Outsourcing Production Risks Productivity

Uploaded on 2024-02-13 in TECHNOLOGY--Resilience, FREE TO VIEW

Today’s modern workforce relies on a whole host of different "as a service” approaches. Remote working is certainly here to stay and cloud-based management of roaming devices, which makes it easier to apply policies and updates, has become increasingly common.  Any remote device just needs an internet connection because the cloud is always on. 

With all of the talk about AI and its rapidly increasing versatility, if you work in cyber security, you would be forgiven for thinking AI-based solutions are coming for our jobs.  We’re not there yet though, and some of it is hardly new.

In isolated forms, “automated response” has been with us for many years.  Anti-virus products have implemented automatic quarantine and deletion of files for years when malicious content was detected – effectively stopping the execution of a chain of attack in an isolated fashion.  

Anti-virus updates are no longer only applied when a client is connected to the corporate network’s internal update services. Today updates can be pushed out quickly and automatically from a central cloud service, reducing exposure time to potential threats.

The Security Benefit Of Automatic, Fast Updates Is Clear. 

However, there can be a less obvious downside, in terms of productivity risks. Although productivity benefits often drive businesses to adopt a more agile, cloud centric model, once a business has adopted a dynamic cloud service they are at the mercy of these platforms. While global outages or incidents in large cloud platforms do not happen often, when they do the ripples can be felt everywhere.  Just a single global provider’s mistake can create huge disruption to a global workforce. 

With legacy on-premises environments, updates were often tested thoroughly before being rolled out, now updates are commonly rolled out with little or no testing. When this goes wrong, it can be hugely disruptive.

An example of this was MO497128 – “ASRMAGEDDON” last year. Microsoft provides an advanced and robust mechanism for the remote deployment of core services such as application hardening, operating system updates and anti-virus solutions with technologies such as Intune and Windows Defender. In enterprise subscriptions, companies can take this a step further than historic anti-virus via tooling such as the Attack Surface Reduction (ASR) rules. These rules provide a baseline of controls for hardening frequently attached applications, for example, Microsoft Office applications and integrated macro code execution options.

In January, an update to the Windows Defender ASR rule set created havoc for sysadmins around the world. It pushed out new rules that marked shortcut files and links as dangerous and then deleted these shortcuts, making common program links for Outlook and Word vanish from the start menu. Even though just the links and shortcuts to the programs were deleted, access to them was removed from core locations of Windows. 

Users were understandably alarmed as they got warnings about activity being blocked and then had access to programs removed as icons disappeared. Many internal IT teams must have been stretched considerably.

Most end users don’t need or want to know about the inner workings of systems. Computers are there to help them to do their jobs and when this fails, the individual cannot work until the IT department provides a solution.  Scale this up to 100s or 1000s of users, that is a significant hit to productivity.

Almost certainly mission critical projects would have been disrupted as user groups struggled to gain access to the tools they need. Many hours will also have been burned in IT departments to keep people working and handle the influx of support tickets.  The distraction created by the shower of false positives in alerting systems may have even created opportunities for a genuine attacker's activity to go unnoticed, or at least receive less scrutiny because of the chaos.

Many IT heads will have lost time trying to explain what had happened to people that needed to work. There was no server they could reboot, nor rollback. This problem was pushed onto them, and there was little they could do about it. The only consolation was that the Microsoft updates on Friday 13th January 2023 created a global problem, so the business, customers, and partners they work with may also have been affected.

There was a workaround - to set the relevant rule into audit mode rather than blocking mode, reducing the coverage of the ASR protection. The overall security posture of endpoints had to be reduced to prevent operational disruption because of the error. Whilst the workaround prevented the deletion of shortcuts, it introduced additional security risk that should ordinarily have been carefully considered – but probably didn’t receive much of a review.

An IT department often needs to find a quick solution when a large number of users are impacted by an operational emergency. If decisions expose the company to another threat, leading to data loss and risks that owners are not aware of, the ramifications could be significant. The impact on productivity must always be weighed against the reduction in defences.

