Webinar: Security of remote work | What security aspects are worth reviewing after accelerated digital transformation

Learn about steps your organization can take to protect itself long-term from the negative effects of accelerated digital transformation. Webinar transcript: What aspects of security are worth reviewing after accelerated digital transformation in your organization.

Security of remote work: What security aspects are worth reviewing after accelerated digital transformation (21.05.2020)


— Karol Wróbel —

What do we mean by accelerated digital transformation – what has it given us and what have we encountered? Just two months ago, few of us would have predicted what the next steps would look like in terms of the nature of our work as it changed drastically. The biggest changes came in terms of communication within teams and communication with customers. In many cases – however, not in all of them – we lost the possibility to meet with them face to face. In retrospect, I can say that there were some instances – particularly when discussing new topics – in which direct work proved to be irreplaceable. Nevertheless, we had no choice but to quickly switch to working remotely.

Accelerated changes in system and network architecture and an increased appetite for risk were also significant factors. In the discussed state of affairs the appetite was relatively large and in the overall transformation processes our cyber security department saw a big parallel between what was happening and incident handling. This is very much our daily bread and, as a result, our emotions didn’t get the better of us and we were able to assist in addressing certain types of actions, setting directions and assisting in the transformation of the organization. The main focus here was on the network, IT and general support departments, thus we were pleased to play an advisory and support role.

At the stage we are at now, which is around a month and a half since the transformation started, we can formulate further reflections on what would be worth doing and what we should pay particular attention to in order to ensure the security of ICT systems and remote work in general, in relation to what we encountered, namely: many systems were modified, transformed and their capacity was increased, while due to the fact that all actions were undertaken with the key priority of maintaining the business continuity, security had a slightly lower priority. Both among our customers and on the basis of what is happening on the market in general, we have observed that opportunities that were previously blocked for security reasons are now opening up. The topic we need to analyse at the moment is how to approach the whole undertaking and get back to some kind of a “comfort zone” in relation to taking risk – in a structured way.

Very often the most valuable asset of the company is its employees. For some employees, changing the nature of work and largely switching to home office wasn’t a comfortable situation to be in. Some might have felt a little anxious, especially when they were distracted working at home. It’s worth focusing a bit more on the human aspect of this transformation. Even before the shift to home office, there were some predictions of how interpersonal relationships would change soon, in three phases. Phase one – after the first three days, everyone is excited about working remotely. Phase two – three weeks after the switch, employees express willingness to return to their “normal”, traditional working model. These two phases are already behind us, but there is a third one, which is what happens after the first three months of home office. Employees might discover that they work for a company that is completely different than before the switch. The nature of work has changed, the issue of interpersonal communication has changed, and not everyone feels as comfortable as they originally did within the organization. Let’s keep in mind that some of the ways of doing business that we currently see, know and are in the middle of – those will remain despite the process of unfreezing the economy and increasing its activity after the break. Therefore, the question of taking care of an employee and enabling him or her to communicate in the way they were used to before – i.e. maintaining interpersonal relationships, creating some kind of common space for teams, restoring possibilities of formal contacts – is a very important element of long-term planning of efficient work.

A hot topic these days is the question of taking vacations during a pandemic – is it worth doing or not? Many people I talked to said that when we worked remotely, we worked a lot more than in the office. Many companies so far have not relied on remote workers, all the more reason to consider how hard we use our bodies in such a work model. Sometimes taking two or three days off, or even a week, can significantly help us to calm our thoughts and adjust to new conditions. So let us try not to neglect this issue.


— Paweł Krawczyk —

The procedural aspect may be associated – quite reasonably – with the system approach to safety management, where a number of new business processes are often required and safety aspects have to be included in the existing processes. As for what the procedural aspect may be associated with, it is a series of labour-intensive activities carried out just in case. How do we deal with such an issue when we have much faster actions implemented by the business? Before we delve into this subject, I would like to mention the lower level documents, i.e. instructions and procedures. These documents are undervalued in normal times, however highly appreciated in difficult times. Once we have such procedures, we should make sure that they are easy to use and useful. Once these conditions are met, anyone in need should know where to find these documents. Why is this so important? Because in difficult times we often experience the “WTFN” effect, meaning “What the frick now”. It can be understood in terms of quite popular Murphy’s law which states that if something can go wrong, it definitely will. As we and our colleagues from other companies know perfectly, this applies to those days when gigabyte limits in the phone run out, VPNs stop working and we don’t have electricity at home because maintenance works are underway or our neighbour caused a short circuit. To make matters worse, such things happen at the worst moments possible.

