{"id":41339,"date":"2020-08-26T06:21:10","date_gmt":"2020-08-26T13:21:10","guid":{"rendered":"https:\/\/www.enxmag.com\/twii\/?p=41339"},"modified":"2020-08-26T06:25:32","modified_gmt":"2020-08-26T13:25:32","slug":"cybersecurity-best-practices-for-todays-providers-resourceful-ways-to-protect-the-attack-surface","status":"publish","type":"post","link":"https:\/\/www.enxmag.com\/twii\/best-practices\/2020\/08\/cybersecurity-best-practices-for-todays-providers-resourceful-ways-to-protect-the-attack-surface\/","title":{"rendered":"Cybersecurity Best Practices for Today\u2019s Providers: Resourceful Ways to Protect the Attack Surface"},"content":{"rendered":"\n<p><strong>Not too long ago, I gave a talk about the importance of creating a red team and a blue team to help prepare for cyberthreats. I told a few stories about pen testers who acted as red team \u201cattackers,\u201d and the blue team security analysts who listen for the attacks and defend the company.<\/strong><\/p>\n\n\n\n<p>Afterward, a CEO of a Managed Service Provider (MSP) approached me with a determined look on her face. So did an IT leader from another provider. We all discussed the dynamic of how a \u201cred team\u201d pen tester helps make the \u201cblue team\u201d security analysts more successful and precise. Then, the CEO stated, \u201cYou know, this is all fascinating, but I just don\u2019t know how I\u2019m going to afford all of this.\u201d The IT leader echoed her point, saying that the skill sets I was talking about were far out of reach for the typical managed service provider.<\/p>\n\n\n\n<p><strong>A Question of Resources\u2014and Resourcefulness<\/strong><\/p>\n\n\n\n<p>They both had excellent points. After all, how many businesses can afford entire teams of security workers? I\u2019ve led a small business myself, and I recognize that a major component of success in a business is watching margins. 
I also know quite a few CISOs of large organizations around the world, including banks, mega-retailers, and manufacturing companies. They employ teams of testers and their security analyst counterparts. Few businesses can afford to do that. Fewer still can create a formal, high-tech security operations center (SOC), complete with expensive monitoring software and highly trained people. Many small businesses just don\u2019t have the resources, and that makes them a target.<\/p>\n\n\n\n<p>Yet, it\u2019s possible to get resourceful. Some IT leaders for smaller companies and providers rent essential security services on a per-service basis. It\u2019s also possible to obtain capable and powerful free software from the open source community. Tools such as Wireshark, Suricata, Metasploit, Zeek and Kibana stand ready to help. Of course, you\u2019ll need workers who can use those tools properly\u2014more about that in a second. But first, a few words about why constantly updating your cybersecurity is so important.<\/p>\n\n\n\n<p><strong>Why it\u2019s Necessary: the Morphing Attack Surface of Today\u2019s Businesses<\/strong><\/p>\n\n\n\n<p>Security issues continue to evolve, and with that evolution, a new phrase has emerged: attack surface. It describes the myriad ways organizations present a target to attackers. Sometimes, these attackers are external third parties. In other instances, attacks come from inside the organization.<\/p>\n\n\n\n<p>Today\u2019s attack surface includes employees who fall victim to social-engineering attacks as well as devices that aren\u2019t properly patched, monitored and secured. Usually, the result is a form of ransomware or malware that gets unleashed on the network. Businesses of all types have experienced an increase of ransomware attacks over the past several months, as reported by CompTIA\u2019s IT Industry Outlook 2020 report. Additionally, social engineering is becoming far more advanced. 
