It is no secret that today’s society relies heavily on their mobile devices. From tracking your calorie count and fitness progress to paying for your groceries with a swipe of your finger, our mobile devices have essentially become an extension of ourselves. In many ways, these devices bring a new age of simplicity to a complex world, but this simplicity can come at a high price. This blog will shed light on mobile cyber attacks, and ways to overcome them.
The movement towards a more mobile workforce has forced organizations to adapt their business practices to extend far beyond the safety and security of their networked environments. The evolution from company-issued Blackberrys to BYOD (Bring Your Own Device) has created an expansive attack surface for an organization’s security team to manage and protect.
Since an organization’s attack surface has grown to include networked space that is not under their control, how can they keep their users safe when on the go? As with everything that makes up the security space, there is no “one-size-fits-all” solution. However, one of the most important actions an organization can take to combat this security risk is to create informed users.
Informed users are an organization’s first line of defense. The more informed their user-base is, the less likely they will become a victim of a mobile attack. Many organizations may already have or are working to create policies and procedures around BYOD to convey the rules and best practices to keep not only their users safe, but to keep the company data and integrity protected. Just like any policy or procedure implemented within an organization, these mobile device policies should be regularly reviewed and updated as new threats or features are introduced. Let’s take a look at some of the threats our users face, and ways to help them reduce their risk when they’re on the go.
It seems no matter who you are, CEO or a regular everyday user, you run the risk of falling victim to a phishing attack. In a phishing attack, attackers present themselves as a legitimate person or firm to try and trick unsuspecting users into handing over valuable data about themselves or their organization. Most times these unsolicited attempts will be presented over email, but this trend is now spreading to mobile and social media. It is human nature to want to trust in others, especially if the source seems like a legitimate request or offer, but how do we overcome this urge to trust?
- First things first: If the source is not trusted or it seems suspicious, DO NOT CLICK! This practice may seem simple, but people fall victim to this scheme more times than you would expect. So, when in doubt, exit out.
- If you suspect that the email may be legitimate, but because of your training you are still suspicious, perform some investigative work. Most phones will allow you to preview which site the link will direct you to by holding your finger over the link (without clicking it). Look for small spelling errors that may normally be overlooked. If you have never used this feature before, test it out by emailing a trusted link to yourself and practice using it before attempting it on a potentially malicious email.
- Research the sender’s email domain against their legitimate site. If there are any one-offs, do not trust it.
- Legitimate companies will never ask you to provide your username, PIN, or password, nor will they ask you to pay them via a prepaid credit card. If you receive an email asking you to verify these items or any other personal information, do not respond. Contact the institution in question to provide them with the details of the email received. By doing this, you can alert them to this scheme and they can provide their users with a warning against this attempt.
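The domain check described above (compare the sender’s domain and any previewed link against the legitimate site, and watch for small spelling differences) can be turned into a helper that a security team hands to users or wires into a mail filter. The following is an added example, not code from the original post or from DFLabs; the trusted domain list, the homoglyph table and the sample addresses are constructed for illustration, and the “last two labels” rule for the registrable domain is a simplification of a real public-suffix lookup.

```python
"""Flag sender domains and link hosts that merely look like a trusted domain.

Added example (not from the original post). Three heuristics mirror the manual
checks a trained user performs: character look-alikes (examp1e.com), the real
name buried in a longer host (example.com.login-verify.net), and one or two
character typos (exampel.com).
"""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: the domains this organization considers legitimate.
TRUSTED_DOMAINS = ("example.com", "example-bank.com")

# Constructed table of common look-alike substitutions; multi-character
# sequences are folded first so "rn" becomes "m" before "1" becomes "l".
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))


def normalize_host(raw):
    """Lowercase, decode punycode if present, and strip accents (ä -> a)."""
    host = raw.strip().strip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as is
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def registrable(host):
    """Simplified registrable domain: the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


def fold_homoglyphs(text):
    for fake, real in HOMOGLYPHS:
        text = text.replace(fake, real)
    return text


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a host or domain."""
    raw = domain.strip().strip(".").lower()
    if not raw:
        return "unknown"
    host = normalize_host(raw)
    reg = registrable(host)
    if reg in trusted:
        # If accent stripping or punycode decoding changed the name, it only
        # looked like the trusted domain (an IDN homograph).
        return "trusted" if host == raw else "lookalike"
    folded = fold_homoglyphs(reg)
    for t in trusted:
        if folded == t:
            return "lookalike"          # differs only by look-alike characters
        if f".{t}." in f".{host}.":
            return "lookalike"          # trusted name embedded as a subdomain
        if levenshtein(reg, t) <= 2:
            return "lookalike"          # a typo or two away from the real name
    return "unknown"


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Classify the domain of an email address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    _, sep, domain = addr.rpartition("@")
    return classify_domain(domain, trusted) if sep else "unknown"


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify the host of a previewed link."""
    return classify_domain(urlsplit(url).hostname or "", trusted)


if __name__ == "__main__":
    # Constructed sample senders and links, as a user might see them on a phone.
    for sample in ("IT Helpdesk <it@example.com>", "support@examp1e.com",
                   "alerts@exarnple.com", "admin@exampel.com",
                   "help@exämple.com", "news@unrelated.org"):
        print(f"{sample:40} -> {classify_sender(sample)}")
    print(classify_link("https://example.com.login-verify.net/secure"))
```

The classifier deliberately errs toward “lookalike”: in an awareness programme a false alarm costs one phone call to the institution, while a missed homograph costs credentials. Swap the constructed trusted list and thresholds for your own before using it in a filter.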
Unsecured Wireless “Hotspots”
Our need to be constantly connected can pose an unintended risk to our mobile safety. Many establishments try to fulfill this need by providing free WiFi access to their patrons. Everywhere from your local coffee shop to Disney World, WiFi access has become a common and necessary service for companies to provide to its customers. However, this service may provide you with more than a free way of staying connected.
- Never connect to an unsecured WiFi network. An unsecured WiFi network or hotspot is one that a user does not need to provide a password to connect to. These networks are a prime target for attackers to snoop or spy on a user’s online activity. Attackers can steal information such as login credentials, credit card data, or personal data, which can leave the user vulnerable to identity theft or theft of proprietary information.
- Many mobile providers offer personal hotspots to their users for a small monthly fee. This service can provide a user a secure way of connecting on the go. As long as you have a mobile data connection, you have a secure communication path.
- However, if you are forced to connect to one of these unsecured networks, invest in a VPN service. Some organizations may have the ability to provide their mobile workforce VPN connectivity, but for those who do not have access to this, it is a highly recommended investment. A VPN (Virtual Private Network) protects its users by encrypting their Internet traffic, which prevents attackers, or anyone else on the path, including Internet Service Providers, from seeing the information sent over the network.
Malware continues to be a threat to organizations regardless of how their users connect. Long gone are the days where security teams had to be concerned only about their internal assets falling victim to these destructive tactics. Now, as organizations’ environments stretch across the nation and across the world, the need to extend their security programs is even greater.
This combination of business assets on personal devices has added an additional layer of complexity to protecting an organization’s network. To combat this issue, end users should be conditioned to follow a few simple guidelines when using their personal devices for business purposes:
- Utilize a security application to detect malware. An organization should research acceptable applications their end users can install on their devices to periodically scan for and detect malware.
- End users should be trained on application security. Educating users on how to determine if an app is legitimate will help to prevent them from inadvertently downloading an application that may contain malware.
- Some organizations may even opt to have stringent BYOD policies and procedures where certain applications cannot be downloaded onto personal devices if those devices are being used for business purposes.
- As simple as it sounds, educate end users on the dangers of clicking on suspicious links. Even links found on popular social media sites might lead to a malware infection. Following the same steps outlined for reducing phishing attacks will help prevent users from falling victim to a malware attack.
The actions outlined in this article are a few simple steps, which, if consistently followed, will reduce an organization’s risk when it comes to mobile devices in their environment. Although organizations today are taking many preventative measures, all it takes is one successful attack to lead to devastating consequences and a full-blown security incident. Security teams need to be able to detect and respond immediately to any and every security alert which they face, whether from a phishing attack, malware attack or other forms. With the increasing volume of alerts, the most effective and efficient way to do this is through automation and orchestration, to ensure no alert goes undetected or untouched. Contact DFLabs today to arrange a personalized demo of its Security Orchestration, Automation and Response platform, IncMan SOAR.
In our recent blog post, we discussed the need for knowledge transfer and why it has to become a crucial part of the incident response process and an organization’s security program. This time we will take a closer look and take the topic one step further to discuss how to successfully implement knowledge transfer in incident response.
It’s important to note that knowledge transfer within an organization does not happen only within Security Operations Centers (SOCs) between incident responders; it must also include other departments involved in the IR process. The Legal department should be included in order to ensure and oversee regulatory compliance, as well as the Human Resources team to monitor the security incident processes that take place across the entire organizational landscape. Last but not least, management stakeholders need to be updated on areas such as ROI to ensure they have the latest data available to make key decisions.
Based on the need for knowledge transfer in incident response and the difficulties it currently presents within security teams, this blog post focuses on the details of 5 key elements needed for achieving successful knowledge transfer.
- Understanding your audience – knowing the people who are going to receive the knowledge that you’re going to put out (for example, you’re not going to use technical terms for a legal audience).
- Develop a focused curriculum – creating a curriculum that’s engaging to the audience you are going to work with.
- Designate the appropriate delivery method – there are a number of different delivery methods for moving the transfer of knowledge (for example automated, manual or a combination of both).
- Designate a messenger – this is probably one of the most critical parts of the five key elements because you’ll want someone who is going to be speaking from the point of view of actually having been there, or having experienced the things they are to deliver.
- Evaluate the results – Is it the right information that we’re pushing forward? Is this what they need to be successful? Is there a way to edit this information efficiently and effectively to keep it up to date?
Breaking Down the Elements
Now let’s break down the components of knowledge transfer in incident response in more detail and see how we can implement them individually to achieve success.
Understanding your audience
You must provide as much context as possible to ensure the clarity of the task. Moreover, providing context is essential for people to pull that information in and process it within their own experience. Another important step is to identify who will actually be getting the most benefit from the information, not just who may top the organizational charts – the people who are actually expected to accomplish the tasks are the priority.
Craft the message to the audience (IT jargon with legal and HR folks could result in blank faces). Make sure that you craft your message so that the audience understands what you’re trying to deliver. Don’t be afraid to schedule time after the training session for follow-up questions. This is sometimes your most valuable interaction with the attendees.
Developing focused materials
The information transfer should focus on clearly defined goals for the identified audience, for example, ITSEC has one set of goals, legal another, senior stakeholders yet a third. Focus the information on those tasks that are relevant to resolving the identified issues – you should make sure to address only those tasks that are critical to solving a certain issue.
Materials should be based on regulations and standards. If there isn’t a defined set of regulations, utilize your local policies and best practices from the industry. All of these things ensure validity in the process of knowledge transfer.
Determining the appropriate delivery method
This can be performed manually or automatically. If it is done manually, the following tips should be taken into consideration:
- Have regularly scheduled training sessions – bringing people into the room for a session; this can sometimes be tricky because you might be pulling people in during their off time, or you have to do it in shifts.
- Internal methods of communication – these help in passing messages along; use some type of chat, intranet, or something similar in nature, so people can stay in tune with what exactly is happening.
- Access to webinars and online content – this is more self-directed; if an incident responder hesitates on how to do a particular task, they can look for a webinar online or content that has the answers from previous historic events.
On the other hand, if this is performed automatically, then the following steps should be considered:
- Have a formalized knowledge base – this basically means that you can put all of the knowledge transfer articles in one centralized database which is easily accessible
- Create structured playbooks – these are an integral part of security orchestration, automation and response, and incident responders are already using them as part of their incident management program. Being able to use structured playbooks to transfer knowledge is like killing several birds with one stone.
Designating a messenger
In order to choose the most suitable person for this position, there are a number of qualifying factors to take into consideration. The best candidate should be an expert in the subject matter, should allow a cross-section of subject matter experts to contribute and also ensure they are part of periodic reviews.
Evaluating the results
As the final step of the process, it is key to ensure results are evaluated; this is an integral part of the post-incident response process. It should be determined whether the knowledge transfer process was effective, whether any information was missing, and whether any further processes could be improved in the future. Based on these evaluations and developments, training materials should be updated and also undergo periodic reviews to ensure they remain up to date.
With all of the above said, it can be easily concluded that knowledge transfer loses its main purpose when executed ad hoc and in an informal manner. Organizations need to recognize the importance of knowledge transfer and come up with a structured, multi-layered program that is designed to be of service to all stakeholder audiences and, more importantly, is in line with the goals of the organization and the needs of the clients. In the case of incident response, implementing an automated approach, using a centralized database, with designated playbooks for different incident types, will ensure knowledge transfer is consistent and repeatable and remains within the business.
If you would like to learn more about how to facilitate knowledge transfer, in particular within security operations and by utilizing security orchestration, automation and response, check out our recent webinar “How to Facilitate Knowledge Transfer within SecOps Utilizing SOAR Technology”.
Building an effective security strategy in organizations today requires the right combination of experts, processes, tools and technologies. Luckily, there are many different ways in which you can organize them to fit your company’s needs.
The two types of teams most often mentioned today are Security Operations Centers (SOCs) and Computer Security Incident Response Teams (or CSIRTs). SOCs and CSIRTs have distinctive roles and responsibilities, so deciding which one is better for your organization’s security program isn’t always easy. This blog post will focus on explaining their main objectives and how they differ in structure, which may help you to decide which one is more suitable for your organization’s internal infrastructure and strategy, especially if you are looking to set one up in the near future as your business expands.
Security Operations Center (SOC)
The term SOC bears the connotation of an environment designed specifically to defend corporate data and networks, and it can be used to describe either the facility where security tasks are carried out or the people who are responsible for them.
A SOC is the “brain” of a security organization, as it acts as the center of all roles and responsibilities, with the main goal of protecting information within the organization. Its main tasks are:
- Incident management / response
- Anything that involves managing and protecting information within the company
Furthermore, the SOC also monitors people, technology and tools, and processes involved in all aspects of cybersecurity. Often companies have a SOC before they decide to establish a separate CSIRT. The end objective of every SOC is to monitor and take care of every cyber activity that takes place and ultimately ensure the organization is protected against any type of attack.
The SOC is also responsible for incident response if there is no formal CSIRT established within the organization. If there is, the SOC helps the CSIRT in responding faster and more efficiently to a cyber threat.
The SOC is responsible for the following:
- Monitoring the security of users, systems, and applications
- Prevention, detection, and response to security threats
- Creating and managing procedures
- Integration of security systems with other tools
What makes a SOC unique and different from other units within the organization is its centralized role, with a strong focus on combining techniques, skills, and technology, utilizing tools to increase the protection of the company against threats. It’s also important to underline that even though incident prevention and management is not its specialty, a SOC may still cover these events as well, being the department that covers all things related to cyber security.
Computer Security Incident Response Team (CSIRT)
CSIRT is a centralized department within an organization whose main responsibilities include receiving, reviewing, and responding to security incidents. CSIRTs may work under SOCs, or function individually, depending on the organization’s needs and structure.
The main goal of a CSIRT is to minimize and control the consequences of an incident. It is not just about addressing the attack itself; the role also involves communicating with boards, executives, and clients about the incident.
Some of its main responsibilities include:
- Prevention, detection, and response to security threats
- Ranking alerts and tasks
- Investigating and conducting forensics on incidents
- Coordinating strategies
What do CSIRTs do?
The basis of every CSIRT is providing incident management. The CSIRT is the central point of contact in the event of a security incident. Depending on how fast a CSIRT team responds to an incident, it can limit the damage from the incident by providing rapid response and recovery solutions. This ensures the workflow is uninterrupted and lowers the overall costs.
Incident management presupposes three functions: reporting, analysis and response. With this being said, the CSIRT activities usually involve the following:
- Understanding incidents – CSIRTs must be aware of the nature of the incident and the consequences that might arise from it. A repository helps teams gain insights into the patterns of a certain cyber attack, and this could lead to future activities that prevent the occurrence of such attacks.
- Handling negative impact – CSIRTs carry out elaborate research of a certain problem and recommend solutions for it.
- Assist other departments – CSIRT teams distribute alerts across the organization on the latest threats and risks.
- Compose security strategies
Does my organization need a CSIRT?
The CSIRT within an organization may be a formal unit or an ad-hoc team, depending on the company’s needs. If your organization is not facing a cyber threat on a regular basis, the need for a CSIRT might not be as big as for larger organizations, or companies in high-risk industries, such as healthcare, finance or government. In industries such as these, responding to threats happens daily and there’s a need for a formal, full-time CSIRT.
Whatever the needs of your organization, don’t forget that a CSIRT team will evolve with time. What might start as an ad-hoc team may develop into a fully functioning department as the business expands and progresses.
Regardless of the final choice, which will depend on a number of individual requirements and factors (including but not limited to the size of the organization, the number of threats it faces, the industry and the company’s security program maturity), don’t forget that whatever team is established, it is always important to clearly define roles and responsibilities, have efficient processes in place that can be automated, and implement the right tools and technologies that will help your team do their job more effectively. Set up correctly, SOCs and CSIRTs will enable the organization to respond to all security alerts and react faster to the ever-evolving cyber security incidents.