Good day! I wanted to share some thoughts on staying safe (from a cybersecurity perspective) during the COVID-19 outbreak. Unfortunately, there are ethically and morally challenged individuals and groups that are taking advantage of the outbreak to increase their attacks and to prey on people’s fears and uncertainty. I could write an entire blog about the disdain I have for individuals and groups that prey on the weaknesses of others for their own benefit, but I’ll refrain. (How depraved do you have to be to attack a hospital at any time, let alone when it’s trying to deal with an outbreak and save people’s lives?)
Indignation aside, let’s cover some suggestions on what you can do to protect yourself and your organization during the outbreak. I’m fortunate that my organization has been highly decentralized and mobile for several years, so we didn’t have to think of all these areas overnight. However, many organizations are not as fortunate. They are scrambling to rapidly enable a mobile workforce, and it’s easy to gloss over some key security areas, especially when speed is the most important measurement.
The focus of this article is protection. However, I think we need to spend just a little time discussing the background of these attacks and some of the current attack vectors. Many good articles and blogs have been published on this subject, so I’ll provide links to them at the end of this blog to give the authors credit. The most important point is that attackers are using the Coronavirus to facilitate their attacks, particularly those involving aspects of social engineering. Examples include the distribution of malware via email or links purporting to pertain to the coronavirus. There are numerous attempts to lure people with the promise of a cure or vaccine. The World Health Organization has even issued a warning (https://www.who.int/about/communications/cyber-security) about the attacks that would leverage the context of this pandemic. In addition, there are many non-security-related scams, such as selling non-existent hand sanitizer, toilet paper, and cleaning supplies or charging highly inflated prices for these items.
Credential theft through phishing attacks and the leveraging of remote workers and potentially weak endpoints are also at increased levels. This is becoming particularly important because many employees are working from home for the first time and organizations are scrambling to set up remote connectivity (perhaps through a VPN). With so much emphasis on speed and social distancing, security frequently takes a back seat—sometimes with disastrous results. All those home connections leveraging VPNs can become easy targets for backdoors into corporate networks. If you can compromise the endpoint with a VPN tunnel, you’ve just established a pathway to the data center!
What can you do?
Let’s focus most of our attention on how you can protect yourself. While there are many security topics to discuss, I’m going to focus on those that are unique or specific to remote workers because this is the biggest change at most organizations right now. Links to definitions for each of these terms are provided at the end of the blog.
Let’s start with the endpoint example mentioned above. With so many employees working from home (many for the first time), security is critical. It’s important to have a strong endpoint security application on all your devices. This blog isn’t a vendor comparison, so I won’t comment on names. You need a solution with high efficacy (many organizations such as av-comparatives.org, nsslabs.org, and av-test.org provide independent testing of endpoint solutions). These testing agencies assess multiple factors, such as system overhead and false positive and detection rates. Make sure the solution doesn’t rely solely on signatures. It should have behavioral analytics and sandboxing capabilities as well.
Domain Name System (DNS) Security
A great move against phishing and other dangerous links is to have DNS protection at the endpoints. Many organizations might control the DNS for the devices on the corporate network; however, most home employees are leveraging the DNS services of their ISPs. The implementation of a strong DNS security program will help to protect employees even if they click on malicious links and will do so regardless of their location. Such a program would simply not resolve the links; therefore, the employees would be denied access to malicious sites. In many cases, this can also provide protection against some forms of ransomware and other malware by blocking the command-and-control (C2) traffic.
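To make the "simply not resolve the links" behaviour concrete, here is an added example (not code from the original post) of the policy check a filtering resolver applies before forwarding a query. The deny-list entries, client addresses and query names are constructed sample data; a blocked lookup is also returned as an event, because it tells the security team that someone clicked the link.

```python
# Added example: minimal protective-DNS policy, not the post's own code.
# Deny-list entries and the query log below are constructed sample data.

DENY_LIST = {
    "covid19-vaccine-offer.example",   # constructed phishing lure domain
    "c2-updates.example",              # constructed command-and-control domain
}


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot of DNS wire form."""
    return name.strip().lower().rstrip(".")


def is_blocked(qname: str, deny_list=DENY_LIST) -> bool:
    """True if qname or any parent domain is listed, so that
    cdn.c2-updates.example is refused along with c2-updates.example."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in deny_list for i in range(len(labels)))


def resolve_policy(qname: str, client: str, deny_list=DENY_LIST) -> dict:
    """Decide whether to forward or refuse one query and return a log record."""
    if is_blocked(qname, deny_list):
        return {"qname": qname, "client": client,
                "action": "NXDOMAIN", "reason": "deny-list"}
    return {"qname": qname, "client": client,
            "action": "FORWARD", "reason": "not listed"}


def blocked_events(queries, deny_list=DENY_LIST) -> list:
    """Run the policy over (client, qname) pairs; return only refused lookups,
    which are the events worth alerting on (a user followed a bad link)."""
    results = (resolve_policy(q, c, deny_list) for c, q in queries)
    return [r for r in results if r["action"] == "NXDOMAIN"]


SAMPLE_QUERIES = [  # constructed sample log
    ("10.0.0.5", "www.example.com."),
    ("10.0.0.5", "Covid19-Vaccine-Offer.example"),
    ("10.0.0.9", "cdn.c2-updates.example."),
]

if __name__ == "__main__":
    for event in blocked_events(SAMPLE_QUERIES):
        print(event)
```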
Adaptive Multi-Factor Authentication (MFA)
I mentioned that credential theft is on the rise. An excellent method for protection against such attacks is MFA. It is most commonly implemented as two-factor authentication; however, there are instances when more than two factors are used. This is an easy-to-use and, typically, easy-to-implement technology that usually requires you to enter a password before leveraging a mobile application to confirm that it’s really you who is trying to authenticate. There are certainly other ways in which the technology can be implemented, but this is the most common and secure. Other methods, such as leveraging an SMS message, are less secure, and the manual entry of codes is cumbersome for the end-user. By leveraging this technology, you will prevent an attacker from authenticating without the corresponding software token even if your password is compromised. In addition, if you get a request to confirm an authentication attempt that you did not initiate, this is an indication that someone has compromised your credentials; thus, you should change your password immediately.
In addition to MFA, there is Adaptive MFA. Simply put, this is the ability to contextualize MFA. For example, perhaps you wouldn’t allow access from home under normal conditions but now wish to do so. Interestingly, you might want to block access from the corporate location to ensure that the employees are following the appropriate health protocols and that someone hasn’t physically broken into the office and attempted to access the applications and data. There are other concepts that can be explored, but they are beyond what I want to cover in this blog.
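The contextual rules just described (allow remote access during the outbreak, refuse logins that originate from the supposedly empty office, and insist on app-based confirmation rather than SMS) can be expressed as a small policy evaluator. This is an added illustration, not code from the post or from any product; the office network range, users and requests are constructed.

```python
# Added example: adaptive-MFA policy evaluator, not the post's own code.
# OFFICE_NETS and the sample requests are constructed values.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office egress


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    managed_device: bool            # endpoint enrolled in the corporate security stack
    mfa_method: Optional[str]       # "push", "sms", or None if no second factor given


def location(source_ip: str) -> str:
    """Classify the source as 'office' or 'remote' from its IP address."""
    addr = ipaddress.ip_address(source_ip)
    return "office" if any(addr in net for net in OFFICE_NETS) else "remote"


def evaluate(req: AccessRequest, pandemic_mode: bool) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    loc = location(req.source_ip)
    if pandemic_mode and loc == "office":
        # Staff should be at home; an office login is either a policy breach
        # or someone physically inside the building who should not be.
        return "deny", "office access disabled while remote-work policy is active"
    if not pandemic_mode and loc == "remote":
        return "deny", "remote access not permitted under normal policy"
    if loc == "remote":
        if not req.managed_device:
            return "deny", "unmanaged endpoint may not reach corporate resources"
        if req.mfa_method != "push":
            # SMS or no second factor: ask for the app-based confirmation.
            return "step_up", "push-based MFA required for remote access"
        return "allow", "remote, managed device, push MFA confirmed"
    return "allow", "office network under normal policy"


if __name__ == "__main__":
    req = AccessRequest("alice", "198.51.100.7", True, "push")  # constructed
    print(evaluate(req, pandemic_mode=True))
```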
With the increasing emphasis on communication mechanisms other than in-person conversation, email will be used more heavily. Therefore, email security is critical. As with the discussion on endpoints, I won’t attempt to compare specific solutions; however, Radicati (radicati.com) is a great resource for independent testing. The important function is to try to prevent all phishing attacks (not just those related to the outbreak) and to assist with malware detection.
Make sure that you’re taking advantage of Domain-Based Message Authentication, Reporting & Conformance (DMARC) to assist with spoof detection and prevention. You can easily check your own status at https://mxtoolbox.com/DMARC.aspx.
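The status check linked above reads your domain's DMARC TXT record and flags weak settings; the added example below (not the post's code, and not a live DNS lookup) does the same against constructed record strings, so you can see which tags matter: p= sets the policy, pct= limits how much mail it covers, and rua= is where the spoofing reports go.

```python
# Added example: parse a DMARC record and flag weak settings. Not code from
# the original post. The two record strings are constructed sample data.
from typing import Dict, List


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> List[str]:
    """Return findings; an empty list means spoofed mail is rejected in full
    and failures are reported back to the domain owner."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: record is invalid and receivers will ignore it")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only monitored, never quarantined or rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports show no legitimate failures")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not delivered, so spoofing goes unseen")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    return findings


WEAK_RECORD = "v=DMARC1; p=none; pct=50"  # constructed
STRONG_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                 "adkim=s; aspf=s")  # constructed

if __name__ == "__main__":
    for record in (WEAK_RECORD, STRONG_RECORD):
        print(record, "->", assess_dmarc(record) or ["no findings"])
```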
Many organizations are looking to rapidly migrate applications to the cloud for a variety of reasons, such as hardware shortages and a lack of physical access to existing IT data centers. The best way to understand your responsibility for securing cloud applications, particularly your own applications, is to remember the following: The large public providers maintain the security OF the cloud, but they do not help with the security of the data and applications (namely, your data) IN the cloud. If you’re considering Infrastructure as a Service (IaaS) to support your own applications, make sure that you’re considering MFA for access to the applications, virtual firewalls to protect the applications themselves, and a backup / disaster recovery plan to protect the data against corruption, destruction, or failure. If you’re looking at SaaS (Software as a Service) applications, you might also want to consider a cloud access security broker (CASB) or other software to help to ensure that the appropriate access and data loss rules are enforced for each of your user groups and applications.
An often overlooked but highly valuable approach to protecting your organization from dynamic and emerging security threats is to ensure that your workforce is well informed. This should include keeping employees armed with information about the latest and most common attacks, ensuring that they understand how to leverage the tools you have provided to protect against cyber-attacks, and providing policy and guidelines for their practices and behavior to ensure safe computing. You can do this by leveraging services that mimic real-world attacks, e.g., phishing, for testing. Another approach is to subscribe to cyber education services that make easy-to-understand educational content available on commonly used platforms. These services are almost exclusively delivered online, so they are well suited to a newly remote workforce.
These are challenging times for everyone, and it’s easy to overlook security considerations when the focus is on enabling workers to be productive and safe while working from home. I hope that some of the strategies outlined in this document can help you to cover the basics and to ensure that your employees are as safe in cyberspace as they are safe from the virus.
Be well. Feel free to reach out to Logicalis for help with these tips or any other topics!
These links provide some good background material if you want more details on the nature of the current threats and attacks.
Overview of the cybersecurity threat posed by COVID-19:
Example of a hospital system that was attacked during the crisis: https://www.computerweekly.com/news/252480022/Coronavirus-linked-hacks-likely-as-Czech-hospital-comes-under-attack
Endpoint Security: https://www.webopedia.com/TERM/E/endpoint_security.html
DNS (Domain Name System): https://techterms.com/definition/dns
Multifactor Authentication: https://en.wikipedia.org/wiki/Multi-factor_authentication
Ron Temske is Vice President of Cyber Security, Network & Workplace solutions at Logicalis, responsible for growing Logicalis’ security, network, and workplace business and helping our customers leverage security to protect and enable their business.