How do we manage in these times that are so unusual for our type of business and organizational culture? We need to be able to communicate with each other, especially when Murphy’s law applies. If we have established possible channels of communication, including emergency ones, and know who to call in time of need, then while it certainly won’t solve all our problems, it will be a step forward and open some doors for us.

If we were to think about what we would need, we should think about the end of this pandemic. We will have to ask ourselves questions such as: were the decisions we made in the crisis appropriate and were the expenses we incurred justified? How should we update our business continuity plans? At the company, we call this a “lesson learned” meaning what we now know that could have been done better. However, to have data for such reflections, one must remember that the material written down must equal the one we memorised. The more meticulously we record our activities, the more material we will have to make our procedures and instructions for internal work organisation better organised. So how does it translate to procedures and organisation? Example: you probably all have a document in your company that is called a list of derogations from the security policy. This is a document that, in this era of rapid actions, you should update as often as possible. The same applies to asset inventories which can be translated directly into, for example, a list of systems made available to the Internet or modified so that the business can serve its core functions. So, when it comes to such elements, it is also a good idea to maintain a close collaboration and mutual understanding of the needed actions and priorities for the business operation. Because that’s really the key – when we can complementarily work together with other departments.


— Karol Wróbel —

The issue of recorded and memorised material is very important. We are in such a stable moment in which we can really undertake cleaning works and what is important, while considering any kind of changes, we should make even the smallest notes, so that we can later come back to what was changed, what services were rendered, what modifications inside the systems took place. Only then can we confidently approach the issue of going through further verification steps as to how safe they are and to what extent.


— Andrzej Milewski —

The coronavirus outbreak has forced changes in most companies that, in many cases, were not possible or difficult to implement until now. I am referring to the subject of remote work and the technological problem of it, on the one hand, and the process issue, on the other. Until now, many companies lacked processes that would accommodate this model of work. Therefore, I would like to address the issue of choosing remote communication tools. The person who is asked by the company to choose a tool the company shall use during a pandemic does not have an easy task – there are a lot of tools to choose from on the market.

The most popular platforms available include Zoom, Microsoft Teams, Cisco Webex or Skype. These tools can replace traditional ones, creating the opportunity to meet virtually, hold discussions, present materials or conduct job interviews. There are other apps we can use, not only during a pandemic – for example Signal and WhatsApp. It is worth paying special attention to the first one. This app ensures confidentiality, as well as gives the opportunity to work in a group (creating so-called task groups thanks to which we can address a specific topic to specific people). In addition, the information distributed within the group becomes available faster.


Besides, it is a phone app and we usually have our phones with us, so it is the most convenient solution to use in case we need to quickly exchange information in a group.

The last and most common tool is e-mail. In this case, there are no revolutionary changes. The only change for those working during the pandemic is that correspondence may be a bit more voluminous. This is related to the fact that we do not have the opportunity to meet directly and talk in the company hallway or kitchen.

What is important when using these tools is the matter of being acquainted with them. In a situation when many people have had to switch to remote work, it is crucial to get to know these tools and their parameters well. Let’s not forget this, let’s not succumb to the rush and the thought that “we have to start work immediately”. Especially when our work requires conducting closed meetings where important information is distributed. We should then take care of the issue of controlling access to those meetings so that not everyone can just freely attend them.

This can be done by the host responsible for authenticating and controlling people who connect with the given meeting room. A good option, although – as some say – not always possible, is to use the cameras. This way we can perform authentication ourselves by showing our face, so that others know who they’re talking to. Why? Because in case of a large meeting when not every attendee has to speak, there may be a situation when an unauthorised person gets into the meeting, they don’t show their face, and they overhear information that de facto they shouldn’t hear. This could lead to an incident of information leakage in a way – at least so far – that is rather unusual.


