During the very early days of the COVID-19 pandemic, I took every opportunity I could to get cybersecurity thoughts out for the newly minted, global WFH workforce. Not just my teams, but any/every team across the world. This is one of those opportunities, where I got together with colleagues to get some raw ideas out to the world, as we all navigated the new WFH world.
Colleague virtual roundtable, discussing how to stay safe online from home
Stay home, stay safe, and keep your organizations secure with our #RemoteWork webcast series. Join Rapid7’s Eric Reiners, Shawn Valle, and Katie Ledoux tomorrow as they answer the question: How can you ensure that security remains a top priority, while maintaining business continuity?
I was thinking end of last week, “what I would tell my friends and family about being safe online while being forced to work from home”. I started writing a few ideas (nothing Earth shattering), and then released those thoughts this morning in a blog post. If you find it useful at all, please share with those who may get value out of it. #cybersecurity #rapid7 #onlinesafety
We have rapidly entered a new era of living with a global pandemic. As a result, many are working from home – at kitchen tables, sitting on the sofa, or typing at a desk next to the bed. With very little notice, our work and personal lives have changed, and we don’t know how long this will last. Without any talk of FUD (fear, uncertainty, doubt), it got me thinking about how we can stay safe online in this new world.
BE ON HIGH ALERT FOR ONLINE SCAMS
In times of uncertainty, we should anticipate bad actors looking for an opportunity to capitalize. This could be through phishing emails, financial scams, or other tactics that prey on human nature. Fortunately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is monitoring and notifying the general public on cybersecurity scams related to COVID-19 and has provided the following guidance:
While at home, it may be a good time for you to review your company’s security awareness communication regarding remote working and stay up to date with any new guidance as company plans and protections are likely to evolve over the coming days and weeks. Although it may be tempting or seem appropriate to “fast track” or “bypass” some of the processes or controls laid out, I advise against it. Internal controls and processes are in place for a reason and must be followed to avoid scams and in some cases, ensure compliance with external regulations.
MAKE SURE YOUR CORPORATE PASSWORDS ARE NOT ABOUT TO EXPIRE
Everyone’s experienced some challenges when it comes to changing passwords and it can get even more difficult and complex to change your password when you are NOT in the office. Check to see if your password is expiring in the near future and make sure you know how to change it. Also consider checking with your IT team beforehand to ensure all systems for remote password changes are in order. The risk here is that your password expires while you are out of office. Once you’re locked out from the corporate network, it can be difficult to get yourself back online while remote.
CHECK YOUR WIFI CONNECTION
As many of our work laptops or mobile devices auto-connect to WiFi networks, check to ensure that you are connected to your home network (or intended hotspot). You might be surprised that you are connected to a public hotspot offered by a broadband provider, or a nearby neighbor’s WiFi network. To ensure you have the utmost privacy, just check your WiFi settings and ensure you are on the network you intend to be on.
CHECK YOUR VPN CONNECTIONS
Everyone does remote work a little differently, but most of us have some kind of VPN solution that gets us to critical internal systems we need to do our jobs. Please resist the urge to rig up your own RDP, VNC, or ssh tunnel (okay, maybe that last one, but only if you *really* know what you’re doing). Those solutions tend to mean poking holes in your firewall, exposing stuff you don’t mean to, and you probably haven’t instrumented your endpoints with logging, brute force resistance, or otherwise hardened them for the wild and wooly internet. Even if it’s “just temporarily” open, there’s nothing quite so permanent as a temporary fix. I promise, your IT department is there for you, and probably has a few extra licenses for a professionally managed VPN solution. And, if you haven’t exercised your VPN in a while, now is a great time to test it out. Better to find out that your VPN is busted now rather than later when the support requests really start to pile up.
If you have any questions about any of the above, I strongly recommend you reach out to your IT or security teams, who will be seeking ways of making remote working more practical for the organization during this difficult time. By being aware of the factors above and vigilant for malicious activity, you should be able to embrace remote working with confidence, hopefully reducing one area of stress relating to the COVID-19 pandemic.
Shawn is a participating member of the Cyber Resilience Think Tank. The Cyber Resilience Think Tank is an independent group of industry influencers dedicated to understanding the cyber resilience challenges facing organizations across the globe, and together, providing guidance on possible solutions.
Excerpts from eBook: “Transforming the SOC: Building Tomorrow’s Security Operations, Today”
Introduction
“The Cyber Resilience Think Tank gathered at RSA Conference to explore building out security operations center strategies. Read the report to get more insight on the four main trends they uncovered.”
Cyber Resilience Think Tank Report, Feb 2020
“When you think of a security operations center (SOC), what comes to mind? Is it an organized team of security analysts and engineers who detect, analyze, and respond to incidents, always working in lockstep with business managers to execute on the security strategy? Or, is it a few analysts who spend their days reactively responding to unprioritized security issues with a variety of point tools at their fingertips?”
The human element
“The skills gap in cybersecurity is well documented; a 2019 study by (ISC)2 showed the cybersecurity workforce gap in the U.S. is approximately 500,000, and by estimating workforce gaps in 11 major economies around the world, it is believed that we have a cybersecurity talent shortage of just over 4 million.”
The idea of mapping cybersecurity threat trends is certainly not new, but it can be difficult to achieve when the number of incidents is too high for humans to manage. According to Shawn Valle, Chief Security Officer at Rapid7, the number of times he’s heard that an external SOC is three or four hours late to report an incident is unacceptable.
“We all know that if it’s ransomware or some other malicious code,” Valle said. “It’d take milliseconds to spread across your entire network. Usually I hear that lack of manpower is the culprit, but it’s akin to having a home alarm system that goes off after the police file their report and leave your house.”
The argument for zero, partial, or a fully outsourced SOC staff may never be resolved, but experts agree that when SOC analysts and engineers are tuned into your organization’s cybersecurity strategy, business processes and overall business, the relationship is no longer transactional. Instead, the relationship and the outcomes of the SOC are directly tied to the security needs of the business.
Here’s something you don’t often hear of someone in the role of CSO/CISO doing: coordinating a concert for the entire company, made up solely of employee musicians, from locations across the globe, and performing for their peers in full rock star fashion at the company’s annual kick-off. But, that is exactly what happened earlier this month.
The idea to take my background in music performance (dates back well before my tech and infosec days), and find a unique way to bring people together from all across the company (infosec, engineering, sales, marketing, IT, customer success, UX, and consulting), and then bring the whole company together to be part of a grand performance...well, the post from Jennifer Gregorio below is an example of how we demonstrate our core values (Impact Together, Bring You, Challenge Convention) at Rapid7. #rapid7 #ciso #cso #infosec #rockstars
23 years ago, this week, someone took a chance on me, offering me my first professional job on a help desk, supporting UNIX and mainframe systems, and tracking my work on a Windows 3.1 desktop with Lotus Notes. At that time, I couldn’t spell UNIX, nor had any clue what a Lotus Note was. But, someone took a chance on me, and I’m forever grateful.
Fast forward to 2006, I had worked in IT, software and web development, and some experience in professional services…not much in the InfoSec space. Someone took a chance on me again, hiring me to kick-start professional services of a start-up InfoSec product company. I remember starting the job thinking, “What is compliance?”
I’m thankful to those who took chances on me, and always looking for a chance to pay it forward. #infosec #cso #leadership
At the end of 2019, I met in Boston with global IT and Security leaders to reflect on the year and develop strategic guidance for 2020. Here’s a look into the discussion and where we landed. #CRThinkTank #cybersecurity #infosec
Shawn is a participating member of the Cyber Resilience Think Tank. The Cyber Resilience Think Tank is an independent group of industry influencers dedicated to understanding the cyber resilience challenges facing organizations across the globe, and together, providing guidance on possible solutions.
Cyber Resilience Think Tank eBook, Nov 2019
They define cyber resilience as: “an organization’s capacity to adapt and respond to adverse cyber events—whether the events are internal or external, malicious or unintentional in ways that maintain the confidentiality, integrity and availability of whatever data and service are important to the organization.”
Excerpt from eBook: “Cyber Resilience Think Tank (Sponsored by MimeCast), Commencing A New Decade: 2020 Predictions”
SaaS is Eating the Enterprise
Security leaders discussed the tremendous shift that’s taken place when it comes to SaaS and InfoSec. In fact, Shawn Valle, Chief Security Officer at Rapid7, recently marveled at how quickly SaaS took over the enterprise.
“SaaS is eating on-prem enterprise data centers,” Valle said. “Just five years ago I was at an ecommerce company, and the feeling was ‘if it’s SaaS it’s not for us,’ when it came to InfoSec mentality and software.”
Now, Valle noted that security leaders have changed their tune: firewall purchases are becoming less critical, and more and more companies are dabbling in AWS, Azure, and Google Cloud to keep their organizations secure.
In January 2019, I had the honor of joining industry colleagues in an open webcast discussion on Cybersecurity predictions for 2019. Vito Sardanopoli, Gary Hayslip, CISSP, Scott King
With the ever-changing threat environment and increasing prevalence of data breaches, today’s CISOs face a daunting task of securing their organization from a variety of threats. But, with so many priorities and a finite budget, it can sometimes feel like an impossible task to decide where to focus. So, what does 2019 have in store for cybersecurity and what are CISOs’ top priorities?
Join Rapid7 and our panel of expert CISOs for our 2019 predictions. Some of the topics our panel will cover include:
1. What are the top cybersecurity predictions for 2019?
2. How will CISOs’ priorities change in 2019? What will become new areas of focus and what will decrease in priority?
3. How will CISOs’ investments change in 2019? What areas of cybersecurity do they see receiving more funding?
4. Actionable insights for how to improve your organization’s cybersecurity strategy in 2019
This month marks the completion of my twenty-second professional year in the technology industry. From days of system/network/IT work, in the worlds of AS400, UNIX, Novell, Windows NT, and Domino; moving into software development in Notes, Java, web; and into the human facing roles of technical professional services / consulting / training. All that before I dove head first into Information Security 12 years ago & never looked back.
Now, entering year 23, I look back on a career that was never a predetermined path. A kid with little direction, poor grades, initially flunked out of college, introverted & self-conscious; really only good at delivering newspapers, playing the drums, and finding ways to edit/break software on Atari floppy disks. I am fortunate for where my career has taken me, & thankful to the people I’ve met along the way; many who have helped guide me in a path of positivity & prosperity, where several alternative paths would have been easier to take.
I have ideas where the future will take me, but I’ll have to continue on this ride to see where it goes from here.
Thanks to family, friends & colleagues along the way, who have either joined me on this ride, hopped on for a stop or two, or just pointed in a direction that looked interesting enough to explore.
Happy New Year! Whether you’re feeling rattled or relieved to leave 2018 in the rearview mirror, now is your moment to take one deep (and deserved!) breath before launching into 2019. Though the flip of your desk calendar might not exactly result in a discernible change in your day-to-day, the fact is that each new year brings with it shifting opportunities, challenges, trends, and areas of focus.
Fortunately, we at Rapid7 have adhered to one of our favorite seasonal traditions and rounded up some of the best minds in the security industry to predict what they expect to see in 2019. Rapid7’s CEO, Corey Thomas, predicts that people next year will become more aware of mobile spying and compromise, while other predictions revolve around policy changes, breach fatigue, automation, and the need for better security defenses, among other topics.
Shawn Valle, Chief Security Officer, Rapid7
Three things come to mind when I envision 2019. First, more breaches are on the top of my list. We have a long ways to go before we reduce this statistic.
Second, I believe operational security teams will look to leverage automation wherever they can apply it to help monitor, notify, and respond to threats. Automation has existed in multiple forms for many years, but in recent years, many security-focused solutions have launched in the automation space. Automation can be brought into existing security engineering and security operations teams to reduce considerable minutia and administrivia in initial investigations and responses. As this newer capability starts to get better known, I predict more teams will start to dip their toes in the automation waters.
My third prediction is around the cloud security community working with their primary customers and stakeholders to be more transparent and work toward building and continually growing trust. We in cybersecurity (or infosec, as I still often say) are more and more protecting employee and customer data/assets in publicly facing environments (you have all heard of this internet thing, right?) As this data is more easily exposed than ever before and industry regulations are financially/legally requiring us to rapidly acknowledge data losses, the best approach is to transparently communicate with both internal and external stakeholders about what steps we take to protect their sensitive data and how we plan to work with our stakeholders in the event that data is exposed or lost. Providing stakeholders some visibility into how data is protected will lead to more conversations, which is a key piece to building trust. Let’s talk outside our teams a bit more.
The news regarding the NSA and its British counterpart discussed how the Angry Birds app was targeted as a means to collect personal information about app users. Presumably the agencies were collecting data that the app was already accessing as part of its normal operations. What data is being accessed and should it concern us?
We performed a behavioral analysis on Angry Birds for Android with our mobile application reputation service. Here’s what we found.
Our first analysis was to determine whether Angry Birds contained known malicious code, or malicious behaviors. Fortunately, it’s clean in both cases.
Next we analyzed Angry Birds’ behavioral characteristics against several pre-built application security policies. Policies can be created to look for specific code capabilities, Android permissions, location tracking, etc. Based on the items mentioned in the news stories, we focused on the personal information privacy policy (which btw is also a good idea for healthcare companies – see Caitlin’s post “Food for Thought: Mobile Application Security & HIPAA”).
Angry Birds received seven violations in the code capabilities section of the privacy policy.
| CATEGORY | CODE ITEM | DESCRIPTION |
| --- | --- | --- |
| Sensitive Information | Access Unique Device Identification Information | Information like phone number, IMEI, etc. |
| Sensitive Information | Retrieve SIM Card Information | Contains code that may reveal the serial number of your SIM card as well as information about the provider network with which it is attached. |
| Sensitive Information | Retrieve Information About Device Type | Contains code capable of finding the device brand, model and/or version of the operating system. |
| Sensitive Information | Monitor Device Location | Code is present that may track the location of the device based on cellular network and/or GPS. It is also aware of when the location changes. |
| Sensitive Information | Retrieve Carrier Information | Contains code that may identify and retrieve information about your mobile service provider. |
| System Access | Monitor Device Statistics | Code is present that allows for the tracking of device information such as battery status, signal strengths, network traffic and CPU performance. |
| System Access | Listen for Key Presses | Contains code to listen for key and touch events and take action via callbacks. While this is a normal API-enabled ability, it may be combined with other nefarious methods. |
In regards to geo-location, Angry Birds received one code capability violation and one permission violation.
| CATEGORY | CODE ITEM | DESCRIPTION |
| --- | --- | --- |
| Sensitive Information | Monitor Device Location | Code is present that may track the location of the device based on cellular network and/or GPS. It is also aware of when the location changes. |
| Permission | android.permission.ACCESS_COARSE_LOCATION | |
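The policy-style review described above, as an added example that is not the reputation service’s code and not taken from the app: it parses a constructed AndroidManifest.xml for declared permissions, scans a constructed list of Dalvik method references (the kind a dex string dump yields) against code-capability rules, and reports each hit in the CATEGORY / CODE ITEM layout of the tables above, keeping the matching references as evidence. The rule tables, the manifest and the API references are all assumptions made for this example.

```python
"""Policy-based review of an Android app's declared permissions and the
APIs its code references, in the spirit of the privacy-policy check
described above. Added example, not the reputation service's code: the
policy rules, the sample manifest and the API-reference list are all
constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission rules (assumed for this example): permission -> what it exposes.
PERMISSION_RULES = {
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location from cell towers or Wi-Fi",
    "android.permission.ACCESS_FINE_LOCATION": "precise location from GPS",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, SIM and carrier details",
    "android.permission.READ_CONTACTS": "the user's address book",
}

# Code-capability rules (assumed): (category, code item, Dalvik method-reference
# substrings that signal the capability). A reference looks like the strings a
# dex dump yields, e.g. "Landroid/telephony/TelephonyManager;->getDeviceId()...".
CODE_CAPABILITY_RULES = [
    ("Sensitive Information", "Access Unique Device Identification Information",
     ("TelephonyManager;->getDeviceId",)),
    ("Sensitive Information", "Retrieve SIM Card Information",
     ("TelephonyManager;->getSimSerialNumber", "TelephonyManager;->getSimOperator")),
    ("Sensitive Information", "Monitor Device Location",
     ("LocationManager;->requestLocationUpdates", "LocationManager;->getLastKnownLocation")),
    ("System Access", "Monitor Device Statistics",
     ("BatteryManager;->", "ActivityManager;->getMemoryInfo")),
    ("System Access", "Listen for Key Presses",
     ("View;->setOnTouchListener", "View;->setOnKeyListener")),
]

# Constructed AndroidManifest.xml standing in for a game's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructedgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Constructed Game"/>
</manifest>
"""

# Constructed method references, as if extracted from the app's dex file.
SAMPLE_API_REFS = [
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;",
    "Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String;JFLandroid/location/LocationListener;)V",
    "Landroid/view/View;->setOnTouchListener(Landroid/view/View$OnTouchListener;)V",
    "Ljava/lang/String;->length()I",
]


def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [e.get(name_attr) for e in root.findall("uses-permission") if e.get(name_attr)]


def permission_violations(manifest_xml, rules=PERMISSION_RULES):
    """One violation per declared permission that the policy flags."""
    return [{"category": "Permission", "item": perm, "exposes": rules[perm]}
            for perm in declared_permissions(manifest_xml) if perm in rules]


def code_capability_violations(api_refs, rules=CODE_CAPABILITY_RULES):
    """One violation per rule whose patterns match at least one reference;
    the matching references are kept as evidence for the reviewer."""
    hits = []
    for category, code_item, patterns in rules:
        evidence = sorted({r for r in api_refs if any(p in r for p in patterns)})
        if evidence:
            hits.append({"category": category, "item": code_item, "evidence": evidence})
    return hits


def evaluate(manifest_xml, api_refs):
    """Run both checks and return the combined findings."""
    return {
        "permissions": permission_violations(manifest_xml),
        "code_capabilities": code_capability_violations(api_refs),
    }


def render(report):
    """Plain-text report in the CATEGORY / CODE ITEM layout used above."""
    lines = []
    for v in report["code_capabilities"]:
        lines.append("%s | %s | evidence: %s" % (v["category"], v["item"], "; ".join(v["evidence"])))
    for v in report["permissions"]:
        lines.append("%s | %s | exposes %s" % (v["category"], v["item"], v["exposes"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(evaluate(SAMPLE_MANIFEST, SAMPLE_API_REFS)))
```

Running the block reports four code-capability findings and two permission findings for the constructed sample; the "Monitor Device Statistics" rule stays silent because nothing in the reference list matches it, which is the behaviour a reviewer wants (a rule fires only on evidence, and the evidence travels with the finding).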
Angry Birds is currently the 18th most popular game for Android in the Google Play Store. All 100 top free games in the Google Play Store have code capabilities violations for privacy/personal information policy, many with a similar granularity of violations. Compared to other top 100 free games, Angry Birds is categorized as one of the least risky for malware and privacy.
The larger problem ties back to comments made by Chris Eng, Vice President of Veracode Research. Chris said that it’s more complicated than complaining to an app developer to stop requesting certain pieces of information from its users’ smartphones. “If I don’t want an app to know my location, the developer could say, ‘I’m planning these new features that rely on location information,’” he told ABC News. “That’s where you run into these sorts of issues with apps that leak these sorts of info.” Many apps “are communicating to servers without any encryption,” said Eng. “Apps that don’t encrypt everything in transit are open to eavesdropping.”