[BreachExchange] How COVID-19 Is Changing CISOs' Approaches to Security

Destry Winant destry at riskbasedsecurity.com
Fri Aug 21 10:18:29 EDT 2020


https://www.bankinfosecurity.com/how-covid-19-changing-cisos-approaches-to-security-a-14855

The COVID-19 pandemic is forcing big businesses to rethink their
security plans. For example, the National Football League is
experimenting with "zero trust" architectures, while JetBlue is
focusing on more frequent risk assessments.

In a panel discussion at Information Security Media Group's
Cybersecurity Virtual Summit, the CISOs of the NFL and JetBlue
explained how they are mitigating the threat posed by an increase in
cybercrime during the economic downturn triggered by the pandemic
(see: Global Cybercrime Surging During Pandemic).

"As economic downturns happen, typically criminality goes up. So our
job hasn't changed when it comes to looking at threats, threat actors
and what they are targeting," said JetBlue CISO Tim Rohrbaugh. "We
have changed our approach just a little to better expect what we see
coming out of our information sharing programs. Security team sizes
are obviously affected by a drop off in revenue, and that can affect
how you're viewing the volume of data you are seeing. That has caused
some challenges with respect to detecting anomalies."

NFL's 'Zero Trust' Approach

Meanwhile, the NFL has begun experimenting with a "zero trust"
approach to help it better manage who has access to certain apps and
resources (see: NIST Issues Final Guidance on 'Zero Trust'
Architecture).

"We are looking at how do we limit and screen traffic internal to our
environment ... and how does data leave and enter our environment. And
we're looking at that across our data centers," said NFL CISO Tomas
Maldonado.

Remote work and other issues associated with the pandemic led
Maldonado and his team to consider how a zero trust architecture could
help protect infrastructure and assets. The NFL security team is
trying to determine how implementing zero trust in one part of its
network affects other network components, Maldonado said.

"How do you actually handle business continuity planning when you're
in this sort of hybrid mode - where you've got a portion of the
environment doing zero trust?" Maldonado asks. "That's a challenge
that we're looking at, especially making sure that we could clearly
document and recover our business."

Maldonado joined the NFL as CISO in December 2019, giving him only a
few months at the organization before the pandemic hit.

"I never really got the chance to get comfortable in the new role,"
Maldonado said. "You don't have your typical 30-, 60-, 90- or 100-day
plans that you would do as a new CISO. Coming into any new
organization, you literally throw it out the window, because you just
started and the pandemic hit and you're in almost a fire-fighting
mode."

Frequent Risk Assessments

Although airline travel is far lower during the pandemic,
cybersecurity remains a priority for JetBlue, Rohrbaugh said. Over
the last several months, his team has focused on how risk assessments
can help with efforts to fill in security gaps as staff members leave
the organization and there's more work for those who remain.

"Gone are the times where we could rely on doing risk assessments once
a year, or maybe doing one just at the enterprise level," Rohrbaugh
said. "You really have to be flexible with doing risk assessments very
frequently - at the project level and at all change levels. And in the
remote situation that we're in, we have to really learn to communicate
well to our staff members and make them part of the process."

Beware of Risks

Rohrbaugh noted that recent ransomware attacks against large
organizations, such as Garmin, should serve as a warning (see: Garmin
Confirms Hackers Encrypted Several Systems).

Ransomware gangs "are doing due diligence on the systems that they
have encrypted ... and sometimes even looking for filings and reports
before they ever give a price to unlock," he said.

Since March, the NFL security team has tracked over 100,000 suspicious
domains, Maldonado said, and it's attempting to block any emails that
might attempt to lure employees into clicking on malicious links.

"Phishing emails have probably gone up by tenfold," Maldonado said.
"We were tracking all newly registered domain names that had any sort
of combination of 'Coronavirus,' 'COVID,' 'Wuhan'."

