With a large number of people now working from home, there are new security threats to the network that have to be added into cyber risk assessments.
The enterprise attack surface is open to new vulnerabilities because it now includes devices that generally would not have been considered, including IoT devices at home and smart hubs, says Bob Huber, chief security officer and head of research at Tenable, in a new podcast.
When lateral movement is considered, a threat actor could compromise home devices and then begin targeting enterprise assets, Huber says. And this is a risk that organizations generally haven’t had to grapple with before.
“The problem which this creates for organizations trying to secure people working from home is that we just can’t willingly go and assess the security of their home networks,” he explains.
Huber takes a deeper dive into some of the sudden pressures that private and public sector IT security teams are facing to support and secure their workforces — and steps enterprises can take to reduce cyber risks, in this new podcast, produced by CyberScoop and underwritten by Tenable:
Prioritizing risk management for the enterprise
What executives must focus on is that they have a limited pool of resources available to reduce risk to the enterprise. So, the primary way to address security threats is understanding how to prioritize them in order to mitigate those risks, Huber explains.
“So, organizations that have taken the time have probably conducted an enterprise risk assessment — and that’s assessing against strategic risks, operational risks, financial risks and people. Cybersecurity is not only one of many of those types of risks, it can actually impact all of those risks,” he says.
Huber explains that Tenable routinely conducts business impact assessments internally, including cyber risk assessments, which helps the company understand – if there is a business continuity type of event – “how to prioritize returning the business back to normal operations or even ensuring normal operations during the event.”
Securing enterprise assets and the workforce at home
Huber explains there are several ways to look at securing enterprise assets. One that is often overlooked is identifying those critical assets that are essential to the value of the enterprise’s services, including key personnel who make up a variety of functions — including leaders, system administrators or even those in payroll.
“Another component is risk-based vulnerability management, which means not only do you have to be looking for vulnerabilities of infrastructure in general, but somehow you have to think about how to prioritize those [vulnerabilities]. The head of engineering or CIO can’t just say, ‘here is a list of everything, now go remediate this,’ because it’s just not feasible,” he says.
That is why tools that let security leaders rank vulnerabilities by risk, rather than by raw severity score alone, add the most value in turning a long findings list into a short set of actionable items.
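To make the prioritization point concrete, the following is an added example, not code from the podcast and not Tenable’s Vulnerability Priority Rating. It ranks a constructed set of findings by a composite of severity, threat intelligence (public exploit, active exploitation), exposure (internet-facing or a remote worker’s endpoint) and the asset criticality a business impact assessment would supply. The weights, asset names and vulnerability identifiers are all assumptions made up for illustration; the goal is to show how the risk-based order differs from a plain CVSS order.

```python
"""Illustrative risk-based vulnerability prioritization.

Added example: this is not Tenable's VPR algorithm and not code from the
podcast. Scoring weights, asset names and vulnerability identifiers are
constructed to show why ranking by risk (threat intel + business context)
produces a different remediation order than ranking by CVSS alone.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (critical), from the business impact assessment
    internet_facing: bool
    remote_worker_endpoint: bool  # laptop/home device outside the corporate perimeter


@dataclass(frozen=True)
class Finding:
    vuln_id: str                # constructed identifier, not a real CVE
    asset: Asset
    cvss_base: float            # 0.0 .. 10.0
    exploit_public: bool        # weaponized exploit code is publicly available
    exploited_in_wild: bool     # threat intel reports active exploitation


def threat_factor(f: Finding) -> float:
    """Threat-intel multiplier (assumed weights): active exploitation > public exploit > neither."""
    if f.exploited_in_wild:
        return 1.0
    if f.exploit_public:
        return 0.7
    return 0.3


def exposure_factor(a: Asset) -> float:
    """Exposure multiplier (assumed weights): a home-network endpoint is almost as reachable as a DMZ host."""
    if a.internet_facing:
        return 1.0
    if a.remote_worker_endpoint:
        return 0.8
    return 0.5


def risk_score(f: Finding) -> float:
    """Composite 0..100 score: severity x threat x exposure x business criticality."""
    severity = f.cvss_base / 10.0
    criticality = f.asset.criticality / 5.0
    return round(100.0 * severity * threat_factor(f) * exposure_factor(f.asset) * criticality, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Risk-based order: highest composite score first."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """Severity-only order, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def remediation_plan(findings: List[Finding], capacity: int) -> List[str]:
    """IDs a team that can fix `capacity` items this cycle should take first."""
    return [f.vuln_id for f in prioritize(findings)[:capacity]]


# Constructed sample inventory and findings (not real systems or CVEs).
PAYROLL = Asset("payroll-db", criticality=5, internet_facing=False, remote_worker_endpoint=False)
DEV_VM = Asset("dev-test-vm", criticality=1, internet_facing=True, remote_worker_endpoint=False)
EXEC_LAPTOP = Asset("cfo-laptop", criticality=4, internet_facing=False, remote_worker_endpoint=True)
WIKI = Asset("internal-wiki", criticality=2, internet_facing=False, remote_worker_endpoint=False)

SAMPLE_FINDINGS = [
    Finding("VULN-A", PAYROLL, 8.1, exploit_public=True, exploited_in_wild=True),
    Finding("VULN-B", DEV_VM, 9.8, exploit_public=False, exploited_in_wild=False),
    Finding("VULN-C", EXEC_LAPTOP, 8.8, exploit_public=True, exploited_in_wild=False),
    Finding("VULN-D", WIKI, 9.1, exploit_public=True, exploited_in_wild=False),
]

if __name__ == "__main__":
    print("By CVSS: ", [f.vuln_id for f in by_cvss(SAMPLE_FINDINGS)])
    print("By risk: ", [(f.vuln_id, risk_score(f)) for f in prioritize(SAMPLE_FINDINGS)])
    print("Fix first (capacity 2):", remediation_plan(SAMPLE_FINDINGS, 2))
```

With these constructed inputs the CVSS order is VULN-B, VULN-D, VULN-C, VULN-A, while the risk order is the reverse: the actively exploited flaw on the payroll system and the publicly exploitable flaw on a remote executive’s laptop rise to the top, and the critical-severity finding on a throwaway dev VM with no known exploit drops to the bottom. The multiplicative form is a design choice: a finding has to score on every axis to rank highly, which is what keeps a two-person team from burning its cycle on high-CVSS, low-impact noise.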
How to meet security requirements under new working conditions
Huber explains that it is always best to practice the basics of cyber-hygiene, and the NIST Cybersecurity Framework is a great starting point. That includes:
- Start with an assessment of the enterprise, whether that is done internally or with a third party, to know where the organization is doing well or needs to improve.
- Plot a path forward and apply resources based on a premise that there are deficiencies to improve.
- Create or update policies and procedures to mitigate risks.
“Basic cyber-hygiene is hard, and we use the word ‘basic’ – which I think people imply that we can all do this – the answer is you really can’t. Even basic cyber-hygiene has to be prioritized,” he explains.
“At Tenable, through our vulnerability priority ratings, we’re pulling in threat intelligence and looking at the vulnerabilities and we’re prioritizing them for you based on the information of the threat landscape and what’s available at hand, based on our intelligence. Then we tie that back to the business context. And when I say business context, that goes back to the earlier conversation where I talk about enterprise risk assessment, business impact assessment and security risk assessment.”
Bob Huber has served as a seed investor as well as a cyber analyst for a variety of enterprises, including Air National Guard Recruiting, 418 Intelligence, Veracity Industrial Networks and Blue Lava, before joining Tenable.
Listen to the podcast for the full conversation on securing a remote workforce. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by CyberScoop and underwritten by Tenable.