Tactical & technical

Caveat

This page draws information from collaboration within the CISO Lens community. The insights, advice, recommendations, assumptions and assertions were shared within the CISO Lens community and have been synthesised, analysed, and deidentified by CISO Lens.

Often one topic will contain information from a number of CISOs, so you will probably note the tone changes between sentences - we have tried to keep our editing to a minimum. Think of this page as the opportunity to hear CISOs talking to each other about various tactical and technical issues. CISO Lens does not perform validation on this information, so use it at your discretion and risk.

For vendors: CISO Lens members agree not to enter into any discussion, exchange any information or resolve to engage in any conduct that may contravene any applicable competition law. This page is a presentation and synthesis of the opinions of CISOs, so any points that you believe to be inaccurate represent an opportunity to communicate with your prospects and customers.

Ransomware controls - 10th June 2020

Given the high profile ransomware attacks in the local region, the CISO Lens community is sharing some of the controls they use. Naturally, all the usual caveats apply: these are all opinions, these controls should not be used in isolation, your mileage may vary, none are silver bullets that will provide flawless security, etc. Any controls must follow a risk-based approach to security. And prevention is invariably better than cure.

  • One member shared that they view ransomware as a kill chain. For this organisation, typically, ransomware comes via email, so their first point is email filtering. Then it lands in someone’s inbox, so the second layer is a human. If the humans click on the link, then the AV should kick in. If it bypasses the AV and goes out to a URL then the proxy should kick in.
  • One member shared that a recent malware attack against their organisation had failed due to application whitelisting on key workstations. This ransomware had managed to evade other controls (users had clicked links). Their security team ran the malware through VirusTotal and reported that Cylance would have stopped it.
  • One member shared this link and said "Nice simple instruction for OneDrive restoration of files and previous versions. Great for end user compute ransomware protection."
  • One member recommended taking the time to check that the controls you think you have are actually there and operating.
    • A few members have shared in the last few weeks that their third party monitoring and management suppliers had failed to provide the services expected of them.
  • One member noted that many organisations have open RDP and single factor authentication which exposes these organisations to considerable risk.
  • Microsoft LAPS - "It goes around and changes all the local admins so that they’re different."
  • One member shared that they had ACLs on their file servers. "As long as the malware cannot travel sideways, that's the main thing. If it can move sideways, you're cooked in 15 minutes."
  • One member moved their Proofpoint filter in front of Microsoft because they found that Proofpoint was more effective at filtering bad emails.
  • "Only enabling signed macros has kept us out of trouble several times".
  • One member shared that they are seeing more ransomware attacks that are coming through exploiting VPN vulnerabilities, not email. This is in line with the TTPs from ACSC.
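The advice to check that the controls you think you have are actually there applies to every item in the list above. The following is an added example (not from CISO Lens or any member) of a read-only check for the workstation controls the members named: LAPS, RDP hardening, signed-only macros, and application whitelisting. The registry paths are the documented policy locations for legacy Microsoft LAPS, Remote Desktop, and Office 16.0 macro security; the AppLocker check covers AppLocker only, not WDAC or third-party whitelisting. Run it elevated, as the user whose Office policy you want to inspect.

```powershell
# Added example: verify that ransomware-relevant workstation controls are present
# and in effect on this host. Read-only; nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value is treated as "not configured"
}

function Test-WorkstationControls {
    $results = [ordered]@{}

    # 1. LAPS: the client-side extension must be installed and the policy enabled,
    #    otherwise the local admin password is never randomised.
    $lapsEnabled = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    $lapsCse     = Test-Path (Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll')
    $results['LAPS enabled and CSE installed'] = ($lapsEnabled -eq 1 -and $lapsCse)

    # 2. RDP: either switched off entirely, or requiring Network Level Authentication
    #    so a credential must be presented before a session is created.
    $rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $nla       = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    $results['RDP disabled or NLA required'] = ($rdpDenied -eq 1 -or $nla -eq 1)

    # 3. Office macros: VBAWarnings = 3 is "Disable all except digitally signed macros"
    #    (1 = enable all, 2 = disable with notification, 4 = disable all without notification).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $v = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        $results["$app signed macros only"] = ($v -eq 3)
    }

    # 4. Application whitelisting: the effective AppLocker policy must have its EXE
    #    rule collection in Enforce mode; audit-only would not have stopped anything.
    $exeEnforced = $false
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml
        $exe = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        $exeEnforced = ($null -ne $exe -and $exe.EnforcementMode -eq 'Enabled')
    } catch { }
    $results['AppLocker EXE rules enforced'] = $exeEnforced

    return $results
}

$checks = Test-WorkstationControls
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'OK     ' } else { 'MISSING' }
    Write-Output ('{0}  {1}' -f $state, $c.Key)
}
```

Run it across a sample of key workstations (for example via your management tooling) rather than trusting the GPO report: a MISSING line for a control you believe is deployed is exactly the gap the member is warning about.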

Office 365 and legacy protocols - 29th May 2020

This topic area should be of interest to many organisations. Please check your config: legacy authentication protocols (IMAP, POP3, SMTP AUTH, Exchange ActiveSync and older Office clients) do not support modern authentication, so Conditional Access and MFA are bypassed for them, and nearly all credential stuffing and password spray attacks use legacy authentication.

"How to: Block legacy authentication to Azure AD with Conditional Access", Microsoft, 13th May 2020
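The check a practitioner wants before enforcing the block is to see who is still signing in with legacy protocols. The following is an added example, not from the Microsoft article or from CISO Lens: it lists successful legacy-protocol sign-ins from the Azure AD sign-in log, then creates the Conditional Access policy in report-only mode so the impact can be reviewed before it is switched to enforced. It assumes the Microsoft.Graph PowerShell module and Azure AD Premium P1 (needed for the sign-in log); the break-glass account ID is a placeholder.

```powershell
# Added example: find remaining legacy authentication, then block it safely.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# clientAppUsed values that Azure AD reports for legacy (basic) authentication.
$legacyClients = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3', 'MAPI Over HTTP',
    'Outlook Anywhere (RPC over HTTP)', 'Exchange Web Services', 'Offline Address Book',
    'Exchange Online PowerShell', 'Outlook Service for Exchange', 'Other clients'
)

function Get-LegacyAuthSignIns {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=999"
    $hits = @()
    while ($uri) {                      # follow paging until no nextLink is returned
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($s in $page.value) {
            if ($legacyClients -contains $s.clientAppUsed) {
                $hits += [pscustomobject]@{
                    User    = $s.userPrincipalName
                    Client  = $s.clientAppUsed
                    App     = $s.appDisplayName
                    Success = ($s.status.errorCode -eq 0)
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    # Successful legacy sign-ins are the ones that will break (legitimate mailbox
    # clients) or stop (attacker sessions) once the block is enforced.
    $hits | Where-Object Success | Group-Object User, Client | ForEach-Object {
        [pscustomobject]@{
            Count  = $_.Count
            User   = $_.Group[0].User
            Client = $_.Group[0].Client
            App    = $_.Group[0].App
        }
    } | Sort-Object Count -Descending
}

function New-BlockLegacyAuthPolicy {
    param([Parameter(Mandatory)][string]$BreakGlassUserId)   # object ID of an emergency-access account
    $policy = @{
        displayName   = 'Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' once the report is clean
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')  # the two legacy client app types
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

Get-LegacyAuthSignIns -Days 7 | Format-Table -AutoSize
New-BlockLegacyAuthPolicy -BreakGlassUserId '00000000-0000-0000-0000-000000000000'
```

Leave the policy in report-only for at least one full billing and reporting cycle so that monthly batch jobs using SMTP AUTH or IMAP show up in the report, then migrate or exempt those accounts before switching the state to enabled.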


Ransomware & FY21 security budgets - 22nd May

Ransomware: key questions

On the back of several high profile security incidents in the local region (e.g. Toll Group, BlueScope Steel, MyBudget and Service NSW) security executives are busy preparing briefing papers for their boards.

  • Many boards are very concerned with what is happening to organisations experiencing significant ransomware attacks. There are three main areas of questions that mature organisations are working through.
    1. The potential impact of ransomware on their organisations.
    2. Potential exposure via suppliers from any integration, and adopting more defensive architecture with supply chain partners.
    3. Business process impact from a third party having a cyber security incident, and compensating controls.

FY21 security budgets

Security executives are working on their budgets for the coming financial year. Understandably, due to the circumstances resulting from the pandemic, all budgets are under scrutiny.

  • Consistently, security budgets appear to be much more insulated than overall IT budgets. Executives recognise that every enterprise is now a digital enterprise, and they need the digital assets to still be under their control if the digital enterprise is to continue. And, security executives are looking for areas they can trim spending to help the wider corporate effort, particularly given the potential for human impacts.
  • Adjustments to security budgets are typically a reflection of a rearrangement of business priorities. Projects that were scheduled for next year are being brought forward to directly support the now-urgent requirements to protect staff and customers in remote ways of working. Other projects that do not directly support immediate requirements have rapidly become "good ideas that can wait until next year".
  • While there is less money to go around, the risks have grown. As people around the world lose their jobs, acts of desperation are increasing, and some people experiencing the economic impact of the pandemic are technically capable.
  • Geopolitical issues mean that companies that may otherwise have flown under the radar are now potentially in the crosshairs for sophisticated attackers.

Post-Covid "normality" - 15th May 2020

Many organisations are preparing to enable staff to return to offices. This means security policies need to be reviewed, as these were often relaxed to enable WFH. The return to offices is complicated by:

  • Different requirements in different jurisdictions (this includes not only across the different states and territories of Australia but also internationally),
  • The need to split teams into "light" and "dark" groups that cannot cross-contaminate,
  • Allowing staff that are not comfortable returning to the office to work from home,
  • Physical space when at the workplace (including in lifts), and
  • Tolerance for hot-desking.

General topics - 22nd April 2020

The areas below were flagged by CISO Lens members on emails and video calls.

Remote patching

  • One of the members hosted a video call with the community on the 20th to share their architecture for remote patching.

Sanitisation of returning equipment

  • Some members discussed the issue of how to go about sanitising all the office equipment that would eventually be coming back to the office.
  • One member shared that they were considering restricting desks to a limited number of named individuals to minimise any future risk of widespread (and difficult to trace) contagion.

Cognizant security incident

  • Continuing on the theme that "it's not if but when you have a security incident", the members discussed that dealing with third party security incidents is just another area that their organisations need to be able to run as BAU rather than panicking every time a supplier has an incident.
    • "We should be really good at quickly determining if the supplier knows what they're doing, or not, and then how we respond".

Simulated phishing activity

  • Most of the members are continuing with various levels of phishing awareness training. The main driver was to ensure that awareness levels remained high, and that staff knew the correct process to report phishing.

Regulators

  • More mature regulators and enterprise customers will be more interested in seeing the evidence of informed decision making around risk management and acceptance. Conversely less mature organisations will be interested in tick-box compliance.
    • "It's less about the risk you've accepted and more about the process you went through to make that assessment".

BCP or crisis response?

  • The members have discussed how their organisations responded to the pandemic and requirement for WFH and social distancing.
  • One member shared that they were "not targeting minimum viable service, we’re targeting maximum capability in a crisis".
  • Another member commented, "It’s not about keeping the business alive – we have all our people – but it’s about trying to work as usual through a crisis".

General topics - 15th April 2020

The areas below were flagged by CISO Lens members on emails and video calls.

Guidelines for video calls

  • It's worthwhile having a one page document for:
    • Staff who are hosting a Zoom meeting for staff & third parties, and
    • Staff joining third party Zoom meetings.

Risks getting exposed

  • Major overseas suppliers are moving (or have moved) their staff home. This is causing concern for executives.
  • Several members shared that this level of attention has the risk of running too far, and some risks have to be accepted in order to keep business processes functioning.
  • Because third party BCPs did not cater for their staff working from home, many clauses in contracts are being bypassed. Lawyers are starting to get involved and this is causing everything to slow down.

The future of corporate office space

  • Many members have shared that their organisations are already actively reviewing their future corporate office space requirements for when the pandemic is over, or social isolation is relaxed.
    • "All those jobs that could never be done from home are now suddenly being done from home."
  • Future office space requirements are expected to be much less than pre-COVID-19.

Onshoring

  • Several members shared that they were actively onshoring services. Combined with the point above (corporate office space) it's going to be an interesting few years.

Creative problem solving

  • One member shared that they were struggling to get their teams to do the blue sky creative thinking, "I used to lock a few of them in a room and load them with coffee".
  • Two of the members shared that their teams were using Miro.
    • One of these said that "We’ve approved its use for internals for data classified up to Confidential. That’s on the understanding that our Miro boards cannot be shared or accessed by externals / 3rd parties."

Controls getting faster buy-in

  • A few members have shared that a few controls that in the past were too hard and required too much agreement to be deployed were suddenly getting approved and pushed into production. A shared example involved moving Windows VDIs to Azure.

Moving to shorter meetings

  • Several members agreed that their meetings were getting shorter.
  • One organisation implemented a 2 minute break for every 30 minutes of video call.
  • Another member shared that in the "waffle" (app launcher) of O365, under "More apps" and then "MyAnalytics", you can set Focus Time settings. This blocks out time in your future calendar.
  • Another member had previously shared with me that they were not accepting meeting requests that were not either 25 min, or 50 min meetings.
  • One member shared that they were trying to get the shorter meeting option set to be the global default in the corporate calendar.

General topics - 9th April 2020

The areas below were flagged by CISO Lens members on emails and video calls.

Shifting to the new BAU

  • Several of the members are moving to the "new BAU" and stand-ups that were happening multiple times a week are dropping back.

Patching

  • Patching has been a point of concern for many members.
  • One member had their team focusing on only the critical patches, but found that this approach had increased the workload on the security team. So now they were simply pushing out all patches.
  • One member recommended allowing the staff a 24 hour window when they could install the patches.

Managing equipment for starters and leavers

  • A few members have noted that overseas supply chains are a little chaotic. Trying to get laptops to new starters overseas is proving problematic.
  • Several members agreed that they were sending couriers to collect laptops, phones, etc from leavers.


General topics - 8th April 2020

The areas below were flagged by CISO Lens members on emails and video calls.

Corporate email addresses used as credentials with 3rd party websites

  • As staff are being moved to WFH, there are also third party sites that provide services like games. Some HR teams are recommending these sites to staff, so staff are then using their work email addresses to sign up to the service.
  • A compensating control to the above was standard deployment of password managers to ensure that the same passwords were not being paired with corporate emails.
  • A few of the members nominated KeePass as their preferred password manager for corporate environments.

DLP policies

  • Where possible, these are all being tightened up so that events that would previously have alerted are now being blocked. This tightening is designed to streamline the workload of both security and business people.

Interest in e-sign services

  • A few members are seeing an explosion of interest in platforms that enabled people to e-sign documents.
  • These members were in the early days of exploring how these vendors handled the information.

COVID-19 cyber dashboards

  • Several of the members had been providing daily updates to executive leadership teams and boards.
  • As of the 8th of April, many of these were starting to wind down to once per week, as the tempo became normalised.

General topics - 3rd April 2020

The areas below were flagged by CISO Lens members on emails and video calls.

Third parties and remote access

  • Getting third parties (e.g. MSPs) to remotely connect is proving problematic. As one member said, "Our BCP was to use another building. No one envisioned everyone having to go home". This was impacting third parties that also wanted to send their staff home and not use the IP ranges for corporate offices, etc.
  • Further, for MSP staff overseas, latency on international networks meant that throwing in a VPN connection could significantly degrade the operator's experience, and many were bypassing corporate VPNs.

Collaboration platforms

  • One member shared that their Skype for Business was suffering due to the number of people working from home.
  • Microsoft Teams appears to be delivering satisfactory experience.
  • A few members shared that they were dealing with staff wanting to install plugins that made Google Hangouts/Meet look like Zoom with the grid layout of everyone on the call, but a freeze was on all plugins as security did not have the spare capacity to review.

Split tunneling

  • Members with cloud proxies were using them to take the bulk of remote workers' traffic.
  • People without cloud proxies were pushing more content back through the VPN.
  • Zscaler, again, getting solid reviews from existing customers.

Boards

  • Many boards were very focused on cyber risks.
  • Many IT budgets were being impacted, but typically security budgets were being left alone.


Zoom vulnerabilities - 2nd April 2020

As expected when researchers shine a light on a piece of software, several security vulnerabilities have been reported in Zoom over the last few days.

1. Theft of windows credentials.

Participants in a Zoom meeting can send each other links, usually to websites, but a link can also point to a file on a server (a UNC path). An attacker can send a link to a malicious server; when other meeting participants click it, Windows attempts to authenticate to that server and leaks their username and NTLM password hash, which can then be cracked offline or relayed.

Note that the attacker has to be a meeting participant, and that this is a common and well known issue with Windows systems: email clients and websites are usually vulnerable in the same way.

Mitigation advice is to only open links you’re expecting and, if possible, have your IT staff restrict outgoing NTLM traffic and block outbound SMB (TCP 445) to the Internet (... while they’re working from home).

2. Local privilege escalation.

If an attacker has already taken over your computer, they can use the Zoom installer to escalate their level of access, giving them more control and making the steps required to remove them much more difficult. Note that if an attacker has the level of access required to perform this attack there are usually several methods available to them to escalate. Both this issue and issue 3 were reported against the macOS client.

3. Webcam and microphone take over.

If an attacker has already taken over your computer, they can manipulate Zoom to take over the webcam and microphone, allowing them to see and hear what would be displayed in a VC. Unfortunately there are no additional prompts or pop ups for this, however it is likely that, where installed, a web camera will be showing its “in use” light.


  • It is unlikely that issue #1 will get resolved, and issues 2 and 3 were published as zero-days yesterday, so it will take some time for a patch to be available.
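Because issue 1 is a Windows behaviour rather than a Zoom bug, the durable fix is on the endpoint. The following is an added example, not from the original page, of the "restrict outgoing NTLM" mitigation staged the way a practitioner would roll it out: audit first to see what would break, then deny with an allow list for internal servers, plus a host firewall rule blocking SMB to the Internet. The registry values are the documented "Network security: Restrict NTLM" policy settings; '*.corp.example' is a placeholder for your domain, and the event-message parsing assumes the English text of event 8001. Run elevated; for a fleet, deploy the same settings by GPO.

```powershell
# Added example: staged hardening against UNC-link NTLM credential leaks.

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutboundNtlm {
    param(
        [ValidateSet('Audit', 'Deny')][string]$Mode,
        [string[]]$AllowedServers = @('*.corp.example')   # "Add remote server exceptions for NTLM authentication"
    )
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
    $value = if ($Mode -eq 'Audit') { 1 } else { 2 }
    New-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -PropertyType DWord -Value $value -Force | Out-Null
    New-ItemProperty -Path $Msv -Name 'ClientAllowedNTLMServers' -PropertyType MultiString -Value $AllowedServers -Force | Out-Null
}

function Block-SmbToInternet {
    # Stops the SMB connection before any authentication happens. Windows falls back
    # to WebDAV (port 80) when 445 is unreachable, which is why the LSA-level NTLM
    # restriction above is still needed.
    $name = 'Block outbound SMB (445) to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Get-OutboundNtlmAuditEvents {
    param([int]$Hours = 24)
    # Event 8001 in the NTLM operational log records each outbound NTLM authentication
    # that audit mode would have blocked: these are the servers to allow-list (or fix)
    # before moving to Deny. Message format assumed to be the English "Target server: ..."
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } } |
        Group-Object | Sort-Object Count -Descending
}

# Roll-out order: audit for a week, review the events, then deny.
Set-OutboundNtlm -Mode Audit
Block-SmbToInternet
Get-OutboundNtlmAuditEvents -Hours 168 | Format-Table Count, Name -AutoSize
# After review:
# Set-OutboundNtlm -Mode Deny -AllowedServers '*.corp.example', 'fileserver01'
```

Expect the audit log to surface legitimate NTLM use (older file servers, printers, appliances without Kerberos SPNs); each entry needs either an allow-list entry or a Kerberos fix, which is why the Deny step is deliberately left commented out until the audit has been reviewed.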

SECOPS daily checklists - 31st March 2020

Checklists are a useful mechanism to support systemised thinking and consistency of actions. Every security team's checklist will need customisation to their unique environment, and business priorities.

  • Remember to track these through time, so you have longitudinal data (and records).
  • For each control, a named primary and secondary contact.
  • Using Red/Amber/Green (RAG) keeps things simple; but ensure definitions for what constitutes each colour.
  • For each control, if the daily RAG status is not Green, what action is required?
  • We are not reducing SECOPS activity, this is business as usual. In fact, there are areas we are increasing focus due to changing business operations.

Trusted insiders - 31st March 2020

BPOs and MSPs - 30th March 2020

  • A key consideration for remote working are the BCP arrangements that an organisation’s MSP and BPO partner ecosystem has in place.
  • What approved connectivity mechanisms are in place? Do you allow your MSP/BPO to BYOD?
  • Finally, what assurances have you gained over their arrangements that protects you from malware and data loss?

Working from home FAQs - 27th March 2020

Many organisations that are enabling their staff to work from home (WFH) are also publishing FAQs and policy documents to guide staff behaviour.

  • Do not allow work in a public place. Firstly, it runs the risk of confidential information being inadvertently disclosed. Secondly, it is contrary to the Australian Government's guidance on social distancing.
  • Existing security and information classification policies should not be changed, unless senior executives have changed their risk tolerance and are prepared to say so in writing.
  • Staff may want to take and share photos of themselves working at home. Provided these photos do not contain any work information (e.g. screen information, or printed material) this should be fine. Naturally, corporations will have social media policies, and it's important that staff understand that very few of them are authorised spokespeople.
  • Ensure that staff are trained in eSafety, so that issues like webcams are understood.
  • Ensure staff handling sensitive information - especially executives and board members - are informed of the risk from personal surveillance devices (e.g. Alexa and Google) which may potentially be recording and exfiltrating parts of phone calls and video conferences.
  • Even when working from home, ensure that staff know they are to lock their laptop/workstation when leaving it unattended. (Kids!)

There's further guidance available from:

Zoom - 26th March 2020

  • Two-factor authentication is supported by Zoom under the security config for local accounts, but the recommendation is to use SSO instead for MFA.
  • Zoom allows the use of unencrypted SIP signalling, and media is not encrypted by default (so ensure SIP over TLS and turn on encryption by default where possible).
  • Zoom suffering from the same attacks as Webex it seems, so turn on meeting passwords/locking/etc.
  • Register the email domain in Zoom. This ensures anyone who registers using your corporate email address automatically appears in the management console. Zoom allows anyone to register for a free account, so it’s very hard to keep track of without this option. It also allows you to assign a pro licence with unrestricted meetings.

Cloud file sharing - 26th March 2020

  • ShareFile with MFA enabled works really well. Users cannot synchronise this to their device. ShareFile can be configured such that the document storage is on the organisation's data centre (SAN) but is accessible from the internet.
  • Be aware, though, that users can download documents from any cloud storage solution to their own personal devices if they have access. Some providers have security options to minimise this risk, e.g. whitelisting an IP address.
  • For short term data sharing between entities you may want to see if SFTP works better, and it will depend largely on the use case.
  • Accellion is another option that works really well for us. (Multiple CISOs agreed on this point).
  • Box also has these features and I've seen it used for M&A activity. But it has the risk of being used in personal life unless it is locked down.
  • One organisation implemented Box as part of an M&A. "Due to the sensitivity of the information we did a custom implementation where we encrypt the files using AWS KMS (unique key for each file). The top tier is to use HSM for encryption should you have this requirement. We can also control synchronisation with desktop/mobile clients at individual user level. Authentication/SSO and MFA are out of the box. Permissions can also be set at quite a granular level. Since the licence is subscription based and for a project, all users are aware this is only a temporary solution."

O365 - 20th March 2020

  • There are some issues in applying conditional access policy on BYOD. Conditional access policy works fine for browser based access, but if a BYOD user decides to download the Teams app on their device to access O365, after multiple tries they can download the documents on their personal devices. We have discovered this on Macs.
  • The reason this occurs is that the Teams app tries to connect to the Teams service as a ‘web’ client if the native connection method fails. That is, it appears the connection is coming from a web browser rather than the app, and so the download restriction doesn’t apply.
  • In our configuration we have a secondary control in place to restrict web browser access to Teams on unmanaged devices. This second control allows access to Teams from a web browser but it blocks downloads. Therefore when the Teams client is used, even if the user keeps trying and it successfully connects to Teams (as a ‘web’ client), the second policy kicks in and downloads are blocked.
  • We’ve tested this specifically with Macs and have proven it’s not possible to download content when using the Teams app on unmanaged devices.
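The member describes the secondary control without naming it. The following is an added example, not the member's configuration, of one way to build "browser allowed, downloads blocked on unmanaged devices": it assumes the control is SharePoint Online's limited-access mode paired with a Conditional Access session control that applies app-enforced restrictions to Office 365 on devices that are neither compliant nor hybrid-joined. It needs the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules; 'contoso' is a placeholder tenant name.

```powershell
# Added example: limited (browser-only, no download) access for unmanaged devices.

# Part 1: tell SharePoint Online/OneDrive (where Teams files live) to serve unmanaged
# devices a limited browser experience with download, print and sync disabled.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Part 2: the Conditional Access policy that passes the "unmanaged device" signal to
# the service. Session-control only; no grant control, so sign-in itself is not blocked.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$policy = @{
    displayName = 'Unmanaged devices: app-enforced restrictions for Office 365'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after testing
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('Office365') }   # Office 365 app group: Teams, SharePoint, Exchange
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients') # covers the Teams client's fallback to "web"
        devices        = @{
            deviceFilter = @{
                mode = 'exclude'   # apply to everything except compliant or hybrid-joined devices
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Test it the way the member did: from an unmanaged Mac, open a Teams file in the browser (expect view-only with no download button), then repeat with the Teams client until it falls back to the web connection and confirm the download is still blocked.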

Working from home (WFH) enablement - 18th March 2020

With the arrival of the COVID-19 pandemic many organisations were enabling remote working out of necessity.

Key insights:

  1. Use VPN for connecting back to apps within the organisation. It's more efficient for staff to use their own internet connections to directly access collaborative platforms like Microsoft Teams (Skype for Business), Google's G Suite, and other SaaS platforms, as long as security is configured appropriately.
  2. Organisations that have already deployed multi-factor authentication (MFA) are having a much easier time. The IT service desk should proactively inform staff that (due to the sudden shift to WFH), they should expect delays in provisioning. Using apps for MFA has also meant that there was no shortage of physical tokens.
  3. Organisations are not relaxing MFA policies while enabling staff to WFH.


More observations from various CISOs:

  • Bandwidth: we are now seeing organisations shortening the inactivity timeout for VPN connectivity to 2 hours. Shortening the idle duration is now assisting organisations with the number of VPN connections and server load. They are doing this by measuring inactivity from no mouse/keyboard movement, and they have also communicated these changes to employees.
  • Collaboration tools (mostly video) have a significant impact on infrastructure bandwidth. In addition to allowing direct access to selected SaaS platforms, some organisations are now restricting which video collaboration tools are used and providing guidance on using other digital means. There has been a drive to leverage apps over 4G and/or home internet.
  • Increasing VPNs hasn’t been effective. Organisations have been limited by the ‘tunnel’, and therefore having a higher number of VPNs is no longer a mitigation activity. Therefore organisations that have applied A and B teams are now rostering morning and afternoon teams for connectivity. Also on this, technical companies are offering assistance with VPNs and in some cases are offering this for free – <named vendor> is one actively doing this.
  • Security controls are not being turned off. Organisations are not relaxing (or risk accepting) security measures/controls (such as multi-factor) due to influx of work from home requests. Communications on delays and structured timing is now being applied to make sure that security is maintained.
  • Ransomware uplift in relation to COVID. Android phones have been at high risk of this, with an app purporting to ‘track COVID’ laced with ransomware / encryption lockers. Organisations are applying limitations on authentication using Android phones (i.e. two factor authentication being sent via SMS to Android phones). We are also seeing ransomware being hidden in COVID related graphs for people to click on and track.
  • We have a large number of services in areas like O365 that can be accessed directly, and not through the VPN. That includes Microsoft Teams which then enables video conferences. We’ve sent a message out to all staff that they should only log into the corporate network if they need to. But otherwise – use native Internet connectivity. This has allowed us to balance the load on our VPN concentrators.
  • We have a 30 day patch cycle which we have not compromised on and patching is continuing as planned. There will be no relaxation on this.
  • Anything SaaS related we have been routing out via our cloud proxies and only directing required traffic back to the datacentres. We have also scaled out our IaaS connectors which should have bigger internet pipes compared to our datacentres.
  • When using Win10 with DirectConnect be mindful that everything can go through your pipes. We have structured this so that collaboration tools like Teams are split tunnelled to use internet instead of going through our internal network.
  • Publishing apps through Azure app proxy has worked pretty well for web apps.

Microsoft Teams - 16th March 2020

General interest across the community for a risk assessment of Microsoft Teams.

Enterprise cyber security tips around COVID-19 - 12th March 2020.

This post was originally posted on LinkedIn but is copied here to avoid the requirement to log into LinkedIn.

On 12th March 2020 (AEDT), the World Health Organization declared COVID-19 to be a pandemic. This declaration became the starting gun that many local organisations needed to formalise their responses and planning to protect staff.

Fast and substantial changes to the way things are done can result in communications failures, cut corners, and chaos. These conditions increase risk and present an opportunity to either criminals, or trusted insiders having a bad day acting on a lapse of judgement.

This post is a gathering of tips, tricks and traps from current and recent leaders of enterprise cyber security teams, and is posted here as a resource for organisations that may not have a Chief Information Security Officer (CISO). It's also worth noting that these may be skewed towards Australia and New Zealand organisations.


"Very few organisations would be able to tell all their staff that could work from home to go do it tomorrow. And if they could, it may be a sign that the company has been wasting money on excess capacity. So the message is, you're not alone, we're all in the same boat on this one."- Australian CISO