The world is witnessing an unprecedented crisis and uncertainty due to the coronavirus outbreak. And opportunistic cybercriminals are quick to take advantage of the situation.
These criminals are seeking to capitalise on the immediate and unforeseen IT challenges that companies are having to ensure their staff can work from home. Hence, organisations need to expeditiously prevent, or at least mitigate, these critical issues.
According to Ross McKerchar, Chief Information Security Officer at Sophos, there are two areas that are most likely to result in a cybersecurity incident due to the ongoing crisis – remote access and phishing.
Remote Access
Most organisations are allowing employees to work from home. These range from the obvious “traditional” remote access services, such as VPN and terminal service gateways, as well as cloud-native conferencing and other collaboration tools that organisations everywhere are adopting in a hurry. The key risk is weak authentication of your remote access services.
Organisations have been battling for years to ensure services (particularly internet-facing) are protected by multi-factor authentication (MFA) and only accessible with centrally-managed corporate accounts (typically held in Active Directory). Doing this well is a real challenge at the best of times and requires IT staff to have intricate knowledge of SAML, OpenID and various other technologies and standards that support our modern identity management. This is, of course, on top of all the legacy technologies (LDAP, RADIUS, Kerberos, etc.) that are still in place to support authentication in traditional architectures.
With business fighting to survive, business continuity and availability should take precedence. The security problems occur for a couple of reasons. Firstly, quick front line changes may not be seen or understood by leaders in the organisation. Secondly, even when risk assessments were made, the original premises are probably no longer correct. Only a few weeks ago we were expecting everything to be back to normal in a month or so. It’s now becoming very clear that this new reality may be long term and the window of exposure resulting from poorly protected services could extend months, or even years. Furthermore, it’s going to be very hard for organisation to go back to previous working models once employees realise you can work from home very effectively.
In short, organisations must not assume they will quickly be able to remove all these risky internet-facing services. They instead need to figure out how to secure them.
There are long term and short-term fixes. Long terms fixes boil down to a zero-trust approach. There is no doubt this crisis will accelerate the shift towards zero trust architectures. Unfortunately, organisations cannot and should not rush in this direction as it requires large IT infrastructure investment and changes to organisational mindset to be executed successfully. Organisations should thus focus their efforts on tactically reducing risk as quickly as possible.
Primarily this means ensuring key services as protected with MFA by any means possible. This is best tackled per service. Organisations need to identify which services are most at risk and most valuable to their adversaries. For organisations with on-premise infrastructure and traditional perimeter-based security these are likely to be VPNs and other remote access gateways. For organisations with cloud infrastructure, the focus should be on their identity provider. As the central point for authentication, simply enabling MFA here will get you the biggest and quickest win. Organisations that haven’t managed to centralise cloud identities will need to look at specific applications and see if they offer their own MFA capabilities.
Phishing
Phishing attacks using COVID-19 as a lure are the most visible and immediate cybersecurity risk in the ongoing crisis. This isn’t surprising as we’ve seen attackers use current events as a lure for many years. Unfortunately, the risks this time are higher.
Firstly, everyone is worried and handling an unprecedented change to their daily lives. High-stress situations make everyone hungry for information and less likely to objectively evaluate any message they receive. Secondly, IT departments and service providers are bombarding us all with legitimate messages about changes to services. Combine these issues and it’s unrealistic to expect employees to accurately identify and report all attacks. You need to assume that some will get through and some staff will be duped. Accepting this allows you to focus on being resilient to attacks rather than hoping to avoid them.
Credential phishing, whereby the attackers put up a fake login page to trick staff into entering their credentials, is the most common form of phishing. MFA is a great (albeit not always perfect) form of defence against this.
The better-configured and effective your endpoint and email defences are, the less likely an attacker will manage to evade everything. Also, by encouraging phishing reports from staff, you can warn others, and if you have a security operations team (or service), even analyse the attack to identify indicators or compromise to feed into threat hunting processes.
Conclusion
To summarise, the unprecedented situation created by Covid-19 has the ability to create an unprecedented security situation in the IT landscape. To avoid “IT lockdown”, it is imperative for CIOs and CISOs to revisit their IT building blocks and start improving the security around them to avoid “IT distancing”. Criminals are already taking advantage of COVID-19 in their cyberattacks, and remote access and phishing are the two areas most likely to result in a cybersecurity incident. We’ve covered a number of steps you can take to mitigate this risk. Stay safe!