Phishing is an ever-present topic. Attackers like to take advantage of any possible situation, and a pandemic is one of them, too. Recently, we have had to deal with a lot of fake invitations to meetings. In such invitations, you have to pay special attention to the links provided – whether they are actually links to meetings. We should be cautious especially in case of HTML messages – we may come across a link that is fine, at first glance, and leads to a meeting, but underneath there is a URL that leads to a malicious site. What can happen after clicking a malicious link? The site may trick us into entering our credentials, or simply ask us – in a message – to install some additional software to conduct the meeting. Be careful with such information because hackers are just waiting to trick us into installing such software. Don’t rush things – if you have any doubts regarding the invitation you received, call the person you received it from. If we have a situation in which someone claims to be our friend and sends us a strange invitation, let’s call them, preferably using a different channel than the one specified in the message, and confirm that such a meeting is to take place. Also, if you suspect you’ve received a fake link, report it to your company’s security incident response team. We operate during a pandemic and work remotely, but it doesn’t mean such teams don’t work. They should act, react and continue to help us.

Another important issue concerns equipment we use. If we have the possibility to use business equipment at home, we should try to maintain such work hygiene that business matters are performed on business equipment, and private ones – on our private equipment. Also, make sure that business equipment is used as if you were in the office, i.e. that it is not shared by other users (household members). If we have the need to step away from the computer and take a break, it would be a good habit to use the screen lock.


— Karol Wróbel —

To sum up, it is important to know well the tool you are using, or in other words, to provide appropriate training to people who are supposed to use it and prepare good practices for using the solution. It may happen that all of us have to start using a given solution overnight. Some employees may be fully aware of how to use a given class of solutions, while others might never have had to use them before, so try not to take it for granted. On the one hand, let’s make sure that employees are familiar with the tools; on the other hand, let’s ensure the solutions are safe to use.

The competences at EXATEL are at a very high level, which is why we are able to offer you competent implementation, including documentation and training.

I’d like to address the topic of how the landscape has changed, or rather what was under the hood of the change in the landscape of using business systems, because the business continuity and the effectiveness of bringing in new revenue depend on how failure-free the business tools – used at the company so far – are, to what extent we have access to them and whether their capacity is sufficient. Due to the change in the nature of the work we performed, various companies found out, for example, that the gentleman from the helpdesk could not just come to us and help because he was working remotely. This is why the transfer of knowledge to employees, e.g. by creating a general information channel, is such an important issue. At EXATEL, we started to use such methods of spreading information to all employees much earlier.


Ensuring a proper flow of information is an important backbone of organisational culture.

Going back to the technical aspects – during the transformation, changes in the capacity of various types of systems were implemented immediately. The efficiency of systems, understood as the issues of virtualization capacity, physical machine capacity, etc., caused some of you to consider migrations of various kinds from business systems or to colocation, to server rooms, changing their location, buying equipment, which was not always available either, because let’s remember that supply chains are no longer as efficient as they used to be.

In many cases we have to make do with the resources we already have and it is important to help competently tune the performance of these systems, which is the area EXATEL can help you in. As a telecom operator, we see a huge increase in demand for bandwidth, we see the issue of migration to different types of data centres or the use of cloud services. However, we should remember that migration to cloud services also involves many risks, starting with, for example, using this fact in the preparation and utilisation of phishing and spear phishing by hackers. Correct implementation, access verification at the network and system level – recently many companies have experienced a revolution when it comes to these aspects. Being aware of the fact referred to above, we are able to help you in these matters.


— Rafał Litwińczuk —

Given the current situation, the most important issue was to ensure business continuity. We had to ensure our business existence in the marketplace. As a result, new systems began to appear in our infrastructure. There were also changes to the already existing ones. As a security department, we often didn’t have time to perform an in-depth analysis of what was being put up, how it was being done, because the priority was to ensure continuity. Other issues, such as integrity and confidentiality, were of less importance. We also had some communication problems due to the fact that everyone was really loaded with work. Sometimes it was hard to convey information about new systems. There were new developments in the infrastructure. Some of us were terrified and wondered whether our VPN could handle it. It wasn’t so bad if it was a software issue – then you click, buy a license and it just works. It was way worse if it turned out that for example our hardware couldn’t support it or worse, hardware or software hadn’t been updated for a long time and that was why we didn’t have support.

