Marc Ashworth, Senior Vice President and Chief Information Security Officer at First Bank, is a respected professional with over 25 years of experience in cyber and physical security, IT/security architecture, business and departmental strategy, budgeting, project management, author and a public speaker. He is a board member of St. Louis Chapter of InfraGard, Co-Founded the State of Cyber annual security conference, and a Lifetime member of FBI Citizens Academy. Possessing security certifications in CISSP, CISM, CRISC, and Security+, Ashworth currently oversees First Bank’s Information Security Department and the Network Services Department.
The COVID-19 pandemic has brought many challenges to all sizes of organizations around the world. During this time many companies have moved to a remote work force overnight. For many employees it may become permanent. IT staff scrambled to ramp up capacity and support for remote workers. Management is needing to learn how to manage and support remote staff. Sales teams are adjusting to video calls versus face to face meetings. All of these changes have to be monitored by corporate security teams. This has not gone unnoticed by criminals and nation state cyber teams.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have released alerts over the past 6 months warning organizations of dramatic increase in cyber-attacks and fraud. Some industries have seen a minimum of 400% increase in online attacks and over 300% increase in phishing emails. Many security teams are already understaffed and feeling the pressure of protecting corporate assets. The increased number of remote workers bring additional threats and risks that need to be managed by already stressed out security teams.
The risks to the increased online attacks can be reduced by a good vulnerability management program and patch management program. Consider categorizing systems based off of risk levels where the system is internet exposed and DMZ systems are a tier 1 system. Tier 1 systems should be patched quickly and configurations reviewed for misconfigurations. Service level agreements (SLAs) should be put in place for patching of these systems. Regular third party penetration tests should be done at a minimum annually if not more frequently. Consider an automated penetration test solution especially if there are frequent changes to the tier 1 systems or firewall configurations.
A good patch management program along with the proper oversight of the program is critical to mitigating vulnerabilities. It is a time consuming process to patch all of the routers, firewalls, servers and PCs. Many companies probably do not have test systems to verify patches for all systems. Therefore, validation of the patches are done in production. Over the past couple of years, the quality of patches coming out of manufacturers have been sub-par at best causing outages for some companies. One way to reduce manhours for patch are with automated patching systems. Automated patch management systems are newer to the market and can save employee resources while expediting patch installations and meeting SLAs.
Application allow listing is a great solution to provide server and end point protection. The solution prevents unwanted changes to application and system files. It can also prevent unwanted scripts from being executed. There is no AI needed, either the program is allowed to run or it isn’t. Centralized management of rules and authorize software installation points control what is allowed to run on your systems.
Application allow listing can take time to implement in a large environment, but it comes with multiple benefits. It has been my experience that time spent on malware infections are almost zero which has freed up IT resources to perform other tasks and assists in maintaining compliance. Unauthorized application installation, file integrity monitoring, device control and memory protection are additional benefits of such a solution. Combine an application control solution along with the built in OS antivirus, group policies, and a good EDR solution to round out end point controls.
The daily barrage of attacks and emails will continue to be a primary risks to organizations and should be a topic for all company boards. Phishing is the root cause for most breaches and a constant daily threat to individuals and companies alike. Due diligence is required by all employees and not just the security team for detection and reporting. A good anti-spam and anti-phishing solution to monitor and remove any invalid emails. Many of the top email providers do a good job for detecting phishing emails and there are several good third party solutions.
Unfortunately, a small percentage will still find their way to a user’s inbox. Regular user training for detecting phishing and business email compromise (BEC) emails will reduce the risk of someone opening a malicious attachment or clicking on an embedded link. The company’s training program should be tested on a regular basis in order to validate its effectiveness. Back the users up with a quality end point protection program that contains an application control solution, as previously mention, will also reduce the risk for when a user fails to detect a malicious email.
There are no guarantees or a silver bullet solution to prevent a breach. However, with the proper tools, monitoring and governance along with a supported security team, will reduce the risks for any organization against today’s threats.