Since the COVID-19 pandemic drove workforces home, we’ve seen security risk rise across the board: more phishing and spear-phishing, a growing reliance on third-party DNS-over-HTTPS resolvers that take DNS traffic out of the enterprise resolver’s view, and sophisticated nation-state operations like the one that hit SolarWinds.
The gap between what organizations are trying to protect against and where the threats are actually lurking continues to widen and threatens to overwhelm security teams. In response, I see trends such as buying AI/ML security products or security-motivated cloud adoption accelerating.
Given that the sophistication of exploits is constantly rising, security strategies shouldn’t be based on point-in-time trends. Instead of betting on a promising new technology solution, leaders must be constantly looking for evergreen ways to reduce risk.
That means not only looking at their security stack, but at their organization-wide policies, processes, controls, and so on, to reduce risk based on their organization-specific risk framework.
With that in mind, here are three timeless, practical approaches to reducing risk that will pay dividends:
Make the most of smart policy enforcement (many don’t)
In the case of the SolarWinds attack, affected organizations let Orion do the threat actor’s bidding for months, virtually undetected. This software is both predictable and highly privileged, and it left a hint, in the form of DNS queries, that it was behaving suspiciously.
As server software whose traffic is not driven by users, Orion can be expected to resolve a small, stable set of domains. Once compromised, it resolved an additional domain that was not in that set.
The affected organizations didn’t catch on because they had not put policy controls, such as an allowlist of expected destinations with alerting on anything else, around even their most critical infrastructure.
The lesson here is that regardless of the sophistication of your security stack, there are common-sense steps that ought to be taken.
No database or application server should be resolving a domain it has never contacted before. The same goes for the smart devices on your network: security cameras, aquariums, point-of-sale terminals and the like. At the very least, when one does, someone should look into it.
The purpose of all this is to reduce the size of the haystack that security teams must sift through to both detect and then remediate attacks.
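The DNS check described above, as an added example that is not part of the original article: it parses a few constructed, BIND-style resolver query-log lines, maps the client IP to a server name, and flags any query that falls outside that server’s baseline of expected domains. The host names, IP addresses, domains and baseline are all made up for illustration.

```python
"""Flag DNS lookups from server hosts that fall outside a per-host baseline.

Added example, not from the original article. The log lines, client-to-host
mapping and baseline below are constructed for illustration.
"""
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed mapping from resolver client IP to server name.
CLIENT_HOSTS: Dict[str, str] = {"10.0.1.5": "db01", "10.0.1.9": "monitor01"}

# Constructed baseline: each server may resolve these domains and their subdomains.
# In practice this is learned from a quiet window or declared by the service owner.
BASELINE: Dict[str, Set[str]] = {
    "db01": {"ntp.example.internal", "updates.vendor.example"},
    "monitor01": {"ntp.example.internal", "monitoring-vendor.example"},
}

# Constructed resolver log lines in a BIND-style query-log layout.
SAMPLE_LOG = """\
10-Jan-2021 03:14:07.001 client 10.0.1.5#51324 (ntp.example.internal): query: ntp.example.internal IN A + (10.0.0.53)
10-Jan-2021 03:14:09.112 client 10.0.1.9#40211 (api.monitoring-vendor.example): query: api.monitoring-vendor.example IN A + (10.0.0.53)
10-Jan-2021 03:15:40.540 client 10.0.1.9#40212 (x7k2m9q4b1.cdn-sync.example): query: x7k2m9q4b1.cdn-sync.example IN A + (10.0.0.53)
10-Jan-2021 03:16:02.003 client 10.0.1.5#51330 (updates.vendor.example): query: updates.vendor.example IN AAAA + (10.0.0.53)
10-Jan-2021 03:16:05.777 client 10.0.1.5#51331 (cdn.updates.vendor.example): query: cdn.updates.vendor.example IN A + (10.0.0.53)
"""

# Pull the client IP, queried name and record type out of each log line.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, qname, qtype) for every parseable query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]


def in_baseline(qname: str, allowed: Set[str]) -> bool:
    """True if qname is an allowed domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in allowed)


def find_unexpected_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, qname, qtype) for each query a baselined server should not have made."""
    findings = []
    for ip, qname, qtype in parse_queries(log_text):
        host = CLIENT_HOSTS.get(ip)
        if host is None or host not in BASELINE:
            continue  # not a baselined server; out of scope for this check
        if not in_baseline(qname, BASELINE[host]):
            findings.append((host, qname, qtype))
    return findings


if __name__ == "__main__":
    for host, qname, qtype in find_unexpected_queries(SAMPLE_LOG):
        print(f"ALERT {host} resolved unexpected domain {qname} ({qtype})")
```

Of the five constructed lines, only one produces an alert: the lookup of a random-looking name under a domain the monitoring server has no business contacting. A subdomain of an allowed domain (cdn.updates.vendor.example under updates.vendor.example) is accepted, and a client whose IP is not mapped to a baselined server is skipped. That single alert, rather than every query, is the haystack the team has to look at.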
Don’t rely on the cloud to make up for poor process (many do)
Some organizations see migrating to the cloud as a way of creating greenfield environments that can be secured more easily than the tech-debt-laden on-premises network.
Yes, cloud adoption does have many security benefits. And, yes, the cloud does represent an opportunity to do things over better, with a greenfield architecture that has best practices baked in from the start.
But the absence of cloud-specific security processes and controls quickly eats away at the forecast risk reduction, and with it the value of the opportunity.
You should keep in mind that AWS S3 buckets are left unsecured and publicly available all the time. Developers have been known to leave (or hardcode) private keys and tokens in the most embarrassing places.
Personnel leave files unsecured and open to the public far too often. Publicly available endpoints are improperly segmented from private networks, sometimes creating an autobahn towards the on-premises network.
Many organizations don’t do a good enough job of monitoring activity in the cloud or the information flow between the cloud and the on-premises network.
While the goals of cloud security and on-premises security are the same, the design, tools, and methods required to achieve each are very different. The shared responsibility model only covers the provider’s half; unless an organization can actually execute its own half, the model does nothing for it.
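An added example, not from the original article, of the kind of control the cloud does not apply for you: a check over an S3 bucket policy document that reports Allow statements open to any principal, with the weak (public-read) policy beside a corrected one. The bucket name, account ID, role name and VPC endpoint ID are hypothetical, and the policies are constructed for illustration.

```python
"""Report S3 bucket policy statements that grant access to everyone.

Added example, not from the original article. Bucket name, account ID,
role name and VPC endpoint ID are hypothetical.
"""
import json
from typing import Any, List, Tuple

# Weak setting: anonymous read of every object in the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Corrected: reads limited to one role, plus a Deny for cleartext transport.
# The Deny names Principal "*" but removes access, so it must not be flagged.
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Open to "everyone" but narrowed to one VPC endpoint: needs review, not an automatic fail.
VPCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpceOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value: Any) -> list:
    """Policy elements may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _grants_to_everyone(principal: Any) -> bool:
    """True when the Principal element is the anonymous/any-AWS-principal wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_document: str) -> List[Tuple[str, Tuple[str, ...], bool]]:
    """Return (Sid, actions, has_condition) for every Allow statement open to everyone.

    has_condition=True means a Condition block narrows the grant and a human
    should review it; False means the grant is unconditionally public.
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are guardrails, not exposure
        if not _grants_to_everyone(stmt.get("Principal")):
            continue
        actions = tuple(_as_list(stmt.get("Action", [])))
        findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings


def is_unconditionally_public(policy_document: str) -> bool:
    """True if any Allow statement is open to everyone with no Condition at all."""
    return any(not conditional for _, _, conditional in public_statements(policy_document))


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY), ("vpce", VPCE_POLICY)]:
        verdict = "UNCONDITIONALLY PUBLIC" if is_unconditionally_public(doc) else "ok / review"
        print(f"{name}: {public_statements(doc)} -> {verdict}")
```

Statements with a Condition are reported as conditional rather than failed, because some conditions (a VPC endpoint, a source IP range) genuinely restrict who can reach the bucket while others (aws:SecureTransport) do not, and only a reviewer can tell which is which. This kind of check complements, rather than replaces, the account-level S3 Block Public Access setting; it is the process around the setting, not the setting itself, that organizations tend to skip.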
Begin to think you’re special (many don’t)
Too many organizations assume they carry less security risk than they do, on the false belief that they are not a target. However, if the brand equity risks of being used in a supply chain attack aren’t part of every CEO’s risk matrix, then the CISO hasn’t done a good enough job of educating their colleagues.
Threat actors may not care to directly harm smaller players along a supply chain. However, they are happy to use those smaller players as unwitting accomplices in harming their customers.
Sure, supply chain risk is still mostly managed via buyer-beware contract requirements, vendor audits, and penetration testing. Your organization, the unwitting pawn, may not carry direct liability for its part in harming its customers. It will, however, take a blow to trust with current and future customers.
CEOs should have an accurate understanding of all the risks to their organization, and that supply chain attack schemes – and resulting customer confidence, goodwill, and brand equity blowback – are often underestimated.
Certain CEOs (e.g., in the finance world) heavily weigh the impact of security risk on their business’ operations. Others, less so. Perhaps this is because the financial services industry has been so highly regulated, or because the finance industry has been a high-priority target for a long time already.
It’s up to security leaders to educate all CEOs of this threat.
Steps to reduce security risk in 2021
A summary of the tactical and strategic moves CISOs can make to reduce security risk:
- Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector for both attack and detection.
- Ensure that your cloud adoption strategy is coupled with sound cloud security policy and design.
- Educate your leadership team. “We aren’t a target” is equivalent to sticking your head in the sand.
While it’s impossible to prevent all incidents, the above are common-sense steps security leaders can take to reduce security risk. However, these recommendations are only a starting point (from the vantage point of a person who spends time in the worlds of networking and development, no less). You’ve likely got a number of further suggestions for timeless, practical security moves. Please, put them into action.