The global Coronavirus crisis imposes an increasingly strict quarantine policy on many economies. This policy, in its turn, gives rise to a surge of cyber attacks that target remote connection credentials as well as vulnerable personal devices and unprotected endpoints. This chaotic situation places a heavy responsibility on the CISO’s shoulders. This template captures in a concise, clear, and actionable manner all the essential practices that should be checked to ensure the organization’s cyber defenses can survive this challenging time.
The template is built on five pillars:
- Security Technology: a recommended list of product categories that should be installed and configured. The guideline in choosing these categories was an aggregated analysis of the Coronavirus related threat landscape gathered from multiple threat intelligence and attack analysis sources.
- Security Team: every team, regardless of size and dedication level, has a set of procedures to handle ongoing security operations routinely. These procedures must be at the very least refreshed, and in many aspects updated to address the specific IT and cyberattack changes.
- General Workforce: CISOs know better than anyone else that people are a far weaker link than machines. The built-in uncertainty that the Coronavirus brings makes people significantly more vulnerable to all sorts of social engineering manipulation. Awareness, education, and security drills are essential to arm your workforce against these rapidly increasing attacks.
- 3rd Party Service Providers: whether your organization performs all its security tasks in-house or not, it is definitely a time to consider outsourcing some of the more skill-dependent missions to a domain expert MSSP – or at least make sure that all IR and security management operations are adequately covered.
- Management Visibility: the organization’s executives must have full visibility both into the CISO’s efforts and into the actual security posture – is there an increase in attacks, do security teams and products operate as expected, has there been a breach and, if so, how was it managed and contained, etc. Every CISO must have the infrastructure to effortlessly produce these reports.
SECURE REMOTE WORK CISO CHECKLIST

| Pillar | Item | Check |
|---|---|---|
| Security Technology | MFA for remote connection | |
| | Malware protection on unmanaged devices (work and personal, if possible) | |
| | Installed software policy for unmanaged devices (Java, Flash, etc.) | |
| | Reevaluation of login policies + optional conditional access policies (based on time, geolocation, concurrent sessions, etc.) | |
| | Monitoring activity on cloud workloads (IaaS + PaaS) | |
| | Threat intelligence: IP reputation services | |
| | Set up granular remote connection policies, potentially restricting access to sensitive resources | |
| | Update DLP policies, considering unmanaged devices and exposed services (ensure these policies apply to both on-prem and cloud workloads) | |
| Security Team | Set strict monitoring procedures for remote connection to sensitive resources | |
| | Set strict monitoring procedures for connection to cloud workloads | |
| | Ensure there’s a well-defined IR procedure in place | |
| | Set a continuous vulnerability management process with focus on publicly exposed services | |
| | Set an emergency patching procedure | |
| General Workforce | Build and launch a dedicated security awareness program focusing on spear phishing, remote credential theft, and strong authentication | |
| | Define a trusted communication channel and ensure that all employees acknowledge that it’s the exclusive way to communicate (e.g. email, MSFT Teams, WhatsApp, etc.) | |
| | Define a mutual identification validation process between employees | |
| | Set up periodic security drills with social-engineered emails: credential theft; endpoint compromise | |
| 3rd Party Service Providers | Consider engaging with an MSSP if any of the above exceeds your resources’ capacity: security products deployment; security monitoring & management; workforce training | |
| Management Visibility | Generate periodic and on-demand reports showing: current security state (existing and trends); disclosed gaps and their potential implications; in case of attack: status and operation progress | |
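The conditional access criteria listed under Security Technology (time, geolocation, concurrent sessions) and the remote-connection monitoring item under Security Team can be checked against an access log. The following is an added example, not part of the original checklist; the log format, the policy values and the user names are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample of remote-access events (not real data); one event per line:
# <UTC timestamp> <user> <login|logout> <source country> <session id>
SAMPLE_LOG = """\
2020-04-01T08:05:00Z alice login US s1
2020-04-01T08:30:00Z bob login DE s2
2020-04-01T08:45:00Z alice login BR s3
2020-04-01T23:10:00Z carol login US s4
2020-04-01T09:00:00Z alice logout US s1
"""

# Hypothetical conditional-access policy: allowed source countries, permitted
# login window as UTC hours [start, end), and max simultaneous sessions per user.
POLICY = {
    "allowed_countries": {"US", "DE"},
    "work_hours_utc": (7, 19),
    "max_concurrent_sessions": 1,
}

def parse_events(log_text):
    """Parse log lines into dicts and sort by time (collected logs are often out of order)."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, country, session = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append({"when": when, "user": user, "action": action,
                       "country": country, "session": session})
    return sorted(events, key=lambda e: e["when"])

def evaluate(log_text, policy=POLICY):
    """Replay the log and return (user, session, reason) findings for each policy violation."""
    active = {}  # user -> set of currently open session ids
    findings = []
    start, end = policy["work_hours_utc"]
    limit = policy["max_concurrent_sessions"]
    for e in parse_events(log_text):
        sessions = active.setdefault(e["user"], set())
        if e["action"] == "logout":
            sessions.discard(e["session"])
            continue
        sessions.add(e["session"])
        if e["country"] not in policy["allowed_countries"]:
            findings.append((e["user"], e["session"], f"country {e['country']} not in allowlist"))
        if not (start <= e["when"].hour < end):
            findings.append((e["user"], e["session"], f"login at {e['when']:%H:%M} UTC outside {start:02d}-{end:02d}"))
        if len(sessions) > limit:
            findings.append((e["user"], e["session"], f"{len(sessions)} concurrent sessions exceeds limit {limit}"))
    return findings
```

Each finding is a candidate for the monitoring procedure rather than an automatic block: a second session from a new country may be a compromised credential, or simply a user who switched networks.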