Staying one step ahead of attackers by eliminating vulnerabilities before they are found and exploited is the obvious goal of any enterprise. Shoring up infrastructure and IT operations with state-of-the-art, efficient defenses should be on every infosec team's to-do list, and what follows are best practices, drawn from InfoSec World 2020 sessions, to help with your network security management.

Of course, every organization has different needs, which should be the deciding factor in determining a framework and catalog, notes Troy DeLung, senior enterprise IT and security risk manager for Genworth Financial, who will lead the “Information Security Frameworks and Control Catalogs: Differences, Selection, Implementation” session at InfoSec World 2020.

When weighing the many information security frameworks (ISO/IEC 27001, NIST CSF, COBIT, et al.) and control catalogs (ISO/IEC 27002, NIST SP 800-53, among others), DeLung advises keeping the regulators an organization answers to in mind, so that one set of controls can satisfy several obligations, compliance activities are reduced rather than duplicated, and the organization is streamlined.

Pinpointing unprotected attack surfaces before stealthy attackers find the holes and backdoors should obviously be a major consideration, notes John Loucaides, vice president of engineering at Eclypsium, who will speak during the “Hacking Firmware: The Unprotected Attack Surface of the Enterprise” session.

He notes these persistent bad guys often have a decided advantage when their firmware implants fly under the radar, so it behooves cybersecurity professionals to earn their keep by pulling out all the stops.

Risk management figures into all business decisions, but when you’re talking IT security it’s easy to throw around notions that “inside means trusted” and “outside means untrusted.” Well, tell that to any organization hit by a disgruntled employee turned insider threat who held full credentials to the crown jewels.

The digital business disruption requires that systems, services, APIs, data and processes be accessible through multiple ecosystems anywhere, anytime, and from any device over the internet, notes Brett Conlon, global CISO for Edelman Financial Engines, who will lead the “Embracing the Digital Business Transformation with Zero Trust” session at next week’s conference.

“This expands the surface area for attackers to target and puts security and risk management leaders in a position where they must make intelligent, risk-based decisions about which security technologies they choose to manage the risk to their business,” adds Conlon.

New attack patterns keep emerging even under intense scrutiny, and usually the perpetrators are targeting the keys to the kingdom, reports Derek Melber, Alsid’s technical director for North America.

Recent trends show attackers looking deeper into object and attribute configurations to exploit raw access and functionality within Active Directory, he will explain in the “New Attack Patterns: Targeting the Keys to the Kingdom” session. “The reality is that many attacks bypass the event logging and look like routine access,” he adds. Meanwhile, many organizations are still trying to secure their environment against traditional attacks.
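Because abuse of object and attribute configurations produces LDAP and Kerberos traffic that looks routine, the practical counter is to audit the attributes themselves rather than wait for an alert. The following is an added example written for this article, not code from the session or from Alsid: it runs over a constructed list of objects shaped like the attributes an LDAP search returns (in a real environment the list would come from ldap3 or Get-ADObject) and flags a handful of well-documented settings that grant or expose privilege without showing up in ordinary group-membership queries. The attribute names and userAccountControl bit values are Microsoft's; the object names, SIDs and finding codes are invented for the sample.

```python
"""Audit Active Directory object attributes for configurations attackers abuse.

Added example for this article. The sample directory below is constructed;
point audit_all() at objects returned by your own LDAP search to use it for real.
"""
from typing import Dict, List

# userAccountControl flag bits (Microsoft-documented values)
UAC_PASSWD_NOTREQD = 0x0020            # password not required
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000  # ordinary computer account
UAC_SERVER_TRUST_ACCOUNT = 0x2000       # set on domain controllers
UAC_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation
UAC_DONT_REQ_PREAUTH = 0x400000         # Kerberos pre-authentication disabled

# RIDs of built-in privileged groups: Domain Admins, Schema Admins, Enterprise Admins
PRIVILEGED_RIDS = {512, 518, 519}


def rid(sid: str) -> int:
    """Last sub-authority of a SID string, e.g. 'S-1-5-21-...-512' -> 512."""
    return int(sid.rsplit("-", 1)[1])


def audit_object(obj: dict) -> List[str]:
    """Return finding codes for one object whose attributes are given as a dict."""
    findings = []
    classes = obj.get("objectClass", [])
    uac = obj.get("userAccountControl", 0)
    is_computer = "computer" in classes
    is_dc = bool(uac & UAC_SERVER_TRUST_ACCOUNT)

    # Membership granted through primaryGroupID is not stored in the group's
    # 'member' attribute, so a plain "who is in Domain Admins" query misses it.
    if obj.get("primaryGroupID") in PRIVILEGED_RIDS:
        findings.append("PRIVILEGED_PRIMARY_GROUP")

    # sIDHistory is honoured in access checks exactly like a real membership.
    if any(rid(s) in PRIVILEGED_RIDS for s in obj.get("sIDHistory", [])):
        findings.append("PRIVILEGED_SIDHISTORY")

    # Any authenticated user can request a service ticket for a user account
    # that carries an SPN and crack it offline; the request is normal Kerberos.
    if not is_computer and obj.get("servicePrincipalName"):
        findings.append("SPN_ON_USER")

    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("NO_PREAUTH")
    if uac & UAC_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD")
    # Unconstrained delegation is expected on DCs and suspicious anywhere else.
    if uac & UAC_TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("UNCONSTRAINED_DELEGATION")
    return findings


def audit_all(objects: List[dict]) -> Dict[str, List[str]]:
    """Map distinguishedName -> findings, omitting objects with nothing to report."""
    report = {}
    for obj in objects:
        found = audit_object(obj)
        if found:
            report[obj["distinguishedName"]] = found
    return report


# Constructed sample data (not a real directory dump)
SAMPLE_OBJECTS = [
    {"distinguishedName": "CN=alice,OU=Staff,DC=corp,DC=example", "objectClass": ["user"],
     "userAccountControl": 0x200, "primaryGroupID": 513,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},  # visible membership: fine
    {"distinguishedName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "objectClass": ["user"],
     "userAccountControl": 0x200 | UAC_DONT_REQ_PREAUTH, "primaryGroupID": 512, "memberOf": []},
    {"distinguishedName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "objectClass": ["user"],
     "userAccountControl": 0x10200, "primaryGroupID": 513,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"distinguishedName": "CN=contractor,OU=Staff,DC=corp,DC=example", "objectClass": ["user"],
     "userAccountControl": 0x200, "primaryGroupID": 513,
     "sIDHistory": ["S-1-5-21-1004336348-1177238915-682003330-519"]},
    {"distinguishedName": "CN=WEBSRV01,OU=Servers,DC=corp,DC=example", "objectClass": ["computer"],
     "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 515, "servicePrincipalName": ["HTTP/websrv01.corp.example"]},
    {"distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "objectClass": ["computer"],
     "userAccountControl": UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION, "primaryGroupID": 516},
]

if __name__ == "__main__":
    for dn, codes in audit_all(SAMPLE_OBJECTS).items():
        print(f"{dn}: {', '.join(codes)}")
```

Run against the sample, alice and DC01 produce no findings: the first holds her privilege through a visible group membership, the second is a domain controller, where unconstrained delegation is normal. The other four each trip one or two checks. The point for a defender is that none of these conditions generates a security event on its own; they are discovered by reading the directory, which is exactly what an attacker does.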

In international politics, so-called “back-channel” communication can change history. Similarly, speculative execution side channel methods get a lot of technology industry attention, “but what do we know about them and how do such methods differ from traditional side channel methods?” asks Antonio Gomez, software engineer in the Intel Open Source Technology Center, where he works on mitigations.

Gomez, who will lead the “Exposing Speculative Execution Side Channel Methods: What You Should Know and What You Should Do” session, points out these are complex methods that use advanced techniques to try to exploit architectural and microarchitectural structures and optimizations to leak secret data.

Changing hardware that is already in production and deployed in the real world to counter these methods is difficult, if not impossible, which is why software modifications are more agile: they allow mitigation of potential attacks while retaining the benefits of the hardware optimizations.

Expert service providers in our field and their clients must always be honest with each other when balancing physical security needs against social engineering assessments.

“Just like any other assessment type, there is often confusion with what’s needed, vs. what is realistic for their budget, deadlines, etc.,” says Brent White, senior security consultant at NTT Security, who also advises the Tennessee Department of Safety and Homeland Security on the topics of physical and cybersecurity.

White’s session aims to take some of the guesswork out of planning and budget requests so you get the most out of your next physical security and social engineering assessment.

“As physical penetration testers, it’s important to have that discussion with clients to help them understand what makes the most sense to include in physical security and social engineering assessments,” White adds in the session “Getting the Most Out of Your Covert Physical Security Assessment: A Client’s Guide.”

Cybersecurity professionals spend a lot of time dealing with persistent threats, but hackers don’t always follow the path of least resistance, notes Ryan Rodrigue, a principal of Wolf & Company. Vulnerabilities will exist until they are patched, which is why sound asset management, patch management and vulnerability management belong together, but it’s easy to forget the “other” devices on your network that represent additional threats, he adds in his session, “How to Implement the ‘Triangle’ of Network Security Management.”

Tim Krabec, a senior information security analyst, advocates sometimes building one-off scripts even when it might be faster to do the task manually once. When working out a workflow, a private repository in git, a distributed version-control system, provides flexibility in coordinating work and can also be used to track changes in any set of files, he’ll say during the “Increasing Efficiency and Effectiveness with One-Off Tools and Scripts” presentation.

Mark Cooper, president and founder of PKI Solutions, believes a new standard endorsed by the FCC and a consortium of major telecommunications companies including Comcast, AT&T, and T-Mobile will help eradicate robocalls and caller ID spoofing, which the FCC estimates will constitute more than half of all phone calls placed in the U.S. this year.

Public key infrastructure is the backbone behind SHAKEN/STIR (Signature-based Handling of Asserted Information using toKENs and Secure Telephone Identity Revisited), which uses digital certificates based on common public key cryptography techniques: the originating carrier signs an assertion about the calling number, and the terminating carrier verifies that signature against the carrier’s certificate before trusting the caller ID, Cooper will discuss in “How PKI and SHAKEN/STIR Will Fix the Robocall Problem.”