Attackers go beyond deep fakes and now employ artificial intelligence (AI) to help discover the best attack strategies for their targets. AI can help identify the attack surface of any organization, including a managed service provider, a manufacturer or a bank.<\/p>\n\n\n\n<p>But in many ways, security isn\u2019t just about managing or stopping the hacker. We\u2019re now living in an age in which privacy laws require businesses to conform to standards. We\u2019re only seeing the beginning of privacy and governance regulations, which currently include the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). That list will grow larger; in the United States alone, models such as the Cybersecurity Maturity Model Certification (CMMC) and NIST Cybersecurity Framework (CSF) represent compliance standards for businesses of all types. Organizations need to either obtain (or rent) the talented people who can help them demonstrate compliance and prepare them to respond effectively to attacks.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.enxmag.com\/twii\/wp-content\/uploads\/2020\/08\/CompTIA-Career-Pathway-2020-Widescreen-PPT.jpg\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" width=\"1000\" height=\"563\" src=\"https:\/\/www.enxmag.com\/twii\/wp-content\/uploads\/2020\/08\/CompTIA-Career-Pathway-2020-Widescreen-PPT.jpg\" alt=\"\" class=\"wp-image-41341\" srcset=\"https:\/\/www.enxmag.com\/twii\/wp-content\/uploads\/2020\/08\/CompTIA-Career-Pathway-2020-Widescreen-PPT.jpg 1000w, https:\/\/www.enxmag.com\/twii\/wp-content\/uploads\/2020\/08\/CompTIA-Career-Pathway-2020-Widescreen-PPT-300x169.jpg 300w, https:\/\/www.enxmag.com\/twii\/wp-content\/uploads\/2020\/08\/CompTIA-Career-Pathway-2020-Widescreen-PPT-768x432.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/figure>\n\n\n\n<p><strong>Steps You Can Take<\/strong><\/p>\n\n\n\n<p>The first focus for service providers should 
be upskilling existing workers; it\u2019s all about competencies. End-users require frequent, engaging training concerning how to avoid social engineering in all of its forms, including phishing. IT workers will also need specialized training. As a service provider, if you can provide increasingly nuanced and proactive services in this area, you\u2019ll be seen as a go-to resource that is well worth the customer\u2019s investment.<\/p>\n\n\n\n<p>When it comes to workers in the managed service provider space, there\u2019s a pressing issue. Many companies frankly don\u2019t know where to start when it comes to training their workers. Some of the training is quite valid, but very costly. Other training has questionable benefits. Thus, some companies tend to avoid investing in their people. It also causes some providers to get overly choosy when it comes to hiring people.<\/p>\n\n\n\n<p>As a result, some organizations decide not to invest in their workers. Instead, they expect talented workers to come to them. This is why we\u2019ve created the CompTIA Career Pathway. Organizations of any size can use this as a guide for providing workers with strong IT infrastructure and cybersecurity skills. This provides confidence that their IT employees can work closely with cybersecurity professionals to create business resiliency solutions (e.g., cloud backup), incident response plans and monitoring solutions.<\/p>\n\n\n\n<p><strong>Additional Nuances: Changing Your Business Culture<\/strong><\/p>\n\n\n\n<p>Ensuring cybersecurity is, in many ways, a business culture issue. Let me draw an analogy: over the past few months, I\u2019ve been restoring an old 1975 Toyota Land Cruiser. I\u2019ve learned the hard way that it\u2019s a bad idea to simply paint over existing rust without first completely eradicating it through grinding it out. It\u2019s a lengthy, labor-intensive process. Why do I mention this? 
Because many businesses tend to approach security as if it were paint that you slather over an existing problem.<\/p>\n\n\n\n<p>I know of a managed service provider that invested in some expensive security monitoring software to help stop ransomware. But the solution kept failing and ransomware kept hitting the company. The security worker started investigating the root cause of the attacks. It turned out that this particular provider allowed a partner to use their network every few days without first conducting a check on that partner\u2019s notebook computer. This notebook computer was the \u201cvector\u201d that caused the ransomware problem.<\/p>\n\n\n\n<p>The solution? The company established a simple policy that all computers needed to be inspected and vetted before connecting to the network. Any computer\u2014even that of the CEO and her most-trusted partner\u2014had to be checked. The company hasn\u2019t had a ransomware problem since. Applying and enforcing a business policy made all of the difference.<\/p>\n\n\n\n<p>In short, it\u2019s vital for a company to get its business policy ducks in a row first. You can\u2019t secure something that is fundamentally broken, or simply slather paint over the problem and hope for the best. In this case, it took a bit of work for the company to grind out the policy and get everyone to follow it. But the process was worth it. The provider even found more uses for the monitoring solution. After the policy change, the provider was in a position to provide additional cost-effective monitoring solutions to its customers. Why? 
