Q&A: Securing the 'next normal' through improved cybersecurity

Posted Nov 28, 2020 by Tim Sandle
What will the 'new normal' look like in 2021 and how can it be secured? Understanding this will enable businesses to set their cybersecurity priorities and spending plans for 2021.
US national intelligence director Dan Coats identified Russia as the most aggressive foreign actor cyber attacker, "no question"
To gain insight into suitable cybersecurity priorities, Digital Journal conducted an interview with Shitesh Sachan, CEO of Detox Technologies. Shitesh Sachan is a white hat hacker and a Certified Information Security Auditor (CISA) with over 20 years’ experience.
Digital Journal: Since the COVID-19 pandemic began and teams have become more dispersed, cybersecurity and privacy have become a priority for many businesses. But what steps should they be taking to protect themselves?
Shitesh Sachan: At the outset of the global COVID-19 pandemic, many organisations decided to enforce social distancing by encouraging their employees to work from home. This decision created new security challenges for many organizations, who now had larger remote workforces. As people have started to work remotely, businesses are, quite rightly, concerned about their data privacy. Social engineering attacks and ransomware attacks have become 4 times more common during lockdown. Most of those attacks are a result of a lack of cybersecurity awareness and incompetent or incomplete security policies. There are five key steps all businesses should take to protect themselves. These are:
Govern Data Access: When you limit access to data, you narrow the pool of employees who might accidentally leak that data or click on a harmful link. Hackers will always look for the weakest link. It is easy for a social engineer to steal the credentials of one employee and gain access to all your sensitive data if everyone has access to that data. Governance is key. By restricting access to your data, you make the work of the social engineer harder, and they will be less likely to target your team.
Use VPNs: Most of us have lots of devices that are connected to the internet. And those devices are considerably more powerful than many older computers. However, despite the democratization of access, very little has changed in terms of security. Remember that HTTPS has only been popular for the past few years. This suggests that, sadly, it is up to people to defend themselves. Antivirus apps and password managers go a long way, but a VPN is a uniquely powerful tool that you should have in your personal security toolkit. Particularly in the connected world of today.
Use Antivirus: It is critical to have all your work-related devices downloaded with antivirus software to protect you against malware, trojans, rootkits and viruses. Antivirus software acts as a prophylactic to not only kill a virus, but also keep the device from being compromised by any new virus in the future. I get multiple spam emails, attachments, calls every day, but antivirus software helps me to quickly filter out what is genuine and what is infected.
Use Password Managers: Most of us use very poor passwords and tend to reuse them on various websites. It is tricky to use solid, unique passwords for all the websites that you use daily. A password manager is the solution. For all the websites that you use, password managers store your login information and help you log into them automatically. With a master password, they encrypt your password database, and the master password is the only one you must remember.
Employees Training: Security awareness training is so important in our always-connected work environments, where cyber threats abound, and the risks are evolving constantly. For hackers, employees are still the weakest link, and present an easy target. The aim of awareness training is to provide people with the security skills they need to combat threats, like social engineering, phishing, vishing. It is not realistic to expect your employees to know what risks exist, or how to protect themselves from them. They need to be taught what is dangerous or appropriate to them, what signs to look for, and how to react when they see them.
DJ: What are the most important aspects of any security strategy for you?
Sachan: Confidentiality, integrity, and availability remain key. However, while all three remain critical, hackers are also building new exploits and threats to take advantage of vulnerabilities that result from them. Key points are:
Confidentiality: for example, shifting massive infrastructures rapidly to the cloud can compromise the most sacred asset in health care, patient data. Ensuring data privacy and confidentiality is at the core of all health systems, and migration online presents the opportunity for lurking hackers and bad actors. Security professionals need to plug this gap by taking a "security and privacy by design" approach to risk management, which embeds security and privacy into the design and operation of all systems, infrastructures, and practices.
Integrity: equally as important to the confidentiality of any data is its integrity. Integrity includes PII, PHI, sensitive data, maintaining the accuracy of a patient’s personal details, health summary, clinical notes, test results and family information. The more of this data that is digitized, the higher the risk. In a data breach that compromises integrity, a hacker could seize the data and modify it before sending it on to the intended recipient. Some security controls designed to maintain the integrity of information include:
User access controls
Version control
Backup and recovery procedures
Error detection software
Availability: Hackers are using different ways to take down servers via DoS and DDoS attacks. Your information is more vulnerable to data availability threats than the other two components in the CIA model. Making regular off-site backups can limit the damage caused to hard drives by attacks or server failures. Information only has value if the right people can access it at the right time. Information security measures for mitigating threats to data availability include:
Off-site backups
Disaster recovery
Proper monitoring
Environmental controls
Server clustering
Continuity of operations planning
DJ: Looking ahead to 2021, what do you see being the critical threats that businesses and individuals should be preparing for?
Sachan: Ransomware. The growth rate of ransomware attacks is unbelievably high. It is a curse on data and web security, and the respective professionals responsible for securing our digital lives. There is no doubt that it is currently number one among the major IT security challenges, and I believe that will not change any time soon. Tomorrow’s hackers will not only hack your data, but they will blackmail you based on that data and threaten to encrypt your data, so you cannot access or retrieve it. Criminals can have both your data and the money, and you will not be able to do anything about it.
DJ: What steps can businesses take to protect themselves from ransomware?
Sachan: Businesses can take several steps to ensure they are protected:
Backing up your data every day is the strongest protection against ransomware. After backing up, you need to disconnect your drive because new ransomware can encrypt backup drives too.
Using whitelisting software that only allows the programs listed to run on your business’s devices, blocking any malware.
Install security/antivirus software and maintain it with the security updates.
Do not offer admin rights to members of staff if they do not need them. Central management is best.
Educate your employees to detect phishing emails, as they are the primary attack vehicle for hackers.
Encourage your team to report back to their IT/admin head if they see any suspicious emails. We need to act immediately, so automate that process, if you can. Some people will never learn, and your processes may not be understood by everyone. So, make sure that those who do know how to detect phishing are on hand to help and to offer advice to those who do not.
DJ: If your business does suffer a ransomware attack, data, or security breach, what can you do to protect yourself and your customers from further attacks or harm?
Sachan: Investigate the breach. Fix the loopholes. Revise your policies. Change them if it is needed. Then train your employees, so a situation like this will not happen again.
Businesses need to take the time to educate their employees regarding cybersecurity policies and updates. Every employee must be responsible for, and aware of, the company’s cybersecurity policy. These security fundamentals are intended to be a set of simple and mostly common-sense guidelines to allow all employees to cover the basics. Look out for one another, and continue to focus freely on your day job, but be aware, be alert and be careful. These fundamentals should help you to avoid creating easily exploited vulnerabilities, but comprehensive security is a never-ending process. The first step in awareness of that process is to be able to recognize a security threat.
My team and I implement a ‘zero leakage, zero trust’ model, where we assure our customers that once we certify the application release or build, then there is absolutely no chance of any loophole. However, as a minimum, a business should have the following systems in place:
DDoS Protection/IPS Implementation
MSB (Minimum Security Baseline) Audit
SSDLC Implementation
Experienced and well-trained security researchers
Cloud Backup with two-three different copies at different formats/locations