Cyber attackers are resourceful and opportunistic. They leave no stone unturned to move quickly to take advantage of a situation. And, COVID-19 is no different. The risks are amplified by the immediate and unforeseen IT challenges that companies are having to ensure their staff can work from home. The two areas that are prone to be taken illegitimate advantage of remote access and phishing. This article will provide a set of prioritized recommendations to prevent or at least mitigate these issues.
Remote Access
There are myriad ways organizations are allowing their employees to work remotely. The traditional remote services range from VPN, terminal service gateways, as well as cloud-native conferencing and other collaboration tools that organizations are adopting in a hurry. The key risk is weak authentication of your remote access services. Using multi-factor authentication (MFA) and doing it well requires detailed knowledge of SAML, OpenID and various other technologies. So organizations must not assume they will quickly be able to remove all these risky internet-facing services. They instead need to figure out how to secure them.
What should IT and security leaders do?
There are long term and short term fixes. Long term fixes boil down to a zero-trust approach which requires large IT infrastructure investments and changes to organizational mindset to be executed successfully.
So start small with services that can be protected by MFA by any means possible. This is best tackled per service. Organizations need to identify which services are at most risk and most valuable to their adversaries. For organizations with on-premise infrastructure and traditional perimeter-based security, these are likely to be VPNs and other remote access gateways.
For organizations with cloud infrastructure, the focus should be their identity provider (most commonly Azure or Okta). As the central point for authentication, simply enabling MFA here will get you the biggest and quickest win, especially as both Azure and Okta have integrated MFA capabilities and integrations with popular 3rd party providers such as Duo.
Phishing attacks
Firstly, as everyone is worried and handling an unprecedented change to their daily lives. High-stress situations make everyone hungry for information and less likely to objectively evaluate any message they receive. Secondly, IT departments and service providers are bombarding us all with legitimate messages about changes to services. So here is some advice.
-
MFA – it is the most important defense.
-
Awareness – Encourage staff to report such phishing attacks, so you can warn others.
-
Putting endpoint and email defenses in place can better the overall protection.
Here is a compiled list of the top seven steps we recommend all organizations take. They are listed in priority order, so start at the top and work down.
-
-
Ensure all internet-facing services are protected with MFA (SMS-based MFA is better than no MFA)
-
Patch remote access services – particularly VPN and terminal service gateways.
-
Monitor phishing reports and get your operations team or MTR service to hunt for associated IOCs.
-
Check remote clients are still receiving their endpoint security updates.
-
Ensure your OS, browser, email client and software commonly used to open attachments are set to update automatically.
-
Disable browser plugins such as Java, Flash, and Acrobat.
-
Use identity federation to ensure all cloud services are accessed with corporate credentials.
-
It is advised to stay vigilant as Coronavirus-related attacks will likely ramp-up over the coming weeks and months.
(Image credit: Pixabay.com)