Recently, we recorded two virtualization and cloud security podcasts. These podcasts covered what to do after Black Friday and, more recently, what to do before the holiday break. What do you do before and after events? While targeted to specific events, the actionable advice is valid for all events that impact your business. Above all, it is about the business. Security’s goal during these events and breaks is to ensure the business stays running. Much of the advice in these podcasts covers people and process. Technology is there to augment the process. Unfortunately, there is no technology that covers every case. Therefore, you need a good, well-thought-out process.

After

The first podcast was about what to do after an event, such as Black Friday. After is important, as an event could generate ten to one hundred times more data than you normally see. How do you analyze or handle the increase in data? How do you sift through it for the attacks and weed out the things that don’t matter? We looked at this from the consumer side and the business side.
So, what can you do?

Consumer
  • Reconcile receipts against credit/debit cards.
  • Verify your accounts regularly for unknown withdrawals.
  • Set up email/SMS messages for all transactions over $0: did you authorize the transaction or not?
  • Have your bank and credit card company fraud hotlines available (do not trust the number on the back of the card, as they constantly change).
  • Ensure that your packages are not left outside; track them and have someone there to pull them into the house. You can also have deliveries made to the local UPS, FedEx, or postal location.
  • Destroy package boxes you are not saving: do not put the intact box out on the curb; put out a pile of flattened cardboard, label side down, or place it in a proper recycling receptacle.
  • Do not click on links in email: go direct to the site to verify shipping information, invoices, payments, etc.
Business
  • Send out a nicely worded message about safer ways to access links to avoid falling prey to phishing while shopping or due to the emails that arrive afterward. Point people to a proxy service. Quarantine anything on the company email network that includes a document or non-whitelisted link.
  • Use operations tools to notice spikes in performance (good or bad), and correlate against security logs for similar spikes in activity. Was the increase in processing due to security issues, or expected behavior?
  • Each person who manages a business credit card should also monitor the account and set alerts for debits just as if they were a consumer. Ultimately, that person is responsible for the debt racked up on a company card, not the company.
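The second business bullet above, correlating a performance spike with the security logs for the same window, as an added example that is not from the podcast: constructed web-request and failed-login log lines are bucketed per minute, and any minute whose request volume jumps well above the median is labelled "investigate" if security events jumped too, or "expected" if they did not. Timestamps, paths, user names and addresses are all constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import median

def ts(minute, second):
    # Constructed timestamps: every record falls on the same morning.
    return f"2023-11-24T09:{minute:02d}:{second:02d}"

# Constructed sample logs: an ops log (one line per web request) and a
# security log (one line per failed login). Minutes 0-3 are quiet,
# minute 4 is a login-hammering spike, minute 5 is a spike of normal traffic.
OPS_LOG = [f"{ts(m, s)} GET /cart 200" for m in range(4) for s in (12, 45)]
OPS_LOG += [f"{ts(4, s)} POST /login 401" for s in range(0, 60, 6)]
OPS_LOG += [f"{ts(5, s)} GET /deals 200" for s in range(0, 60, 6)]
SEC_LOG = [f"{ts(1, 20)} auth_failure user=alice src=203.0.113.5"]
SEC_LOG += [f"{ts(4, s)} auth_failure user=u{s} src=203.0.113.9" for s in range(0, 60, 10)]

def count_per_minute(lines):
    """Bucket ISO-timestamped log lines (timestamp is the first field) by minute."""
    counts = Counter()
    for line in lines:
        stamp = datetime.fromisoformat(line.split(" ", 1)[0])
        counts[stamp.replace(second=0)] += 1
    return counts

def classify_spikes(ops_lines, sec_lines, factor=3.0):
    """Find minutes whose request volume is >= factor x the median minute and
    label each one: 'investigate' if security events in the same minute also
    rose by that factor, otherwise 'expected' (most likely legitimate load)."""
    ops = count_per_minute(ops_lines)
    sec = count_per_minute(sec_lines)
    ops_base = median(ops.values())
    # Floor the security baseline at 1 so a silent baseline still needs real volume.
    sec_base = max(median(sec.get(m, 0) for m in ops), 1)
    verdicts = {}
    for minute, hits in sorted(ops.items()):
        if hits >= factor * ops_base:
            hot = sec.get(minute, 0) >= factor * sec_base
            verdicts[minute.isoformat()] = "investigate" if hot else "expected"
    return verdicts

if __name__ == "__main__":
    for minute, verdict in classify_spikes(OPS_LOG, SEC_LOG).items():
        print(minute, verdict)
```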

The goal of the business discussion is to determine what can help you manage the sudden massive influx of data that is not considered normal. You may have the tools available, or you may not. The goal of the consumer discussion is to raise awareness around financial concerns.
In essence, you deal with Black Friday and other events by raising awareness: awareness around shipping, email usage, and even website statistics. Once you start down this path, it is a good idea to continue and use these new elements to aid future issues.

Before

Before is ultimately a discussion of process changes and not technology. For the business, there are simple process changes that could help while everyone is out of the office:

  • Ensure the call tree for issues is correct. If someone is out of the country, an emergency call may go nowhere fast.
  • Test all your means of remote ingress to allow problems to be fixed.
  • Set up a mail quarantine system to ensure that attachments and links are not in anyone’s email unless whitelisted.
  • Use an email or web proxy to defang possible phishing and other attacks.
  • Answer the simple questions “Are you satisfied with your backup?” and “When was your last disaster recovery test?”
  • If there are any self-service portals, ensure they are up and running as expected.
  • Instead of raising detection sensitivity (and the false positives that come with it), employ a tool that does not produce any false positives: one that seeds your systems with canary credentials, files, etc.
  • Ensure that you can detect ransomware using canary files.
  • Have a moratorium on all but critical-to-the-business updates and patches.
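One way to implement the canary-file detection the two bullets on canaries describe, as an added example that is not the podcast's or any product's code: seed a decoy file in each watched directory, record its SHA-256 in a manifest, and alert when a canary is overwritten, renamed or deleted. The canary name, the directories and the `.locked` suffix used in the simulation are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed canary name: sorts first and looks like a juicy document, so a
# mass encryptor is likely to touch it early.
CANARY_NAME = "00_do_not_open_invoice.docx"

def seed_canaries(roots, manifest):
    """Drop one canary file in each root and record its SHA-256 in a manifest.
    Keep the manifest (or a copy) off the monitored host so it cannot be encrypted too."""
    records = {}
    for root in roots:
        path = Path(root) / CANARY_NAME
        payload = os.urandom(256)  # random bytes: unique per file, nothing to guess from
        path.write_bytes(payload)
        records[str(path)] = hashlib.sha256(payload).hexdigest()
    Path(manifest).write_text(json.dumps(records))
    return records

def check_canaries(manifest):
    """Return (path, reason) alerts; an empty list means every canary is intact."""
    alerts = []
    for path, digest in json.loads(Path(manifest).read_text()).items():
        p = Path(path)
        if not p.exists():          # deleted, or renamed with a new extension
            alerts.append((path, "missing or renamed"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            alerts.append((path, "content changed"))   # overwritten/encrypted in place
    return alerts

def demo():
    """Seed two canaries, confirm they are clean, then simulate two ransomware
    behaviours (in-place overwrite and rename) and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp) / "finance", Path(tmp) / "hr"]
        for root in roots:
            root.mkdir()
        manifest = Path(tmp) / "canaries.json"
        seed_canaries(roots, manifest)
        clean = check_canaries(manifest)
        (roots[0] / CANARY_NAME).write_bytes(b"not the original bytes")
        (roots[1] / CANARY_NAME).rename(roots[1] / (CANARY_NAME + ".locked"))
        return clean, check_canaries(manifest)

if __name__ == "__main__":
    print(demo())
```

Run the check on a schedule and feed the alerts into whatever pages the on-call person; a canary is a high-fidelity signal because no legitimate process should ever touch it.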

If you look at everything to do before you leave on vacation, you will notice that these are all things you should do on a regular basis and not some one-off items. You end up with a practice that is steady and understands when things have been checked and tested. Many of those tests can be 100% automated.

Final Thoughts

What you do after an event is verify and find outliers. What you do before an event is tick off a list of checkboxes around testing items to ensure they work as expected. These should be monthly items, at the very least.
What you practice before and after an event is what keeps security working. Trust but verify.