An update to ‘Cottage Please’ . . .
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
Finding time to write a Dan’s New Leaf article about remote access security, I notice there are many good articles already available. So how can I make my article worth the read?
I wrote an article about remote access, back in 2009, called “Cottage Please,” which envisioned secure remote access. But partially because of the hundreds of articles already out there, partially because we’ve been doing this for years, I want my article to be a “mid-event review.” We do have a guidance summary available here, but I want my article to be more than a “how-to.” It’s too late for that. I want it to be a “what-now.” Like a post-mortem review, in the middle of an incident.
LOCATION, LOCATION, LOCATION: We come at this from a unique perspective. As many of you know, infotex “went remote” in 2002. For several years our two-room office included a conference room reserved for auditors and examiners. Most of us work from home. Okay, now we all do.
And some of you may also know I got my start in cybersecurity in a previous job where the company, a retail chain, suffered an incident in the 1980’s.
Back then, when we were successfully battling the likes of Blockbuster and Movies, EVERYTHING was about “location, location, location.” It’s almost eerie that I find myself now, in 2020, addressing the fact that cybersecurity has been forced to be centered around . . . you got it . . . location, location, location.
We are going to locate our endpoints in homes now.
But to do this safely, there are fundamentals we must not forget, and thus the weird repetition of keywords in this article. If it’s about risk management, risk management, risk management, then it’s about measurement, response, and monitoring. And thus, the mid-event review (monitoring).
So first: are we passing the test?
Yes! I am proud that most community banks have been far more prescient than the non-banks I’ve interacted with. When I had to start responding to a stream of emails from my friends outside the industry, suggesting things like “you ought to put Pandemic in your risk assessment,” I realized that once again the FFIEC has served a very important role. While we may all feel that we are scrambling, the scramble is because of the impact severity, not a lack of readiness.
Second: what are we doing right?
AWARENESS. AWARENESS. AWARENESS: We all had tested pandemic plans at a level of maturity that we had at least formally accepted as sufficient, even if we may be proving ourselves wrong in some areas. Overall, the community banking community was AWARE. Compare banking to any other community. We were aware.
Meanwhile, we have noticed that most of our Clients are doing a great job of “building awareness in” rather than “bolting it on.” You are converting the frightened into the enlightened. You are finding yourself right smack in the middle, and while you’d never say this, we see that you are leveraging your cybersecurity superhero position. Your team trusts you, is looking to you for leadership, and is seeing you apply the controls you are asking them to apply.
And management is more cooperative than we could ever expect. They seem totally on board with the need to secure remote access.
REMINDERS, REMINDERS, REMINDERS: We have found ourselves in a position where we are saying, “…and I know you know this, but don’t forget…” That is so simple yet powerful, especially compared to other industries we are watching. And we have had many Clients ask us about various awareness resources such as vigilize.infotex.com or posters.infotex.com. Nice!
AUDITS, AUDITS, AUDITS: We are proud to respond to Clients asking us to audit their remote access. Yes, now is the time to adjust your audit plan, and focus your budget on your remote access, VPN, awareness, Office 365, and the controls that you believe are in place. Timing is crucial. Don’t start until you’re ready, don’t wait until you’re discovered.
And now . . . . the “areas of improvement” section:
WHAT WENT WRONG. WHAT WENT WRONG. WHAT WENT WRONG: The rest of this article is based on our own reading and experience, and not scientific studies, but we hope we can learn from what we’re seeing out there. What we’re seeing is from our own unique perspective. Being that we are risk managers, let’s organize this in terms of risk measurement, risk response, and risk monitoring.
MEASUREMENT, MEASUREMENT, MEASUREMENT: Fortunately, we already knew where the “low hanging fruit” was. Unlike other industries, which are in a world of hurt, we had the basics of remote security in place, but our customers are at risk, and that makes us at risk. It’s like our society has rolled out a smorgasbord of unprotected VPNs for hackers who just lost their day job.
But hey, now that the dust has settled, how about we do a formal risk assessment? It’s not too late. It’s not really for compliance reasons, so no worries if we’re doing it after-the-fact. It’s to make sure we’ve dotted our i’s, crossed our t’s, and prioritized based on risk and not other factors. (Here’s a copy of our remote access checklist if you haven’t done this yet.)
RESPONSE, RESPONSE, RESPONSE: Beyond planning security into the “Great Adjustment,” in the form of asset-based and threat-based risk assessments, there are two things that MUST OCCUR IMMEDIATELY:
MFA, MFA, MFA: Any asset with public exposure must (not should, MUST) require multi-factor authentication prior to deployment. Not using 2FA on OWA or VPN access or Office 365 is like putting an asset on the internet without a firewall. Yes, MFA costs a little money and takes time to set up, but it takes likelihood from an inherent 8 to a residual 1. (Better than a firewall.)
It’s a no-brainer, yet some of us are not doing it. Some of us rolled out remote access with the intention of turning on MFA afterwards. It’s later now! If the cat’s already out of the bag, MFA needs to be the next thing we focus on. It must be next, next, next!!!
PATCH, PATCH, PATCH: In ordinary times, we learned that prior to turning on a new asset, we must make sure not only that the new asset is patched, but that all assets on the way to the new asset are also patched.
Vulnerability Management is about the whole, not the parts. So please, please, please be sure to test the patch level of all assets involved in remote access, from the endpoint to the servers and everything in between. Yes, you read that right. We cannot ignore the need to protect the endpoint. We realize that VDE and thin clients and Office 365 and Azure AD and other products are making the cyber kill chain safer, but we don’t want employees compromised even if the bad actor cannot get from your employees’ endpoint to the server. Not while they’re working at home.
These are not ordinary times. But our processes apply now more than ever. We don’t call it patch management anymore, we call it vulnerability management. The difference is awareness, prioritization, and TESTING, TESTING, TESTING!
We find tenable.io has a great endpoint scanner (but there are many others). Your employees are more than willing to agree to an endpoint scan. Get the proper agreements in place with your employees, the proper documentation in place (which would include a risk assessment), and patch, patch, patch. And yes, this requires an endpoint scanning process for any endpoint that accesses company assets, and that includes workstations owned by your employees. We’ve been doing this since 2002. Automated endpoint scanning is worth the effort, especially now that the cost is easily justified.
MONITOR, MONITOR, MONITOR: No matter how mature we are in hardening our remote access processes, we are taking and accepting risks. So let’s monitor them. Contact your MSSP and ask what they are doing to monitor remote access, and make sure your end of that process is being covered. You might want to update your decision tree to address those high-risk employees. You might want to go back to risk measurement to determine which employees should wake you up in the middle of the night. Use your KnowBe4 or other phishing test application results to help with an employee risk assessment, and focus monitoring, training and just checking up on those employees who have already been identified as high risk.
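One way to put the MFA rule above and this monitoring advice into a daily check, as an added example that is not from the original post or from infotex: the log format, user names and business-hours window are constructed assumptions, and the high-risk list stands in for whatever your phishing-test results produce.

```python
"""Added example: triage remote-access log lines against two rules from
the post. (1) Any successful login to a public-facing service (VPN, OWA,
Office 365) without MFA is a finding. (2) Employees already flagged
high risk by phishing tests get extra scrutiny, here off-hours logins."""
from datetime import datetime, time
import re

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
2020-04-02T08:15:22 service=vpn user=alice src=203.0.113.5 mfa=yes result=success
2020-04-02T02:41:09 service=owa user=bob src=198.51.100.7 mfa=no result=success
2020-04-02T09:03:44 service=o365 user=carol src=192.0.2.44 mfa=yes result=success
2020-04-03T23:58:01 service=vpn user=bob src=198.51.100.9 mfa=yes result=success
2020-04-03T10:12:30 service=vpn user=dave src=203.0.113.77 mfa=no result=failure
"""

# Constructed: users the phishing-test results already identified as high risk.
HIGH_RISK_USERS = {"bob"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than abort the whole run
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def triage(log_text, high_risk=HIGH_RISK_USERS):
    """Return a list of (severity, user, reason) findings for the MSSP queue."""
    findings = []
    start, end = BUSINESS_HOURS
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] == "success" and rec["mfa"] == "no":
            # Public exposure without MFA is the post's "no firewall" case.
            sev = "critical" if rec["user"] in high_risk else "high"
            findings.append((sev, rec["user"], f"{rec['service']} login without MFA"))
        if rec["user"] in high_risk and not (start <= rec["ts"].time() <= end):
            findings.append(("medium", rec["user"], f"off-hours {rec['service']} login"))
    return findings
```

Feed it the export from your VPN, OWA or Office 365 sign-in logs (after adapting the regex) and route anything "critical" to whoever should be woken up.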
Beyond that, know that your users are not used to working from home. I could go on and on about social considerations of remote work, such as “always announce in advance when you plan to have people turn on their webcams.” Or “exit out of Outlook before sharing your screen.” Maybe this can be fodder for a different article.
But even for the users who have always dreamed of working at home, there are a LOT of cons they are now learning. They need to be reminded to work in a room where family members cannot hear customer names. They need to be assured it’s about the results and not the time, especially now that they are being distracted by frightened family members. Management needs to be ready to have the awkward conversation with those who simply cannot handle working from home.
Your users are faced with many control-decisions of their own now. Do they quarantine themselves from family members? Do they wear a mask, wipe incoming mail, leave the computer on at night? They are looking to you to lead. Get your employees talking about risk.
This pandemic is highlighting how sometimes the controls we choose to use are a matter of opinion, often based upon the person’s specific, unique situation. We see this right now: some banks are rotating staff, others are not. But every bank we’ve discussed this with has particular and good reasons for applying staff rotation as a control (or not). We’ve thought it through.
Help your users understand how risk management can be used to “think it through,” to decide which controls to apply around the house. And when. It’s often about when. You may have already found yourself saying, “when there is risk, apply the control.” For example, I’m not going to wear a mask every time I go outside. I live smack in the middle of a two-acre lot. But I do have to go into my office from time to time, and that seems to be the only time that risk is introduced, other than when groceries are delivered. So why not wear a mask? If driving to the office is the only source of risk, why not control it?
Now . . . have I been laughed at, wearing a mask at the gas station?
And I get it. Wearing masks may seem like overkill to somebody who does not realize it’s my only source of risk. But I also saw, in a different car, a woman turn around and say something about masks to her children. I could be wrong, but I think the sight of me wearing a mask inspired her to apply the control.
Which is why bankers are leaders in this pandemic. We’ve already applied most of the controls. You lead by example.
With an approach that includes measurement, response, and monitoring, we will manage our risk. We will beat this virus. We will beat the jerks who want to take advantage of a virus to attack our institutions.
And we will sleep at night.
Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.