As the COVID-19 (aka coronavirus) pandemic unfolds, we have prepared a special edition of Secrutiny’s Emerging Trends Podcast. Read on as we discuss the outbreak and its impact on businesses and their cyber security plans. We also cover the secrets of successful remote IT teams and best practices for preparing a business network for an influx of remote workers.
How Can I Keep Security When Employees Work Remotely?
When it comes to the security of remote workers in a crisis like COVID-19, the main difference is the need for enhanced security, primarily in instrumentation (monitoring and logging). Remote working introduces new opportunities to attackers as they focus on gaps in home security. In light of this, we can expect to see a rise in phishing and smishing attacks, increased scanning and penetration of vulnerable systems that are exposed to the internet, and an expanded attack surface that companies create by opening services and applications to remote workers.
Shane adds: “It’s important to note that malicious actors fundamentally need three things – a tool, a credential and time to achieve their objectives.”
To improve their security posture, organisations have to take into account the opportunities attackers are exploiting and come up with constructive countermeasures that don’t interrupt business services for remote workers, or remote executives’ interaction with clients and the business itself. There are a couple of relatively simple things that can be done remotely.
Enforcing Multi-Factor Authentication (MFA)
Even if it’s only two-factor authentication, forcing a mandatory challenge so that more than just a password is required can create an obstacle that an attacker may not be able to get around. That can be implemented relatively easily, as most domains are managed by Active Directory (AD) and, in most cases today, by Azure AD. So it’s a service-enablement feature that then gets pushed down through AD authentication to services. MFA can dramatically reduce exposure to phishing or smishing for credentials.
Implement Enhanced Logging
As past experiences have shown, like the tsunami in Japan and terrorist incidents, malicious actors will prey on the vulnerable and take advantage of any opportunity they can. Therefore, when there’s an incident, a cyber attack will most likely follow. So, it’s essential for organisations not only to provide the tools that sustain access and business services, but also to enable logging related to remote work, in particular VPN and AD authentication logging, which can be enabled on the services themselves.
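As an added illustration of the kind of detection that VPN and AD authentication logging makes possible (example code written for this article, not Secrutiny’s or Shane’s own tooling): it parses constructed, syslog-style VPN authentication lines (the line format is an assumption, not any vendor’s output) and flags password spraying from one source, repeated failures against one account, and a success that follows repeated failures.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format is an assumption, real logs need their own regex.
SAMPLE_LOG = """\
2020-03-20T08:01:12Z vpn1 auth: user=alice src=203.0.113.10 result=FAILURE
2020-03-20T08:01:15Z vpn1 auth: user=alice src=203.0.113.10 result=SUCCESS
2020-03-20T08:02:01Z vpn1 auth: user=bob src=198.51.100.7 result=FAILURE
2020-03-20T08:02:02Z vpn1 auth: user=carol src=198.51.100.7 result=FAILURE
2020-03-20T08:02:03Z vpn1 auth: user=dave src=198.51.100.7 result=FAILURE
2020-03-20T08:03:10Z vpn1 auth: user=frank src=192.0.2.55 result=FAILURE
2020-03-20T08:03:11Z vpn1 auth: user=frank src=192.0.2.55 result=FAILURE
2020-03-20T08:03:12Z vpn1 auth: user=frank src=192.0.2.55 result=FAILURE
2020-03-20T08:03:20Z vpn1 auth: user=frank src=192.0.2.55 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_suspicious_auth(events, spray_users=3, brute_failures=3):
    """Return (spraying_sources, brute_forced_accounts, success_after_failures)."""
    # spraying: one source failing against many distinct accounts; brute force: many
    # failures on one account; a success after repeated failures may be a stolen credential.
    users_per_src = defaultdict(set)
    failures_per_user = defaultdict(int)
    success_after_fail = []
    for ev in events:
        if ev["result"] == "FAILURE":
            users_per_src[ev["src"]].add(ev["user"])
            failures_per_user[ev["user"]] += 1
        elif failures_per_user[ev["user"]] >= brute_failures:
            success_after_fail.append((ev["user"], ev["src"], ev["ts"]))
    spraying = sorted(s for s, u in users_per_src.items() if len(u) >= spray_users)
    brute = sorted(u for u, n in failures_per_user.items() if n >= brute_failures)
    return spraying, brute, success_after_fail

if __name__ == "__main__":
    print(find_suspicious_auth(parse_events(SAMPLE_LOG)))
```

A single failure followed by a success (alice) is not flagged, so the thresholds decide the noise level; tune them to the size of the workforce.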
Shane highlighted that while antivirus is often discounted as something of an antiquated security concept, it is very effective against initial attack vectors, like memory-resident exploits.
“Something as simple as forcing an antivirus update to your servers and your endpoints, and then forcing a reboot of the host and service so that those updates are enabled, can be an effective first-level defence that organisations should consider in these types of situations,” continued Shane.
In times like these, it’s also crucial that organisations ensure that data backups for key reporting systems, like finance or client services, are working effectively. Beyond hot-spare backups, which have become the standard, organisations need to ensure that there is at least some period of cold-spare recovery of data in case of a system outage for one reason or another.
Should Organisations Be Making Shifts and Changes in Daily Operations?
Since the COVID-19 outbreak, Shane, who resides in the USA, has been practising a policy of ‘shelter-in-place’. This is a policy of isolation, which many other countries are practising as well. The same principle can be applied to the systems and applications in organisations that are being supported by remote workers.
Isolating crucial business services away from more general supporting applications and services.
Doing this through VPN segmentation or subnets is very useful for slowing the impact of breaches, particularly things that propagate automatically, like ransomware, and gives the opportunity to correct or respond to an incident with effective action. For example, remote workers often need to access certain applications, but they don’t necessarily need access to printers or some file shares that they would otherwise have more general access to in the office.
Just as we isolate ourselves to slow the spread of the virus, so should our systems.
The same proposition holds true for IT and security. Isolate the systems and applications that your remote workers need access to from those that they don’t. This can be done with subnetting, even by remote IT workers, and it is one of the most effective techniques to prevent widespread propagation or lateral movement from one segment to another.