Convergent Risks: Security Issues Have Only Become ‘Exacerbated’ by COVID

Although the media and entertainment industry supply chain adapted quickly to support a distributed workforce, and the integration of new technologies during the COVID-19 pandemic had the positive side-effect of driving innovation, some security issues have only been amplified by the shift to more remote work, according to Convergent Risks executives.

“The only real constant in the pandemic situation that we’re in the midst of is that there’s a dynamic nature of change and unpredictability to it,” Chris Johnson, president and CEO of the company, said Oct. 20 during the online Media & Entertainment Day event.

“It’s very, very difficult for people to read what’s going to come next,” he pointed out during the Content Security breakout session Actionable Insights into Securing Innovative and Collaborative Environments.

“This is impacting us by territory. It’s impacting the access to our facilities and the content that we need to work on and the types of work that we carry out. So the key message from a Convergent point of view is one that it’s no longer just about assurance. It’s as much about resilience as it is assurance,” he told viewers.

When the pandemic started, “we were on the cusp of managing the technology evolution to the cloud and use of applications,” he noted. But he said: “What COVID has done is it’s changed our trajectory in that regard and now we’ve got this immediate necessity to change rapidly and respond quickly and proportionately…. We’re going to continue to respond and we’re going to continue to recover. But this presentation’s also about the fact that we need to focus on reviewing what we already have within our assurance programs and creating what we need to protect the workflows for the future if we are to remain resilient to this changeable environment.”

Some Vendors Were Better Prepared Than Others

“As vendors rapidly move through the various stages of business recovery, those that were able to respond quickly and remain agile were better prepared for the migration to the work-from-home environments,” according to Janice Pearson, VP of global content protection at Convergent Risks.

“What has become clear is that the decisions that companies made to cope with the COVID-19 crisis would either help or hinder their positioning in the future,” she said, noting: “We believe that the work-from-home environments will be with us in some shape or form for the foreseeable future and the reality is that there is no end date to this crisis. This will require an agile workforce and more dependency on technology than ever before.”

It was “impressive to see how our industry came together and adapted so quickly” to the pandemic, she said, explaining: “New technologies that supported automation, machine learning and integration have solved many of our workflow and supply chain challenges.”

She sees “more changes on the horizon that support cloud computing” and told viewers she believes the “efficiencies gained will become a part of our regular business practices for the foreseeable future,” adding: “We are already seeing organisations re-evaluating their services, that are consolidating where appropriate and changing their business models to support a more agile supply chain and to reduce their operational costs in a positive way.”

Convergent Risks cited a Deloitte study that said: “Automation was the top transformation action arising from the COVID-19 crisis. Globally and across all regions, roughly two of three companies expect to pursue automation.”

Pearson pointed to five key trends being seen now:

  1. Organisations are reducing their real estate footprint.
  2. Organisations are redesigning their supply chains.
  3. New cloud-based workflows are creating opportunities for scale and efficiency by using automation, machine learning, and integration capabilities.
  4. There has been an increase in streaming technologies and Software-as-a-Service (SaaS) applications.
  5. There is an increased use of digital channels for pre-sale, sale and post-sale activities.

The Bad News

“While innovation is a positive by-product of the pandemic, we also must look at the current threat landscape, which paints a very bleak picture,” Pearson told viewers.

Citing Verizon 2020 breach data, Convergent Risks noted:

  1. 86% of data breaches were financially motivated.
  2. 55% of the breaches were perpetrated by organised criminal groups.
  3. 43% of breaches involved web applications.
  4. 28% of breaches involved internal threat actors.

Verizon’s data also found that web-related attacks were prevalent in three of the four global regions (all except Latin America), while “denial of service attacks have been significant in Europe and in Latin America” (but not in North America or Asia Pacific), Pearson said.

“The statistics are sobering,” she noted, adding: “We must recognise that the rapid move to work from home environments has resulted in a significant increase in phishing attacks, many of them COVID-19-themed and aimed at remote workers.”

According to a recent Wall St. Journal research briefing, phishing attacks have soared 350% this year, she said.

The most common attacks on web applications involved stolen credentials or exploited vulnerabilities in the applications, she noted, adding: “The main takeaway is that it is vital that, as an industry, we keep our guard up and security and best practices and guidance must remain current and adequately address future risks.”

