Security Considerations for the Social Distancing Era?

Andrew Barratt, Managing Director, Europe

COVID-19 is changing the way nearly all of us work and, for some specialist security operations, this is a real challenge. For others, it’s an excellent opportunity to add value to the business for when the economy starts to recover.

The challenges

Most of us see the day-to-day security operations baked into modern businesses, such as security awareness training, identity and access control, and vulnerability management, carrying on much as before. However, for those operating regulated encryption programmes, or who have to maintain robust multi-person key management schemes, social distancing presents a real problem.

Within a business’s most fortified rooms are often devices used to secure cryptographic keys, called Hardware Security Modules (or HSMs for short). These devices typically serve one of two functions. In some cases, they’re the only place a root encryption key can exist as a whole; in others, they perform very specific cryptographic operations, like verifying your PIN.

HSMs essentially provide hardware-maintained security such as tamper resistance, physical security, and multi-party control over access; this is where the issues begin.

In many cases, the basic implementation is ‘dual control,’ requiring two people to be physically present at the HSM to enter their keys and PINs. In more sophisticated implementations, there may be a quorum – perhaps three out of five – or ‘N of M’ as it’s commonly known.

In an environment where social distancing is required, this can be extremely challenging. If there are a significant number of key custodians, it may require a rethink of the process and some dialogue with your security assessor or accreditation body. There are situations where just two people can be present if local law allows; however, with encryption services being deployed all over the world, there could be substantial challenges to overcome.

Where it is possible, procedural consolidation of key custodians is one compromise. The process should be clearly documented as an emergency protocol and, if key components need to be shared in order to change the N of M arrangement, it should be done while minimising exposure of all components and of the key custodians themselves.
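The quorum model described above, and the emergency consolidation that follows it, can be made concrete with threshold secret sharing. The following is an added example, not code from the original post or from any HSM vendor: it splits a key into M shares of which any N reconstruct it (Shamir’s scheme over a prime field), shows that a smaller group cannot, and models consolidation as a full quorum reconstructing the key and re-splitting it with a smaller threshold, so that no individual custodian’s old component is ever handed to another custodian. The prime, the function names and the toy key are assumptions chosen for illustration.

```python
"""Shamir threshold ("N of M") secret sharing with an emergency re-share step.

Added example, not part of the original post. It models the quorum control
described for HSM key custodians: a key is split into M shares, any N of
which reconstruct it, while fewer reveal nothing about it.
"""
import secrets

# Prime field for the arithmetic (2^127 - 1, a Mersenne prime). Assumption:
# the secret is an integer below P. A 128-bit key does not fit as-is, so for
# real keys use a larger prime or share each byte separately over GF(2^8).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod P."""
    result = 0
    for coeff in reversed(coeffs):  # Horner's rule
        result = (result * x + coeff) % P
    return result


def split(secret, threshold, shares):
    """Split `secret` into `shares` points; any `threshold` of them reconstruct it."""
    if not 0 < threshold <= shares:
        raise ValueError("need 0 < threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # a0 is the secret; the remaining coefficients are random and non-zero, so
    # the polynomial really has degree threshold-1 and no smaller quorum works.
    coeffs = [secret] + [1 + secrets.randbelow(P - 1) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def reconstruct(points):
    """Lagrange interpolation at x = 0 over the given (x, y) share points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def consolidate(quorum_shares, new_threshold, new_shares):
    """Emergency re-sharing: a full quorum reconstructs the key and re-splits it.

    The key exists in the clear only inside this function (in practice, only
    inside the HSM); the old shares are never exposed to other custodians.
    """
    return split(reconstruct(quorum_shares), new_threshold, new_shares)


if __name__ == "__main__":
    key = secrets.randbelow(P)            # constructed toy key, not a real one
    shares = split(key, 3, 5)             # the usual 3-of-5 quorum
    assert reconstruct(shares[1:4]) == key
    assert reconstruct(shares[:2]) != key  # two custodians are not enough
    emergency = consolidate(shares[:3], 2, 3)  # documented emergency 2-of-3
    assert reconstruct(emergency[1:]) == key
    print("3-of-5 quorum and 2-of-3 emergency re-share verified")
```

The re-share keeps the old shares intact and individually secret; the only moment the whole key is assembled is inside `consolidate`, which in a real deployment is the HSM itself, and the emergency shares should be retired and the original quorum restored once normal operations resume.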

The gift of time

For many, the move to social distancing may have given their business back some time previously lost to commuting or travel. There is also an opportunity to prioritise workload or optimise processes, so that staff with spare capacity can be put onto those ‘back burner’ projects that were always due to start once the backlog was cleared.

Other security professionals in the software world are seeing their organisations implement change freezes to cope with an uptick in demand or a switch to supporting their government and healthcare industries’ efforts in the battle against COVID-19.

Whatever direction a business is travelling in, it is important to ensure that security is a core requirement and not an add-on feature at the end of a project. With multiple attacks in the media leveraging COVID-19 messaging, rushed software solutions could easily be a target in the future.

For those in the payments community, there are also some new software security standards to consider. The Secure SLC Standard introduced by the PCI Standards Council, for example, provides a framework for security governance and secure software development to certify against.

Many vendors and standards bodies are now making their security guidance freely available, so now is as good a time as any to review it and decide what fits your environment best. Having a plan in place for when executive teams return their focus to firmwide security may be one of the longer-term upsides of enforced working from home.

https://www.microsoft.com/en-us/securityengineering/sdl/resources
https://safecode.org/publications/
https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf
https://www.owasp.org/images/7/76/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf