DevSecOps, Phishing, API Abuses…and More! A Call to Action for Holistic Security and Privacy
Guest post by top IT and business transformation analyst Akshay Sharma
As digital transformation permeates the enterprise, with IoT, POS systems, mobile payment from smartphones, RFID- and NFC-based payment systems, cloud-based solutions, open APIs, software bus middleware solutions, and phishing attacks, we are all exposed to a fast-growing cyber threat landscape. Personal data is increasingly vulnerable to attack because of the generally insecure state of today's back-office systems, network infrastructure, and connected devices.
So What Do We Do?
As Rich Tehrani wrote in his recently published Cybersecurity Essentials:
The initial steps, and the next steps that follow from them, include:
- Have a business continuity plan. Evaluate your IT disaster recovery and service continuity:
  - Are geo-diverse, hybrid multi-clouds in use, and in sync?
  - Are IT service management (ITSM) tools for IT asset management (ITAM) and IT recovery orchestration tools in place?
  - Is crisis/emergency management in place?
  - Are workflows automated, and if so, can manual fallback procedures take over?
  - Are the networks resilient, with hitless failover to diverse networks in place?
  - Are databases and applications resilient, with hitless failover to backup server farms?
- Keep computer operating systems and software patched!
- Ensure holistic version control of networks and applications:
  - Network configuration management with DevOps application source code management, with version audits to ensure compliance.
  - Network policy compliance enforcement with document/electronic data record compliance and workflow/process compliance.
  - Network maintenance/upgrade management with DevOps applications for requirements management, test management, and issue and change management.
  - Can an IT release manager override and overrule a DevOps CI/CD upgrade?
  - If so, how? And how quickly, with compliance audits in place?
  - If not, look to DevOps CI/CD compliance and workflow firms like Kovair.
- Understand that every person in an organization is a potential target. Look at phishing prevention solutions like KnowBe4, and at vendors like ColorTokens, whose embedded agents provide whitelist/blacklist policy-based controls. Consider also the potential use of blockchain, with its smart contracts, consensus algorithms and encrypted distributed ledgers, along with behavioral analytics from vendors like Cybraics, to check whether rogue employees, or those impersonating them, can be identified by the devices they are using, their credentials, their location, their IP address, and the context of what is being accessed.
- Ensure social media accounts are private. According to PhoenixNAP, the following is a useful checklist:
  - Start by developing a social media policy.
  - Don't advertise company vacation time or any events that may have most senior staff away. This can amount to announcing the right time to launch a cyber attack.
  - Be proactive with network security on all devices and networks. This includes cell phones, and it also means keeping social media off the company's business network.
  - Teach employees about social media security threats with consistent training and security awareness programs.
  - Use social media management software to track company accounts.
  - Keep personal information private. Hackers are always looking for a way to get personal information that can open the door to gaining account access.
- Run cybersecurity training regularly, ensure compliance, and track employees' completion of it and their online accreditation. Ensure the training teaches:
  - Understanding Security Threats
  - Practicing Safe Computing
  - Protecting Data
  - Practicing Safe Remote and Mobile Computing
  - Protecting Physical Security
- Auditing and documentation must be performed regularly to ensure systems are secure, ideally by trusted third-party auditors. Best practices include:
  - Establish a Chief Security Officer with board-level reporting, and ensure security reporting through regular audits.
  - Choose auditors with "real" security experience, not just "checklists".
  - Look to privacy solutions for GDPR and CCPA compliance, covering not just customer databases but also HR databases, payroll systems, IVR/voicemail systems, and everywhere else personally identifiable information is stored. Vendors include Tehama and CallCabinet, as well as others.
- Anomaly detection should be running constantly to detect threats as they emerge. Look to vendors like Cybraics and Darktrace.
- Penetration testing shows whether systems can easily be reached from the outside. Explore all applications, APIs, and software middleware bus solutions, and ensure that policy controls and encryption are in place. Testing methods and tools to use include:
  - Runtime application self-protection (RASP)
  - Application security testing (AST) from vendors like CA Veracode, IBM, Micro Focus, and others
  - Next-generation web application firewalls (NGWAF) from providers like Akamai, F5, A10, and others
  - Secure software middleware bus solutions that are resilient and secure, like Kovair
Implications for Business Leaders
The C-suite of enterprises has to connect the dots and bridge existing and emerging processes, methods, tools, and education into a holistic security platform that incorporates behavioral analytics and DPI/DLP (Deep Packet Inspection/Data Loss Prevention) solutions, with continuous monitoring and reporting in place.
Traditional IT/CT technology providers will need to venture outside of their silos and work together with enterprise CISOs/CIOs/CTOs in designing and deploying innovative new solutions to counter the continuous onslaught of cyberattacks and the newer forms of threat vectors that will accompany the global digital race.