National University Podcast Series

CAVO Ep. 40: Cybersecurity Tools: Defense and Offense

April 02, 2021 Dr. Allen, Dr. Smiley and Dr. Jackson Season 2 Episode 40

Cybersecurity dangers for virtual organizations and workers are often overlooked or unaddressed. Listen as Drs. Allen, Smiley, and Jackson discuss some of the critical skills and best practices most often ignored or not addressed by virtual organizations. Learn how ethical hacking and network penetration testing are viable practices for organizations to test remote worker data security.

Welcome to the Center for the Advancement of Virtual Organizations podcast, Cybersecurity Tools: Defense and Offense. I'm Brian Allen. And today we're joined by Doctors Garrett Smiley and Harry Jackson. Welcome. And thank you so much for taking time to join the chat and to communicate with us today. Welcome.

00:21

Thank you, Brian. Thank you. Excellent. Well, let's, um, let's jump in. If you don't mind, I'd love to get just your feedback. And what I'm going to do is open up some questions, and then we will, we'll just take it from there. And what I'll do is I'll start with Garrett on the first question. And then, and then Harry, I'll ask you the same question. So what are some of the cybersecurity dangers for virtual organizations and workers that are often overlooked or most important to consider?

00:53

Well, I don't know, Brian. I don't know that I see a distinct difference between somebody in a virtual space and otherwise, especially nowadays, but I will try and answer the question by saying that some of the biggest dangers are the ones, quite frankly, you hear about in the news: successful phishing attacks, successful ransomware attacks. Those tend to be the most common, quite frankly the easiest to perpetrate, and the most devastating. So you know, a lot of my energy in my full-time role as the chief information security officer for a federal contractor, we're very focused on those particular attack vectors, because they tend to be so effective, right? So and that, you know, the virtual people don't really get a pass on that. So regardless of whether you're a physical instance, a virtual instance, or a cyber instance, whatever you want to call it, those are still the main concerns.

01:58

I can just add from a different perspective. I also support a lot of federal clients in the space. Some of the dangers that I see within virtual organizations are around the employee workforce. Again, obviously, everyone's subject to phishing, which is human hacking. But I'm thinking about just employee cyber hygiene behavior: using their own IT assets instead of those that are provisioned to them by their organization, which may not be sufficiently hardened, or be in compliance with an organization's, for the sake of convenience. I've seen that as a major challenge, I think, for making sure that they're using tools and technologies that have full disk encryption. And then, you know, obviously, people tend to print things out, or they dispose of information that should have been shredded to begin with. So with the COVID pandemic, I don't think some organizations were adequately prepared to go 100% telework.

02:50

Yeah, absolutely. I think that's very true. So, Harry, I'll go to you on this next question. So in light of the growing number of data breaches, do you believe an offensive or defensive approach is the best for organizations, for remote workers? And I guess why? Well, I guess my question for you is, what do you mean by offensive approach? To me, offensive is like hacking, like proactive, defensive operations?

03:15

Well, I'll let you actually define that because I think there are a lot of definitions there.

03:20

Right, because I think if we're talking about offensive operations, or like hacking back, I think you're dealing with legal and ethical issues there. But I think if we talk about the defensive approach, I think what is meant by that question is, can you be more proactive? And I would say that yes, I think with data breaches, organizations should be taking a proactive approach, with awareness delivered to shape the user behavior. So a person is aware of what is risky behavior, what are the security policies of the organization that they should follow, and why, and how to operate in a more secure manner to ensure that the organization is operationally resilient, is operationally resilient? I'm sorry.

04:02

All right, excellent. Garrett?

04:04

I'll try and answer it as directly as I can, but to kind of build off of what was just said. You know, my staff and their focus is always going to be on having the ability to monitor things popping off, as it were. So it's definitely going to be more reactive, simply because you cannot proactively anticipate all attack vectors and when they might be exploited. It's just not possible. But if I and my staff have visibility, with the technical capabilities and solutions that we have at our fingertips for monitoring anomalous behavior, monitoring attempted attacks, then that's about as good as it gets.

