2021: A Cybersecurity Review
What an absolutely manic year it’s been (two years if you’ve been living down in Melbourne). As we start to ease into Christmas, I thought I’d take a moment to reflect on the year of 2021 and what’s happened in the Cybersecurity space.
We’ve seen a noticeable upturn in the number of organisations investing in Cybersecurity, and in the number of dollars they are investing. This was due to a number of reasons, including companies having to comply with standards/frameworks (ISO, NIST, VPDSF, PCI, CPS 234, Critical Infrastructure Bill, etc.), peer organisations being hit with ransomware and ending up in the news, responding to what's happening out in the wild, trying to reduce cyber insurance premiums, following recommendations from audits, or simply the board asking “What are we doing for security?”
COVID has certainly had its challenges and I hope everyone had some silver lining and came out of lockdown stronger. Lockdowns have shown how resilient we are when faced with many hurdles, and that we can handle whatever is thrown at us. Great to see that the majority of organisations have adopted the ability to work from home. When lockdown first kicked in last year we saw an immediate increase in the adoption of security programs, with one client rolling out 3 years of program within 3 months. The logistical nightmare of setting up staff to WFH was certainly a challenge, along with dealing with the normal COVID dramas. Great to see that security has continued to be at the forefront for our clients and the steam train keeps moving forward. I'm sure we can all appreciate the meme below for what has been a crazy couple of years, and we are all well deserving of some TLC and time off, although all the recent vulnerabilities and incidents (Log4j, Kronos, Chris21, Frontier Software) are making it difficult for us.
As a result of WFH, we have seen a decline in Internal Penetration Testing and a huge increase in Web Application Penetration Testing, for both internally and externally developed apps. This has resulted in an uptake of SecDevOps and organisations thinking about what they can do to ensure security has been considered throughout the development lifecycle. We hear the same story: Marketing/Dev teams have built an app holding Personally Identifiable Information (PII) that is “going live in a week”. In most instances Cybersecurity has been an afterthought, and security teams are scrambling to get it tested in short timeframes. To quote our Application Security Manager, Jack Misiura, "SecDevOps is a culture shift". SecDevOps is the natural progression of the Agile software lifecycle, combining Development (Dev) with Operations (Ops). The Developer side needs to embrace concepts such as unit and integration testing or test driven development. The Operations side needs to embrace concepts such as CI/CD pipelines, testing environments and infrastructure as code. The outcome is full automation, where stages such as building, testing and deployment can be fully automated, significantly increasing development speed. If you're not sure where to start, The Missing Link can help your organisation develop its SecDevOps strategy and roadmap to a mature DevOps flow.
We have seen many organisations adopting a cloud first strategy and investing heavily in SaaS/AWS/Azure/etc. Zero Trust is a huge buzzword and, whilst it means different things to many people, the three main concepts are: user/application authentication, device authentication, and trust (or the lack of it). The misconception that "Oh it's in the cloud now. It's safe! They'll look after our security!" is hopefully a thing of the past and people are taking data in transit and data at rest seriously. There are many ways to tackle your Zero Trust destiny, with plenty of different routes/solutions/practices to help you achieve your goal. At The Missing Link, we will customise an effective and holistic approach to cloud cybersecurity to protect your data and applications. Based on gathered intelligence about your business and your user needs, your roadmap should include authentication of users and devices, managing access control for data and resources, automating provisioning and de-provisioning of users, and protecting data and applications with encryption. Importantly, the solution we recommend will provide authorised users with streamlined access to the applications and websites they need to perform their role efficiently.
Business Email Compromise (BEC) is a huge concern and phishing attacks are constantly on the rise. Attackers have been indifferent to industry, hitting everyone from Retail to Education, Manufacturing to NFP. It makes me sick to my stomach they have been targeting Healthcare, however unfortunately in this age “data = dollars”. The supply chain has been used as a means to intercept emails and change bank account details. At the end of the day, you're only as strong as your weakest link. Organisations should implement better practices and solutions to verify payment-related requests and identify fraudulent emails.
To combat BEC and educate staff to identify fraudulent emails, organisations should be focusing on user awareness through the rollout of a Security Awareness Training (SAT) program. Staff are the "Human Firewall", and unfortunately one of the weakest links in an organisation's security is its own staff. This is supported in part by the Australian Government's Notifiable Data Breach (NDB) scheme, which reports that 35% of all reported breaches in the past year were caused by human error. The Missing Link offers Security Awareness Training as a Service (SATaaS) to help with the ongoing management and improvement of awareness training. A decrease in clicks/attachments opened can also help to reduce your cyber insurance premiums, whilst also ensuring your users remain safe and your data secure.
Rather than technologies operating in silos, we've seen organisations start integrating them to work collaboratively. The "SOC Nuclear Triad", first coined in 2015 by Gartner security expert Anton Chuvakin and now known as the SOC Visibility Triad, supports enterprise security by providing visibility into attack surfaces, detecting threats and responding to incidents. The three pillars of the SOC Visibility Triad are SIEM, NDR and EDR. The SOC Triad is really starting to gain some traction and we will continue to see organisations move further towards implementing these technologies.
The Spectra Alliance is among the most promising developments in Cybersecurity. CrowdStrike, Netskope, Okta, and Proofpoint have together identified Zero Trust architecture as a founding principle in a post-pandemic world, and they are effectively writing the book for this approach, globally. Sensitive data resides in multiple locations (on-prem, private/public cloud), and SaaS applications require real-time data protection and management, leading to new data protection strategies and processes. The Spectra Alliance brings together a best-of-breed integration, minimising complexity with integrated solutions, whilst reducing risk exposure with a simplified architecture, decreased operational costs, and an increased Zero Trust security posture. Let's see what they build on from here.
What a year it has been! To impart some of my Mad Dog predictions for the next calendar year:
Comment from "Join our 6th of June Global B2B Conference | Up to 50 Exhibitors | 10 plus sponsor | 200+ Attendees" (2 years ago): Thomas, thanks for sharing!
Comment from "Commercial and Contract Management expert / Complex and high-risk commercial contracts / Risk mitigation / Procurement / Process improvement" (3 years ago): Great summary of what we have been going through. Thanks for sharing it with us. Happy New Year!
Comment from "Attachment Specialist at Aussie Buckets" (3 years ago): Where can I buy security stonks