The global pandemic has highlighted the importance of being prepared for the unexpected. Opportunistic attackers are taking advantage of rapidly changing work environments and stretched security teams to launch a surge in attacks. While there was no way to fully anticipate the impact to our organizations and be prepared from day-one with a detailed plan, there is a lot we can learn to strengthen our resilience to emerging threats.
To discuss some of the key takeaways from the current crisis, I connected with Phil Jones who, since 2016, has overseen Operations within Airbus Cybersecurity, a business unit of Airbus Defence and Space. Phil now leads the group’s Cybersecurity Services business which includes Managed Security Services, Security Consulting and Professional Services, and Integrated Security Services.
What are some of the types of attacks organizations can expect during times of crisis?
Currently, we are seeing a resurgence of some classic cyberattacks such as brute force attacks on Remote Desktop Protocol (RDP) servers or VPN platforms. These types of attacks have experienced three- to fourfold growth around the world in recent weeks.
In their quest to satisfy the remote working needs of their employees, some organizations have increased and quickly deployed new VPN or RDP services without following the usual internal security validation processes. Hackers have taken this opportunity to access information systems that were previously inaccessible due to their configuration. With minimal effort, attackers are able to use open access platforms such as Shodan, which allow them to scan and locate connected objects and vulnerable machines with an open, unsecure RDP port on the Internet.
Organizations that are ill prepared to operate “generalized” remote working face a tenfold increased risk of sensitive data leakage. The bad practices of employees, who in good faith use alternative solutions such as non-corporate SaaS applications or their personal tools and devices, accentuate the “Shadow IT” effect and the loss of monitoring visibility by security teams.
During times of crisis, there is no particular reason for the types of attacks to change, rather it is the ability to deal with them that is hindered. Indeed, during the COVID-19 period, security teams themselves have increasingly been operating remotely and as a result, their response capabilities have been affected.
How can organizations quickly pivot existing tools and practices to address threats as they emerge?
It is essential to remember that every organization must have a minimum security foundation, such as ISS hygiene. This covers most cyber risks and its speed of reaction will depend on its ability to detect new threats in its environment, via Security Operations Centers, for example.
To be able to adapt to new threats, the organization must maintain some room to maneuver by avoiding being at 100% capacity. Having “buffer capacity” can prevent the organization from being immediately overwhelmed and can allow it to better organize itself in the event of an incident.
In non-crisis periods, the organization must adopt a flexible posture, questioning its assets, tools and processes in order to adapt – in the same way that threats evolve and adapt. In fact, this is the biggest challenge when dealing with new threats – being able to constantly evolve and having teams with capacity, flexibility and curiosity to learn and adapt.
What are some of the mistakes you and your team see security teams make?
We observe that configuration errors are widely exploited by attackers. Configuration errors are frequent consequences of a growing attack surface (Bring Your Own Device, mobile, cloud, IoT, etc.) and of organizations that equip themselves with tools and technologies that they have not yet mastered.
To reduce the risk of misconfiguration, the implementation of new IT services must absolutely go through an IT service management validation process by the security teams who will ensure compliance with previously established standards and the verification of certain control points (configuration checklist) or even use technical auditors (slope auditors) for the most sensitive systems.
The organization must be able to make its IT resources aware of cyberthreats beforehand and allocate the necessary time to conduct configuration tasks with due diligence and due care.
Communication is paramount during a crisis. How can organizations improve on that front?
Communication is one of the key elements of crisis management. It is important for the organization to have a communication strategy (internal and external to the organization) covering multiple cases of cyberattacks.
Crisis communication is therefore a challenge, as it is a matter of being able to communicate information via the right means (especially if standard channels are unusable), the right elements, to the right recipients in a way that is easy to interpret. Particularly considering that information relating to the cyberattack can become viral (sometimes even at the initiative of the attacker who advertises it on the Internet) and cause damage to reputation and image greater than the material or financial damage of the cyberattack itself. The communication strategy must be carefully defined and put in place upstream to ensure, for example, that the team in charge of communication is in close contact with the teams in charge of the response.
To assess their resilience, organizations must test this strategy at least once a year using crisis management exercises. Airbus CyberSecurity conducts test crisis management exercises with our customers on a regular basis. The goal is to ensure that when the moment comes to deploy the strategy, the organization is in the best position possible to make the right decisions at the right time and to respond correctly. This is applicable to the communications aspects but also more broadly, including technical elements like incident response and forensics.