This week, it’s different.
We have published CyberInsights for 6 months now.
We had set out to cut the clutter and get insights from cybersecurity news.
Every week, we chose two news items, distilled the essence and asked you thought-provoking questions. We wanted to spur your thinking and drive you to action.
High goals, indeed!
After six months of doing this, we have decided to pause, take a step back and reflect on those questions.
If you had mulled over the questions and taken some action on them, would something have changed in your cybersecurity framework?
We think so.
Here is what you would have learnt and implemented from the weekly cybersecurity events.
July Learnings
Changed your patching policy: if you were patching only ‘Critical’ vulnerabilities, you would have updated the policy to include ‘High’ and ‘Medium’ rated vulnerabilities too.
Created a post-COVID cloud security strategy to ensure that work from home was accommodated and that point solutions were not hastily plugged into the existing architecture without considering data sovereignty and privacy issues.
Changed the USB access policy to have granular levels of controls.
Added a process, in conjunction with HR, to perform additional monitoring of personnel with ongoing disciplinary proceedings and access to sensitive data.
Created / modified a cryptography process to include ownership of SSL certificates and assigned an individual responsible for handling communication with intermediate certificate authorities (ICAs).
Created a cybersecurity resource rotation process to ensure that critical resources do not burn out.
Evaluated your organisation against the six basic CIS Controls, which, if implemented correctly, would eliminate 80% of your cybersecurity problems.
Assessed uncontrolled communication channels (like Slack, Discord, etc.).
Trained employees on what can and cannot be shared on open communication channels.
Re-assessed your cyber insurance cover to address risks from work from home and cloud service usage.
August Learnings
Updated your cyber crisis management plan to consider the possibility of paying ransom.
Reviewed your cyber insurance policy to check if payment of ransom is covered.
Updated your incident management playbook to include the scenario of theft of physical hard drives.
Assessed your CI/CD pipeline for inadvertent data exposure on storage buckets for all environments (including development and test).
Assessed your cloud service provider to see if your data was exposed within their environment.
Created an open source software security policy / strategy.
Created / updated the red team process to inform key stakeholders and sponsors before and during the exercise to ensure there are no legal hassles.
Performed a maturity assessment of your vulnerability management program against the SANS vulnerability management maturity model.
Updated your social engineering checks to include ‘Vishing’ or voice phishing attacks.
Evaluated the risk of cloud service failure to your business and, if required, created a BCP for the same.
September Learnings
Created hardening checklists for third party administration utilities (Adminer, etc.).
Added rules to the SIEM to monitor suspicious database connections from inside the network to the internet.
Created a specific access control matrix for admin utilities and set a process to review them regularly.
Considered implementing emerging solutions that deploy security as code, in discussion with the DevOps team.
Evaluated the process of employee monitoring vis-a-vis the data privacy requirements of individuals and updated the process accordingly, in discussions with HR.
Created an incident response playbook (if you did not already have one) and made sure that red team exercises contribute to keeping it up to date.
Updated your work from home checklist to include home printer security.
Checked if your DLP was capable of monitoring data sent to the printer (at home).
Evaluated the requirement of customer due diligence along with supplier due diligence.
Updated your security awareness training to cover malicious QR codes.
Created a process for authorisation, usage and removal of developer / admin utilities with special privileges.
Enabled collection of the event IDs that serve as IOCs for Zerologon in your SIEM.
Reviewed the pre-draft comments of NIST SP 800-55 (security metrics) and provided your inputs on it.
October Learnings
Considered a strategy for ‘offensive’ cybersecurity by taking the attack to the hackers while ensuring that you were on the right side of the law.
Considered the risks of insider threats (like customer support teams, etc.) and evaluated tools for monitoring and preventing high risk privileged user actions.
Mulled over the prospect of having to secure your organisation from software having legitimate backdoors.
Thought about privacy vs. national security.
Evaluated the effectiveness of your threat intel data feeds and devised metrics for the same.
Started a project of merging the cybersecurity risk register with the enterprise risk register.
Evaluated the primary and secondary risks of a DDoS attack and conducted a DDoS simulation test to stress test your network.
Conducted a red team exercise to discover attack paths from customer facing networks to the Crown Jewels in your ecosystem.
Reviewed the IT helpdesk remote administration process for work from home for security concerns.
Performed a compromise assessment to check if you are already breached. Set up a process to do this regularly.
November Learnings
Created an inventory of AI / ML based systems in your environment.
Set up a process for threat modelling of AI / ML based systems.
Reviewed applications for their ability to check for breached password usage including those applications that use third party credential management services.
Reviewed the security processes in the CI/CD pipeline to secure all components used.
Checked and set up rules in the SIEM to detect exfiltration from your source code repositories.
Implemented controls to secure end of life and end of support systems that cannot be replaced. Considered technologies such as micro patching for the same.
Implemented a mechanism to detect and prevent credential stuffing attacks.
Updated your cyber crisis management plan / incident management plan to cover proactive communication to affected users.
Considered if you required third party intermediaries to negotiate with attackers.
Included contact centre security testing as a part of the red team exercises.
Set up detection mechanisms for changes to your domain account with the registrar.
Evaluated means to secure social media accounts that are shared by multiple users.
December Learnings
Set up a mechanism to incentivise developers to write more secure code.
Set up a mechanism to incorporate security user stories in sprint plans.
Checked if your AV detects Pay2Key ransomware and added IOCs for it.
Reviewed the movement of cloud-based logs (like cloud firewall logs).
Mulled over the way to detect vulnerabilities that do not have a CVE-ID.
Set up a process to secure the software build pipeline against advanced supply chain attacks.
Set up processes to discover and remediate compromised systems in your network.
Reconsidered cloud service failure risks and business continuity planning for the same.
Happy Holidays!
We are taking a break for the rest of this year. In the new year, we plan a new format for this newsletter. We will keep you posted.
Let us know if you have any suggestions about the format and duration of the newsletter.