COVID-19: It has devastated victims’ families and upended our day-to-day lives–not to mention its impact on both the healthcare system and the economy–and yet the full extent of the virus’s long-term impact remains to be seen.
In the world of cybersecurity, infosec professionals are already seeing an uptick in attacks as millions of users shift to remote work. "The remote work required as a result of COVID-19 will force more focus on remote connections, firewall rules that control access, and identity management," said Bill Mathews, owner and CTO, Hurricane Labs. With the virus forcibly adding remote flexibility to companies’ business continuity plans and shutting down many others, the outlook for the cybersecurity industry is changing even while many of the threats remain familiar.
Information security is at the core of who we are here at Hurricane Labs. As the impact of COVID-19 ripples throughout our communities, we are watching and gauging what adjustments are needed to maintain a strong security stance.
In this blog, we are going to cover key issues businesses should keep an eye out for, plus a few steps you can take to help address new or increased vulnerabilities.
Crisis, Uncertainty, and Vulnerability, oh my!
Does increased internet activity equal increased scam and hacker activity?
Anywhere there is uncertainty and vulnerability, scammers and hackers are sure to follow.
For companies able to function remotely, remote work means an increase in vulnerability. “The forced shift to teleworking opens up a variety of attack opportunities–especially those against difficult targets the nation-state attackers couldn't easily access prior to the pandemic," said Tony Robinson, Senior Security Analyst, Hurricane Labs. "These attacks could be anything from disrupting the production of personal protective equipment (PPE) to logistics for moving essential products, as well as healthcare systems and other critical infrastructure. The threats are the same as they've always been, and I don't foresee a massive uptick in activity, but the stakes are much higher.”
As working from home ramps up, so does the risk. That means an increased focus on remote connections (more exposure for remote desktop protocol (RDP), industrial control systems (ICS), and virtual private networks (VPNs)) as well as on firewall rules and identity management.
Although the ongoing crisis is creating new opportunities for these attacks, attackers’ motivations and strategies largely remain the same. Driven by motivations like monetary gain, political influence, or simple mischief, many attacks continue to come in familiar terms.
Triaging the Immediate Threats
Before we discuss the steps to support your security in the time of COVID-19, let’s first talk about what sort of threats we’re seeing that you should be aware of, especially given the immediate environment.
Suspicious geographical locations
Given the travel bans in place, your IT personnel should keep an eye on changes in geographical location of VPN logins, especially if that location changes rapidly.
Suspicious origin points
Tor exit nodes and VPS providers are places a VPN login should never come from. Connecting through Tor or setting up a system on a VPS requires a fair amount of technical know-how; it’s not something your standard user would bother doing. Most of the time, your logins are going to come from a local or national internet service provider.
Denial of Service (DoS)
Travel restrictions and social distancing orders create new problems in the face of DoS attacks. The outage window may be longer than normal to restore service–for example, if a system or service requires a manual restart/reboot and technicians are working remotely, then you need to wait for a technician to get onsite with a crash cart to handle things. What do you do if your support staff is overseas or across state lines?
Information Accuracy / Verification
A lot of phishing pretexts prey upon information–or a lack thereof–to convince people to click on things they shouldn't. Remind your staff to get their information from reliable sources (e.g. local and state government, Johns Hopkins, WHO, CDC, etc.), as opposed to the stranger who just emailed.
Analyze and Inform
When it comes to strengthening your security stance, the best first step you can take is to analyze where you are and determine what problems could arise. This will vary according to a number of factors, so a thorough inventory of your unique stance will help you determine where to go next. “Your security needs are fairly dependent on your organization’s size, how far your business stretches across the globe, and whether or not you allow bring your own device (BYOD) solutions," said Eric Patterson, SOC Analyst Group Co-Team Lead, Hurricane Labs. "For small companies: Proper two-factor authentication (2FA), VPN logging, geo-based alerting, proper firewall configurations, and employee education are critical.”
Educating your employees about password security, internet safety, and verification of information accuracy is critical. Accidental exposure and employee negligence are two of the most frequent cybersecurity risks companies face. Requiring regular cybersecurity training is the first step to remediating this vulnerability.
Strengthening Your Security Posture
With the negative economic impact and loss of business resulting from the coronavirus crisis, companies are naturally looking for ways to cut costs as much as possible. “What concerns me the most about cybersecurity pros weathering this storm is whether or not the businesses we are tasked with defending will continue to be solvent," said Tony Robinson, Senior Security Analyst, Hurricane Labs. "If the business can't exist or make money, they will start cutting staff. IT and information security is often, although unfairly, seen as a cost center. Will it be one that they can afford to keep on payroll?”
It can be tempting to sacrifice costly security measures–but with attackers already engaging in attacks of opportunity, it’s never been more important to solidify your security stance.
Here are key measures to have in place that will allow you to keep your cybersecurity safeguards running efficiently–and cost-effectively.
Making sure you have secure authentication and proper authorization limiting access to sensitive data is a good first step in establishing a strong security stance. Multi-factor authentication requires additional proof, such as an authentication code or certificate, before granting access to the user.
Utilizing geo-based alerting will also support accurate identity authentication. “Our security operations center uses geo-based alerting to correlate activity such as improbable travel. If a user was seen at an IP address in Ohio, for example, and then we see the same user at another IP in New York in under an hour, we know something’s up since it’s impossible to travel that fast. An alert gets triggered, based on the anomalous activity, and we then investigate further,” said Josh Silvestro, SOC II Team Lead, Hurricane Labs.
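To make the two detections concrete, here is an added example (not Hurricane Labs’ tooling or code from this post) that flags the suspicious origin points described under "Triaging the Immediate Threats" and the improbable-travel correlation Josh describes above. The Tor exit IP, the hosting ASN, the login records and the 900 km/h speed threshold are all constructed placeholders; a real deployment would feed it a Tor exit-node list, an ASN feed and the VPN server’s own logs.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed reference data (hypothetical values): a real deployment would load
# a Tor exit-node list and a hosting/VPS ASN feed instead of these placeholders.
TOR_EXIT_IPS = {"198.51.100.7"}
VPS_ASNS = {"AS64500-EXAMPLE-HOSTING"}
MAX_KMH = 900.0  # faster than a commercial flight: improbable-travel threshold (assumed)

Login = namedtuple("Login", "user ts ip asn lat lon")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def origin_alerts(login):
    """Suspicious origin points: Tor exit nodes and VPS/hosting networks."""
    checks = [("tor_exit", login.ip in TOR_EXIT_IPS), ("vps_origin", login.asn in VPS_ASNS)]
    return [name for name, hit in checks if hit]

def improbable_travel(prev, cur, max_kmh=MAX_KMH):
    """True when the speed implied by two consecutive logins exceeds max_kmh."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return km > 0  # two different places at the same instant
    return km / hours > max_kmh

def analyze(logins):
    """Return (user, alert, ip) tuples for the logins, in time order."""
    alerts, last = [], {}
    for lg in sorted(logins, key=lambda l: l.ts):
        alerts += [(lg.user, a, lg.ip) for a in origin_alerts(lg)]
        prev = last.get(lg.user)
        if prev and improbable_travel(prev, lg):
            alerts.append((lg.user, "improbable_travel", lg.ip))
        last[lg.user] = lg
    return alerts

# Constructed sample: alice appears in Columbus, OH, then New York 45 minutes
# later; bob arrives from a Tor exit IP announced by a hosting ASN.
SAMPLE = [
    Login("alice", datetime(2020, 4, 1, 13, 0), "203.0.113.5", "AS64496-ISP", 39.96, -82.99),
    Login("alice", datetime(2020, 4, 1, 13, 45), "203.0.113.90", "AS64496-ISP", 40.71, -74.01),
    Login("bob", datetime(2020, 4, 1, 14, 0), "198.51.100.7", "AS64500-EXAMPLE-HOSTING", 40.71, -74.01),
]
```

Running analyze(SAMPLE) yields one improbable-travel alert for alice and Tor and VPS alerts for bob; the same login from New York three hours later would not trip the speed check.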
Firewall configurations, antivirus, and host limitations
Establish or verify you have proper firewall configurations in place. These measures will help prevent malicious actors from gaining access or attacking sensitive data or systems. You should also consider implementing host-based policies that limit what can be installed and used on the host. These rules regulate who can access the host and what actions they can take.
Managing endpoint devices
Endpoint device management can be a challenge, but it's necessary to ensure the protection of employees no matter where they are or what device they're using. Without it, you might be looking at complications due to actions such as downloading dangerous applications. “The trouble with having network hosts outside the office environment is they can be used off the network and then brought back on the network," said Aaron Millikin, SOC Analyst Group Co-Team Lead, Hurricane Labs. "You need measures in place to make sure internal data isn’t disconnected from the network, not to mention measures to keep unwanted data or traffic from being transmitted back into the company’s internal network.”
Implementing VPN logging and audit logging helps you track incoming and outgoing connections to a VPN server and keep a chronological record of event data, respectively. It’s important to note this is reactive–it will help you track down when and where a breach occurred, but it should not take the place of the preventive measures mentioned above.
For the Long-Term
This crisis highlighted many businesses’ need to upgrade their Business Continuity Plan (BCP) to accommodate a large-scale shutdown. Many companies were caught between a rock and a hard place because their idea of BCP was having backups or something set up in the cloud–and so they were left scrambling to figure out how to make work from home (WFH) a viable alternative.
Roxy Dehart, our Vulnerability Management Specialist, talks in more detail about the work that goes into revising a BCP to accommodate larger-scale disasters in her blog. For Hurricane Labs, it meant incorporating policies like our “WFH when sick” policy into our BCP’s documentation. For you, it might mean establishing a BCP committee or clarifying staff requirements and procedures. Much like your security needs, this will vary according to your company’s unique situation.
As we continue to move forward, I hope this blog helps you target your security needs. This crisis is changing a lot of things for our society–but the need for a strong security stance isn’t one of them.