WHITE PAPER
3 HEIGHTENED CYBER RISKS IN THE NEW NORMAL
HOW SECURITY AND FRAUD TEAMS CAN ADAPT TO CONTINUE OPERATIONS AND STAY SECURE

As organizations adapt to today’s business environment and changing dynamics brought on by the global health crisis, they face unprecedented challenges in protecting against cyber threats. Bad actors are exploiting the crisis using both new schemes and tried-and-true tactics. Three areas of increasing concern for cybersecurity are the escalating risks from a remote workforce; an expanding threat landscape in which new (largely cloud and SaaS) resources are being rapidly deployed to meet the demands of unprecedented remote work; and detecting and responding to threats due to altered security operations and environment. Read on to learn more about what security teams are up against and what they can do to adapt.
ESCALATING RISKS FROM THE REMOTE WORKFORCE

The workforce has changed almost overnight. Remote work has become a universal requirement, not just an option. Many organizations have had to scramble to rapidly deploy capabilities for remote work during the crisis to continue business operations.

Endpoints warrant a closer look. Endpoint vulnerabilities have increased as millions of workers are now accessing corporate networks and applications using their own technology (phones, tablets, laptops, etc.), as well as using home internet routers that may or may not be adequately protected. All these points of home connectivity provide new avenues for bad actors to advance their attacks.

Employees are getting barraged with attacks. The bad actors are not just exploiting endpoints and home networks. There has also been a dramatic increase in phishing, spear phishing, credential stuffing and other familiar social engineering tactics to gain unauthorized access. These attacks are more sophisticated, and effective, as the bad actors exploit the crisis with false information, fraudulent websites packed with malware, and targeting of remote employees by spoofing IT or HR help desks and asking for sensitive information. It’s a good time for organizations to revisit anti-phishing tools and training to educate the workforce about threats that exploit the current situation.
EXPANDING THREAT SURFACE—NETWORKS, DEVICES, APPS, CLOUDS AND SAAS

Prior to the current crisis, most organizations had at least some resources in the cloud, while others were quickly expanding their software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) offerings. Now many organizations face increased vulnerabilities as they rapidly deploy new cloud and SaaS-based resources to quickly stand up technologies that enable the workforce to be remote. These new technologies are being deployed both formally and in the shadows, raising even greater concerns about data protection and privacy.

Application discovery should be a priority. Data leaks from unsanctioned or unvetted applications may pose new risks into which the security operations center (SOC) may have limited visibility. Since security and IT teams are likely to see an increase in unsanctioned applications, discovering these applications and getting control of them is vital to limiting the attack surface. Parsing and analyzing logs from firewalls can help identify unauthorized applications. Once security teams have identified these rogue applications, they should connect with the teams using them to either recommend approved alternatives or bring them under control with single sign-on, multi-factor authentication, identity governance and access controls, and acceptable use policies.

Close control over cloud access can head off problems. Once the rush to enable remote work slows, security operations teams should review their cloud usage policies to ensure they are acceptable for the remote workforce. Taking a least-privilege approach to cloud access is always a best practice, but especially now, given the increased risk with so many people working remotely. Security teams may also want to consider eliminating certain cloud rights and entitlements while users are remote, or limiting them within a group.
Mistakes can happen, but there are ways to reduce the risk. Another risk that’s sure to increase is cloud misconfiguration. IT, security, operations and development teams can work together to sketch out a configuration baseline for the most critical cloud assets. Another possibility is to consider a temporary moratorium on launching any new infrastructure or storage-as-a-service capability until teams have a handle on the current environments.
DETECTING AND RESPONDING TO THREATS DUE TO ALTERED OPERATIONS AND ENVIRONMENT

With an increased threat surface in play, security and fraud operations teams may find it even more challenging than usual to rapidly detect and respond to threats.

Virtual operations must be seamless. Security challenges are more complex when security operations teams are not able to seamlessly adapt to operating virtually. While many organizations have remote operations capabilities in addition to traditional security operations centers, having the vast majority of analysts and forensic investigators working remotely is different. Remote operations can potentially inhibit their speed, collaboration and responses.

Automation and orchestration become vital to security operations. Some organizations may be behind the curve on deploying security automation capabilities. While this may not have been perceived as an issue during “normal” operations, it becomes critical in today’s dramatically altered environment, where staff, talent and budgets have been reduced. Automation is critical to working in a lean environment, identifying the threats that matter most to the organization and orchestrating the actions required to remediate. Automation may also speed the remediation steps by connecting to stakeholders outside the SOC, such as IT, that will be required to take action. Automation and orchestration reduce the need to rely on emails or conversations, and allow workflows to proceed seamlessly through the security platform.

AI has a critical part to play, too. Artificial intelligence (AI) technologies can help spot anomalies in a digital landscape that looks almost nothing like it did six months or even a year ago. They may prove key to identifying threats and ensuring that in a remote environment the appropriate flags and actions are in place to thwart an attack.