Productivity vs Security?

When people “can’t work”, the theoretical risk of attack is hard to weigh against the immediate reality of users who cannot perform their functions. When risk decisions are made rapidly and under pressure to get people working, there may be no documented ‘back to normal’ plan. In addition, there may be no clear route back from ‘turning off the security control’ that doesn’t risk more disruption that the business.

As a result of the Windows Defender ASR update error, it’s likely there will be more reluctance for this control to be deployed – even though it is highly beneficial to implement these rules. Businesses may choose to audit behaviour rather than block behaviour because they are worried about it happening again. We may also see businesses who placed ASR rules into ‘audit’ mode forget or be reluctant to turn them back into ‘block’ mode.

As we continue to build enterprises on cloud platforms, and the power of AI and automated response grows, the goal is to increase productivity through more freedom for the workforce. We’re also likely to see more disruptive incidents like ASRMAGEDDON happening, and will need to get used to weighing up the “productivity vs. security” calculation – at least for a short term fix.

When an issue occurs at the provider level, it can have widespread impact. We are consuming a service and these platforms have become so embedded into our environments that we forget that there are parts we do not control. Mistakes can and will happen and businesses need to consider the overhead when they do, along with the complex human decisions that may be required in a hurry, and the loss of productivity while trying to get back to operation as normal.

Importantly, when short-term decisions to relax controls are taken in an emergency, there has to be a well-documented pathway to reimplement controls once the emergency is over.

Matt Lorentzen is Principal Consultant at Cyberis

You Might Also Read: 

Static Application Security Testing: Trends & Predictions For 2024:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The US Makes Robocalls Illegal
Facebook Changed the World »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Barracuda

Barracuda

Barracuda provides a comprehensive cybersecurity platform to protect organizations from all major attack vectors that are present in today’s complex threats.

Data Resolve Technologies

Data Resolve Technologies

Data Resolve offer a mechanism through which customers can detect and tackle various kinds of sensitive activities pertaining to data loss and data theft.

Caretower

Caretower

Caretower is one of Europe’s leading value added managed service provider in cyber security.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

Xage Security

Xage Security

Xage is the world’s first blockchain-protected security platform for Industrial IoT.

Neupart

Neupart

Neupart provides Information Security Management System, Secure ISMS, allowing organisations to automate IT Governance, Risk and Compliance management.

NLnet Labs

NLnet Labs

NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as security in the area of DNS and inter-domain routing.

Ioetec

Ioetec

Ioetec's mission is to connect users to their IoT devices securely, ensuring these devices remain safe to use in our increasingly connected world.

APERIO

APERIO

APERIO, the global leader in industrial data integrity, helps its customers drive profitability and sustainability while mitigating risk in their industrial operations.

ePlus

ePlus

ePlus designs and delivers effective, integrated cybersecurity programs centered on culture and technology, aimed at mitigating business risk and empowering digital transformation.

iSolutions

iSolutions

iSolutions is an official reseller and engineering company of leading products and solutions for cybersecurity and information protection, optimization, visualization and control of applications

DataSixth Security Consulting

DataSixth Security Consulting

DataSixth delivers Cybersecurity Intelligence. With our unique capabilities, we’re able to deliver value, deliver answers, and deliver actionable security intelligence.

KirkpatrickPrice

KirkpatrickPrice

KirkpatrickPrice is dedicated to providing you with innovative security guidance and efficient audit services.

Iris Powered by Generali

Iris Powered by Generali

Iris Powered by Generali is an identity theft resolution provider. Our offering combines expert assistance and support with user-friendly identity protection technology.

Dion Training Solutions

Dion Training Solutions

Dion Training Solutions offer comprehensive training in areas such as project management, cybersecurity, agile methodologies, and IT service management.

Trium Cyber

Trium Cyber

Trium Cyber - Expert Cyber Underwriting and Claims Management. Based in the US and UK. Backed by Lloyd’s of London.