CISOs debate on the vulnerabilities, preparedness, best practices to follow and possible outcomes as they prepare to secure their WFH guidelines
The COVID19 pandemic and the total lockdown accentuated the Work From Home (WFH) norms for the industry. Though the nation is currently in various phases of unlock as restrictions are gradually lifted and offices are opening, albeit with limited attendance, everyone accepts that WFH is here to stay. With the health impact of the pandemic likely to continue for months, WFH will probably be the predominant component of a blended working model.
WFH in turn brings up a host of challenges, with security perhaps the most overriding one. No wonder then that when CISOs and CIOs from different industries put their heads together in the webinar on Securing Work From Home During and After COVID19, they not only discussed the vulnerabilities but were even more keen to focus on the solutions.
The panellists included Ashish Khanna, CISO, The Oberoi Group and Harish Chandra, CTO, Sarovar Hotels, representatives from the hospitality sector which has been significantly impacted in the current situation. Core manufacturing, another sector to have borne the brunt of the pandemic, was represented by Manzar Abbas, CIO, Rockman Industries and Himanshu Sharma, CISO, Dalmia Bharat Group. Kanishk Gaur, Director, Cyber Security, EY India, Africa & Middle East completed the panel.
WFH Opening up More Security Vulnerabilities
There are some critically vulnerable areas in WFH and Sharma focuses on network security first. Organizations have deployed multiple controls over the years and have been able to manage potential attacks. “We have been able to put multi-layer controls on our office networks and this was done to ensure that the threat vector is largely taken care of. But suddenly now there is a huge workforce that is working from home who are essentially either connecting via the home Wi-Fi router or the mobile hotspot. This means losing out on the great effort that IT guys have been putting in to secure our organizations and our office network,” reiterates Sharma as one key WFH vulnerability.
Today at home, employees are not only connecting to their offices, but they are connecting their home laptops, mobile phones, smart devices, smart TVs, smart lighting solutions, maybe monitors and what not. Now no one knows whether the right set of security configurations or password protection is enabled on those devices or not. These would be the backdoor route for any attacker to get through to the organization assets which are currently connected to homes. From the technology point of view, Sharma recommends the use of a strong VPN mechanism and multi-factor authentication, especially for users who are security administrators and are actually going to access whole systems to keep them up and running.
Another less appreciated vulnerability Sharma focuses on is the overwhelming amount of coronavirus-related material that is available online, be it in the form of applications, websites, web pages, and so on. Many security organizations have come up with the finding that almost 70 to 75% of the domains registered with the name coronavirus or COVID19 are malicious. This, he feels, is exploiting a basic human tendency. “If there is something going on across my city, across my state and globally, I need to know the information. So the hackers are actually playing on this human curiosity,” explains Sharma.
There is a huge campaign going on in the form of phishing e-mails, targeted e-mails or just a click on those coronavirus graphs and event pages. Organizations have to build a strong user awareness mechanism. In the background, especially on the mailing systems, the admin has to relook at the configurations of anti-spam, anti-malware and anti-spoofing. Anti-spam mechanisms then need to be activated so that mail passes through stricter checking on the e-mail system rather than standard sifting.
Security is a concern of everyone as of now, concurs Chandra, and he feels that in the hospitality business this is very different from IT, BFSI, energy, Government and others. “We are in the people business. We need to have everyone in office generally and very few people are supposed to work from home. Our industry was never prepared for this but somehow we managed the show. We are keeping an eye on our mail servers. We are checking all the databases, like those of customers and the other things. But cloud has really played an important role. Most of our things are on cloud,” he informs.
In the corporate offices, we have got a lot of security layers in switches, firewalls, antivirus, servers, but at home, all those things are not possible. A home Wi-Fi connection is not safe. What the hospitality industry has done is create a document guiding the GMs of the hotels and all the road warriors at the moment to ensure that they switch off their PCs when not in use. They also switch off the Wi-Fi when it is not required. There are rumors that Zoom is not safe or XYZ is not safe, and that Teams or Google Hangouts is better. People have different concepts, different understandings. So CISOs keep on educating them by sending different mails.
Now a lot of phishing mails are arriving that talk about Corona or claim to be from someone at the WHO. Everyone is trying to fool people now. The best part is that CISOs should make sure they educate all the road warriors or corporate employees who are laptop users to switch off the laptop, and make sure that they do not go to any website or any message which can put them into some sort of honeytrap.
Are CISOs Geared up For the Challenge?
These are very different times, but it sets the onset of a new normal. And this is the way we are going to operate in the time to come, asserts Khanna. The metrics of security up till now for any security organization have been ensuring the CIA. CIA basically meant confidentiality, integrity and availability, in that sequence. But with this new culture coming in, that entire metric gets inverted, wherein availability takes over from integrity and confidentiality, and the people who are ensuring the security landscape of an organization should be aligned with that goal.
COVID19 has been the biggest digital transformation hook for an organization and the move towards digitization. But from a security standpoint, it brings different dynamics. “Up till now, our focus has always been to ensure the perimeter security and the endpoint security. This approach needs to change now and we need to look at a new framework like Zero Trust based access for people to your data centres,” explains Khanna. Only need-based access should be given to people instead of having open access available for anybody to sprawl around your data centre. “We should only move towards SL and DL based communication rather than open tech space, or data exchange,” he adds.
Khanna also advises putting a lot of emphasis on ensuring that the end user is part of this whole journey. A collaboration culture is being brought in to ensure that in this entire process the end user is there along with the CISO. “On one side you can take the tools and systems of the organization from X level to Y level, but if your user still remains at the understanding of X level, like clicking on a phishing mail and providing their credentials, then that is the biggest mistake which can cripple the entire system of the organization. What we are doing in this whole process is collaborating with end users and ensuring that they are aware of the new threat landscape which is coming up alongside COVID,” opines Khanna.
Gaur feels it is very important that you carry out red team assessments before anyone else tries to hack you, and it is important that you carry out that exercise yourself. Very few companies carry out red team assessments, but that is very much important. He also advises CISOs to carry out phishing simulations which involve end users. So once a phishing exercise is carried out across the organization, you have to involve end users to make them aware: how many of them actually clicked on different links, who was the weakest link, and what they need to do as best practices.
CISOs need to come up with a remedial measure where people have to undergo training. This could be self-assessments, a quiz or a certain webinar they have to undertake to know more about security. Last but not least, the Dark Web is accessed by hackers. But it is very important that enterprises also start accessing the Dark Web to find out whether their credentials are leaked or not, because whatever gets leaked is available today on the Dark Web, and people want to sell it for bitcoins. So it is very important for CISOs to treat this as threat intelligence, to find out if the company’s credentials or sensitive information are already lying there, and then what they can do to safeguard them. Do you need to change your passwords? Do you need to change your controls? Do you need to implement a new security policy or a strategy?
Threats basically remain the same but the vector and magnitude have changed, feels Abbas. Now there is a need to protect from the outside threat as well as the internal threat that has always been there. So nothing has changed; only the security paradigm has shifted. It will be helpful to have advanced threat protection and to make employees aware of phishing mails and donation scams. There also has to be regular patch management, especially on collaboration tools like Zoom.
We have very recently seen a lot of UNC path injection and similar issues come up. So those collaboration tools and other tools have to be patched regularly, backups need to be taken and two-factor or multi-factor authentication needs to be enabled. Also not to forget that while the entire organization is operating from home, including IT personnel, there is a data centre sitting out there. One has to ensure that data centre parameters are maintained, that temperature is maintained, and that the perimeter security and the peripheral security are all still treated as of paramount importance.
Security Automation Could be One Answer
Abbas raises another valid point from the CISO perspective. A large chunk of the time of CISOs and IT admins is now being consumed by manual activities like patch management, configuration management, data protection awareness campaigns, blocking of spammer IDs, IP addresses and, nowadays, suspicious MD5 hashes, and keeping an eye on security events as they unfold. “You have to keep an eye on different forums, different sites, different advisories like a cyber threat, to gather intelligence. So for sustained cyber security in case of work from home becoming a norm going forward, it would no longer be a manual domain for a medium to large enterprise because of the bandwidth consumed,” concludes Abbas.
It puts a lot of stress on the system to keep itself updated to that level, to that extent, monitoring the behavioral pattern and traffic transactions through the user computer which is being worked from home. There is definitely a need for automating cybersecurity, because home is now the new office. “We have seen that there is a tremendous increase in MS Teams users. Google Hangouts usage is 25 times higher. Zoom has garnered $35 billion in share pricing and all. I am talking about the collaborative tools because it gives us an idea about how and to what extent they are getting used. If we come to cybersecurity automation, the IT community already has analytical algorithms, which we are using very actively for prescriptive, suggestive and predictive analytics. But as of now, in the domain of information security, we have not done it to a large extent, but it has started now,” Abbas informs.
There is a tremendous increase in brute force attacks which are attempted on you but do not get through. Then there are the DDoS attacks. These are all the inputs to the core systems, to the core analytical algorithm. This analytical algorithm should, as an output, give CISOs the applicable cyber threat vector with its severity, the change management of internal demand and its implication. It should also cover the applicable scenarios of patching and blocking, including SAP Notes and patches. Initially this has to be given to CISOs with control through system admins: if the admin approves certain scenarios, they get implemented or applied automatically. Applying those particular patches can then be fully automated under that control. We have an ELK system, Elasticsearch, Logstash and Kibana, so that the database is being generated every day. We are able to record and keep historical records of all the events generated, and of the trends and behavior patterns of the threats as well.
So going forward in six months to one year, Abbas feels we should be somewhere with security automation as a very achievable point.
The Importance of Identity Management and Access Management
WFH or no WFH, Sharma thinks identity and access management are key controls in the information security domain. “But when we are especially talking about WFH kind of scenario, it becomes more crucial considering you open access to the public network. My system administrator may be accessing over a Wi-Fi or weakly configured Wi-Fi router. She/he is accessing the SAP server back at the data center. So this is essentially important,” he justifies.
Organizations need to adopt a Role Based Access Control (RBAC) mechanism and methodology ensuring that the philosophy of least privilege access applies by default. Even if you are at the Executive Director level or a system administrator, by default the least privilege access methodology needs to be put in place. In addition to that, we have to pay close attention to potential attacks, especially suspicious traffic from strange locations. Nobody is travelling these days. So we have to have some kind of monitoring system in place for any suspicious attempts of a wrong log-in or failed log-in attempts, and take the necessary actions whenever blocking is required.
After identity and access management, rights management is equally important. Gone are the days when the data you contributed was only accessible on BlackBerry or organizational devices. The data is now available anywhere and everywhere. So you need to have a mechanism to first authorize the right set of people, with some kind of identity and access management system ensuring that it covers all applications. Plus, we have to also take into consideration some monitoring to be put in place. If somebody is trying to download certain data or somebody is trying to access certain pages, certain applications which are more complex, there needs to be monitoring. Was it a legitimate attempt or was it a script running behind? So a framework that combines monitoring tools and timely action is the need of the hour.
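As an added example (not from the webinar or any of its panellists), the failed-login and strange-location monitoring Sharma describes, together with the brute-force signal Abbas feeds into his analytics, written as a small Python detector over constructed auth log lines. The user names, countries, window and threshold are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real data): timestamp, user, outcome, source country.
SAMPLE_LOG = """\
2020-06-01T09:00:01Z sysadmin01 FAIL IN
2020-06-01T09:00:04Z sysadmin01 FAIL IN
2020-06-01T09:00:07Z sysadmin01 FAIL IN
2020-06-01T09:00:10Z sysadmin01 FAIL IN
2020-06-01T09:00:13Z sysadmin01 FAIL IN
2020-06-01T09:00:16Z sysadmin01 FAIL IN
2020-06-01T09:00:20Z sysadmin01 SUCCESS IN
2020-06-01T09:05:00Z finance02 SUCCESS IN
2020-06-01T09:06:00Z finance02 SUCCESS BR
2020-06-01T09:30:00Z gm_hotel7 FAIL IN
2020-06-01T11:30:00Z gm_hotel7 FAIL IN
2020-06-01T12:00:00Z gm_hotel7 SUCCESS IN
"""

# Assumed baseline: the countries each user normally logs in from. With nobody
# travelling, any successful login from outside this set is a "strange location".
BASELINE_COUNTRIES = {"sysadmin01": {"IN"}, "finance02": {"IN"}, "gm_hotel7": {"IN"}}

FAIL_THRESHOLD = 5            # failures within WINDOW that count as brute force
WINDOW = timedelta(minutes=10)


def parse(line):
    """Split one constructed log line into (datetime, user, outcome, country)."""
    ts, user, outcome, country = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, country


def detect(log_text, baseline, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (rule, user) alerts, in event order:
    brute_force            - threshold failures for one user inside the window
    success_after_failures - a success while that failure burst is still recent
    unusual_location       - a success from a country outside the user's baseline
    """
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures within window
    already_flagged = set()            # avoid one alert per extra failure
    for ts, user, outcome, country in (parse(l) for l in log_text.splitlines() if l.strip()):
        # Drop failures that have aged out of the sliding window.
        fails = [t for t in recent_fails[user] if ts - t <= window]
        if outcome == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and user not in already_flagged:
                already_flagged.add(user)
                alerts.append(("brute_force", user))
            recent_fails[user] = fails
        else:
            if len(fails) >= threshold:
                alerts.append(("success_after_failures", user))
            if country not in baseline.get(user, set()):
                alerts.append(("unusual_location", user))
            recent_fails[user] = []    # a success closes the failure burst
    return alerts


if __name__ == "__main__":
    for rule, user in detect(SAMPLE_LOG, BASELINE_COUNTRIES):
        print(f"ALERT {rule}: {user}")
```

The two slow failures for gm_hotel7 fall outside the ten-minute window and so raise nothing, which is the distinction between a forgotten password and an attack that such monitoring has to make.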
Difficulty of managing and monitoring remote workers in WFH
It is complex, but not difficult provided you have the right tools and the data visibility available, and then Khanna feels it can be managed pretty well. If you do not have a source of visibility into what is going on in the network, who is connecting when and from where and on what device, then it is a problem. You have to see what the device posture is while it connects to your infra. Is it as per the standard benchmark which you had set, or is it coming with a legacy set-up? For example, is it a Windows XP machine connecting to your intranet over a VPN connection, or a machine without antivirus or the latest patches? “I think as long as you have the right set of tools available, which can give you visibility of data streams across the connectivity of people who are coming and getting served from your data centre legitimately, then it is not very complex,” sounds a confident Khanna.
On the end-user side, there are certain complications which keep coming. For example, a desktop user at home who does not have a UPS, or Internet connectivity issues on the end-user side. Khanna agrees those are operational issues which are certainly there, because at the same time you are trying to connect and work on the enterprise applications while your kids are doing their online classes and your family is trying to watch Netflix on the same Wi-Fi connection. How do you manage that complexity?
Various organizations have taken different approaches toward it. Some organizations have gone ahead and given credits to people to just go and buy a new Internet connection dedicated to office use. Others found that enterprise applications are only served on Windows 10 Pro machines while the organization had given people only Windows 10 standard machines, so they gave a one-time credit to people to update their Windows 10 standard to Professional to ensure that organizational compliance is in place. But these strategic decisions can only be taken once you have visibility of what is running on the network and what challenges you are up against. If you have visibility of that entire data, this is not very complex, he feels.
In WFH, BYOD is the only answer, asserts Sharma. Those restrictions of do not take photos, do not do this, buy only BlackBerry, those days are gone, he feels. We can load mobile device management applications so that we know that whatever company information is there is not transferred to the personal side. They can be two different boxes, one for official use and one for personal.
Now, work from home needs a special security architecture. Home to office or to cloud, security at the end point is very important. Generally, most organizations focus on connectivity internals, VPN, etc. But without control at the end point, they are all useless. Once on the Internet, it is open to hackers. Another point is what if the user who is accessing critical applications saves data on the end point and takes a copy while working from home? There has to be some control to regulate this. So, post COVID, many new changes will happen to secure users whether they are in the office at one moment or a road warrior somewhere the next.
Cloud Access Security Broker, also known as CASB, acts as a security control point for cloud based applications. Going beyond security, it is essential to quantify the productivity of users to find over- or under-utilization of applications, say, to save by optimizing licenses per user. We can check whether a user is actually working, how much time he has spent on an application. A lot of appraisal can be done based on his work on applications. This can help organizations to know who is really performing or not. Today, IT can help in reducing the cost of operation by assuming that the maximum workforce can work from home. The workforce can be monitored with the help of automation as long as we can assure them that regulatory requirements of data security are met and make application usage utilization based.
WFH Forcing Changes in Security Policies
The entire world has completely activated the BCP as never thought of. “We are currently living in an era of BCP. This is the start of a new normal. Work from home has actually shifted the whole paradigm. We, as IT security personnel, used to think about security in a way that has now shifted. We held the model of the CIA triangle close to our heart. Now we see that during the initial days when the lockdown was activated, the entire triangle was inverted. So everybody huddled together and they started putting it in order as first availability, second integrity and third confidentiality,” informs Abbas.
The IT community has put together the best hands and they have come out of those initial days wherein AIC was becoming the norm. Now CISOs have started focusing on the window of threat vectors which hackers are going to exploit, and they are trying very meticulously. We have seen recently a tremendous amount of hits coming in from certain countries. A very potent malware like MES has been unleashed that uses other vectors and other aspects of the system. The IT community has been quick to react and become proactive in blocking these attempts. Abbas would like to attribute it partially to the benefit of the flexibility of work from home.
Initially, the focus of the entire industry, be it information security or OT security, was completely built upon perimeter security. A certain small chunk was on data or mobility security against theft. Now the paradigm is shifting from perimeter security to building security around the data. We have to check the data wherever it is, second how it is transmitted and third where it is transacted. These are the three places at which we need to look at the data. There are two places, two avenues, from which to address the security aspect. One is the user end, and they are operating from home currently. The other is the IT infrastructure where your largest chunk of servers, your applications and ERP are running, maybe on cloud or on-premise.