on virtualised infrastructure, this is at greater risk of becoming a target for attackers. This means that while vulnerability management remains a key element of security BAU, patching of servers that support virtualised infrastructure (e.g. VPN, RDP) must become a strategic business priority, as well as preparing for the possibility of DDoS attacks on some of these services.
Phishing campaigns, already one of the main vectors for breaches, are also more likely to succeed as workers are under additional stress and they may be distracted by the current situation. There’s already been a profusion of COVID-19 themed malicious websites, tracking apps and SMS notifications which further prey on people’s fears, so keeping a focus on user awareness measures is key.
For those businesses whose staff primarily work onsite there are going to be a multitude of hurdles. The focus for these will simply be on providing remote access first and foremost, in the quickest and most secure way possible. Any existing remote capabilities are likely to be under increased load and may not be sufficient to support all remote workers.
Who can, and should, access what?
Some additional access may need to be granted as working processes necessarily change. It may be the case that collaborative groups have been split up or people are no longer co-located with the machines from which they normally access data or services. There will need to be careful consideration about what changes to IDAM and PAM policies may be needed. Similarly, ensure privileges are kept to a minimum where possible as they may need to be expanded elsewhere.
More emphasis may need to be placed on measures such as password reset frequency, removal of stale accounts, unused admin credentials and leaver access. A close eye should also be kept on measures of admin access granted and coverage of additional protections like MFA. And, of course, whatever mode of access is being used, there’s also home networking security to consider – is your employee’s home router securely configured?
Then there’s the hardware itself
Another key aspect of maintaining security controls is the devices themselves. Endpoint hygiene and inventory of managed and authorised devices are very much security ‘bread and butter’, but the controls on these may well need to be reshaped to better reflect current circumstances. There are, broadly speaking, two areas to examine here:
1) employees who have managed corporate laptops.
2) employees who will need to be given permission to use personal devices (at least in the interim).
Both of these present their own challenges, particularly when combined with the increased threat of social engineering and SSO or other forms of remote access potentially providing the ‘keys to the castle’.
In the first scenario, the main concern is whether corporate laptops are behind on updates, possibly just dusted off after being sat in someone’s desk drawer for months after occasional business travel usage. Can they effectively receive these updates (and future ones) when they are not connected to the corporate network? It’s also likely that security SLAs on these laptops should be tightened. An update every 30 days may have been sufficient when they were occasional use devices but now these are primary access points and should be treated as high priority.
In the second scenario, that is to say BYOD, there’s even less visibility over the security status of the device. Particularly if they are being rapidly enrolled in response to the current crisis. However, in addition to sending out user guidance on how to secure personal machines, there will likely need to be a focus on mitigations such as enabling cloud infrastructure policies that block access to resources if the user’s device is unpatched.
Then there are solutions such as partial-MDM (Mobile Device Management) where user’s devices are enrolled and partially managed by the organisation or MAM (Mobile Application Management) where containerised applications can maintain segregation between these work apps and the rest of a user’s personal device – or a combination of both. The latter approaches reduce the risks presented by the security status of the user’s personal hardware, but nothing is a silver bullet of course.
Whichever approach is taken it’s important to track measures that show the coverage of these solutions on user devices, and where visibility into device security is possible, ensure high priority is placed on measures that evaluate the timeliness of updates.
When we come out the other side
Because of this reshaping and refocusing of existing controls, security teams must be sure that as part of their controls monitoring effort that they also track the changes they are making and exceptions they are granting. Regulatory requirements won’t go away so it’s key that they can still demonstrate due process of why and how changes were made and what mitigations were put in place where necessary.
When we come out the other side, it’s important to be clear on what remediation programs need to be prioritised to get back to the previous security posture, or indeed to revise or surpass it based on lessons learned. There will also be an opportunity to keep some of the changes that have been made.
For example, why roll back all remote working capabilities? It could be highly beneficial for some of these to stay in place for business continuity planning and to reduce operational risk in future. However, it’s likely that some changes made in haste (necessarily) may need to be reviewed and refined – investing in tracking these now, and achieving clarity about where improvements will be needed, is crucial for saving time later.
Maintaining a controls monitoring program at this time is a valuable investment as it can help security and business leaders alike navigate the uncharted waters in which we find ourselves. It can provide an up-to-date, accurate view of security status in changing times, help keep in line with regulatory reporting requirements, and facilitate prioritisation of clean-up and retrospectives when the pressure has eased.
And the positive note in all this is that there’s never a better time to start than today. Even identifying 2-3 key controls based on your remote working maturity or areas in which you’ve experienced the most rapid change in working practices can be so helpful. Beginning to track measures for these now will pay dividends in the coming months and well after the crisis has passed.
If you’re interested in joining the conversation, check out our webinar on Continuous Controls Monitoring in uncertain times.