Cybersecurity in the World of COVID-19
By Carl Adasa | SOC Director US Operations
As people around the world are grappling with the new reality, COVID-19 is drastically changing the way organizations do business. From protecting employee and customer health to maintaining operational and economic resilience, we are challenged with finding ways to keep business running smoothly – and safely – in this new normal.
For IT leaders looking for ways to reduce their cybersecurity risk, we recommend focusing on three key areas: working from home, opportunistic attacks, and operational disruptions. Here are some recommendations for getting through this difficult period:
Working from Home
To encourage social distancing and help employees struggling with recent school closures, many organizations have their employees working from home. While this may be a temporary measure, industry analysts have suggested that COVID-19 may be the inflection point in a greater acceptance of remote working.
Proficio recommends the following cybersecurity best practices for teleworkers:
- VPN Connectivity: Strengthen VPN security by reviewing password controls, adopting two-factor authentication and strong encryption, and monitoring VPN access by geolocation, by user, and for anomalies against each user's baseline home VPN location.
- Monitor Activity: Increase active monitoring of VPN and Office 365 activity logs in your Security Operations Center, enable new-VPN-user reporting (if you do not already have active reports or dashboards), and at a minimum review them daily.
- Secure Endpoints: Deploy and keep up to date effective endpoint security software, and use endpoint detection and response (EDR) techniques to protect remote users from account compromise and device infection. If you lack the in-house resources to manage response to endpoint compromises, we recommend contracting with an MDR partner.
- Educate: Remind your users of best practices for working from home, including backing up data, using secure WiFi and home routers, and monitoring use of Remote Desktop Protocol (RDP). It is also key to remind them of the increased volume and sophistication of phishing attacks, so they stay alert and on the lookout for COVID-19 scams.
- Cloud Safety: The use of cloud-based infrastructure and applications is growing rapidly, and with the increase in teleworking, the use of the cloud will further accelerate. Organizations should implement use cases to help monitor cloud-based applications for anomalous user behavior and review their procedures for configuring and securing virtual servers.
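The VPN recommendations above (monitoring access by geolocation and user, flagging anomalies against each user's baseline location, and reporting new VPN users) can be reduced to a small daily review script. The following is an added example written for this post, not Proficio's own tooling: it builds a per-user baseline of locations from successful logins before a cutoff date, then flags later logins by users with no history or from a location outside their baseline. The log line format, the sample events and the cutoff date are constructed assumptions; a real deployment would parse the format your VPN concentrator emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication events (not real data). The line format is an
# assumption: "<UTC timestamp> vpn auth user=<name> src=<ip> geo=<CC>/<city> result=<ok|fail>".
SAMPLE_LOG = """\
2020-03-09T08:02:11Z vpn auth user=alice src=203.0.113.10 geo=US/Denver result=ok
2020-03-09T08:15:42Z vpn auth user=bob src=198.51.100.7 geo=US/Austin result=ok
2020-03-10T08:05:03Z vpn auth user=alice src=203.0.113.10 geo=US/Denver result=ok
2020-03-10T09:11:19Z vpn auth user=bob src=198.51.100.9 geo=US/Austin result=ok
2020-03-11T07:58:30Z vpn auth user=alice src=203.0.113.12 geo=US/Denver result=ok
2020-03-16T03:14:05Z vpn auth user=alice src=192.0.2.44 geo=RO/Bucharest result=ok
2020-03-16T08:20:00Z vpn auth user=bob src=198.51.100.7 geo=US/Austin result=ok
2020-03-16T08:31:27Z vpn auth user=carol src=192.0.2.88 geo=US/Seattle result=ok
2020-03-16T08:33:10Z vpn auth user=dave src=192.0.2.90 geo=BR/Recife result=fail
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<country>[A-Z]{2})/(?P<city>\S+) result=(?P<result>ok|fail)$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["geo"] = f"{ev['country']}/{ev['city']}"
        events.append(ev)
    return events


def build_baseline(events, cutoff):
    """Per-user set of locations seen in successful logins before the cutoff.
    Failed attempts are excluded so an attacker cannot seed the baseline with bad logins."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["ts"] < cutoff and ev["result"] == "ok":
            baseline[ev["user"]].add(ev["geo"])
    return dict(baseline)


def detect_anomalies(events, baseline, cutoff):
    """Flag events at or after the cutoff from users with no history (new VPN user)
    or from a location outside that user's baseline. Failed attempts are reported too."""
    findings = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        user = ev["user"]
        if user not in baseline:
            kind = "new_vpn_user"
        elif ev["geo"] not in baseline[user]:
            kind = "location_outside_baseline"
        else:
            continue
        findings.append({"ts": ev["ts"].isoformat(), "user": user, "geo": ev["geo"],
                         "src": ev["src"], "result": ev["result"], "kind": kind})
    return findings


def daily_report(text, cutoff_date):
    """Build the baseline from everything before cutoff_date (YYYY-MM-DD) and report on the rest."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    events = parse_vpn_log(text)
    return detect_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for f in daily_report(SAMPLE_LOG, "2020-03-15"):
        print(f"{f['ts']} {f['kind']:26} user={f['user']} geo={f['geo']} "
              f"src={f['src']} result={f['result']}")
```

Run against the constructed log, the report lists alice's login from Bucharest (outside her Denver baseline) and two users, carol and dave, who have no VPN history at all. In practice the baseline window should be rolled forward each day, and a location should only join a user's baseline once the login has been confirmed legitimate, otherwise the first anomalous login silently becomes the new normal.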
Opportunistic Attacks and Active Defense Mitigation
Cybercriminals are already exploiting people’s anxiety around COVID-19. For example, phishing emails purporting to be from the World Health Organization or the CDC contain new “information” about the virus, or claim to be from charitable organizations raising money for victims.
According to researchers at Proofpoint, phishing emails carrying Microsoft Office document attachments are being used to lure victims and exploit a Microsoft Office vulnerability. In parallel, there has been a surge in newly registered COVID-19-related domains and in malicious applications promising to track cases.
In this environment, Proficio recommends the following:
- Caution users to be ultra-vigilant and on the lookout for scams, phishing attacks, and social engineering tactics that take advantage of the current situation. Use trusted sites, such as CISA, for guidance and information.
- Tailor multi-layer protections on email, infrastructure, systems and applications to detect malware, spam, and domains that pertain to “corona”, “virus”, “COVID”, “infection”, and related terms.
- Enrich and correlate log data with new sources of threat intelligence from government agencies, broadcast and social media, and local websites.
- Monitor security events on a 24/7 basis and use a framework like MITRE ATT&CK to more comprehensively understand and respond to threats.
- For quicker action, automate containment actions to respond to attacks at the perimeter, endpoint, and cloud. Ask your service provider for SOAR-as-a-Service.
- Regularly scan for vulnerabilities and adopt a risk-based vulnerability management approach to more effectively patch assets with real and exploitable vulnerabilities.
- Continuously monitor your organization’s security posture. Build real-time dashboards that show trends in attack volumes and methods to pinpoint gaps in security.
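The recommendation above to tailor email and domain protections to terms such as “corona”, “virus”, “COVID” and “infection” is straightforward to express as a screening rule, but a naive keyword match is trivially evaded with digit substitutions and separators, and it will also block the legitimate WHO and CDC guidance users are being told to rely on. The following is an added example written for this post, not Proficio's product logic: it normalizes text before matching, keeps a hypothetical allowlist of authoritative sources, and exempts only messages whose sender and every link stay on that allowlist. The term list beyond the post's own words, the allowlist, and the sample messages are all constructed assumptions.

```python
import re

# Lure terms named in the post, plus a few related ones (the extension is an assumption).
LURE_TERMS = ("corona", "covid", "virus", "infection", "pandemic", "quarantine")
# Hypothetical allowlist of authoritative sources: mail from these hosts that links only to
# these hosts is not screened, so legitimate health guidance is not blocked.
TRUSTED_DOMAINS = ("who.int", "cdc.gov", "cisa.gov")
# Common digit/symbol substitutions used to slip past naive keyword filters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})

# Constructed sample messages (not real mail): sender address, subject, embedded link URLs.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "alerts@who.int", "subject": "COVID-19 situation report",
     "urls": ["https://www.who.int/emergencies"]},
    {"id": 2, "sender": "donate@c0vid19-relief.example",
     "subject": "Help coronavirus victims today",
     "urls": ["http://c0vid19-relief.example/give"]},
    {"id": 3, "sender": "it-support@example.com", "subject": "Office 365 password expiry",
     "urls": ["https://login.example.com"]},
    {"id": 4, "sender": "news@who-int.example",
     "subject": "WHO: new virus information attached", "urls": []},
]


def normalize(text):
    """Lowercase, undo leet substitutions and drop separators so 'C0VID-19', 'c.o.v.i.d'
    and 'covid' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def host_of(address_or_url):
    """Extract the host from an e-mail address or URL. Deliberately naive (an assumption,
    not an RFC-complete parser); good enough for screening the constructed samples."""
    m = re.search(r"@([^\s/>]+)|://([^\s/]+)", address_or_url)
    host = (m.group(1) or m.group(2)) if m else address_or_url
    return host.lower().rstrip(".")


def is_trusted(host):
    """Exact match or subdomain of an allowlisted host; 'cdc.gov.example' does not qualify."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lure_terms_in(text):
    n = normalize(text)
    return [t for t in LURE_TERMS if t in n]


def screen_message(msg):
    """Return a finding for a message whose sender host, subject or link hosts carry a lure
    term, or None. Messages from a trusted sender that link only to trusted hosts are exempt."""
    sender_host = host_of(msg["sender"])
    link_hosts = [host_of(u) for u in msg.get("urls", [])]
    if is_trusted(sender_host) and all(is_trusted(h) for h in link_hosts):
        return None
    hits = {}
    sender_terms = lure_terms_in(sender_host)
    if sender_terms:
        hits["sender_domain"] = sender_terms
    subject_terms = lure_terms_in(msg["subject"])
    if subject_terms:
        hits["subject"] = subject_terms
    link_terms = []
    for h in link_hosts:
        if not is_trusted(h):
            link_terms += [t for t in lure_terms_in(h) if t not in link_terms]
    if link_terms:
        hits["link_domain"] = link_terms
    return {"id": msg["id"], "sender_host": sender_host, "hits": hits} if hits else None


def screen_all(messages):
    return [f for f in (screen_message(m) for m in messages) if f]


if __name__ == "__main__":
    for f in screen_all(SAMPLE_MESSAGES):
        print(f"message {f['id']} from {f['sender_host']}: {f['hits']}")
```

On the constructed samples the genuine WHO report passes, the routine IT notice passes, the “c0vid19-relief” donation lure is caught on sender domain, subject and link, and the look-alike “who-int.example” sender is caught on its subject line because the allowlist exemption requires the real who.int host, not a string that merely resembles it. A rule like this belongs in a tuned, layered stack rather than on its own: “virus” will also hit antivirus vendor mail, so the output should feed a quarantine or review queue rather than a hard block.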
Risk of Operational Disruptions
The impact of employee sick leave or quarantining could undermine an organization’s operational readiness and reduce IT teams’ capacity to respond to attacks. Even if your team is not seriously affected, there is a risk that they will be distracted by unplanned tasks such as supporting remote workers or adjusting to new family schedules. Similarly, in the world of COVID-19, it is also likely that your vendors may be disrupted or less responsive.
To minimize this impact, Proficio recommends:
- Review your business continuity plan and be prepared to implement it.
- Understand your vendors’ preparedness and plans. If you rely on outsourced 24/7 monitoring or support, find out whether your service provider operates from a single SOC location, as this adds risk in the event of a localized virus hot spot.
- Implement cross-training, if this is not already in place.
- Check that your list of vendor contacts and their back-ups are available, especially in the case you have limited named support contacts.
- Adopt best practices to reduce the risk of contagion, including social distancing, working from home, and reduced travel.
We hope you all find yourselves safe in this time of uncertainty, but please feel free to reach out to us if you need help in any way.