New solutions related to group work, various kinds of chat rooms, discussion rooms and videoconferences appeared on the market. Not only that, but also systems that allowed file sharing between us and our customers. Sometimes we need to send a large amount of data and unfortunately we can’t pack it into an e-mail. And so, file sharing platforms appeared. Most of you have probably experienced a situation in which your Internet connection could not handle the current number of users. It worked when there were, for example, ten or twenty remote employees. Now, we have a hundred home-office people and there is a problem, because we need to buy bandwidth and thus anti-DDoS solutions, so someone doesn’t take that bandwidth away from us. Unfortunately, these new services and modifications were often issued with the so-called default configuration. However, now accessibility is ensured, our business is functioning, we have done it quickly, so we need to catch up on the other aspects, namely confidentiality and integrity.

First, we would recommend taking inventory, as Karol has already mentioned. However, we need to know what is new or what has been changed in our infrastructure. The easiest way to achieve this is to talk to administrators of various solutions, if possible. They are a treasury of knowledge and information about what has actually been done. So, we need to rebuild the relationship between Cyber and IT. Since we have already mentioned new services, it would be worthwhile to take a look at what new services have appeared in our address pool, run a simple scan, review the available address pool, or extract information from DNS servers about the domains we put up and scan them to see if any redundant services have appeared. Once we’ve checked more or less what we put up, it’s a good idea to check the setup for default settings. As we applied default settings – because we were in a hurry – we should check whether there are no default users and passwords like “admin”, for example. Have the certificates also been changed, or are the certificates of the solution manufacturer still there? It’s also worthwhile to read the documentation and find such default settings. It is good to check whether a given solution fits into the standards adopted by us, e.g. we have a VPN server but we have to add a second one – a completely different solution. In such a situation you should make sure that the user who will be logging on the first VPN server has the same privileges on the second one, or, for example, whether by logging on one server they suddenly have access to other elements of our network. We also recommend checking other issues, e.g. one solution supports multi-factor authentication and we have assumptions in our standards, and another one e.g. has not been implemented yet; we need to catch up with it and address this issue as soon as possible. Of course, many times we will have to operate in a project mode.
We also need to complete the documentation, and first of all update the architecture, because later, in case of an actual incident, we don’t want to experience a situation when we discover that something is out of place and it turns out that it has been there since the COVID outbreak. Thus, we waste time to actually handle the incident.

Probably all of us are monitoring security, and in this area, too, we need to introduce changes and consider certain aspects in the context of digital transformation. First of all, we should verify whether our security systems also include new or modified solutions, i.e. for example: we have a VPN server put up, but do the logs from it flow to our SIEM server? There may be some incidents later when we notice failed logins, we look for entry points, we can see a VPN server, we knew some things about it, but we don’t monitor it and we don’t know that someone has been trying to log in there for six months with known passwords. In case of security systems, it is also worth checking whether the solutions on users’ computers can update automatically, whether the operating system can be updated automatically, or whether we have such a closed policy on our company computers that it is only possible through a connection to the company network via cable. It is the same with our security solutions: EDR (Endpoint Detection and Response) can connect freely to the management server, and other antivirus solutions as well. We also need to make sure – in the context of monitoring – that we have security solutions prepared, set and configured appropriately, but in the context of remote work, e.g.: currently the borders are closed and we know that employees work only from Poland. In such a case, we should try to detect failed or successful login attempts from outside Poland and this will be the actual sign that we may have an incident.
While using anti-DDoS systems, or other behavioural systems detecting anomalies, we have to take into account that the sensitivity thresholds of these systems have to be raised to take into consideration that, for example: the users used to adopt 5 megabits of bandwidth in the anti-DDoS solution but now this threshold has been raised, and so the DDoS alarm will not be triggered – let’s say after exceeding those five megabits – because the users are currently using 10 megabits of bandwidth. Probably in many cases there may also be a need to add exceptions of various types. Include them, clarify if they are actually meant to be in place, and very importantly, specify how long they are meant to be added for. During his presentation, Adam Haertle mentioned a very interesting solution, namely – if employees work on home hardware, they should use the operating system on a USB stick – plug it in, turn the computer off and boot it from the stick to ensure a clean system and that it is not infected in any way. It is also worth mentioning that if an employee connects to our infrastructure via VPN, it is good to check if our solution supports it, and if so – whether this VPN client can verify before connecting to our infrastructure that we have an up-to-date system version with activated anti-virus protection.

