Written by Ross McKerchar, CISO, Sophos
Cyberattackers are resourceful and opportunistic. They will move quickly to take advantage of the situation. COVID-19 is no different. There is a huge amount of global uncertainty and change right now which criminals are seeking to capitalize on. The risks are amplified by the immediate and unforeseen IT challenges that companies are having ensuring their staff can work from home.
There are two areas that are most likely to result in a cybersecurity incident due to the ongoing crisis: remote access and phishing. Below is a set of prioritized recommendations to prevent, or at least mitigate, these issues.
This refers to the myriad ways organizations are allowing their employees to work from home. These range from the obvious “traditional” remote access services, such as VPN and terminal service gateways, as well as cloud-native conferencing and other collaboration tools that organizations everywhere are adopting.
The key risk is weak authentication of your remote access services. Organizations have been battling for years to ensure services (particularly when internet-facing) are protected by multi-factor authentication (MFA) and only accessible with centrally-managed corporate accounts (typically held in Active Directory, Azure or Okta).
The security problems occur for a couple of reasons. Firstly changes being made quickly on the front line may not been seen or understood by leaders in the organization better placed to evaluate the resultant risk. Secondly, even when risk assessments were made, the original premises are probably no longer correct.
What should IT and security leaders do?
There are long term and short term fixes. Long terms fixes boil down to a zero-trust approach. There is no doubt this crisis will accelerate the shift towards zero trust architectures.
Organizations should focus their efforts on tactically reducing risk as quickly as possible.
Primarily this means ensuring key services as protected with MFA by any means possible. This is best tackled per service. Organizations need to identify which services are most at risk and most valuable to their adversaries. For organizations with on-premise infrastructure and traditional perimeter-based security these are likely to be VPNs and other remote access gateways.
For organizations with cloud infrastructure, the focus should be their identity provider (most commonly Azure or Okta). As the central point for authentication, simply enabling MFA here will get you the biggest and quickest win, especially as both Azure and Okta have integrated MFA capabilities and integrations with popular 3rd party providers such as Duo.
Making tough trade-offs
Even these tactical options are not easy and compromises will need to be made. The exact balance of trade-offs will be different for every organisation but here are some considerations:
If you’re backhauling client traffic to scrub, allowing “Split VPNs” (where clients go direct to the internet) is the quickest way to gain capacity and likely less risky than exposing squishy, insecure internal services directly online.
However this does depend on your clients having well-patched browsers and, ideally, endpoint based web-protection. Also be aware that if you have SaaS services relying on clients coming from known corporate IP addresses don’t simply turn off that control – replace it with MFA!
Centralized vs de-centralized MFA
Attaching MFA to your identity provider allows for a common experience across all applications. This is undoubtedly less confusing for staff and easier to rollout. It’s also a much longer route if you don’t have a centralized identity service.
There’s a lot of very valid concerns about SMS-based MFA. It’s also the simplest and quickest way to get MFA enabled, particularly as staff will likely be familiar with it.
If you’re spinning up new services (e.g. video-conferencing) and are unable to setup federated identity, employees are going to need to remember even more passwords. The biggest risk with this is password reuse. You can’t reasonably expect employees to remember dozens of unique passwords. A password manager is the best tool to get around this problem.
Beyond MFA there are a couple other related remote-access risks to consider:
VPN and Remote access gateway vulnerabilities
Patching critical infrastructure probably feels risky right now. Unfortunately in the past few months there have been some very serious vulnerabilities in common remote access equipment. If you have a vulnerable service you need to patch immediately. Just have a backup plan in-case the device fails to patch.
Endpoint security updates
Check your infrastructure to make sure that you are still receiving updates from your endpoint security provider. If you have a cloud-based management you’re probably ok but if not, it’s essential that your clients can reach updating services. This requires checking that your VPN allows access to your update server(s) (and that you have capacity).
Phishing attacks using COVID-19 as a lure are the most visible and immediate cybersecurity risk in the ongoing crisis. Firstly everyone is worried and handling an unprecedented change to their daily lives. High stress situations make everyone hungry for information and less likely to objectively evaluate any message they receive.
Secondly, IT departments and service providers are bombarding us all with legitimate messages about changes to services. Combine these issues and it’s unrealistic to expect employees to accurately identify and report all attacks. You need to assume that some will get through and some staff will be duped. Accepting this allows you to focus on being resilient to attacks rather than hoping to avoid them.
Credential phishing, whereby the attackers put up a fake login page to trick staff into entering their credentials, is the most common form of phishing. MFA is a great form of defense against this.
By encouraging phishing reports from staff you can warn others, and if you have a security operations team (or service), even analyse the attack to identify indicators or compromise to feed into threat hunting processes.
Endpoint and email defenses
Your security software has multiple chances at catching a phishing attack. The more chances you give it the better the overall protection:
- It can refuse to even receive the email as it knows it’s coming from spammer.
- It can scan the email and all the attachments and URLs in order to block it.
- Web filtering can block connections to malicious websites or spot a malicious payload on the site.
- Endpoint software can spot malicious files and behavior should all the previous defenses fail and the employee ends up running something malicious on their system.
The better-configured and effective all these defenses are the less likely an attacker will manage to evade everything.
Drive-by-downloads are less common nowadays but still a real risk. Patching browsers, mail clients and applications (such as Microsoft Office) which are regularly used to open attachments will limit the really nasty attacks that rely on minimal user-interaction.
Lastly, there are few reasons to be running browser plugins such as Flash, Java, etc. nowadays – disable them if you possibly can, it’s much easier and safer than trying to keep them update. Stay vigilant. Coronavirus-related attacks will likely ramp-up over the coming weeks and months.