Meanwhile, as companies “continue to rapidly adopt cloud services, many fail to put proper security controls in place,” she pointed out. “This failure has often resulted in confusion over the shared responsibility model between the cloud provider and client,” she said, explaining: “While cloud security may appear simple enough on the surface, things can get quite complex because of the way organisations consume cloud resources. And this is why it is so important to follow widely adopted cloud and application security standards…. Additionally, it’s also important to include the best practices developed by the cloud service providers within your framework to ensure that your environment is properly configured.”

Convergent has spent a lot of time focusing on these issues and “we believe our approach delivers cost-effective security reviews” for vendors, she said, pointing to four key challenges on this front:

  1. Shared responsibility model
  2. Lack of talent
  3. Cyber attacks
  4. Misconfiguration errors

“Before COVID, companies typically had understaffed security teams, and with the dramatic escalation of threats, it’s important to have the right talent in place that have the skills to respond appropriately, especially as businesses shift towards hybrid cloud environments and more dynamic endpoints,” she told viewers.

Application-Specific Security Considerations

“There are additional security considerations that companies should implement for securing applications since this is also such a big attack vector,” Pearson said, explaining: “We need to think beyond the typical system and software development life cycle and evaluate the entire workflow and dependencies inside and outside of the application. We need to ensure that development, quality assurance and production environments are physically and logically separated and, once the application goes live, that security controls are in place to maintain it and keep code up to date. Now the best tools we have to accomplish this are continuous monitoring, third-party penetration testing and regular code and configuration reviews, which should already be a part of your vulnerability management program.”

Convergent Risks also often sees “security vulnerabilities as a result of not implementing proper hardening guidance, and we recommend that application providers provide hardening guidance to their customers so they can configure their environments securely,” she noted.

As the firm’s assessors completed various remote assessments during the COVID-19 pandemic, they “encountered security findings that were not as widespread pre-COVID,” she pointed out.

Existing security vulnerabilities that had become more relevant included:

  1. Improper virtual private network (VPN) access configuration, now on a larger scale
  2. Lack of logging of VPN access to content by administrators, again now on a larger scale
  3. Use of personal computers that are not maintained or monitored by IT
  4. Personnel working on content from Wi-Fi networks not protected by a software or hardware firewall
  5. Work traffic not segregated from other home devices or IoT solutions

It became apparent that “the move to a work-from-home model exacerbated these types of vulnerabilities because they were extended beyond the confines of IT management and the perimeter was extended to a large number of endpoints out of the vendor’s immediate control,” she said.

Also, “configuration changes and new technologies were implemented so quickly that in many cases security professionals were not consulted or were involved too late in the implementation process,” she told viewers.

Prior to the pandemic, the industry hadn’t thought about the risk posed by work traffic not segregated from other home devices or IoT solutions, she pointed out, adding: “We need to have best practices that address the management of IoT solutions and how to secure work traffic so these home devices do not introduce a threat that can compromise content or sensitive data.”

Security recommendations for reducing the likelihood of compromise:

  1. “We need to think beyond the perimeter,” Pearson said.
  2. Vulnerability management
  3. Least privilege: restrict users, accounts, devices and computing processes to the access they need, and monitor that access
  4. Web browser protection
  5. Email protection
  6. Security awareness training: She suggested that training on malware, phishing and social engineering attacks get a “refresh” more regularly at companies than annually to “heighten awareness.”

Convergent Risks conducted about 250 assessments from March to October, most of them resilience assessments rather than assurance assessments, according to Johnson. Assessors are saying that “there’s a big difference between levels of maturity in the supply chain that we’re servicing,” especially within areas of the distributed workforce, and bad actors are trying to exploit this, he noted.

“We need to stay resilient,” he told viewers, adding: “It’s going to take time for our industry to make the necessary changes. We need to be patient with those parties because they will get the job done.” But there is still more the industry can do in the meantime, he concluded.

M&E Day was sponsored by IBM Security, Microsoft Azure, SHIFT, Akamai, Cartesian, Chesapeake Systems, ContentArmor, Convergent Risks, Deluxe, Digital Nirvana, edgescan, EIDR, PK, Richey May Technology Solutions, STEGA, Synamedia and Signiant and was produced by MESA, in cooperation with NAB Show New York, and in association with the Content Delivery & Security Association (CDSA) and the Hollywood IT Society (HITS).