Cyberattackers are resourceful and opportunistic. They will move quickly to take advantage of a situation. COVID-19 is no different.<\/p>\n
There is a huge amount of global uncertainty and change right now which criminals are seeking to capitalize on. The risks are amplified by the immediate and unforeseen IT challenges that companies are having ensuring their staff can work from home.<\/p>\n
There are two areas which are most likely to result in a cybersecurity incident due to the ongoing crisis: remote access and phishing. We\u2019ll cover both in this article and provide a set of prioritized recommendations to expeditiously prevent, or at least mitigate, these critical issues.<\/p>\n
By remote access I\u2019m referring to the myriad ways organizations are allowing their employees to work from home. These range from the obvious \u201ctraditional\u201d remote access services, such as VPN and terminal service gateways, as well as cloud-native conferencing and other collaboration tools that organizations everywhere are adopting in a hurry.<\/p>\n
The key risk is weak authentication of your remote access services.<\/strong><\/p>\n Organizations have been battling for years to ensure services (particularly when internet-facing) are protected by multi-factor authentication (MFA) and only accessible with centrally-managed corporate accounts (typically held in Active Directory, Azure or Okta).<\/p>\n Doing this well is a real challenge at the best of times and requires IT staff to have intricate knowledge of SAML, OpenID and various other technologies and standards that support our modern identity management.<\/p>\n This is, of course, on top of all the legacy technologies (LDAP, RADIUS, Kerberos, etc\u2026) that are still in place to support authentication in traditional architectures.<\/p>\n Throw in a global crisis with IT teams worldwide scrambling to keep services accessible and it\u2019s obvious the complexity of identity federation and MFA claims will not be top of mind.<\/p>\n This is perfectly understandable and, in most cases, taking risk to get services online is absolutely the right decision. With business fighting to survive, business continuity and availability should take precedence.<\/p>\n The security problems occur for a couple of reasons. Firstly changes being made quickly on the front line may not been seen or understood by leaders in the organization better placed to evaluate the resultant risk.<\/p>\n Secondly, even when risk assessments were made, the original premises are probably no longer correct. Only a few weeks ago we were expecting everything to be back to normal in a month or so. It\u2019s now becoming very clear that this new reality may be long term and the window of exposure resulting from poorly protected services could extend months, or even years.<\/p>\n Furthermore, it\u2019s going to be very hard for organization to go back to previous working models once employees realise you can work from home very effectively.<\/p>\n In short, organizations must not assume they will quickly be able to remove all these risky internet-facing services. They instead need to figure out how to secure them.<\/p>\n There are long term and short term fixes. Long terms fixes boil down to a zero trust approach. There is no doubt this crisis will accelerate the shift towards zero trust architectures.<\/p>\n Unfortunately organizations can not and should not rush in this direction as it requires large IT infrastructure investment and changes to organisational mindset to be executed successfully.<\/p>\n Organizations should thus focus their efforts on tactically reducing risk as quickly as possible. Primarily this means ensuring key services as protected with MFA by any means possible.<\/p>\n This is best tackled per service. Organizations need to identify which services are most at risk and most valuable to their adversaries. For organizations with on premise infrastructure and traditional perimeter-based security these are likely to be VPNs and other remote access gateways.<\/p>\n For organizations with cloud infrastructure, the focus should be their identity provider (most commonly Azure or Okta). As the central point for authentication, simply enabling MFA here will get you the biggest and quickest win, especially as both Azure and Okta have integrated MFA capabilities and integrations with popular 3rd party providers such as Duo.<\/p>\n Organizations that haven\u2019t managed to centralise cloud identities will need to look at specific applications and see if they offer their own MFA capabilities. Mail, collaboration, CRM and ERP systems are the obvious places to start.<\/p>\n Also consider highly-critical but less widely accessed services such as your security management tools. This\u00a0Knowledge Base article<\/a>\u00a0walks you through setting up MFA in our Sophos Central security platform.<\/p>\n Even these tactical options are not easy and compromises will need to be made. The exact balance of trade-offs will be different for every organisation but here are some considerations:<\/p>\n VPN Capacity<\/strong><\/p>\n If you\u2019re backhauling client traffic to scrub, allowing \u201cSplit VPNs\u201d (where clients go direct to the internet) is the quickest way to gain capacity and likely less risky than exposing squishy, insecure internal services directly online.<\/p>\n However this does depend on your clients having well-patched browsers and, ideally, endpoint based web-protection. Also be aware that if you have SaaS services relying on clients coming from known corporate IP addresses don\u2019t simply turn off that control \u2013 replace it with MFA!<\/p>\n Centralized vs de-centralized MFA<\/strong><\/p>\n Attaching MFA to your identity provider allows for a common experience across all applications. This is undoubtably less confusing for staff and easier to rollout. It\u2019s also a much longer route if you don\u2019t have a centralized identity service.<\/p>\n Retrofitting federated identity to an existing production app can be really hard so, tactically, it may be easier to enable MFA capabilities from the service provider.<\/p>\n This does mean staff will likely have multiple different authentication mechanisms to navigate. Not ideal but don\u2019t forget they are used to handling this when logging on to non-work applications (internet banking, personal email, etc).<\/p>\n Everyone is handling a lot of change right now so they may be more accommodating and resilient than you might expect!<\/p>\n SMS-based MFA<\/strong><\/p>\n There\u2019s a lot of very valid concerns about SMS-based MFA. It\u2019s also the simplest and quickest way to get MFA enabled, particularly as staff will likely be familiar with it.