What happens next when the pandemic is over and we go back to working in offices? From our experience we know that items and services we put up like to stay with us for longer. As such, it is worth taking the time to scan for vulnerabilities that may appear in relation to those new products. In a perfect scenario we should sit down and run penetration tests completely from the outside, simulating an actual attack.


— Tomasz Podłucki —

I work in the sector of cyber security for industrial automation on a daily basis and would like to offer you some food for thought on our plans for security in this area. Digitisation is obviously an opportunity and the research confirms this. According to IHS World Industry Services, digitally advanced businesses are growing several times faster than digitally backward organizations. In case of the digital transformation to Industry 4.0, opportunities brought risks, while in case of the COVID-19 pandemic, risks bring opportunities. Be that as it may, when it comes to digitisation, we have to keep in mind such an aspect that the market may eat us up, whereas by ignoring COVID-19, we stand a good chance of losing our ability to operate. Both bring new threats specific to the area of IT solutions directly under the OT. To maintain availability, the industrial environment must ensure both security and safety. Safety – usually understood as OHS – is addressed. However, cyber security is more difficult to address, especially in an Industry 4.0 environment where industrial automation is becoming increasingly entwined with IT. As we take further steps on the path to continuous improvement, we must remember that caring for safety is also a process of continuous improvement.

I suggest taking your organisation’s inventory, including OT area, as a first step, just like my colleagues have already mentioned. We need to know what we have, where we have it, how we operate it and how the various devices communicate with each other. It is a good idea to take a look at and update your technical and process documentation, which often facilitates optimisation and digitisation, extracting further added value from the work you put into these processes. It’s also good to know what’s going on in the network infrastructure elements, with particular emphasis on the industrial infrastructure, what is available on the network, what devices are communicating with others and what those others are exactly. A good practice is to monitor threats, reminders and messages about further threats within the OT area and implement updates to block the possibility of exploiting vulnerabilities.


The next step may be to control the state of the network at the physical and logical layer, both those more widely known in the IT environment, Ethernet-like, and those based on serial communication. Monitor its condition, commission audits, verify results and implement recommendations. Doing so helps to predict troublesome and undesirable situations, such as failures in one’s infrastructure, and often even be ahead of those failures. It is essential to modernise the process by supporting the maintenance of key systems and retrofitting them with a Cyber component. We must realise what risks we will face and acceptably minimise them. A well-developed business continuity plan helps to improve OEE (Overall Equipment Effectiveness) of a machinery park. I would like to emphasise one thing here – it is not worth postponing changes for the future, because it is an attempt to avoid the inevitable by creating a snowball effect. When adapting an industrial area to a transformation procedure, you will face many opportunities and risks, and EXATEL can provide you with a support service at each of these stages. Therefore, feel free to analyse our offer.


— Karol Wróbel —

Tomek has just said that, whatever the circumstances in the work environment and whatever the changes, when it comes to digital transformation, do not hold back and put off cyber security projects, including in the area of industrial automation. Just six months ago, most of the public would not have predicted that the current COVID-19 situation would look like this. Business continuity plans did not take into account the situation we are facing now either… at least not all of its aspects. Nevertheless, how can we be sure that within the next three years there won’t be another type of unpredictable event that will be even worse than the one we are facing now? That is why it is worth rolling up your sleeves and at least trying to prepare for optimisation works.