Fraud detection and takedown services are more important than ever. With literally trillions of dollars worldwide being devoted to helping communities that are hard hit by the economic fallout of the crisis, fraudsters are launching aggressive campaigns to take advantage of relief programs. Financial institutions and healthcare organizations in particular are being bombarded with fraud attempts in the wake of the crisis.
The risk of cyber attack and fraud increases the potential for compromised data and financial losses, not only for organizations but also for individual employees and customers who may fall victim to fraud.

New or unexpected challenges arise in breach response plans. Organizations must reassess their cyber incident and breach response readiness plans to account for the new normal. While many may have a security incident response plan for addressing cyber attacks, many of those plans may not account for a global pandemic and an entire workforce that is working remotely. Standing up a crisis team across the organization may present additional challenges. Responsibilities may have shifted for critical team members during the crisis to address the immediate need to maintain operations, especially if resources are being impacted by downsizing due to economic factors or by the shutdown of certain regions. These factors may mean that executing a cross-functional business, IT and security response will prove to be particularly challenging. But at the same time, alignment among these teams is more important than ever, to ensure that cybersecurity is part of the business continuity and business resiliency plans that many organizations are revisiting.
HOW RSA CAN HELP SECURITY TEAMS MANAGE DISRUPTION

USE CASE: Shadow IT
CONTEXT: With most of the workforce isolated at home, people will likely turn to cloud-based services to improve the quality of collaboration and effectiveness.
CHALLENGES & RISKS: Unknown and unsanctioned applications expand the attack surface and create a number of risks. Furthermore, remote work can lead to islands of identities and access sprawl, which will make identity governance more challenging.
RSA SOLUTIONS:
• RSA NetWitness® Platform
• RSA® Identity Governance and Lifecycle

USE CASE: Remote workforce BYOD usage
CONTEXT: Many people working from home do not have work-issued computers and mobile devices, and are therefore using personal systems for work, too.
CHALLENGES & RISKS: Most of us are “local admins” on our personal devices, giving malware the elevated privileges it needs. Many people are still running older and unsupported versions of Microsoft Windows and Mac OS X with unpatched critical vulnerabilities. Sharing devices opens up users to the risky behaviors of others.
RSA SOLUTIONS:
• RSA NetWitness Platform

USE CASE: Operational disruption
CONTEXT: During a crisis, sec ops teams are under increased pressure to quickly detect and respond to threats, and fraud teams face similar pressure to detect credit card and other types of fraud. Virtual operations may have limited capabilities or require new tools.
CHALLENGES & RISKS: While many organizations have security incident response plans, most don’t account for a global pandemic. Limited or virtual SOC and fraud teams can impact the ability to deliver a cross-functional response.
RSA SOLUTIONS:
• RSA NetWitness Platform
• RSA Archer® Suite
• RSA® Fraud & Risk Intelligence Suite

USE CASE: Phishing attacks
CONTEXT: An increase in online consumer transactions is driving a spike in phishing attacks. At the same time, people are being rapidly exposed to new technologies, applications and processes, which can make them even more vulnerable to those attacks.
CHALLENGES & RISKS: Unfamiliar resources may make people more susceptible to social engineering attacks. Bad actors are using misinformation to draw people to fake websites to commit fraud and spread malware, and they are spoofing IT or HR help desks to steal sensitive information.
RSA SOLUTIONS:
• RSA® FraudAction™ service
• RSA University
• RSA SecurID® Access
• RSA NetWitness Platform

USE CASE: Rapid tech adoption
CONTEXT: Organizations are accelerating their reliance on cloud computing, to support remote workers and meet unexpected business challenges.
CHALLENGES & RISKS: With the rush to turn on new cloud services, risk may increase due to cloud misconfigurations, like unsecured storage containers, excessive permissions, and default security controls and credentials.
RSA SOLUTIONS:
• RSA Archer Suite

USE CASE: Different user behavior
CONTEXT: For many of us, nothing is routine anymore. We are having to adjust work schedules to accommodate home daycare, home schooling and others’ work schedules.
CHALLENGES & RISKS: During this time of transition, it’s likely that users’ behavior has significantly changed, reflected in new and different user login and transaction patterns.
RSA SOLUTIONS:
• RSA NetWitness Platform
• RSA® Adaptive Authentication
• RSA® Adaptive Authentication for eCommerce
BUILDING A STRONG FOUNDATION FOR THE FUTURE

The disruption organizations face during this health crisis is unparalleled in modern times. As organizations adapt to whatever the “next” normal ends up being, security teams will find it imperative to look at the changing threat landscape, assess the security risks and find practical solutions to address their security gaps. Every organization faces security challenges in this crisis. Some may be new and some may just be exacerbated by the scope and scale of the organizational change that must be managed when an entire workforce is forced to work remotely. For many, tried-and-true best practices will be the starting point to gain control of the environment. Organizations are reassessing their basic security tools, policies, practices and resources to ensure a strong foundation to build on going forward.
DIGITAL RISK IS EVERYONE’S BUSINESS, HELPING YOU MANAGE IT IS OURS

RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access control; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to transformational change.
Find out how to thrive in a dynamic, high-risk digital world at rsa.com
©2020 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. 6/20 White Paper, H18335 W370769.