Because they saw through their own experience that technology, mapped to sound security policies, allowed them to sell an inexpensive but useful service that helped others identify root causes of various security problems.<\/p>\n\n\n\n<p><strong>Fostering Intelligence in the Workplace<\/strong><\/p>\n\n\n\n<p>At CompTIA, we\u2019ve noticed that it\u2019s easy for providers and businesses of all types to \u201close the forest for the trees.\u201d In other words, it\u2019s sometimes hard to identify essential steps and best practices. That\u2019s why we\u2019ve created an Information Sharing and Analysis Organization (ISAO). The CompTIA ISAO is designed to help organizations obtain the latest cybersecurity threat information and create a clear, concise and coherent narrative concerning threats they\u2019re facing. This includes MSPs as well as value-added reseller organizations.<\/p>\n\n\n\n<p>An ISAO is designed to obtain timely information about today\u2019s threats, then share that info with its members. The promise of using cybersecurity threat intelligence (CTI) is that it helps organizations make better decisions concerning how they secure the software and services they purchase, and adapt that security as threats dictate new actions. It\u2019s also hoped that using threat intelligence information will help organizations make more accurate choices concerning their purchases and efforts, so they can avoid \u201cboiling the ocean.\u201d But that\u2019s not all.<\/p>\n\n\n\n<p>Increasing diversity in the workplace is another way to ensure that increased intelligence enters your organization. At CompTIA, we\u2019ve found that the best way to ensure true resourcefulness and creativity is to foster an environment that includes varied backgrounds. 
Organizations that bring in workers of varied histories and backgrounds are the ones that have been able to better respond to today\u2019s asynchronous threats.<\/p>\n\n\n\n<p><strong>Upskilling: the Best Practice<\/strong><\/p>\n\n\n\n<p>Today\u2019s cybersecurity workforce is increasingly diverse and needs constant upskilling. To learn more about today\u2019s tech and cyber workforce, check out the Cyberstates website, the definitive guide to the tech workforce in the United States. If you\u2019re interested in learning more about the cybersecurity employment space, visit our CyberSeek site, created in conjunction with Burning Glass and the U.S. National Institute of Technology (NIST).<\/p>\n\n\n\n<p>Finally, CompTIA recently published its \u201c2020 Emerging Technology Top 10 List,\u201d which can help you identify essential technologies companies are using today. One of the more surprising developments is that AI became the top technology adopted over the past year. Even though this isn\u2019t a dedicated cybersecurity list, it nevertheless will help you understand the typical attack surface of today\u2019s providers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Not too long ago, I gave a talk about the importance of creating a red team and a blue team to help prepare for cyberthreats. I told a few stories about pen testers who acted as red team \u201cattackers,\u201d and the blue team security analysts who listen for the attacks and defend the company. [&hellip;]<\/p>\n","protected":false},"author":257,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3868],"tags":[],"_links":{"self":[{"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/41339"}],"collection":[{"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/users\/257"}],"replies":[{"embeddable":true,"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/comments?post=41339"}],"version-history":[{"count":3,"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/41339\/revisions"}],"predecessor-version":[{"id":41344,"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/posts\/41339\/revisions\/41344"}],"wp:attachment":[{"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/media?parent=41339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/categories?post=41339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.enxmag.com\/twii\/wp-json\/wp\/v2\/tags?post=41339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}