In these difficult times, as many of us adapt to the disruptive new normal of remote working, a robust information security program matters more than ever.
Specific Cybersecurity Threats Related to COVID-19
These global events bring with them specific, targeted threats, including:
Phishing and Social Engineering
The easiest and fastest way to exploit a target, whether an individual or an organization, is through social engineering. These attacks are the quickest to spin up and give the attacker the highest return on effort. According to the WHO, cyber-criminals are already impersonating the WHO and federal, state and local agencies to steal money or sensitive information. There are also many false advertisements for masks, tests and cures, often designed to harvest credit card details and payments.
Social engineering attacks are especially attractive because, whatever technological security measures are in place, people remain the weakest link in any security system: they are the easiest component to exploit.
It has been reported that an interactive dashboard of coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious web sites (and possibly spam emails) to spread password-stealing malware. Since the phishing and social engineering lures above also serve as delivery vectors for malware, this is a special area of concern.
Fear exacerbates the human inclination to click before thinking, and it can prevail over good security practices.
Critical Protective Measures
An organization’s business-as-usual security and privacy programs should already include mechanisms to evaluate and respond to the ever-changing business, threat and technology landscape. The current crisis is no different. Though every information security program is different, here are some key suggestions and recommendations for consideration.
Patching & Anti-Malware
Make sure anti-malware definitions are kept up to date continuously, even on devices that are at home and off the corporate network for an extended period. Definition and patch distribution that is only reachable from inside the corporate network will not reach those devices; confirm that updates arrive over the internet or through the VPN, and that the devices still report their status to you. Maintain a proactive patching routine that applies vendor updates promptly and reliably reaches remote devices. Where patching is not feasible, perform a risk assessment to determine whether additional mitigations and safeguards are appropriate.
Security Awareness Training
With many people working remotely, it may be harder to verify the authenticity of email and other requests. Conduct training sessions that inform personnel about the latest phishing and spear-phishing attacks, including COVID-19 specific ones. Remind employees never to open attachments from someone they don’t know, and always to treat email from unrecognized or untrusted senders with caution. If you do not already do so, consider adding a banner or subject-line annotation to all messages received from external senders, so that a message claiming to come from a colleague but arriving from outside is immediately visible as such.
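The decision logic behind such a banner, as an added example that is not part of the original article and not any mail gateway's product configuration. It assumes a single internal domain (`example.com`), a banner string, and that the inbound gateway writes an RFC 8601 `Authentication-Results` header; the sample messages are constructed. The interesting cases are the ones the page's advice is aimed at: a display name that looks like an internal address on an external sender, a `Reply-To` pointing somewhere else, and a forged internal `From:` that the gateway did not authenticate (the `From:` header is attacker-controlled, so "internal" cannot be decided from it alone).

```python
"""External-sender banner decision for inbound mail.

Added example for illustration; INTERNAL_DOMAINS, BANNER and the sample
messages are constructed assumptions, not real configuration or real mail.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own domains
BANNER = "[EXTERNAL] "


def _domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _is_internal_domain(domain, internal=INTERNAL_DOMAINS):
    return any(domain == d or domain.endswith("." + d) for d in internal)


def classify(msg_text, internal=INTERNAL_DOMAINS):
    """Return the reasons a message should carry the banner (empty list = trusted)."""
    msg = message_from_string(msg_text)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    if not _is_internal_domain(from_dom, internal):
        reasons.append("from-external")
        # Display name that looks like one of our addresses on an external sender.
        if any(d in name.lower() for d in internal):
            reasons.append("display-name-spoof")
    else:
        # From: claims our domain, but that header is attacker-controlled. Trust it
        # only if the gateway recorded a DKIM pass (assumed gateway behaviour).
        auth = (msg.get("Authentication-Results") or "").lower()
        if "dkim=pass" not in auth:
            reasons.append("internal-unauthenticated")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if _domain(rt_addr) != from_dom:
            reasons.append("reply-to-mismatch")
    return reasons


def tag(msg_text, internal=INTERNAL_DOMAINS, banner=BANNER):
    """Prepend the banner to Subject when classify() finds a reason; never twice.

    Returns (resulting subject, reasons)."""
    reasons = classify(msg_text, internal)
    msg = message_from_string(msg_text)
    subject = msg.get("Subject", "")
    if reasons and not subject.startswith(banner):
        del msg["Subject"]
        msg["Subject"] = banner + subject
    return str(msg["Subject"]), reasons


# Constructed sample messages (not real mail).
INTERNAL_OK = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q2 planning
Authentication-Results: mx.example.com; dkim=pass header.d=example.com

See attached.
"""

SPOOFED_INTERNAL = """\
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Reset your VPN password
Authentication-Results: mx.example.com; dkim=none

Click here.
"""

EXTERNAL_LOOKALIKE = """\
From: "helpdesk@example.com" <alerts@example-covid-update.net>
Reply-To: collect@example.org
To: staff@example.com
Subject: COVID-19 safety update
Authentication-Results: mx.example.com; dkim=pass header.d=example-covid-update.net

Open the dashboard.
"""

if __name__ == "__main__":
    for sample in (INTERNAL_OK, SPOOFED_INTERNAL, EXTERNAL_LOOKALIKE):
        print(tag(sample))
```

In production this runs as a transport rule or milter on the gateway rather than as a script, but the three checks are the same: banner anything not from your domains, treat a claimed-internal sender as external unless the authenticated mail path says otherwise, and flag a `Reply-To` that diverts replies elsewhere. The banner is a cue for people, not a control; it is only worth having if users are trained to notice it.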
You should already be conducting phishing tests to train your users. Tailor some of these to use COVID-19 specific topics – especially ones that purport to relate to your own company and staff.
Monitor Business Process Innovation and Shadow IT
When good team members meet an obstacle, they find a way around it. However, the workaround often arrives without planning or oversight for security and privacy. Are staff exchanging customer data over unauthorized file-sharing sites? Is sensitive data being handled on vulnerable home computers? Review your most critical business processes and data flows to ensure that rapid innovation by the people handling your data still meets your objectives, commitments and obligations for security, privacy and compliance.
Re-evaluate the Effectiveness of Existing Controls
If your security controls were designed before some or all of your staff were working from home, they may no longer be sufficient to meet your control objectives. Evaluate each control to see whether it will still work as intended. Consider not only the design of the control (there may be little point in penetration testing only the corporate network if all the users have their laptops at home) but also the likelihood that it will be effective in practice: if a monitoring control assumed that your security analysts would be sitting at a desk with four large monitors, can they be as effective working from a laptop at the kitchen table? Ensure that logging and alerting still function as expected and still cover remote workers’ systems; a device that has left the corporate network and stopped reporting is invisible to monitoring, not secure.
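One concrete check that ties together the patching and anti-malware point, the shadow-IT point and the logging point above, as an added example that is not from the original article or any vendor's tooling: run a staleness report over endpoint check-in logs against the asset inventory. The agent log format (`<timestamp> host=... sig_date=... patch_date=...`), the inventory, the thresholds and the fixed "now" are all constructed assumptions. The cases worth catching are hosts whose last report is old, hosts whose signatures or patch level are old even though they still report, hosts in the inventory that never report at all, and devices reporting that are not in the inventory.

```python
"""Stale remote-endpoint check over constructed agent check-in logs.

Added example, not the page's own code or any vendor's tooling. The log
format, field names, inventory, thresholds and NOW are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one line per check-in from a hypothetical endpoint agent
# that reports its anti-malware signature date and last OS patch date.
# Lines are deliberately not in time order (LAPTOP-01 has an older line last).
SAMPLE_LOG = """\
2020-03-30T07:58:02Z host=LAPTOP-01 net=vpn sig_date=2020-03-30 patch_date=2020-03-25
2020-03-30T08:05:12Z host=LAPTOP-02 net=vpn sig_date=2020-03-14 patch_date=2020-03-25
2020-03-26T17:20:44Z host=LAPTOP-03 net=office sig_date=2020-03-26 patch_date=2020-03-20
2020-03-30T08:10:00Z host=LAPTOP-04 net=home sig_date=2020-03-29 patch_date=2020-01-15
2020-03-30T08:30:00Z host=HOMEPC-JDOE net=home sig_date=2020-03-30 patch_date=2020-03-28
2020-03-20T09:00:00Z host=LAPTOP-01 net=office sig_date=2020-03-20 patch_date=2020-03-01
"""

# Constructed asset inventory; LAPTOP-05 is listed but never checks in,
# and HOMEPC-JDOE checks in but is not listed.
INVENTORY = ["LAPTOP-01", "LAPTOP-02", "LAPTOP-03", "LAPTOP-04", "LAPTOP-05"]

# Fixed point in time for the check so the example is reproducible.
NOW = datetime(2020, 3, 30, 9, 0, tzinfo=timezone.utc)


def parse_line(line):
    """'<ISO ts> k=v k=v ...' -> dict with a timezone-aware 'ts' plus the fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def latest_checkins(log_text):
    """Most recent record per host, regardless of line order in the log."""
    latest = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = rec["host"]
        if host not in latest or rec["ts"] > latest[host]["ts"]:
            latest[host] = rec
    return latest


def _date(value):
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def find_stale(log_text, inventory, now=NOW, max_silence=timedelta(hours=24),
               max_sig_age=timedelta(days=3), max_patch_age=timedelta(days=30)):
    """Map each problem host to a list of findings.

    Hosts absent from the log are the important case: a device that stopped
    reporting has not become safe, it has become invisible."""
    latest = latest_checkins(log_text)
    findings = {}
    for host in inventory:
        issues = []
        rec = latest.get(host)
        if rec is None:
            issues.append("no telemetry at all")
        else:
            silence = now - rec["ts"]
            if silence > max_silence:
                issues.append("silent for %dh" % int(silence.total_seconds() // 3600))
            sig_age = now - _date(rec["sig_date"])
            if sig_age > max_sig_age:
                issues.append("av signatures %d days old" % sig_age.days)
            patch_age = now - _date(rec["patch_date"])
            if patch_age > max_patch_age:
                issues.append("last patched %d days ago" % patch_age.days)
        if issues:
            findings[host] = issues
    # Shadow IT: devices that report but that nobody put in the inventory.
    for host in sorted(set(latest) - set(inventory)):
        findings[host] = ["reporting but not in inventory"]
    return findings


if __name__ == "__main__":
    for host, issues in sorted(find_stale(SAMPLE_LOG, INVENTORY).items()):
        print(host, "->", "; ".join(issues))
```

The thresholds are where the judgement sits: a 24-hour silence window is reasonable for laptops that are meant to be on all day, while the patch window should match your patching SLA. Whatever agent you actually use, the report is only meaningful if the inventory it is compared against is maintained, which is why the unknown-device finding is included.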
VPNs, Remote Access, Multi-Factor Authentication (MFA)
Phishing and other attacks can compromise user IDs and passwords. Requiring an additional authentication factor, such as a SaaS-based security token, greatly reduces this risk. Ensure your VPN and remote access services are robust enough to handle the higher level of activity, and if they are now essential to ongoing operations, make sure they are deployed in a dual, redundant configuration.
Once a remote connection is established, the user should be confined to internal enclaves. Restrict internal reachability with internal firewalls, VLANs and network admission control, so that even if an account or system in the general corporate environment is compromised, an attacker is prevented from pivoting to a more critical or sensitive system.
Also ensure MFA is required more generally for users with significant administrative or fiscal responsibilities - not just for remote access.
Virtual Meeting Security
Follow, and publicize internally, the NIST recommendations for securing virtual meetings:
- Limit reuse of access codes; if you've used the same code for a while, you've probably shared it with more people than you can imagine or recall.
- If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider multi-factor authentication (MFA).
- Use a "green room" or "waiting room" and don't allow the meeting to begin until the host joins.
- Enable notification when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
- If available, use a dashboard to monitor attendees—and identify all generic attendees.
- Don't record the meeting unless it's necessary.
- If it's a web meeting (with video):
  - Disable features you don't need (like chat or file sharing).
  - Before anyone shares their screen, remind them not to inadvertently share other sensitive information during the meeting.
Physical Security
Even if many of your staff are working from home, your business systems and the network locations with elevated access are not. With sparsely populated or empty offices, it may be easier for thieves or intruders to gain access. Even if you believe you are at minimal risk from a targeted physical intrusion aimed at your systems, the theft of a device containing sensitive material is at best a compliance headache and at worst a critical data breach. Ensure that unattended facilities are locked down and preferably alarmed. Make sure all rooms are locked and that computing and data resources are not left in plain view. Decide whether security or other personnel should remain on site as essential staff to protect it.
Third Party and Vendor Risks
In the era of cloud computing, most organizations are already heavily reliant on external services in a way that exposes them to risks originating with their vendors. Just as you evaluate, adapt and evolve your own security and privacy programs, verify that your vendors and partners are doing the same.
Availability and Business Continuity
As remote access systems or cloud-hosted solutions reach higher than normal usage, be proactive in monitoring and expanding your systems to ensure employees continue to have uninterrupted access. Develop and disseminate failover plans for critical resources such as VPNs, authentication systems, and video/telephone conferencing.
Managing Your Risk
Even at the best of times, security and privacy programs should adapt to the evolving business, technical and human environment that they operate in. The key tools that you use to manage these programs are as vital as they always were:
- Measure against industry best practice. In the absence of a more specific standard for your organization, consider the CIS Controls.
- Penetration testing: at least annually and after any significant change (such as sending your workforce to work from home).
- Perform a structured security risk assessment. Done right, it is the absolute best way to identify what is important to address and what can wait.