04:54

And, you know, I can say that right now, I feel pretty good about the visibility we have with some of the tools that we have. You know, we've got SIEM-based technology that functions off of log ingest. We've got network traffic analysis capabilities, which actually tell you what's going on at the network packet level, and a variety of other types of traditional security controls, such as endpoint detection and response, and so on, so forth. But the point is, you have to be able to see the thing that's being exploited. And you have to be able to, in an agile way, respond to that. And if you have the ability to do that for your technical estate, it doesn't get much better than that. So that, to me, is kind of the brass ring that you want to be able to grab hold of.

05:47

So let me follow up on that, if you don't mind. So one of the issues is that many of the actions, many of the transactions that take place in an environment are defensive. In other words, they're after the fact. And I guess when I look at an offensive, I'm looking at the things that predate those instances. Are there particular cues, or particular policies that need to be set in place to affect user behavior in a way that isn't currently being approached and handled? And I'll open that up for either of you.

06:28

I think some things that might be overlooked, that some organizations don't do, and I can mention this with a number of clients I have supported in practice: not having Acceptable Use agreements for accessing IT resources and assets, that they should be aware of; having things such as warning banners for when a user does log in, showing what's acceptable behavior, or showing that the person is being monitored. There's that one adage, you get what you measure. So they should have some sort of measurement, should look into having some sort of assessment measuring their security program, too, and how they are influencing behavior for their users. For example, maybe phishing exercises, and showing metrics over time as to how the responses to phishing attacks improved, or decreased susceptibility to phishing attacks, for example.

07:29

Garrett, did you want to add anything to that?

07:31

Um, well, I guess just to kind of build on everything that's been said. Yeah, you know, he's absolutely right. You've got to baseline normative behavior before you can know if you're deviating from it. So you know, there's a variety of ways to do that. But that's an absolute requirement. And also, too, you know, as far as being prepared and doing things proactively, you have to, as you know, select, establish, roll out, implement and enforce monitoring from a technical perspective, in order to be able to detect if somebody is trying to gain a foothold into your environment through ransomware.

Or to detect if somebody is trying to send you a phish, so they can, you know, do all sorts of nefarious things. If you don't have those capabilities, there is no human corollary that's going to make up for the technical capability, to be sure. So while it is important to have, you know, on paper, so to speak, policies and acceptable use and all that stuff, and you should, without technical enforcement, you know, it just kind of lacks teeth. And without the ability to be continuously monitoring, you're going to miss stuff.

08:54

So yeah, absolutely. So I guess a follow-up to that question is, what do you believe are some of the critical skills or best practices that are often ignored, or not addressed, in these organizations and with employees? Harry? Well, within organizations, I would say the assessors of those security controls. I think there's a critical skills gap. If you have an organization that might leverage the services of a managed security service provider that's implementing controls, I think there's also a gap in qualified security control assessors that can actually competently assess the adequacy of those controls. I think that's a huge gap.

And then with virtual workers, you're talking about that human element. As Garrett was saying before, it's impossible to know what attack vector is going to be used, what new campaign a malicious actor will use, or what crisis they'll use to craft a phishing or spear phishing or even a whaling email attack. Particularly whaling, for those that aren't familiar: whaling attackers are going after a high-profile target, like an executive within the organization, a person who is used to outside engagement, where they have a lot of publicly available information about them that would allow for a tailored, targeted phishing attack. Or just being able to recognize and talk about the skills for the user, as part of how to recognize a phishing attack, because some of them are quite, quite good.

