Reopening Safely – Cybersecurity Recommendations for Organizations Returning to the Office

According to the consulting firm McKinsey, organizations will need to navigate through the stages of Resolve, Resilience, Return, Reimagination, and Reform during the COVID-19 pandemic. Many organizations are now in the Return stage as they ask their employees to come back to their business locations.

The challenge for IT organizations is how to manage the transition through these stages as securely and effectively as possible. It is not as simple as flipping a switch, where business operations return to the way they were before COVID. Successfully reopening will require advance planning, locking down networks, and avoiding the human errors often caused by a rushed implementation.

Industry experts expect COVID to accelerate digital transformation. From the supply chain, through manufacturing and on to customer engagement, businesses need solutions that are more adaptable, agile, and digitally enabled. For example, the digital transformation of the supply chain includes digitally connecting buyers with a network of partners, uploading design data, getting instant pricing, and performing design for manufacturing on the fly.

Digital transformation will require businesses to rearchitect their networks and applications, creating new cybersecurity challenges.

Protect Your Networks

Sales of notebooks rose dramatically in March and April of 2020 as office workers transitioned to teleworking. Whether permanently or following a staggered work schedule, many of these workers will be trading in these notebooks for their old desktop computers as they return to their traditional place of work. IT teams should proactively secure desktop PCs by applying security patches, updating endpoint security, and adjusting thresholds for desktop logs.

Unpatched vulnerabilities are a significant cause of avoidable data breaches. Patch management for Microsoft products alone is a major undertaking. On the second Tuesday of each month, known as Patch Tuesday, Microsoft releases security-related updates for Windows, Office, and related products. Microsoft issued 339 security patches in March, April, and May of 2020. When reviewing vulnerabilities, teams responsible for patching should not only assess the criticality of the vulnerability but also consider its exploitability. For example, Microsoft classifies CVE-2020-1054 as “Important” with a rating of “Exploitation More Likely”. According to Microsoft, an attacker who exploited this Win32k Elevation of Privilege Vulnerability could run arbitrary code in kernel mode, and then install programs; view, change, or delete data; or create new accounts with full user rights.

Risk-Based Vulnerability Management (RBVM) tools help address the trade-off between criticality and exploitability. Asset discovery, continuous vulnerability scanning, risk indexing, and patch management are components of RBVM solutions. RBVM Managed Services take this a step further by offering experts that provide lifecycle vulnerability management services and make patching recommendations that factor in compensating controls, deployment challenges, and business continuity.

Review Remote Access Solutions and Policies

Chances are that your IT team has already had a trial-by-fire experience setting up remote access for a large number of employees as their organizations adopted a work-from-home policy. Now is a good time to re-evaluate your VPN capacity as the pendulum swings the other way.

Your approach to working from home will significantly affect your required VPN capacity. Some organizations are embracing teleworking on a long-term basis, while others see this as a temporary solution until there is a COVID-19 vaccine. Use a network performance monitoring tool to analyze usage of your VPN. If you do not have one, many good tools are available on a free trial basis. For example, products like PRTG can be used to monitor multiple VPN parameters including traffic, users, and applications.

PRTG VPN Monitoring

Through the process of rebaselining your capacity needs, you will determine if your existing VPN hardware and licensing are sufficient for your expected requirements. This is also a good time to consider rearchitecting your approach to remote access. Strategies include moving data and applications to the cloud and using products like Citrix Access Control. Moving away from traditional VPNs will likely add flexibility and scalability to your users and mission-critical applications. However, these benefits come at a price and often have longer implementation timelines than expected.

In addition to reviewing operational aspects of your VPN infrastructure, a reopening plan should revisit the policies that secure VPNs, including password policies, 2FA, and software updates. SOC teams or managed service providers should constantly monitor VPN activity for anomalous behavior. Easy-to-use dashboards should provide visibility into VPN user activity, geographic locations, and variations from expected thresholds. A better understanding of your VPN traffic and trends will improve your security posture by reducing the level of effort required to properly analyze alerts. Event notifications will drive security analyst investigations and remediation steps.

Questions to consider:

  • How many employees are just doing what works and bypassing security controls to get things done?
  • Is it normal for your organization to have successful remote VPN logins from resources outside the country?
  • Did your organization need to “relax” any security or compliance policies to enable employees to use RTP (Real-time Transport Protocol), used in live video streaming services like Zoom, WebEx or others?
  • How many different RTP applications are running on these hosts and are they configured to meet your organization’s security and compliance strategy?
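The questions above can be turned into checks against VPN gateway logs. The following is an added example, not code from the original post or from Proficio: it screens constructed syslog-style VPN records (the line layout, user names and documentation-range addresses are all assumptions) for successful logins from outside the home country, logins that skipped MFA, and a burst of failures followed by a success from the same source.

```python
"""Added example (not from the original post): screen constructed VPN gateway
log lines for logins from outside the home country, logins without MFA, and
repeated failures followed by a success from the same source address."""
import re
from collections import defaultdict

# Hypothetical log line layout, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) "
    r"src=(?P<ip>\S+) geo=(?P<cc>[A-Z]{2}) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample records; addresses are from documentation ranges.
SAMPLE_LOG = """\
2020-06-01T08:02:11Z vpn-gw LOGIN_OK user=alice src=203.0.113.7 geo=US mfa=yes
2020-06-01T08:05:40Z vpn-gw LOGIN_OK user=bob src=198.51.100.22 geo=US mfa=no
2020-06-01T08:07:02Z vpn-gw LOGIN_FAIL user=carol src=192.0.2.9 geo=RU mfa=no
2020-06-01T08:07:15Z vpn-gw LOGIN_FAIL user=carol src=192.0.2.9 geo=RU mfa=no
2020-06-01T08:07:31Z vpn-gw LOGIN_OK user=carol src=192.0.2.9 geo=RU mfa=yes
2020-06-01T09:12:00Z vpn-gw LOGIN_OK user=dave src=203.0.113.50 geo=CA mfa=yes
"""


def parse_vpn_log(text):
    """Yield one dict per well-formed line; skip anything the regex rejects."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze_vpn_log(text, home_countries=frozenset({"US"}), fail_threshold=2):
    """Return a list of findings, each a dict with kind, user and detail."""
    findings = []
    fails = defaultdict(int)  # (user, source ip) -> consecutive failures
    for rec in parse_vpn_log(text):
        key = (rec["user"], rec["ip"])
        if rec["result"] == "LOGIN_FAIL":
            fails[key] += 1
            continue
        # Successful login from here on.
        if rec["cc"] not in home_countries:
            findings.append({"kind": "foreign_login", "user": rec["user"],
                             "detail": f"{rec['cc']} from {rec['ip']}"})
        if rec["mfa"] == "no":
            findings.append({"kind": "mfa_bypass", "user": rec["user"],
                             "detail": f"no MFA from {rec['ip']}"})
        if fails[key] >= fail_threshold:
            findings.append({"kind": "failed_then_success", "user": rec["user"],
                             "detail": f"{fails[key]} failures then success"})
        fails[key] = 0  # a success closes the failure streak for this source
    return findings


if __name__ == "__main__":
    for f in analyze_vpn_log(SAMPLE_LOG):
        print(f"{f['kind']:<20} {f['user']:<8} {f['detail']}")
```

Adjust `home_countries` to the set of countries your organization actually operates from; a login from outside that set is a question to answer, not automatically an incident.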

Network Access Control (NAC) solutions add to your remote access security program by controlling user and device access to the corporate infrastructure. The case for NAC deployment is stronger in an environment where employees are switching between office and home locations and BYOD and IoT devices are being connected to the network. Examples of NAC vendors are Forescout, HPE-Aruba, and Portnox.

To further leverage your NAC investments, ask your SOC or MDR Service provider to build correlation rules with endpoint security software, and then automate the containment of infected devices on your network.

Assess COVID’s Impact on Scoping New and Upcoming Projects

Many information security teams planned to build out new capabilities or implement new security controls this year. Underlying these plans were assumptions on the cost and resources required for these projects.

The COVID pandemic should cause planners to look carefully at their assumptions. For example, projects to deploy new SIEM (Security Information and Event Management) software or centralize log management need to be scoped with more than a snapshot of current traffic. With people out of the office and certain on-premise systems and controls operating at low usage, the amount of storage required (usually measured in gigabytes per day or events per second) might be artificially low compared to when the office reopens.

Estimating staffing levels for security operations during COVID has similar challenges. For many organizations, the number of security alerts processed by a security operations team is directly correlated with user activity. Users will click on suspicious links, access suspicious websites, attempt to install suspicious software, and perform other activities that result in work for security analysts to investigate. As a result of COVID, many organizations were forced to furlough workers. Additionally, remote users may not be going through certain on-premise controls such as web filters and firewalls. Consequently, the alerts the security operations team is processing might be artificially low compared to activity levels when offices reopen.

To combat the risk of under-scoping resources for these projects, assess activity levels for pre-COVID periods, such as January and February of 2020. Businesses are being affected by COVID in different ways, and management teams are rethinking their go-forward operational models. We suggest getting a range of inputs to properly scope the requirements for new security products and services.

Accelerate Transition to the Cloud

Workloads were increasingly being migrated to the cloud before COVID. Post-COVID, the adoption of cloud computing will likely speed up as companies deal with uncertainty and value the ability to flexibly scale up and down capacity. Businesses are also reviewing their reliance on physical data centers because of safety concerns related to site visits during the COVID pandemic.

When formulating a cloud security strategy, IT leadership will need to weigh the risks against the benefit of increased agility. According to Gartner’s predictions around the cloud, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data, and 99% of cloud security failures will be the customer’s fault.

In the “2019 Data Breach Investigations Report” (DBIR), errors were found to be one of the top causes of data breaches. Errors that have resulted in misconfigurations of cloud infrastructures are increasingly cited as the cause of the loss of sensitive data. Examples of such misconfigurations include:

  • Data encryption not turned on
  • Access to resources not provisioned using IAM roles
  • VPC Flow logs being disabled
  • Publicly exposed cloud resources

In the case of Capital One, 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed amount of customers’ personal information were exposed due to a misconfigured web application firewall.

The first steps to minimizing misconfigurations in the cloud are training your security teams to understand cloud infrastructure and documenting and auditing processes. Next, use cloud-native security tools that allow you to monitor your networks for suspicious activity such as a malicious actor abusing a set of compromised credentials, moving laterally across the cloud environment, or attempting to exfiltrate information. For many organizations, it is more practical to outsource the responsibility of configuring and monitoring cloud infrastructures to outside experts or a Managed Security Service Provider (MSSP).

Conventional wisdom has been that users of cloud computing must realize their responsibility for security and not overly rely upon providers, who are primarily concerned with securing their platform rather than everything their customers build and store within it. While cloud providers have considerably improved their security, data and applications hosted in a cloud infrastructure require the same security programs used for on-premise networks. In this shared responsibility model, event logs must be collected, analyzed, and monitored; traffic in and out of virtual networks must be inspected and protected by virtual NGFWs and WAFs; and hosts must be scanned for vulnerabilities.

Today, the three cloud providers that dominate the market are AWS, Azure, and Google. As an enterprise grows its cloud infrastructure, it is likely to consider a multicloud approach. The idea is that using more than one vendor reduces dependency and gives the customer more leverage. For organizations that are selecting an MSSP to monitor their cloud infrastructure, check whether your prospective provider can support the top three players in case your organization decides to follow a multicloud strategy.

Post-COVID Threat Landscape

Cybersecurity teams should always be anticipating new threats and new threat actors and be prepared to detect and respond to damaging attacks.

We recommend reminding your employees that phishing campaigns continue to be a successful tool for attackers, enticing email recipients to click on embedded links that download malicious programs or open nefarious websites. The crafting of these phishing emails will prey on anxieties regarding the spread and impact of the COVID-19 pandemic. Attackers are fully aware of the public attention on this worldwide pandemic, and they will craft emails with the intent of eliciting an emotional response.

Attackers are seeking to harvest verified credentials. Even if an employee clicks on a malicious link but closes the web browser before any download can begin, the attacker has confirmation that the email account is legitimate. This will result in more targeted phishing emails. Credential gathering and phishing emails are ongoing security challenges for organizations trying to maintain their security posture. To get ahead of this threat, organizations might consider an organization-wide password reset as well as using multi-factor authentication.

While the themes used in cyberattacks are changing, it does not appear that the actors behind these attacks or the attack vectors have changed. Enterprises must maintain heightened vigilance for malware, ransomware, and phishing attacks, but that is not new. Endpoint security tools must be fit for purpose and kept updated. Implementing security tools is only half the battle; they need to be correctly configured and monitored, and their alerts investigated. Where internal teams lack the expertise or time for these functions, a managed endpoint detection and response service provider can fill the gap. Finally, the need for employee security awareness and training can never be overstated.

Increased Risk of Insider Threats

Unfortunately, many organizations are being forced to furlough or lay off employees as a result of the impact of COVID on their business. Disgruntled employees are more likely to steal data or credentials to retaliate against perceived grievances. According to research from Gartner, “seeking harm and revenge on employers is a bigger incentive for insider threats than is stealing money.”

Passwords are the first line of defense against insider threats. Organizations must immediately change passwords, close accounts, and remove access to shared resources when an employee leaves. Your company will be liable for the confidentiality of your partners’ information, so it is equally important to inform third parties and vendors that may have provided the employee with access. This risk is enhanced where your company has signed a covered entity or business associate agreement.

Ensure departing employees have up-to-date paperwork protecting confidentiality and inventions, return corporate devices, and do not retain company data on personal devices.

Depending on your organization’s security controls and collection of event logs, user activity can be an indicator of insider behavior. Examples of detections that can be built from these logs, whether investigated directly or used in correlation rules, include:

  • Detect the first time a USB drive is plugged in
  • Detect data exfiltration by monitoring DNS activity for total bytes transferred
  • Detect unauthorized access attempts to sensitive systems
  • Detect activity from expired user accounts
  • Detect credential sharing for your privileged accounts by correlating account logins from disparate locations
  • Detect download events from SaaS applications like Salesforce.com for indicators of data exfiltration
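Three of the detections above, implemented over constructed JSON event records as an added example (not code from the original post or from Proficio): privileged-credential sharing inferred from logins at two locations within a short window, activity from an account whose access should have ended, and the first USB device inserted on a host. The account names, hosts, locations and the 30-minute window are assumptions for illustration.

```python
"""Added example (not from the original post): run three insider-threat
detections over constructed JSON event records: privileged-credential sharing
across locations, activity from an expired account, and first USB insert."""
import json
from datetime import datetime, timedelta

# Constructed reference data; a real SIEM would pull these from HR/IAM feeds.
PRIVILEGED_ACCOUNTS = {"svc_backup"}
EXPIRED_ACCOUNTS = {"jdoe": datetime(2020, 5, 15)}  # furloughed; access should be gone
SHARE_WINDOW = timedelta(minutes=30)  # two locations this close together is suspicious

SAMPLE_EVENTS = """\
{"ts": "2020-06-02T09:00:00Z", "host": "HR-PC-07", "user": "svc_backup", "event": "login", "location": "HQ-Office"}
{"ts": "2020-06-02T09:10:00Z", "host": "VPN-GW", "user": "svc_backup", "event": "login", "location": "Home-Remote"}
{"ts": "2020-06-02T09:30:00Z", "host": "FS-01", "user": "jdoe", "event": "file_read", "location": "HQ-Office"}
{"ts": "2020-06-02T10:00:00Z", "host": "HR-PC-07", "user": "msmith", "event": "usb_insert", "location": "HQ-Office"}
{"ts": "2020-06-02T10:05:00Z", "host": "HR-PC-07", "user": "msmith", "event": "usb_insert", "location": "HQ-Office"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_insider_indicators(events):
    """Return (kind, user, detail) tuples in event order."""
    findings = []
    last_login = {}   # privileged user -> (ts, location) of the latest login
    usb_seen = set()  # hosts that have already had a USB insert
    for e in events:
        user, ts = e["user"], e["ts"]
        expired_on = EXPIRED_ACCOUNTS.get(user)
        if expired_on and ts > expired_on:
            findings.append(("expired_account_activity", user, e["host"]))
        if e["event"] == "login" and user in PRIVILEGED_ACCOUNTS:
            prev = last_login.get(user)
            if prev and prev[1] != e["location"] and ts - prev[0] <= SHARE_WINDOW:
                findings.append(("credential_sharing", user, f"{prev[1]} -> {e['location']}"))
            last_login[user] = (ts, e["location"])
        if e["event"] == "usb_insert" and e["host"] not in usb_seen:
            usb_seen.add(e["host"])  # only the first insert per host is reported
            findings.append(("first_usb_insert", user, e["host"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail in detect_insider_indicators(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:<26} {user:<12} {detail}")
```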

Be Prepared for the Short Term and Long Term

No one knows with certainty what the new normal for business will be. Questions such as when workers will return to their physical offices, what percentage of the workforce will return to physical offices, and whether businesses will move certain functions to permanent remote roles are all hard to predict.

In the short term, we can expect issues with technology and existing information security procedures. For example, furloughed employees may not have their access properly shut off: their phones may still be configured to check email, their accounts might still be enabled for certain systems, or they may still have access to certain physical assets. As a result, Windows accounts will expire without password updates, causing spikes in failed authentications on an organization’s domain.

Over the long term, information security programs should be evaluated based on their ability to provide visibility to threats and their efficiency in meeting operational requirements.

Expect gaps in visibility for organizations switching to a work from home model without an architecture setup to route internet traffic from work machines through a web filter product. Employees can access phishing sites, competitor websites, or use their machines for non-work-related activity because the organization does not have visibility into this layer of network traffic or the ability to log network and endpoint telemetry to a central location.

Businesses that are not experienced with remote workers will need to create new processes to ensure their employees can work efficiently. For example, if a machine is suspected to be compromised, how will the organization perform remote forensics if it does not have a cloud-based EDR product logging detailed endpoint telemetry? Additionally, if the employee’s machine is compromised, do you stop that employee from working and ship a replacement laptop? If so, the employee can do nothing while the new machine is being delivered. For some businesses, this is nothing new, but for others these changes will require some level of effort to smooth over.

Get Ahead of Upcoming Audit Inquiries

Part of reopening is preparing to meet compliance standards and undergo security audits.

Security audits have become a common feature of almost every industry. Preparation and planning reduce the disruption of an audit and increase the likelihood of a successful result. Companies that take a checkbox approach to meeting compliance standards can fail to adequately assess the cybersecurity risks to their organization.

Preparing for an audit should start with a review of the latest changes to compliance standards. Risk and security teams should compile and update key documents that describe the organization’s security policies. These should include a list of technical controls and safeguards, password and user account policies, configuration management, patching, incident response plan, and backup and disaster recovery.

Conclusion

The COVID pandemic is placing enormous stress on individuals and organizations. Those responsible for enterprise security operations and risk management are being challenged to respond to more change and uncertainty than ever before.

In this environment, it is key that IT leadership aligns its operational objectives with the organization’s strategic goals. IT teams must be agile and deliver value while ensuring the integrity of day-to-day operations. At Proficio, we address these same challenges by partnering with our clients, empowering our team of security experts, and creating innovative solutions to real-world problems.

By:
Bryan Borra, Director of Security Engineering, Proficio
Paul Fletcher, Security Advisor, Proficio