
Cybersecurity in the World of COVID-19

People around the world are grappling with the new reality of COVID-19 which is drastically changing the way organizations do business. From protecting employee and customer health to maintaining operational and economic resilience, we are challenged with finding ways to keep business running smoothly – and safely – in this new normal.

For IT leaders looking for ways to reduce their cybersecurity risk, we recommend focusing on three key areas: working from home, opportunistic attacks, and operational disruptions. Here are some recommendations on how to get through this difficult period:

Working from Home

To encourage social distancing and help employees struggling with recent school closures, many organizations have their employees working from home. While this may be a temporary measure, industry analysts have suggested that COVID-19 may be the inflection point in a greater acceptance of remote working.

Proficio recommends the following cybersecurity best practices for teleworkers:

  1. VPN Connectivity: Strengthen VPN security by reviewing password controls, adopting two-factor authentication and strong encryption, and monitoring VPN access by user and geolocation, flagging logins that deviate from each user's baseline home location.
  2. Monitor Activity: Increase active monitoring of VPN and Office 365 activity logs in your Security Operations Center, enable new-VPN-user reporting (if you do not already have active reports or dashboards) and, at a minimum, review them daily.
  3. Secure Endpoints: Apply and update effective endpoint security software and use endpoint detection and response techniques to protect remote users from account compromises and device infection. If you lack in-house resources for managed response to endpoint compromises, we recommend contracting with an MDR service provider.
  4. Educate: Remind your users of best practices for working from home, including backing up data and using secure WiFi and home routers, and monitor the use of Remote Desktop Protocol (RDP). It is also key to remind them of the increased volume and sophistication of phishing attacks, so they stay alert and on the lookout for COVID-19 scams.
  5. Cloud Safety: The use of cloud-based infrastructure and applications is growing rapidly, and with the increase in teleworking, the use of the cloud will further accelerate. Organizations should implement use cases to help monitor cloud-based applications for anomalous user behavior and review their procedures for configuring and securing virtual servers.
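Items 1 and 2 above (geolocation monitoring against each user's baseline, and new-VPN-user reporting) can be implemented with a small baseline-and-compare pass over VPN authentication logs. The following is an added example, not Proficio's tooling: the log format, the log lines and the IP-to-country table are constructed for illustration, and a real deployment would take the country from a GeoIP database or from the field the VPN appliance already logs.

```python
"""Baseline VPN logins per user and flag deviations (new users, new countries,
impossible travel). Added example, not Proficio's tooling: the log lines and
the IP-to-country table are constructed, and the log format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines (format assumed: ISO timestamp,
# event name, key=value pairs). Documentation IP ranges are used as sources.
SAMPLE_LOG = """\
2020-03-16T08:02:11Z vpn-login user=alice src=203.0.113.10 result=success
2020-03-16T08:05:42Z vpn-login user=bob src=198.51.100.7 result=success
2020-03-17T08:10:03Z vpn-login user=alice src=203.0.113.10 result=success
2020-03-17T09:12:55Z vpn-login user=bob src=198.51.100.9 result=success
2020-03-18T07:58:30Z vpn-login user=alice src=203.0.113.11 result=success
2020-03-18T08:20:17Z vpn-login user=bob src=198.51.100.7 result=success
2020-03-19T08:01:45Z vpn-login user=alice src=203.0.113.10 result=success
2020-03-19T08:04:00Z vpn-login user=alice src=192.0.2.200 result=success
2020-03-19T08:30:21Z vpn-login user=carol src=192.0.2.55 result=success
2020-03-19T09:00:00Z vpn-login user=bob src=198.51.100.7 result=failure
"""

# Constructed stand-in for a GeoIP lookup (prefix -> country code).
GEO = {"203.0.113.": "US", "198.51.100.": "US", "192.0.2.": "RO"}

# Logins before this date form the baseline; later logins are scored against it.
BASELINE_CUTOFF = datetime(2020, 3, 19)


def country_of(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse(log_text):
    """Turn successful vpn-login lines into event dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _event, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("result") != "success":
            continue  # failed attempts do not shape the baseline
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "ip": fields["src"],
            "country": country_of(fields["src"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """user -> set of countries seen in successful logins before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]].add(e["country"])
    return baseline


def detect(events, baseline, travel_window=timedelta(hours=2)):
    """Return (alert_type, user, detail, timestamp) tuples."""
    alerts = []
    last_seen = {}
    for e in events:
        user, cc = e["user"], e["country"]
        if user not in baseline:
            alerts.append(("new_vpn_user", user, cc, e["ts"]))
        elif cc not in baseline[user]:
            alerts.append(("new_country", user, cc, e["ts"]))
        prev = last_seen.get(user)
        # Two successful logins from different countries inside the window:
        # nobody travels that fast, so suspect shared or stolen credentials.
        if prev and prev["country"] != cc and e["ts"] - prev["ts"] < travel_window:
            alerts.append(("impossible_travel", user, f"{prev['country']}->{cc}", e["ts"]))
        last_seen[user] = e
    return alerts


def run():
    events = parse(SAMPLE_LOG)
    return detect(events, build_baseline(events, BASELINE_CUTOFF))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the constructed data this raises a new-country alert and an impossible-travel alert for alice, and a new-VPN-user alert for carol. The caveat a practitioner will hit immediately: build the baseline from the first days of home working, not from office-era logs, otherwise every employee's home ISP range looks new; and expect noise from mobile carriers and carrier-grade NAT, whose geolocation is coarse.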

Opportunistic Attacks and Active Defense Mitigation

Cybercriminals are already exploiting people's anxiety around COVID-19. For example, phishing emails purporting to come from the World Health Organization or the CDC contain new "information" about the virus, or claim to be from charitable organizations raising money for victims.

According to researchers at Proofpoint, phishing emails carrying Microsoft Office document attachments are being used to lure victims and exploit a Microsoft Office vulnerability. In parallel with this activity, there has been a surge in registered COVID-19-related domains and in malicious applications promising to track the virus.

In this environment, Proficio recommends the following:

  1. Caution users to be ultra-vigilant and on the lookout for scams, phishing attacks, and social engineering tactics that take advantage of the current situation. Use trusted sites, such as CISA, for guidance and information.
  2. Tailor multi-layer protections on email, infrastructure, systems and applications to detect malware, spam, and domains that pertain to “corona”, “virus”, “COVID”, “infection”, and related terms.
  3. Enrich and correlate log data with new sources of threat intelligence from government agencies, broadcast and social media, and local websites.
  4. Monitor security events on a 24/7 basis and use a framework like MITRE ATT&CK to more comprehensively understand and respond to threats.
  5. For quicker action, automate containment actions to respond to attacks at the perimeter, endpoint, and cloud. Ask your service provider for SOAR-as-a-Service.
  6. Regularly scan for vulnerabilities and adopt a risk-based vulnerability management approach to more effectively patch assets with real and exploitable vulnerabilities.
  7. Continuously monitor your organization's security posture. Build real-time dashboards that show trends in attack volumes and methods to pinpoint gaps in security.
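Item 2 above asks for detection of domains containing terms such as "corona", "virus" and "COVID", and item 3 for enriching log data with outside sources. A bare keyword match is noisy (it hits antivirus vendors and the official health sites you want people to visit), so the example below, which is added here and is not Proficio's detection content, tempers the match with an allowlist and the domain's registration age. The DNS log lines, the allowlist and the registration dates are constructed; in production the age would come from a WHOIS/RDAP lookup or a newly-registered-domain feed.

```python
"""Flag COVID-themed domains in DNS logs, tempered by an allowlist and domain
registration age. Added example, not Proficio's detection content: the log
lines, allowlist and registration dates are constructed; in production the
age would come from a WHOIS/RDAP lookup or a newly-registered-domain feed."""
import re
from datetime import date

KEYWORDS = ("corona", "covid", "virus", "infection", "pandemic", "vaccine")

# Constructed: domains the organization expects its users to reach.
ALLOWLIST = {"who.int", "cdc.gov", "coronavirus.gov"}

# Constructed registration dates keyed by registrable domain.
REGISTERED = {
    "covid19-tracker-update.com": date(2020, 3, 14),
    "corona-relief-fund.org": date(2020, 3, 16),
    "antivirus-vendor.example": date(2009, 5, 1),
}

# Constructed DNS query log lines.
SAMPLE_LOG = """\
2020-03-18T10:01:02Z dns client=10.0.0.21 query=www.coronavirus.gov type=A
2020-03-18T10:01:40Z dns client=10.0.0.21 query=covid19-tracker-update.com type=A
2020-03-18T10:02:11Z dns client=10.0.0.33 query=download.antivirus-vendor.example type=A
2020-03-18T10:03:57Z dns client=10.0.0.33 query=corona-relief-fund.org type=A
2020-03-18T10:05:00Z dns client=10.0.0.40 query=mail.example.net type=MX
"""

TODAY = date(2020, 3, 18)


def registrable_domain(fqdn):
    # Assumption: the last two labels are the registrable domain. Real code
    # should use the Public Suffix List so that e.g. co.uk is handled.
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def keyword_hits(name):
    return [k for k in KEYWORDS if k in name.lower()]


def assess(fqdn, today, max_age_days=60):
    """Return (verdict, reason). A keyword match alone is weak evidence: the
    allowlist removes official sources, and domain age separates freshly
    registered lures from long-standing names such as antivirus vendors."""
    hits = keyword_hits(fqdn)
    if not hits:
        return ("ignore", "no keyword match")
    domain = registrable_domain(fqdn)
    if domain in ALLOWLIST:
        return ("allow", f"keywords {hits} on allowlisted {domain}")
    registered = REGISTERED.get(domain)
    if registered is None:
        return ("review", f"keywords {hits}, registration date unknown for {domain}")
    age = (today - registered).days
    if age <= max_age_days:
        return ("alert", f"keywords {hits}, {domain} registered {age} days ago")
    return ("info", f"keywords {hits}, {domain} is {age} days old")


def scan(log_text, today):
    """Run assess() over every query= field; drop lines with no keyword."""
    results = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        verdict, reason = assess(m.group(1), today)
        if verdict != "ignore":
            results.append((m.group(1), verdict, reason))
    return results


def run():
    return scan(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    for fqdn, verdict, reason in run():
        print(f"{verdict:6} {fqdn}: {reason}")
```

On the constructed log the two domains registered in the last few days come out as alerts, the official site is allowed, and the decade-old vendor domain is logged for information only. The same assess() function applies unchanged to proxy logs and to sender domains in mail logs; only the extraction regex changes.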

Risk of Operational Disruptions

The impact of employee sick leave or quarantining could undermine an organization's operational readiness and reduce the capability of IT teams to respond to attacks. Even if your team is not seriously affected, there is a risk that they will be distracted by unplanned tasks such as supporting remote workers or adjusting to new family schedules. Similarly, in the world of COVID-19, it is also likely that your vendors may be disrupted or less responsive.

To minimize this impact, Proficio recommends:

  1. Review your business continuity plan and be prepared to implement it.
  2. Understand your vendors' preparedness and plans. If you rely on outsourced 24/7 monitoring or support, find out whether your service provider operates from a single SOC location, as this adds risk in the event of a localized virus hot spot.
  3. Implement cross-training, if this is not already in place.
  4. Check that your list of vendor contacts and their back-ups are available, especially in the case you have limited named support contacts.
  5. Adopt best practices to reduce the risk of contagion, including social distancing, working from home and reduced travel.

We hope you all find yourself safe in this time of uncertainty but please feel free to reach out to us if you need help in any way.

Focus on the Big Rocks

I travel 200,000 miles a year, talking to CIOs and CISOs all over the world. While I encounter a wide range of issues relating to the security posture and maturity of these organizations, the one theme that resonates with them all is a conversation around focusing on the “big rocks”.

Too often, the people responsible for cybersecurity get mired in a discussion about all the ways an attacker could potentially get data from your company. We can get trapped in a daily tactical battle to scour through false alarms or resolve the compromise of a user's device or credentials. The problem is that we are not able to see the forest for the trees.

Senior managers are often recognized for their ability to see the big picture and focus on the big rocks.

So, what are these big rocks?

  1. The Map: It may seem straight-forward, but many companies that have extensive applications, data, and devices do not have a map of their business-critical assets, zones, or users. Being able to locate, categorize, and prioritize your assets is a first step to defining risk, and implementing defense in depth, threat monitoring, and threat response.

    [Image: NIST Framework]

    The NIST Framework prescribes a set of activities that help companies achieve cybersecurity outcomes.

  2. The Holes: If you have a leaky boat, the priority is patching the holes that are letting in the most water. The same goes for cybersecurity. Although this seems simple, most companies are not applying a risk-based approach to vulnerability management and patching the systems that are most critical, exposed, and exploitable. You should also perform a gap analysis of your security controls aligned to your map of assets and compared with security best practices defined in any number of frameworks or regulations – then fill the big gaps first.
  3. Top-Level View: It is amazing how clear your security posture can be if you have the right level of visibility. If you are in the trees, focusing on the small rocks, it is hard to see the best path forward and planting more trees before you have a good view will only compound the problem. For cybersecurity effectiveness, organizations should first acquire good threat visibility through collecting enriched log and threat data. And then apply active monitoring and actionable alerting combined with orchestrated and automated threat response. This approach is called Managed Detection and Response. Understanding your high-level security posture and relative risk also requires continuous business intelligence for IT security. Ask your team or managed security services partner for a comprehensive dashboard providing this visibility.
  4. The Plan: Have a plan for success and work through your plan. Too often, we think that if we ignore the noise it will go away or we are caught in the trap of playing whack-a-mole for every compromise without figuring out how to keep the mole out of your yard. Success arrives when you tune your visibility to actionable threats, use your map, patch the right holes, and look at the forest from a high-level view. Only when the noise is reduced and vision focused, are you equipped to implement a comprehensive response plan. Such a plan will include detection of the threat, acknowledgment and triage of next steps, and containment and resolution of the immediate threat to your business. You must fully remediate the cause of the threat, so it does not reoccur. Lastly, your plan should include measuring your security posture and response lifecycle, and always be making improvements.
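"The Holes" above, like the earlier recommendation to adopt a risk-based vulnerability management approach, comes down to ranking findings by what is critical, exposed and exploitable rather than by CVSS alone. The block below is an added example of such a ranking, not Proficio's scoring model: the weights, the asset map and the findings (with placeholder vulnerability IDs, not real CVEs) are constructed, and in practice the exploited-in-the-wild flag would come from a feed such as CISA's Known Exploited Vulnerabilities catalog and the asset data from your asset map or CMDB.

```python
"""Rank vulnerability findings by exploitability, exposure and asset
criticality rather than by CVSS alone. Added example, not Proficio's scoring
model: weights, asset map and findings are constructed; vulnerability IDs
are placeholders, not real CVEs."""

# Constructed asset map: criticality 1 (low) to 5 (business critical).
ASSETS = {
    "web-01": {"criticality": 5, "internet_facing": True},
    "vpn-gw": {"criticality": 5, "internet_facing": True},
    "hr-db":  {"criticality": 4, "internet_facing": False},
    "lab-07": {"criticality": 1, "internet_facing": False},
}

# Constructed scanner findings.
FINDINGS = [
    {"id": "VULN-A", "asset": "lab-07", "cvss": 9.8, "exploited_in_wild": False, "exploit_public": False},
    {"id": "VULN-B", "asset": "vpn-gw", "cvss": 7.5, "exploited_in_wild": True,  "exploit_public": True},
    {"id": "VULN-C", "asset": "web-01", "cvss": 6.1, "exploited_in_wild": False, "exploit_public": True},
    {"id": "VULN-D", "asset": "hr-db",  "cvss": 8.8, "exploited_in_wild": False, "exploit_public": False},
    {"id": "VULN-E", "asset": "web-01", "cvss": 5.3, "exploited_in_wild": False, "exploit_public": False},
]


def risk_score(finding, assets):
    """Multiplicative model: severity x exploitability x exposure x criticality.
    The weights are assumptions; the shape of the model is the point."""
    asset = assets[finding["asset"]]
    severity = finding["cvss"] / 10.0
    if finding["exploited_in_wild"]:
        exploitability = 1.0      # actively exploited: treat as certain
    elif finding["exploit_public"]:
        exploitability = 0.6      # public exploit code, not yet seen in use
    else:
        exploitability = 0.2      # theoretical
    exposure = 1.0 if asset["internet_facing"] else 0.4
    criticality = asset["criticality"] / 5.0
    return round(100 * severity * exploitability * exposure * criticality, 1)


def prioritize(findings, assets):
    """Findings ordered by risk score, highest first."""
    return sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)


def by_cvss(findings):
    """The naive ordering most scanners give you, for comparison."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    print("CVSS order:", [f["id"] for f in by_cvss(FINDINGS)])
    for f in prioritize(FINDINGS, ASSETS):
        print(f"{f['id']}  {f['asset']:7} cvss={f['cvss']}  risk={risk_score(f, ASSETS)}")
```

On the constructed data the CVSS 9.8 finding on an isolated lab machine drops to the bottom, while the CVSS 7.5 flaw on the internet-facing VPN gateway with known in-the-wild exploitation goes to the top. The numbers are not the lesson; the lesson is that the asset map ("The Map") and an exploitation feed are inputs the score cannot do without.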

My recommendation to cybersecurity leaders is to write down your “big rock” objectives and list the key outcomes needed to accomplish them. Your teams will appreciate the clarity of vision and join in your mission to reach these goals on your combined journey.

For more detail on how we help executives achieve their cybersecurity objectives, please feel free to contact us at info@proficio.com.

 

By Brad Taylor | CEO | Proficio