APNIC Security Specialist Jamie Gillespie gives a presentation at the PITA Technical and Business session, held online on 10 Juen 2020, on 'Cybersecurity outside the office' on the changes to traditional cybersecurity, the challenges around technology, and the less-discussed threats around the people and processes, and how those need to adapt as well.

1. 1
Cybersecurity Outside the Office
Jamie Gillespie, APNIC
PITA Technical and Business Forum – 10 June 2020

2. Layers of Cybersecurity
2
PEOPLE PROCESS TECHNOLOGY

3. Layers of Cybersecurity
3
PEOPLE PROCESS TECHNOLOGY

4. Technology
• Easiest one to think about: routers, firewalls, VPN
• Authentication also critical, as we can no longer rely upon
the local office network as a sign of being “trusted”
– 2 Factor Authentication (2FA) vs Multi Factor Authentication (MFA)
• U2F, FIDO, Yubikey
• Google Authenticator, TOTP
• SMS
• Why is this important?
– haveibeenpwned.com
4

5. Have YOU been pwned?
5

6. Technology
• Exposed services on public IP addresses
– Remote Desktop Protocol (RDP)
– SSH (with password authentication)
– Previously internal-only servers
• Centralised security solutions, but distributed workers
– Need to rethink how to protect computers outside the office
– VPN may allow this, but what about when they’re not connected?
6

7. Technology
• Cybersecurity is sometimes viewed as a sliding scale
• During a crisis, some changes are implemented for usability
of staff and customers
• These changes may need improvements or even rollback
once the smoke clears
7

8. Layers of Cybersecurity
8
PEOPLE PROCESS TECHNOLOGY

9. Process
• You had a Business Continuity Plan…. right?
9

10. Process
• Some office processes don’t translate to remote working
– Walk-up questions for IT and Cybersecurity
– Face to face approvals for business and finance
• Policies and procedures can lag behind during major
changes to working conditions, especially during a crisis
• Flagging tactical decisions for strategic review later
10

11. Layers of Cybersecurity
11
PEOPLE PROCESS TECHNOLOGY

12. People
• Under additional stress when moving to working remotely
• It’s harder to check up on the mental health of staff
• Working from home feels different to working in an office
• Less physical oversight, less IT monitoring
• Confused with new and changing systems or procedures
12

13. People
• People have their own working procedures, and they
usually aren’t documented, communicated, or approved
– Who prints off every email?
– Who saves important documents on their laptop?
– Who uses Skype/Teams/Zoom/WebEx/Hangouts/WhatsApp/……?
– Who uses their personal phone or computer for work?
– Who lets their family and friends use their work laptop?
13

14. Summary
• Remote working has been getting easier and more common
• Rethink securing your networks and data
• Keep your policies and procedures current
• Rethink managing and monitoring your users
• Re-review all changes, and don’t be afraid to make
adjustments or roll back
• Get an external review of your security, from all angles
– People, Process, Technology
14

15. Questions?
https://NFH.APNIC.NET
Oceania conference on 4 August 2020
15