— Activity proposal and game plan (slide discussion – 59:50) —

The bottom left corner of the slide is where we start because we’ve discussed there a number of potential problems that we’ve faced, are facing, or may face. In our company’s cyber security department, we were thinking about how we could help you and we have come up with some sort of activities and their priorities in terms of how we could relate and collaborate on these aspects.

We start by learning about and verifying the most vulnerable areas of your infrastructure. At EXATEL, we do this using security reconnaissance. There is an agile method to verify the security of your architecture by top-notch experts, i.e. a team of penetration testers and process-procedural analysts. It’s an activity completed within two or three days which in a short time can provide us with information/summary whether your infrastructure can be hacked and what are the most critical elements of vulnerability that we found and verified. Afterwards, we provide you with a report, discuss the works that can be done further and then close the action. If you decide that you enjoyed working with us, we can move on to further analysis. If you think you can handle the bugs that we found yourselves – no problem.

The next step can include vulnerability scanning. However trivial it might be, in the area of accelerated transformation – the issue of switching on different types of systems mentioned by Rafał, which were not always under control – the flow of information between units was not always correct because the priority was to ensure business continuity. And here is space for vulnerability scanning. Finding those resources, being aware of them, finding the business owner – that’s very important. The very issue of vulnerabilities in these solutions is also crucial, but first and foremost we need to be aware that they occur in the network in order to further plan our work with respect to security. If vulnerabilities were found during security reconnaissance and vulnerability scanning, it would now be advisable to speak to someone who can help in such an event, a suspected security incident. EXATEL Assistance is a low-cost product that works in such a way that you can report a suspicious incident to us, and our company will quickly set up a team of experts to assess the incident on an ad hoc basis. We consult it on an ongoing basis, assist and close this stage of works by proposing follow-up activities, already in a project mode. This is an effective formula of cooperation, the main advantage of which is that it has a low entry threshold, is low-cost and you can already have a decent back-up in the form of a competent, large, expert team to respond to ICT incident events. In a way, it can be seen as a kind of insurance thanks to which we are able to react quickly to your current problems. This comes in handy in less urgent situations such as: “Is this e-mail a phishing message? Is the attachment malicious?” It may happen that you report that:


“Something has happened; it encrypted a half of my organisation. Is it possible to decrypt this data? How to approach this and how to minimise this threat spreading around the organisation?” This is a completely basic scheme, a cooperation proposal.

The next stage is a decisive expansion of work, although we still remain here in a relatively safe zone when it comes to money. The monthly subscription fee resulting from such work is not drastically high, and we are talking about activities such as architecture and configuration analysis of systems and networks. We are also able to perform a security inspection of accounting processes and phishing vulnerability testing. As there were many changes, some of the less informed people had to change the nature and mode of their work to a more digital one. The e-mail communication channel has become much more important, making all organisations more vulnerable to phishing. Therefore, such employees need to be assisted in understanding how to behave, for example through cyber security awareness training. First of all, the necessary minimum would be to secure the key area from which money can directly leak out. We have experience in responding to incidents of this class as well, so we focus on them – because they just happen. Incidents of this kind can happen, and the cure is control, verification, assistance in securing accounting processes, and training to deepen employee awareness of how to use the tools and what to watch out for. It is important to alert employees that the security of the organisation depends largely on their awareness and vigilance. The fact that we have cyber security portals, a security officer, or even a CISO, or that one IT guy who also has to take care of systems and security, may make it seem that cyber security is something that depends on that one person only. This is not true – it is the responsibility of all employees. What is equally important is ad hoc process and procedural advice. EXATEL's security department has a dedicated team of procedural experts, so we are also able to assist you in such ongoing consultations.
Gap identification in the information security management process is also an important component, as is corrective action within the architecture.

The third of the five stages comprises all those activities that we perform in the cyber security department. However, it is a proposal that can be used here and now, at the stage we are currently at, which is a month and a half since the changes began to occur. As a next stage, our suggestion would be to change the density, the frequency, of vulnerability scans to, for example, monthly ones – although they can be performed more often, in a scheduled manner, which is even recommended for large and mature businesses. A key, albeit underestimated, component of the overall action is the monitoring of security incidents. We are not talking about a full Security Operations Center service yet, just a kind of simplified solution. It's great that we can have a full technology stack of different kinds of solutions, and each of them can be monitored like CCTV, but if we don't have a central log collection point and if someone competent doesn't look at these logs (even periodically, it doesn't have to be 24/7), then how will we know if something goes wrong? Therefore, at this stage we suggest this simplified monitoring, which nevertheless allows you to ensure the security of different kinds of systems.

