As a CISO, this time of the year always brought about some additional anxiety. With some exceptions, the period between Thanksgiving and New Year’s meant a slowdown in business operations and staff with lots of time off to burn.
Unfortunately, nation-state hackers and others often exploit this less-staffed period to gain access and establish persistence for nefarious purposes. This presents security professionals with a challenge: maintain nominal (or better) security posture while supporting your team’s well-deserved time off.
Here are a few tips that have helped me sleep better over the holiday periods.
- Ask your team to distribute their time off more effectively.

Can your team members alternate or adjust time off? Can some requests be delayed until after a holiday? As a last resort, ask that one or more individuals keep their phone and laptop available and agree to check in on systems periodically.

- Check and double-check your escalation guides.

Whether you are using a third-party Virtual Security Operations Center (vSOC), Endpoint Detection and Response (EDR) or your own internal SOC, verify that the event triggers, contact names and phone numbers are still valid for the providers and your team.

- Verify your Security Information and Event Management (SIEM) data feeds are all nominal.

Have there been any significant drops in data volume that might lead to blind spots? Are events still being parsed correctly, and are they meaningful and actionable to the SOC? Is alerting still working as expected, or are you awash in false positives that could be hiding critical events?

- Stick to the plan.

Establish incident response playbooks for events like business e-mail compromise (BEC), phishing, network intrusion, etc. Clear and concise documentation provides assurance that a task is effective and repeatable for any member of your team to complete. Those playbooks should also include considerations for reduced or remote staff, if necessary.

- Establish an out-of-band communication method.

In the event of an attack that degrades your primary means of communication, get key members of your team to load WhatsApp, Signal, or another solution so they are reachable. Don’t rely on e-mail for critical communication. Test in advance using a call tree or similar method.

- Don’t advertise.

Ask that privileged users like admins refrain from broadcasting their holiday absence, timing, circumstances, or location on social media. The same is true for senior executives. The more information available, the better equipped an attacker is to use social engineering to gain access. Radio silence is best.

- Unplug.

Reducing the attack surface is the simplest way to reduce risk. While not every organization or system can take some downtime, systems and applications that are used infrequently (like Dev & Test) should be shut down. This is one of the significant benefits of cloud environments, which allow spinning resources up and down quickly.
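The SIEM data-feed check above can be scripted so that it runs every morning of the holiday period instead of relying on someone to eyeball a dashboard. The following is an added example, not code from the original post: it assumes you can export a per-source count of events per day from your SIEM, compares the latest day against the median of the preceding week, and flags sources that went silent or dropped sharply. Sources that were deliberately shut down under the "Unplug" tip are passed in as `expected_silent` so they are not reported as broken feeds. All sample counts are constructed for this example.

```python
from statistics import median

# Constructed sample: events per day, per log source, oldest day first.
# These numbers are invented for the example, not real telemetry.
SAMPLE_COUNTS = {
    "firewall-edge": [52000, 51000, 53500, 50200, 52800, 51900, 52300, 51700],
    "edr-endpoints": [18000, 17500, 18200, 17900, 18100, 17800, 18300, 6000],
    "vpn-gateway":   [4100, 3900, 4000, 4200, 4050, 3950, 4100, 0],
    "dev-test-web":  [900, 850, 0, 0, 0, 0, 0, 0],
}


def detect_volume_drops(counts, baseline_days=7, drop_threshold=0.5,
                        expected_silent=frozenset()):
    """Return the log sources whose latest daily volume suggests a blind spot.

    counts          -- {source: [daily_event_count, ...]} with the newest day last
    baseline_days   -- how many days before the newest one form the baseline
    drop_threshold  -- fraction of baseline volume lost before a source is flagged
    expected_silent -- sources intentionally powered down (the "Unplug" tip)

    Each finding carries a status:
      "silent"  -- baseline had traffic, latest day has zero events
      "dropped" -- latest day is below (1 - drop_threshold) of the baseline median
      "stale"   -- the source was already silent through the whole baseline
    The median is used rather than the mean so that one abnormal day in the
    baseline week does not skew the expectation.
    """
    findings = {}
    for source, series in counts.items():
        if source in expected_silent:
            continue
        if len(series) < baseline_days + 1:
            raise ValueError(f"{source}: need {baseline_days + 1} days, got {len(series)}")
        baseline = series[-(baseline_days + 1):-1]
        latest = series[-1]
        expected = median(baseline)

        if expected == 0:
            # Nothing arrived for the whole baseline window either: the feed was
            # lost before this check started, or the system is off and nobody
            # listed it as expected_silent.
            findings[source] = {"status": "stale", "expected": 0,
                                "latest": latest, "ratio": None}
            continue

        ratio = round(latest / expected, 3)
        if latest == 0:
            status = "silent"
        elif ratio < 1 - drop_threshold:
            status = "dropped"
        else:
            continue  # volume within tolerance, nothing to report
        findings[source] = {"status": status, "expected": expected,
                            "latest": latest, "ratio": ratio}
    return findings


def format_report(findings):
    """Render findings as plain text lines suitable for an on-call e-mail or chat."""
    if not findings:
        return ["All monitored log sources are within tolerance."]
    lines = []
    for source, f in sorted(findings.items()):
        ratio = "n/a" if f["ratio"] is None else f"{f['ratio']:.0%}"
        lines.append(f"{source}: {f['status']} "
                     f"(latest {f['latest']}, baseline median {f['expected']}, {ratio})")
    return lines


if __name__ == "__main__":
    # dev-test-web was shut down on purpose for the holidays, so exclude it.
    for line in format_report(detect_volume_drops(SAMPLE_COUNTS,
                                                  expected_silent={"dev-test-web"})):
        print(line)
```

Run this on the real export once before the holiday starts, while the team is still in, so that the expected-silent list and the threshold are tuned before anyone is paged by it.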
Lastly, don’t forget the reason for the season(s). It’s likely you and your team have poured a lot of time and energy into the business in 2023. Regardless of what and how you celebrate, allowing for time to be with family and friends to recharge the batteries will mean you and your team members come back ready for the challenges ahead in 2024.