10:25

Yeah, absolutely. Some are very, very, very sophisticated. Garrett, did you want to add to that? Well,

10:32

yeah, I think in regards to critical skills, for me, since you didn't really specify what department or who, I'll just go back to ones that I think everybody can benefit from, which is problem-solving skills, critical thinking skills, situational assessment skills. Those are things that everybody could benefit from. Technically focused employees definitely can benefit from them, because you never know what you're going to see. You never know how it's going to come to you. You know, I always like to joke about certain vendors' products never doing the same thing twice. I won't name names, but you know, so being able to kind of contextualize the situation and say, okay, what do I believe is going on here? And how can I work out my theory and try to fix what I believe to be the ongoing problem? That's very helpful across the board. But I will also say that, you know, an organization and all departments must have their processes defined. Because if you don't know what you're supposed to be doing, how do you know you're doing what you're supposed to be doing? And you can't improve on that if you haven't baselined it. So, you know, I've used the baseline term more than once, and clearly I feel that's pretty important, organizationally speaking.

11:57

Are you trying to imply that you can't improve performance without a measure and a measuring stick? Is that what you're saying? That's kind of what I'm getting. Yeah, you know, I'm the cynical CISO, who says it's kind of hard for me to protect the assets when you aren't doing asset management, kind of hard for us to expect that things are hardened when you're not doing configuration management, and so on and so forth. So

12:23

yes, yeah, absolutely. Okay. What's that now? I was just saying it just makes it a little challenging.

12:32

Just a little challenging? Well, you know, you want to have a balancing target, right? You don't want to be, consistency is the hobgoblin of small minds, right? So ethical hacking and network penetration testing are practices for organizations. What are some of the best tools and practices to test remote worker data security? And I would say, data security and data security practices.

12:57

Wow, I guess best tools and best practices for users would be some sort of sandbox, like, everything's moving from VMs to containers as far as virtual environments. Make sure that your users, if they're not using a hardened device, are at least operating in a hardened virtual environment. That would be my recommendation.

13:20

So how does, I guess, how does a remote worker know that they are in that condition? What would they do to encourage that behavior? Well, most organizations, they'll just give them a hardened device, and in order to use that asset they'll have to VPN into the organization to access organizational IT assets and resources. So they inherit those controls provided by that organization's architecture. Otherwise, I wouldn't be on, can I say that again? No, go ahead. Well, I was just gonna ask if there is a, there's a movement, we'll call it a backlash, against like dual authentication and those kinds of things.

And I think users in particular get frustrated because, you know, they have to use their phone or a watch or whatever as a secondary, as a dual authentication. And I guess from a hardened device, I get a hardened device, but then I try to find ways to circumnavigate that. So I see it as kind of a double-edged sword, right? People want the convenience of being able to get in quickly, but they also need the data security. So it's kind of a catch-22. I would agree. Garrett, did you want to add anything to that? Yeah,

14:35

I agree that it's a catch-22. And I've found, you know, practically speaking in the real world, that end users are always going to want immediate satisfaction and convenience. And there's no reason that you can't include that as a target. However, that's not the end goal, and that's not the only goal. So you know, you have to do a bit of evangelization, I think, with a lot of security tools when they're being rolled out, you know. And ideally, optimally, you do want them to be as, you know, non-intrusive as possible, as seamless as possible, as transparent as possible, as easy to use as possible. And that is the goal, right? And I would say that manufacturers out there of those security solutions do understand that, and the ones that are successful heed that call, and they make sure to make it more user friendly.

15:36

However, you know, it's still going to be a balancing act. You're still going to have to educate people in what's appropriate and what isn't. And, you know, it's that behavioral challenge that is a continuous moving target. You know, I use a basic example of the phishing campaigns: I can spend a trillion dollars doing a million different phishing campaigns. But if people don't slow the heck down and stop clicking out of "I'm in a rush, I'm in a rush, I'm in a hurry," you can spend as much money as you want, it's not going to help. So you know, addressing the underlying human behavior in trying to get a more appropriate enterprise security posture, including the person in what they do, it's challenging, but it's a part of it that cannot be removed. Yeah, absolutely.