Updating key normative documents is a path that may be recommended by ad hoc process and procedural advice. Documents that are not up to date should also be updated, as so far the key has been to maintain the business continuity of the various entities and cells of your company. Documents need to be appropriate and keep up with these changes, and, as Paweł mentioned earlier, in a potential crisis situation the knowledge that was originally written down is highly sought after. During this stage it is also recommended to assess the status and improve the efficiency of the cyber security technologies present in the organisation – which means it is worthwhile to review the technology you have already implemented. Do these solutions work as they should? With this transformation and some employees moving to home office, are the solutions still as efficient as they should be? Shouldn't the rules and policies implemented there be modified? How would we know something was wrong? Just by monitoring security, collecting logs in one place, and periodic threat hunting. That's an entry point.

Stage four is a fairly high level of maturity where we are definitely expanding activities in a number of areas, starting with issues of risk estimation and planning work to secure the most critical areas. In many mature entities we start with risk estimation and only commence any actions on the basis of that, whereas in incident mode, only at a relatively high level of maturity, we take inventory of what we have at the moment, estimate the risk, and arrange the work in relation to the existing state. We are also able to offer ongoing support and advice to architects in these crucial areas, as these stages are divided in order not to start a large overall security improvement programme from scratch. It's not about that. You have to adapt to the reality, to your needs, and to a certain agility of the work that is undertaken. However, we also offer architectural consulting in the sense of network planning and development. Another important issue is to change the frequency of security reconnaissance, i.e. the use of penetration testing and procedural competencies to make sure that more areas are identified. A quarter is a contractual period and very much depends on how big the organisation is, how prone to trouble it is, and how big the area to be checked is. Nevertheless, security reconnaissance is a predefined amount of expert time in which the experts have to deal with recognising some aspect of system architecture in an agile way. It may not be a complete piece of work, but it will be work pointing out the most significant vulnerabilities and risks we may encounter, both in terms of ICT systems and in terms of the procedural aspect, but very nimbly managed. We come finally to the SOC Starter proposal. Previously, we had log collection and threat hunting on those logs. The next stage is the change between log collection and monitoring – and SOC Starter is also crucial here.

The final stage involves continuous improvement of system and network architecture. There is also a full SOC and the implementation and tuning of advanced cyber security platforms. By taking such actions we can reach a much higher level of security awareness in the organisation, which I wish for you and invite you to do.

— Questions —

“How is penetration testing different from security reconnaissance?”

Penetration tests performed at EXATEL differ from security reconnaissance in that when arranging the tests we analyse the tested area and examine it comprehensively, from beginning to end. In the case of a security reconnaissance, we are upfront about the duration, the time in which we do the test, meaning we focus on finding the "low-hanging fruit", the most important aspects of security, and focus on so-called quick wins.

“Have you handled complex security incidents during the pandemic?”

Yes, we have handled complex security incidents. A complex security incident is something that, from my perspective, takes a week, two or three weeks, a month, or sometimes even a couple of months. So yes, we have helped our clients handle these types of incidents. The nature of this work was a bit different than in "normal times", when we could move quickly to a place and benefit from cooperating and working directly with people. Nonetheless, we do undertake such activities, and the impact of remote work on solution delivery time and analysis is not as great as we originally thought.

“Can the complexity of security reconnaissance be changed? Can it be planned for a larger study area?”

We are trying to perform the security reconnaissance in an established time. This product already has a strong foundation. In fact, if there was a legitimate need, I think we would be able to modify it. But it is probably better to divide this work into two iterations, do two security reconnaissances in different areas, and try to make sure, however, that the work is done within the set time so that we can benefit from the results and findings of this work.

Karol Wróbel
Cyber Security and IT Department Director, EXATEL