We truly are living in interesting times.
As the threat of COVID-19 spreads fear, uncertainty, and doubt among the global populace, we see threat actors taking advantage of vulnerable organisations and individuals. Here’s a brief list of discoveries relating to COVID-19 themed malicious activity from the past couple of weeks.
Most, if not all, organisations are facing sudden and profound challenges as they look for ways to support employees working from home. Maintaining security in the face of this "office exodus" complicates matters further, and is sometimes, sadly, pushed to one side.
Our own security research has shown a significant increase in Citrix NetScaler Gateways coming online, most likely to provide remote access for a now (im)mobile workforce. That is not, by itself, surprising or concerning. What is concerning is that many of these devices are being brought online without patches or mitigations, specifically for the well known and extremely dangerous CVE-2019-19781, which was first disclosed in December last year. If you are standing one up, confirm that it is running fixed firmware, or at the very least that the vendor's interim mitigation is applied, before the device is reachable from the internet.
As engineers race to build out laptops and stand up new or expanded remote access systems, we must take a brief step back and assess the risk of what we are doing. What questions should be answered before committing the firewall rules that expose the Remote Desktop Gateway you just spent the last day learning how to build (and building)?
Do we have a cyber security policy? Is it up to date? Strong security policies may already exist, but it is important to review them and confirm they are adequate as the organisation transitions to having more people working from home than in the office. The policies need to cover remote access management, the use of personal devices, and updated data privacy considerations for employee access to documents and other information. Also factor in the increase in shadow IT and cloud services that a dispersed workforce inevitably brings.
Are we allowing only work devices, or can any device connect? Employees working from home may use personal devices to carry out business functions, especially if supply-chain delays mean a business-supplied device cannot be obtained. Personal devices will need to be held to the same security baseline as a company-owned device (current patches, disk encryption, endpoint protection), and you will also need to consider the privacy implications of employee-owned devices connecting to the business network.
Will our staff be connecting from untrusted networks such as home or public Wi-Fi? Employees working from home may access sensitive business data over home Wi-Fi networks that lack the security controls, such as firewalls, that a traditional office provides. Far more connectivity will originate from remote locations, which demands greater focus on data privacy and on hunting for intrusions across a much larger number of entry points.
Have we configured auditing, monitoring and security alerting? Personal devices frequently have poor security hygiene, and a workforce at home means the organisation loses much of its visibility of which devices are connecting and how they have been configured, patched and secured. Logging at the remote access gateway (authentication successes and failures, source addresses, session times) is often the only vantage point left, so make sure it is enabled, forwarded to a central location, and actually watched.
Do our staff know about recent scams and ransomware threats? The World Health Organization (WHO) has already warned about ongoing coronavirus-themed phishing attacks and scam campaigns. Continuous end-user education and communication are extremely important and should include ensuring that remote workers can contact IT quickly for advice. Organizations should also consider employing more stringent email security measures. Consider the section at the end of this article as a potential template for educating employees on where to find trusted information.
Can we respond quickly to a ransomware incursion or breach in our current state? A cyber incident that occurs when an organization is already operating outside of normal conditions has a greater potential to spiral out of control. Effective remote collaboration tools — including out-of-band conference bridges, messaging platforms and productivity applications — can allow a dispersed team to create a “virtual war room” from which to manage response efforts. If your organization’s plans rely on physical access or flying in technicians for specific tasks (e.g., reimaging or replacing compromised machines), it may be prudent to explore alternate methods or local resources.
Think about these questions before pushing those changes. Develop mitigations where possible, and where not possible, enable enough audit logging and alerting to ensure you can respond to incidents appropriately.
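As an added example, and not something from the original article, the following Python script shows the kind of audit-log analysis that gives back some of that visibility. It runs over a handful of constructed gateway authentication log lines in a made-up format (real RD Gateway, NetScaler or VPN logs will differ; adapt parse_line() to yours), and flags three patterns worth alerting on: a burst of failures from one source address, one source failing against many different usernames (password spraying), and a successful logon from a source that had just been failing. The thresholds and the ten-minute window are assumptions for the example and should be tuned to your own baseline.

```python
"""Spot brute-force, password-spray and success-after-failure activity in
remote access gateway authentication logs.

The log format below is constructed for this example and is not any
vendor's native format; adapt parse_line() to your gateway's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gateway auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Thresholds are assumptions for this example; tune them to your own baseline.
FAIL_THRESHOLD = 5          # failures from one source within WINDOW
SPRAY_USER_THRESHOLD = 4    # distinct users failing from one source within WINDOW
SUCCESS_AFTER_FAILS = 3     # prior failures that make a success suspicious
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def analyse(lines):
    """Return a list of (alert_type, src, detail, timestamp) tuples."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent_fails = defaultdict(list)   # src -> [(ts, user), ...] within WINDOW
    flagged = set()                    # (src, alert_type) already raised
    for e in events:
        src = e["src"]
        window_start = e["ts"] - WINDOW
        # Drop failures that have aged out of the sliding window.
        recent_fails[src] = [(t, u) for t, u in recent_fails[src] if t >= window_start]
        if not e["ok"]:
            recent_fails[src].append((e["ts"], e["user"]))
            n_fails = len(recent_fails[src])
            users = {u for _, u in recent_fails[src]}
            if n_fails >= FAIL_THRESHOLD and (src, "bruteforce") not in flagged:
                alerts.append(("bruteforce", src, n_fails, e["ts"]))
                flagged.add((src, "bruteforce"))
            if len(users) >= SPRAY_USER_THRESHOLD and (src, "spray") not in flagged:
                alerts.append(("spray", src, len(users), e["ts"]))
                flagged.add((src, "spray"))
        elif len(recent_fails[src]) >= SUCCESS_AFTER_FAILS:
            # A success right after a run of failures is the one to act on first:
            # it may mean the guessing worked.
            alerts.append(("success_after_failures", src, e["user"], e["ts"]))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    "2020-03-20T09:00:01Z gateway auth: result=OK user=alice src=198.51.100.20",
    "2020-03-20T09:01:10Z gateway auth: result=FAIL user=bob src=198.51.100.21",
    "2020-03-20T09:01:25Z gateway auth: result=OK user=bob src=198.51.100.21",
    "2020-03-20T09:05:00Z gateway auth: result=FAIL user=carol src=203.0.113.7",
    "2020-03-20T09:05:10Z gateway auth: result=FAIL user=carol src=203.0.113.7",
    "2020-03-20T09:05:20Z gateway auth: result=FAIL user=carol src=203.0.113.7",
    "2020-03-20T09:05:30Z gateway auth: result=FAIL user=carol src=203.0.113.7",
    "2020-03-20T09:05:40Z gateway auth: result=FAIL user=carol src=203.0.113.7",
    "2020-03-20T09:05:50Z gateway auth: result=FAIL user=carol src=203.0.113.7",
    "2020-03-20T09:06:10Z gateway auth: result=OK user=carol src=203.0.113.7",
    "2020-03-20T09:10:00Z gateway auth: result=FAIL user=alice src=203.0.113.9",
    "2020-03-20T09:10:10Z gateway auth: result=FAIL user=bob src=203.0.113.9",
    "2020-03-20T09:10:20Z gateway auth: result=FAIL user=carol src=203.0.113.9",
    "2020-03-20T09:10:30Z gateway auth: result=FAIL user=dave src=203.0.113.9",
    "this line is deliberately malformed and is skipped by the parser",
]

if __name__ == "__main__":
    for kind, src, detail, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<24} src={src} detail={detail}")
```

On the sample data the script raises a brute-force alert for 203.0.113.7 at the fifth failure, a success-after-failures alert when carol's logon from that address then succeeds, and a spray alert for 203.0.113.9 after it fails against four different accounts; bob's single typo from 198.51.100.21 stays quiet. The same three rules translate directly into a SIEM query once the gateway's real logs are being forwarded.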
Present the residual risks to the business, and make sure every stakeholder knows what you have done to control them. With everything else going on, the last thing any organisation wants to be dealing with is rampant ransomware or a notifiable data breach.
Trusted COVID-19 Information Sources
If you are worried about the spread of coronavirus, we understand. But please, do not click links in sketchy emails, and do not donate to any cause you have not already vetted outside of your email client.
If you want up-to-date information about the virus, please visit the following trusted resources:
The World Health Organization’s main information page on the virus
The WHO’s daily “situation reports”
The WHO’s “Mythbusters” page
The WHO’s public advice guide
The Department of Health’s main information page on the virus
Please stay safe, wash your hands, and patch your systems.