Categories
General Cyber and IT Security

Returning to the Post-COVID-19 New Normal: What to Expect for IT and Cyber Security Professionals Coming Back to the Workplace

COVID-19 is still with us, however many enterprises are reopening their doors and attempting to return to some sense of normal. It’s certainly a new normal: keeping staff safe requires a host of new processes, precautions, and even potentially new technologies and equipment.

From all perspectives, lock downs and work-from-home directives have created a significant disruption to normal enterprise operations. Looking at the situation from the point of view of technology staff, specific operational challenges shift into focus. Work equipment may have left the enterprise environment, home devices may have been used for work purposes, the delineation between work and home spaces has been blurred, or even removed completely.

There’s a lot on the plates of IT and cyber security specialists. Here are some of the most pressing issues to consider as you, your colleagues and the staff you support return to the post-COVID-19 workplace.

COVID-19 Mitigations

At the most basic level, normal workplace procedures are affected by recommendations for safety, as announced by the CDC. The most elementary of these recommendations likely apply to how cyber security professionals must conduct themselves, including:

  • Sick or symptomatic employees should stay home
  • Wear a mask
  • Limit interpersonal contact
  • Maintain appropriate spacing between staff
  • Sanitize surfaces after touching

IT and cyber security staff should be particularly aware of sanitizing devices before and after working with them. Check the CDC list for more recommendations, which vary according to the type of workplace, and follow any guidelines specified by your organization.

Relearn Cyber Security Fundamentals

Basic enterprise cyber security training for staff is often on the “we’ll get to it eventually” list, with indefinite deferral to maintain priority for operational needs. Now is an excellent time to reserve a block of time to review best practices, refresh basic training and boost awareness. Follow your cyber security training protocols and be sure to highlight the basics:

  • Password security training
  • Phishing and social engineering awareness
  • Email security
  • Updating and patching

Reestablishing the importance of awareness can go a long way toward creating resilience against the most elementary threats.

Speaking of Passwords…

Password security is often the first casualty when work and home environments are blurred together. Enterprise equipment and devices may be used by staff family or friends, or home devices could be used on enterprise networks. New employees might have been onboarded outside the usual training and processing framework, including being brought on remotely.

Passwords

A required password reset is the first step toward reasserting control over your security posture. Ensure staff adhere to company password policies when making changes. If your organization hasn’t yet implemented two-factor authentication, now is an ideal time to do so.

  • Have users reset all relevant passwords
  • Implement 2FA

Returning Equipment

Working from home has become the new normal for staff at many enterprises, which requires work equipment and devices migrating from the enterprise environment to homes. Returning work equipment to the enterprise environment creates two important IT security concerns:

Trivial equipment return. Certain items require only basic inventorying: cables, chargers, docking stations, etc. This is a tedious but necessary requirement, to ensure equipment is tracked and available if needed again, and that resources are not wasted. Damaged equipment is inevitable and needs to be replaced. Reemergence of lock down requirements may necessitate a return to large-scale work-from-home deployment: make certain you maintain the basic equipment resources required for that scenario.

USB

Returning devices. Work devices that left the enterprise environment in a secure state do not necessarily return that way. Expect that staff have been negligent in maintaining high security standards and respond accordingly. Many staff will ignore update prompts or postpone them indefinitely. Others might disable security apps as a matter of convenience. Conduct comprehensive updating and patching of all returning devices.

Additionally, staff might install software they commonly use in their home environment, or to replace resources unavailable outside the office. Certain upgraded software licenses may have been added to facilitate work-from-home efficiency, but are no longer necessary (video conferencing, remote sharing and collaboration software in particular). Scan for unregistered software to determine potential vulnerabilities and risks, and cancel unneeded licenses to manage costs.

  • Inventory and maintain adequate supply of trivial equipment
  • Update and patch OS, software, and EDR solutions
  • Scan for unregistered software
  • Inventory software licenses

New Devices in the Enterprise Environment

Returning staff introducing new devices to the enterprise environment is a significant threat to security. These will typically be personal devices – laptops and phones – that staff used for work at home out of necessity because office resources were not available, or because they were more convenient.

Work From Home

Home devices are vulnerable for all the obvious reasons: lack of updating and patching, presence of unauthorized apps, absence of enterprise-grade security solutions, poor password security, etc. Once one of these devices connects, the entire network is at risk of compromise.

USB and NAS devices are an additional threat vector that can slip through the cracks. Staff may have been using these devices regularly, or as a one-shot solution to port data or files from home to the newly reestablished enterprise environment. Enforce your existing device controls to restrict use of unauthorized storage devices.

  • Run scans to check for new, unknown and/or unapproved devices; personal laptops, phones and devices should not be allowed within the enterprise environment
  • Monitor use of USB and NAS and enforce device control protocols

Maintaining a High Readiness Posture

It’s critically important to remember that the post-COVID-19 new normal can, at any point in the future and without warning, revert to a crisis environment. Your staff could get sick and require your office to close, or general rates of infection could increase enough to cause reimplementation of a shut down. The possibility that things could again get worse still exists.

Make certain that the lessons learned, strategies implemented, and changes made are maintained to ensure readiness in the face of additional challenges. Navigating the new normal is tough enough – don’t let your guard down and be forced to start from scratch, relearning adjustments that were made in March and April.

The path forward requires an extra effort of safety and vigilance. If you can maintain focus, the new normal will become the regular normal and you can once again focus on operations, performance and your core business mission.

Categories
Uncategorized

Have You Switched to Microsoft Advanced Security Auditing Yet?

Stop waiting.

Nothing is more critical during a security investigation (incident response, or “IR”) than the quality of the information coming from your log sources. During a recent incident, progress stopped due to insufficient auditing settings. The IR closed with inconclusive findings and a remediation project to standardize and enable Microsoft Advanced Security Auditing. Microsoft released Advanced Security Auditing with Windows Vista and Windows Server 2008. After 12 years, I still see environments that have not configured it. In today’s threat landscape, most businesses are one incident from regretting it.

What is Advanced Security Auditing?

Here is an explanation from Microsoft:

“Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, the definition of security auditing is the features and services that enable an administrator to log and review events for specified security-related activities.

Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.”


Microsoft goes on to explain the difference between audit policies located in “Local Policies\Audit” and in the Advanced Audit Policy Configuration:

The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.

There are a number of additional differences between the security audit policy settings in these two locations.

There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy, but they allow administrators to be more selective in the number and types of events to audit.

Image of a Local Audit Policy

For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.

In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.”

Image of Microsoft’s Advanced Audit Policy Configuration

What does this mean for my organization?

Where possible, SecurIT360 recommends implementing Microsoft Advanced Security Auditing at the domain level. This, in combination, with Event Log Policies force retaining security log information as long as possible on all machines.

SecurIT360 has teamed up with the Center for Internet Security to establish best practice settings. These settings can be the difference between an IR that ends with a conclusion vs. an IR that ends inconclusively.

For more information on how SecurIT360 can assist you with Security Monitoring, Auditing, Managed Detection and Response Services, and Endpoint Detection and response, contact us.


References: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq