CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS
CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.
Moving to the cloud: A Study in Security, Efficiency & Reduced Organizational Risk Posture
A recent Gartner study indicates that cyber crimes are at an all-time high, up 30% year over year. This is and should be of tremendous concern to C-suite executives and boards of directors.
The root cause of cybercrimes varies; however, most organizations will experience vulnerabilities arising from technological gaps due to neglected software patching initiatives, outdated firmware, continued use of hardware beyond manufacturer ‘end of life’ standards, limited resources, limited budgets, multiple new compliance requirements, and of course externalities such as the recent global pandemic.
In an effort to protect against threat actors while simultaneously acknowledging their companies’ limitations, more and more C-suite information security executives are proposing complete moves to cloud-based computing environments along with the ‘shared resource’ model characteristic thereof. This will help ensure information security integrity, reduce or eliminate the threat of bad actors wreaking havoc on the company’s information systems, and allow the organization to achieve its goals with some element of cost-efficiency. To ensure these systems are implemented in the most efficient manner possible, many concerns will turn to Managed Security Services Providers (MSSPs).
Some specific security challenges organizations face in today’s operating environment, based on experience, include:
1. Lack of resources creates an unintended risk appetite
A lack of resources creates an unintended risk appetite, which leads to organizational dysfunction and job loss. Organizations need to provide their CISO with their own budget, independent of IT, and the CISO needs to report at the same level as the CIO with a direct line to the Board of Directors. The CISO should feel comfortable addressing any vulnerabilities that may arise, notwithstanding the resource requirements to address them. Recently, we were tasked with performing a security assessment and reporting our results directly to the client’s Chief Information Officer. The Chief Information Officer, in turn, requested that we provide our findings simultaneously, at a joint meeting of the Board of Directors. The Chief Information Security Officer had previously briefed the board on the organization’s information security posture and had suggested that risk levels were at a minimum and that there were no vulnerabilities or deficiencies that could pose mission-critical faults; in this, the CISO had sought to ‘paper over’ problems that had not been budgeted for and were instead treated with an ‘it’s your job, you fix it’ mentality, creating a lose-lose proposition. Our findings and report directly contravened what the Board had previously been told, and this led to the firm initiating a comprehensive systems audit which resulted in the dismissal of multiple information technology executives.
2. Cloud Security Competency, Efficiency, and Cost-Effectiveness
As the cloud computing environment becomes mainstream, organizations will realize the competitive benefit of having so many competitors offering similar services. This allows organizations to seek out the best technology and team while adhering to internal resource limits.
3. Application and Network Monitoring
This service is critical for identifying potential risks and attacks from internal and external threats, and it is one of the single largest information security infrastructure areas of investment for companies today. CyberSecOp has seen a volumetric increase in requests for our Security Information and Event Management (SIEM), Managed Detection and Response (MDR), Data Loss Prevention (DLP), Security Operations Center (SOC) and Cloud Access Security Brokers (CASB) services over the last year, which dovetails with broader global market trends. With ransomware and data security breaches at an all-time high, organizations are looking to managed IT security and managed compliance services providers to bridge the resource gap.
4. Data Security Governance Framework
Organizations are utilizing the cloud to aid with compliance, reducing the upfront cost of buying all the necessary security solutions and related resources needed to get them configured and managed; indeed, the focus has switched to using cloud and shared resources provided by managed IT and managed security providers.
5. Enterprise Security Partners
Bringing on an Enterprise Partner enables companies to focus on those factors that promote business growth as opposed to focusing on back-end solutions and internal control structures. In turn, the Enterprise Partner (MSSP) is often able to provide its services with substantially greater cost efficiency and competency than if the company had attempted to replicate those services internally; examples of specific areas of favorability are hiring and staffing the function, keeping up with and implementing vulnerability management, leaner staffing levels, and overall cost efficiencies.
6. Authentication
Over the past year, we have seen a 70% increase in the adoption of multifactor authentication technologies, including but not limited to ‘password-lite’ cloud-based solutions capable of biometric authentication, geolocation fence authentication, anomaly detection, end-user based risk scoring, and evaluation. Partnering with an Enterprise Security Partner can ensure such technologies are rolled out across all organization information technology platforms in a coordinated and effective manner, with a minimum risk of non-adoption and systemic conflicts.
CyberSecOp provides proven Risk Management and Digital Transformation: As one of the most called on firms for security breach response services per Google Analytics, we have assisted with over 550 incident responses spanning 2019 and 2020. CyberSecOp helps organizations assess their cloud or on-premise environments and implement a security program that provides the safeguards needed in the cloud or on-premises. We also offer incident response and forensics teams to assist with containment, remediation, recovery from ransomware attacks, and other security breaches.
FBI, DHS CISA Publish Top Ten Cybersecurity ‘Hit List’ for State-Based and Non-State Based threat actors
Recently, two prominent US cybersecurity agencies disclosed, according to their internal metrics, the 10 most commonly exploited software vulnerabilities. The relevant time interval was 2016 through 2019, inclusive, with separate guidance listed for 2020.
The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Federal Bureau of Investigation (FBI), urges organizations in the public and private sector to apply all software patches and updates in order to prevent the most common forms of attacks encountered today.
This includes, but is not limited to, attacks carried out by state-sponsored, non-state, and unattributed threat actors.
US government officials have argued that applying patches could degrade the cyber arsenal of foreign actors targeting US entities, as they'd have to invest resources into developing new exploits, rather than relying on old and tested bugs.
"Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available," US officials said.
"A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are costly and less widely effective."
A summary of the FBI and CISA’s ‘Top 10 Vulnerabilities from 2016 through 2019’
OLE - According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are related to Microsoft’s OLE technology.
Apache Struts - After OLE, the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
Windows Common Controls - As of December 2019, Chinese state cyber actors were frequently exploiting the same Windows OS vulnerability, a flaw in the Windows Common Controls that could allow for remote code execution.
Unpatched Devices - Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time. The FBI and CISA noted that this is a vulnerability as many organizations focus on their IT infrastructure as an area for cost-saving measures.
Microsoft and Adobe Flash products - A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.
A summary of the FBI and CISA’s top vulnerabilities from 2020
Bugs detected in Citrix VPN appliances, specifically the Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0; these allow for directory traversal.
Bugs detected in Pulse Secure VPN servers; specifically, in Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URL to perform an arbitrary file read.
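The patching guidance above becomes actionable once the stated Pulse Connect Secure version ranges are checked against an appliance inventory. The following is an added example, not code from the advisory or from CyberSecOp: the inventory and hostnames are constructed, version strings are assumed to use the `9.0R3.4` form quoted above, and branches the text does not name are reported as `not-listed` rather than guessed.

```python
import re

# First fixed release per branch, exactly as stated in the text above.
FIXED = {"8.2": "8.2R12.1", "8.3": "8.3R7.1", "9.0": "9.0R3.4"}

# <major>.<minor>R<release>[.<patch>], e.g. 8.3R7.1 or 9.0R3
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse(version):
    """Split a PCS version into (branch, (release, patch)) using integers."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return f"{major}.{minor}", (int(release), int(patch or 0))


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    try:
        branch, release = parse(version)
    except ValueError:
        return "unparsed"          # needs a manual look, never assume safe
    fixed = FIXED.get(branch)
    if fixed is None:
        return "not-listed"        # branch not covered by the text above
    # Numeric tuple comparison: as plain strings "8.2R9" sorts after
    # "8.2R12.1", which would wrongly mark an affected box as fixed.
    return "affected" if release < parse(fixed)[1] else "fixed"


def triage(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory for illustration only.
INVENTORY = {
    "vpn-a.example": "8.2R9",
    "vpn-b.example": "8.3R7.1",
    "vpn-c.example": "9.0R3.3",
    "vpn-d.example": "9.1R4",
    "vpn-e.example": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:16} {INVENTORY[host]:10} {status}")
```

Hosts that come back `unparsed` or `not-listed` should be checked by hand against the vendor's current advisory.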