<\/p>\n SMS-based MFA is still immeasurably better than no MFA. If it\u2019s the fastest route to protecting your business, it\u2019s very likely the right place to start. Just make sure you have a migration plan to something more secure.<\/p>\n Passwords<\/strong><\/p>\n If you\u2019re spinning up new services (e.g. video-conferencing) and are unable to setup federated identity, employees are going to need to remember even more passwords. The biggest risk with this is password reuse.<\/p>\n You can\u2019t reasonably expect employees to remember dozens of unique passwords. A password manager is the best tool to get around this problem. Unfortunately password managers do take some getting used to and the UX can be very confusing for non-technical staff.<\/p>\n In a pickle, writing passwords physically down in a notebook is not the worst thing right now. It may fly in-the-face of conventional wisdom but with everyone at home, the chances of that notebook falling into the hands of an adversary is slim right now.<\/p>\n Just try and find a better solution \u2013 and change the passwords \u2013 before staff start travelling again!<\/p>\n Beyond MFA there are a couple other related remote-access risks to consider:<\/p>\n VPN and Remote access gateway vulnerabilities<\/strong><\/p>\n Patching critical infrastructure probably feels risky right now. Unfortunately in the past few months there have been some\u00a0very serious vulnerabilities<\/a>\u00a0in\u00a0common remote access equipment<\/a>.<\/p>\n These vulnerabilities are being actively exploited by multiple criminal groups right now. If you have a vulnerable service you need to patch immediately. Just have a backup plan in-case the device fails to patch (especially if you\u2019re unable to get physical access).<\/p>\n Endpoint security updates<\/strong><\/p>\n Check your infrastructure to make sure that you are still receiving updates from your endpoint security provider. If you have a cloud-based management (such as Sophos Central) you\u2019re probably ok but if not, it\u2019s essential that your clients can reach updating services.<\/p>\n This requires checking that your VPN allows access to your update server(s) (and that you have capacity). Don\u2019t forget to consider clients that may not regularly connect to the VPN.<\/p>\n Phishing attacks using COVID-19 as a lure are the most visible and immediate cybersecurity risk in the ongoing crisis.<\/p>\n This isn\u2019t surprising as we\u2019ve seen attackers use current events as a lure for many years. Unfortunately the risks this time are higher.<\/p>\n Firstly everyone is worried and handling an unprecedented change to their daily lives. High stress situations make everyone hungry for information and less likely to objectively evaluate any message they receive. Secondly, IT departments and service providers are bombarding us all with legitimate messages about changes to services.<\/p>\n Combine these issues and it\u2019s unrealistic to expect employees to accurately identify and report all attacks. You need to assume that some will get through and some staff will be duped.<\/p>\n Accepting this allows you to focus on being resilient to attacks rather than hoping to avoid them. There\u2019s already a lot of advice on this so I\u2019ll briefly cover the basics:<\/p>\n MFA<\/strong><\/p>\n Good news is that we\u2019ve already covered the most important defence! Credential phishing, whereby the attackers put up a fake login page to trick staff into entering their credentials, is the most common form of phishing. MFA is a great (albeit not always perfect) form of defense against this*.<\/p>\n Awareness<\/strong><\/p>\n This is still important. By encouraging phishing reports from staff you can warn others, and if you have a security operations team (or service), even analyse the attack to identify indicators or compromise to feed into threat hunting processes.<\/p>\n Endpoint and email defenses<\/strong><\/p>\n Your security software has multiple chances at catching a phishing attack. The more chances you give it the better the overall protection:<\/p>\n The better-configured and effective all these defenses are the less likely an attacker will manage to evade everything.<\/p>\n Patching<\/strong><\/p>\n Drive-by-downloads are less common nowadays but still a real risk. Patching browsers, mail clients and applications (such as Microsoft Office) which are regularly used to open attachments will limit the really nasty attacks that rely on minimal user-interaction.<\/p>\n Lastly, there are few reasons to be running browser plugins such as Flash, Java, etc. nowadays \u2013 disable them if you possibly can, it\u2019s much easier and safer than trying to keep them update.<\/p>\n Criminals are already taking advantage of COVID-19 in their cyberattacks, and remote access and phishing are the two areas most likely to result in a cybersecurity incident.<\/p>\n We\u2019ve covered a number of steps you can take to mitigate this risk. We also realize that time is in short supply so have compiled a list of the top seven steps we recommend all organizations take.<\/p>\n They are listed in priority order, so start at the top and work down.<\/p>\n Stay vigilant. Coronavirus-related attacks will likely ramp-up over the coming weeks and months.<\/p>\n For more information, please refer to\u00a0Sophos<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Cyberattackers are resourceful and opportunistic. They will move quickly to take advantage of a situation. COVID-19 is no different. There is a huge amount of global uncertainty and change right now which criminals are seeking to capitalize on. The risks are amplified by the immediate and unforeseen IT challenges that companies are having ensuring their … Continue reading “Protecting your company during COVID-19”<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":1092,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/posts\/1088"}],"collection":[{"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/comments?post=1088"}],"version-history":[{"count":3,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/posts\/1088\/revisions"}],"predecessor-version":[{"id":1093,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/posts\/1088\/revisions\/1093"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/media\/1092"}],"wp:attachment":[{"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/media?parent=1088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/categories?post=1088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cllsystems.com\/staging\/wp-json\/wp\/v2\/tags?post=1088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What should IT and security leaders do?<\/h3>\n
Making tough trade-offs<\/h3>\n
Other considerations<\/h3>\n
Phishing attacks<\/h2>\n
\n
Conclusion<\/h2>\n
\n