16:29

Harry, did you want to add anything to that? No, I would just agree with everything Garrett just said. You know, as far as one thing that question asked about, like, what pentesting would benefit organizations, maybe a realistic pen test duration. You know, good pen tests should last about two weeks, but organizations that are resource constrained only do it for a few days, or maybe a week at most.

16:54

Yeah, yeah. In my experience, they're typically very short lived. They're very output based, right? Give me the report, tell me I'm good for the moment. And then procedures and policies go back into place and things don't work the way they should, right? And so it's like, forgive and forget, right. All right. Last question. Many remote workers are gig workers, subcontractors or temporary employees. What, if any, consideration should be taken for cybersecurity for these individuals?

And we'll start with Harry? Well, I think the first thing would be to make sure that you have non-disclosure agreements in place. If there are contractors, or any third party, make sure you clearly have an SLA, a service level agreement, in place, as well as any type of memorandum of understanding of what requirements they're going to have to meet in order to access your organization's resources. What comes to mind was the Target breach with one of the third-party vendors, an HVAC supplier that had a weak security posture that was compromised, and that was leveraged as the vector into that organization's network, and they were able to laterally move into the point-of-sale systems.

18:09

Yeah, absolutely. Garrett? Yeah, those are all good things. I mean, obviously, the devil's in the details, right? So if you're talking about gig workers who are using their own equipment, that's kind of a different calculus than if you're providing them the equipment to use. But I think in either case, you know, like we've already stated, you have to make it very clear what the acceptable rules of use are, and what the parameters are under which they're going to be allowed to access resources and data, and do what they need to do as those gig workers and third-party contractors and whoever it may be.

So I think the truth of the matter is, most organizations have to kind of think through that, walk through that, and decide what they're willing to put up with, so to speak, from a risk perspective, and then just hold to it. And I know that I've been through several conversations on this particular topic recently, where I said, you know, where possible, we really don't want to give up anything, unless it's, you know, a control or something that's dependent upon us giving them a hardened laptop that we, you know, kind of own and govern. So, it just depends, but yeah, you've got to walk through it. Definitely.

19:36

Well, I said that was the last question, but I guess I'll add one more here. In an environment where we are dealing with a lot of bring-your-own-device-to-work options for employers, how do you feel that plays, especially when you talk about remote workers and virtual work? And I'll open that up to either one of you.

19:55

Oh, I'll run with that one real quick. I can say that, you know, the typical approach, when I know that I'm McCoy here, and my place of business, is, you know, using MDM, MAM solutions for mobile device management, where it's a bring your own device. And that tends to be the best way to say, you know, hey, look, if you want access to, for example, my Office 365 environment, you've got to enroll your own device into Intune. You know, that's like Microsoft's one.

And, you know, I may require you to do MAM, which is not quite as tough, so to speak, or I may require you to do MDM. But either way, whatever I require you to do, those are the terms of use, right? You go, I'm not interested in that. Well, then maybe I need to go and find you a free cheapie phone that I can give you, that you can jump on there with a cheap phone, or, you know, if it's a laptop, we give you a loaner, whatever. So that's how I think most organizations do it. There still has to be some governance, you know. Just because it's your device doesn't mean you can access my stuff any way you feel like.

21:06

Harry, did you want to add anything to that?

21:08

Well, when it comes to bring your own device, I think it sounds great from an organization's view, you get to save, it seems, it sounds good, because you're saving money on investment in your infrastructure or your enterprise. But being on the incident response side, I think it's kind of an incident response nightmare when you have an incident or malware and you try to find the root cause, or you're trying to do lessons learned or malware analysis. And it can be problematic to try to even pick up a device that you don't own or necessarily control. And you can have legal problems with that. So I'm more of a fan of just giving the user a device that you can manage.

21:48

Yeah, I tend to lean towards that, in my previous CIO role. So I want to thank you, Garrett and Harry, for your time today. Thank you so much for joining us in support of the Center for the Advancement of Virtual Organizations. We truly appreciate your insights and we know our listeners will benefit from your experience. Thank you very much.

22:08

Thank you.