As many countries enter their second full month of Covid-19 lockdown, its impact on the threat landscape and enterprise cybersecurity is starting to become clear. I spoke to several experts a few weeks back for an Infosecurity Magazine news feature on the topic.
Some of the key challenges facing organisations are in enabling secure remote working en masse without impacting productivity.
“The fact that employees are transitioning to working from home is the key risk. All these employees are now working in new environments using technology and processes they are not used to, something bad guys will take advantage of,” SANS Institute director of security awareness, Lance Spitzner, told me.
“All of this change creates an environment where it is very simple for bad guys to take advantage of and trick people working from home for the first time. They don’t have all the security technology protecting them at home that they normally would at work.”
The SANS guide to secure home working advises users to: be suspicious of any emails trying to create a sense of urgency to click through or enter info; take steps to protect home Wi-Fi (change default passwords and restrict access); create strong passwords on any websites; ensure all devices are running the latest software; and don’t let family and friends use work devices.
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, agreed that users are at the frontline when it comes to tackling Covid-19 cyber-threats.
“We recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defences at the network edge, email gateway, in the cloud, and at the endpoint, along with strong user education,” he told me.
“Users should be encouraged to approach all unsolicited emails with caution, especially ones that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials.”
Restricting users according to least privilege policies is also a must-follow best practice, as hackers go after VPN log-ins to directly access data and applications, DeGrippo added. In fact, there have been widespread reports of cyber-criminals targeting remote access infrastructure; not only via phishing emails and brute forcing but also exploiting unpatched vulnerabilities. Microsoft has warned of APT-like behaviour from many well-known ransomware groups, which are targeting hospitals.
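The brute forcing of VPN log-ins mentioned above is something a SOC can spot in its remote-access gateway logs. The script below is an added example, not code from the article or from any of the vendors quoted in it: it reads a constructed, simplified authentication log (the line format, the sample addresses and the five-failures-in-five-minutes threshold are all assumptions for this illustration; a real appliance's log format and a sensible threshold will differ) and flags three patterns a defender cares about: many failures for one account from one source, many failures across several accounts from one source (password spraying), and a successful log-in from a source that has just produced a burst of failures, which is the case that warrants an immediate look.

```python
"""Detect brute-force and password-spray patterns against a VPN gateway.

Added example, not from the article. The log line format below is a
constructed simplification; adapt LINE_RE to the real gateway's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape, e.g.
# "2020-04-20T08:00:01Z vpn-gw: auth FAILED user=alice src=203.0.113.10"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw: auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)  # look-back window per source address (assumption)
THRESHOLD = 5                  # failures within WINDOW that trigger an alert (assumption)

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2020-04-20T08:00:01Z vpn-gw: auth FAILED user=alice src=203.0.113.10
2020-04-20T08:00:02Z vpn-gw: auth FAILED user=bob src=203.0.113.10
2020-04-20T08:00:03Z vpn-gw: auth FAILED user=carol src=203.0.113.10
2020-04-20T08:00:04Z vpn-gw: auth FAILED user=dave src=203.0.113.10
2020-04-20T08:00:05Z vpn-gw: auth FAILED user=erin src=203.0.113.10
2020-04-20T08:00:09Z vpn-gw: auth OK user=erin src=203.0.113.10
2020-04-20T08:01:00Z vpn-gw: auth FAILED user=frank src=198.51.100.7
2020-04-20T08:01:30Z vpn-gw: auth OK user=frank src=198.51.100.7
2020-04-20T09:30:00Z vpn-gw: auth FAILED user=alice src=192.0.2.44
2020-04-20T09:30:01Z vpn-gw: auth FAILED user=alice src=192.0.2.44
2020-04-20T09:30:02Z vpn-gw: auth FAILED user=alice src=192.0.2.44
2020-04-20T09:30:03Z vpn-gw: auth FAILED user=alice src=192.0.2.44
2020-04-20T09:30:04Z vpn-gw: auth FAILED user=alice src=192.0.2.44
2020-04-20T09:30:05Z vpn-gw: auth FAILED user=alice src=192.0.2.44
"""


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert dicts for the suspicious patterns found in log_text."""
    alerts = []
    failures = defaultdict(deque)  # src -> recent (timestamp, user) failures
    flagged = set()                # sources already reported, to avoid repeats

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the detector
        ts, result, user, src = parsed

        recent = failures[src]
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop failures that fell out of the window

        if result == "FAILED":
            recent.append((ts, user))
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                users = sorted({u for _, u in recent})
                # one account hammered -> brute force; many accounts -> spraying
                kind = "password_spray" if len(users) > 1 else "brute_force"
                alerts.append({"kind": kind, "src": src,
                               "failures": len(recent), "users": users})
        elif len(recent) >= threshold:
            # a success right after a burst of failures is the urgent case
            alerts.append({"kind": "success_after_failures", "src": src,
                           "failures": len(recent), "users": [user]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector reports a password spray from 203.0.113.10, then a successful log-in from that same source (the account that should be forced to re-authenticate with MFA and have its sessions reviewed), and a single-account brute force from 192.0.2.44; the lone failure followed by a success from 198.51.100.7 is treated as an ordinary mistyped password.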
Time to automate?
However, aside from the uptick in Covid-themed phishing, which is delivering crypto-jacking malware, ransomware, info-stealers and more, the pandemic has forced IT security teams to work in different ways. Michael Armistead, co-founder and CEO of Respond Software, argued that SOCs and security departments are faced with both minor and meta challenges.
“Making sure practitioners can perform their jobs remotely with adequate bandwidth and communication platforms, and have the ability to act on security incidents will be a challenging undertaking for many firms,” he told me.
“I believe many of those tools and platforms are in place … but you just never know how well they will work in practice if an organisation is now distributed for the first time. Still, I’d count these very real and very practical issues as minor because they can be solved in relatively short order.”
In fact, emerging research suggests that security teams are struggling. A global poll by industry body ISACA found that only 59% of members feel their cybersecurity team has the right tools and resources at home to perform their job effectively. Tellingly, just 51% are highly confident that these teams are ready and able to detect and respond to rising volumes of threats. A separate study from (ISC)² revealed that nearly half (47%) of global security professionals have been taken off some or all of their typical tasks to support other IT-related jobs, like WFH. A third report, from Barracuda Networks, ominously suggested that 41% of firms have actually cut IT security budgets to save money during the crisis.
In fact, investments in specific technologies could be a smarter way of reducing costs and improving security outcomes during the crisis, according to Armistead.
“The situation screams out for automation to relieve the pressure on people to sift through mountains of data and to act quickly,” he said. “SOCs and IT security teams need to look at their processes and procedures in light of the distributed workforce. Do they make sense and how quickly can issues be resolved?”
The immediate future remains uncertain, but if remote working is to become more widespread as the pandemic recedes, IT and security leaders had better adapt to the new reality fast.
The UK has a profound productivity problem. Growth has been flat over the past decade and still lags pre-financial crisis levels. In this environment it’s vital that IT departments support employee demands for more flexibility in where and how they work.
Employers must provide flexible working options by law in the UK. But beyond this, it just makes good business sense, helping improve job satisfaction, reduce churn, and drive that elusive productivity. It could even help firms to downsize offices to lower rent and overheads. The big problem is the cybersecurity risks it introduces.
I spoke to some experts for an upcoming Infosecurity Magazine feature to find out more.
Duo Security’s Trusted Access Report notes that over 40% of requests to use corporate applications come from outside the secure corporate network.
“Users are demanding flexible working conditions to perform their jobs, and security needs to enable these practices as well as not inhibit them; otherwise users will just find workarounds. The risk may be increased as users log in to unprotected Wi-Fi spots that may have been set up to deliberately trap them or be infected by malware to perform attacks,” the vendor’s advisory CISO, Richard Archdeacon, told me.
“This way of working enables a situation where a hacker using remote access with stolen credentials may be able to perform a sophisticated attack. We need to ensure that users are aware of this risk and that their endpoint devices are as up to date as possible, which will help reduce the potential of compromise.”
A Zero Trust approach, in which the default setting is to assume users and devices have been compromised, offers a way forward, he claimed. It should include not just security on each mobile endpoint but also multi-factor authentication (MFA) so that remote workers can prove they are who they say.
Raghu Konka, iPass VP of engineering, pointed to the risk of passive data collection and man-in-the-middle attacks via public Wi-Fi, as well as “untrusted sources” such as websites and email attachments.
“Rather than everything being neatly secured on the company’s network in an office building, mobile workers can be accessing data from anywhere, and this opens them up to a number of threats,” he told me.
“Malware downloaded onto the victim’s devices in these attacks can be used to steal personal, financial or business information or lock access to data. Email fraud is another growing concern for enterprises when employees work remotely, as these workers are used to receiving instructions or conducting business via email rather than face-to-face, and therefore may not see the need to verify that the requests are legitimate.”
For SANS instructor Lee Neely, the flexible working risk can be split into two components: security of the connection and security of the environment.
“Users working from locations outside the corporation pose physical risks, as in theft of the device, unauthorised observation of the contents, and possibly non-employees having access to the device,” he said of the latter.
“Screen protectors, full disk encryption, and replacement of sleep mode with hibernate go a long way here, but still cannot protect an open system which is grabbed out of a user’s possession. Sandboxing with authentication to access corporate information in those areas can reduce the likelihood of access on a shared system, but you cannot get to zero risk.”