We are approaching the end of a long and exhausting year in cybersecurity, in which security personnel have been pushed to the limit by surging attacks and the cyber skills gap. Many IT professionals will therefore be looking forward to some well-earned rest and relaxation over the Christmas and New Year holiday period.
Unfortunately, as cybersecurity experts are all too aware, attackers do not stop over the holidays; far from it. In November, research by Cybereason found that organizations are significantly more vulnerable to ransomware attacks during weekends and holidays, largely due to not having proper contingency plans in place in these periods. Kevin Dunne, president at Pathlock, commented: “As the holidays approach, cyber-criminals will increase their activity in anticipation of more lax monitoring and thin staffing within security operations centers.”
As we approach the most significant holiday period in the Western calendar, organizations must ensure they have plans to keep themselves secure amid IT and security staff absences. Here are four security measures organizations can take to keep themselves safe over Christmas.
1) Establish a Clear Holiday Incident Response Plan
Ahead of the Christmas break, security leaders should set out a clear incident response plan for their teams in the event of an incident. This includes a clear rota displaying who will be on duty at what times and those on call who may be required to step in when an incident occurs. Timur Kovalev, chief technology officer at Untangle, commented: “With fewer eyes on the network, it’s important that everyone knows their role if the site is down or unusual activity occurs. This should include who is on duty, who is called for an after-hours emergency, and how to communicate to leadership and staff. While IT deserves a holiday as much as anyone else, it’s critical to have security staff on call just in case.”
Pathlock’s Dunne added: “A completely ‘hands-off’ strategy for monitoring won't suffice, as dedicated personnel will still be needed to review alerts and investigate critical incidents. Companies will need to coordinate across personnel to ensure that holiday plans don't result in coverage gaps in the SOC, which would leave company infrastructure vulnerable to attack.”
To make these arrangements workable, organizations should ensure that security staff who have to work or are on call at any point over this period are properly compensated, according to John Bambenek, principal threat hunter at Netenrich. “You have to also handle the human impact of asking those employees to give up their holidays whether that be enhanced comp time (for instance, for every day they lose in a holiday they get 1.5 days back in comp time), overtime pay (even for FLSA exempt employees) or other incentives. Like first responders and hospital staff, the work still needs doing so you need to take care and reward those who are making those sacrifices… and their families,” he explained.
2) Add Context to Monitoring Tools
To avoid unnecessarily disrupting the holidays of security leaders and workers, there should be clear rules and understanding around the types of alerts that require immediate action. Jasmine Henry, field security director at JupiterOne, advised: “I recommend that security leaders add as much context as possible to monitoring systems to right-size their team's response according to risk. Threat actors often work overtime during the holidays while security responders are relaxing, so it's crucial to minimize any confusion about which alerts require an immediate response.”
Henry added that steps should be taken to filter monitoring alerts according to business needs. This will help IT personnel understand potential threats that are immediately actionable and those that are not. She added: “Adding context to your continuous monitoring tools – data on asset classification, threat likelihood and potential impact – makes this work achievable. It helps filter and prioritize security alerts based on quantitative risk, security policy and organizational compliance requirements. Minimizing white noise with context can help your team relax over the holidays and respond instantly to meaningful risks.”
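The following is an added example of the context-based alert prioritization described above; it is not code from the article or from JupiterOne. It assumes a constructed asset inventory (asset names, impact ratings, compliance scope), constructed likelihood weights per detection type, and hypothetical thresholds for which alerts page the on-call engineer, which wait for the next business day, and which are only logged. The point it shows is that the same detection lands in different queues depending on what the asset is and how the organization's policy treats it.

```python
"""Risk-based alert triage with asset context (added example, not the article's code).

Score = business impact of the asset x likelihood that the detection is real,
plus exposure and policy modifiers. All inventory data, weights and thresholds
below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: classification, impact 1..5, exposure, compliance scope.
ASSET_CONTEXT = {
    "db-prod-01":  {"impact": 5, "internet_facing": False, "compliance_scope": "PCI"},
    "web-prod-03": {"impact": 4, "internet_facing": True,  "compliance_scope": None},
    "dev-box-17":  {"impact": 1, "internet_facing": False, "compliance_scope": None},
}

# Constructed likelihood weights: 1 = noisy detection, 5 = high-fidelity detection.
LIKELIHOOD = {
    "port_scan": 1,
    "failed_logins": 2,
    "log4j_jndi_probe": 3,
    "malware_detected": 4,
    "ransomware_encryption": 5,
}

IMMEDIATE_THRESHOLD = 12   # hypothetical: page the on-call engineer
REVIEW_THRESHOLD = 6       # hypothetical: review on the next business day
DEFAULT_IMPACT = 3         # conservative impact for assets missing from inventory
DEFAULT_LIKELIHOOD = 3     # middle weight for detection types we have not rated


@dataclass
class Alert:
    alert_id: str
    asset: str
    detection: str


@dataclass
class TriagedAlert:
    alert: Alert
    score: int
    tier: str
    reasons: list = field(default_factory=list)


def score_alert(alert: Alert) -> TriagedAlert:
    """Combine asset context and detection fidelity into a tier for one alert."""
    reasons = []
    ctx = ASSET_CONTEXT.get(alert.asset)
    if ctx is None:
        # Unknown asset: do not silently drop it; apply a conservative default.
        impact, internet_facing, compliance = DEFAULT_IMPACT, False, None
        reasons.append("asset not in inventory; default impact applied")
    else:
        impact = ctx["impact"]
        internet_facing = ctx["internet_facing"]
        compliance = ctx["compliance_scope"]

    likelihood = LIKELIHOOD.get(alert.detection, DEFAULT_LIKELIHOOD)
    if alert.detection not in LIKELIHOOD:
        reasons.append("unrated detection type; default likelihood applied")

    score = impact * likelihood
    if internet_facing:
        score += 2  # exposure modifier: reachable from the internet
        reasons.append("internet-facing asset")

    if score >= IMMEDIATE_THRESHOLD:
        tier = "page_on_call"
    elif score >= REVIEW_THRESHOLD:
        tier = "next_business_day"
    else:
        tier = "log_only"

    # Policy floor: alerts on in-scope assets are never suppressed outright.
    if compliance and tier == "log_only":
        tier = "next_business_day"
        reasons.append(f"asset in {compliance} scope; never suppressed")

    return TriagedAlert(alert, score, tier, reasons)


def triage(alerts):
    """Return alerts grouped by tier, highest score first within each tier."""
    queues = {"page_on_call": [], "next_business_day": [], "log_only": []}
    for alert in alerts:
        triaged = score_alert(alert)
        queues[triaged.tier].append(triaged)
    for queue in queues.values():
        queue.sort(key=lambda t: t.score, reverse=True)
    return queues


# Constructed sample alerts for a quiet holiday shift.
SAMPLE_ALERTS = [
    Alert("A1", "dev-box-17", "port_scan"),
    Alert("A2", "web-prod-03", "failed_logins"),
    Alert("A3", "db-prod-01", "ransomware_encryption"),
    Alert("A4", "printer-04", "port_scan"),          # not in inventory
    Alert("A5", "web-prod-03", "log4j_jndi_probe"),
    Alert("A6", "db-prod-01", "port_scan"),          # low score, but PCI scope
]

if __name__ == "__main__":
    for tier, items in triage(SAMPLE_ALERTS).items():
        print(f"== {tier} ==")
        for t in items:
            print(f"  {t.alert.alert_id} {t.alert.asset:<12} {t.alert.detection:<22} "
                  f"score={t.score:<3} {'; '.join(t.reasons)}")
```

Note how the same `port_scan` detection is logged and forgotten on a development box, queued for review on the PCI-scoped database because of the policy floor, and would still only reach the review queue on an unknown asset, while the JNDI probe against the internet-facing web server pages the on-call engineer without anyone having to read the raw alert stream.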
3) Audit and Update Existing Security Measures
There are numerous actions organizations can take to reassure themselves that their current security measures and tools are as effective as possible over the holidays. At a basic level, this involves ensuring their software is updated with the latest patches. These patches are especially relevant given the recent discovery of the Log4j vulnerability.
In the view of Untangle’s Kovalev, organizations can go further. This includes conducting a VPN audit, which is especially important amid the shift to home working. “IT Teams should conduct a VPN audit to ensure which devices are successfully connecting to the VPN client and which devices need additional help or security. IT teams can then work with employees who are still struggling to securely connect to the network to ensure they can connect if needed during the holiday break. This is especially important to do before IT teams are short-staffed for the holiday,” he said.
Additionally, a final check, and if necessary, update of security policies should be undertaken before the Christmas period. Kovalev added: “Many businesses have filters, blocks, alerts and segregation policies set up when employees access the network. Before taking a holiday break, IT Teams should revisit, and possibly update, policies and rules to accommodate increased home use, shopping as well as reduced staff to monitor usage.”
4) Ensure Data is Backed Up
With organizations undoubtedly at higher risk of suffering a successful attack over holiday periods, it is even more vital that adequate backup systems are in place to ensure they can recover quickly from a breach. This need is exacerbated by rising ransomware attacks, as good backups will reduce the likelihood of an extortion demand needing to be paid. Kovalev said: “Double check your backup settings and systems prior to vacation. If your data is backed up, even if your network is breached, a backup can revert the machine to the data it had on it the day before the attack, minimizing losses.”
Cybersecurity teams have faced significant pressures over the past couple of years and deserve a break over the Christmas holidays. To ensure this can happen without compromising security, organizations need to plan; this ranges from special processes for dealing with potential IT issues during this period to building in as much resiliency as possible into their systems before the holidays. This will provide peace of mind during what is often seen as the most vulnerable time of the year.