Due to coronavirus crisis, companies are seeing an unprecedented amount of remote work.
While this move creates obvious challenges for IT in terms of infrastructure and capacity, it’s also creating challenges for security teams as they push to scale remote work on a rapid and global level.
Many are utilising remote working systems that have not been operationally tested as part of their core security operations monitoring. For many, the likely result is fewer security alerts and issues because the corporate infrastructure will not be subject to the same levels of usage in areas such as internet browsing, and users may be working from web-based applications on non-company-sanctioned assets.
For security operations centre (SOC) analysts, this may seem like a heavenly situation: Fewer false positives to deal with, lower likelihood of security policies being broken and more time to deal with all those things they want to concentrate on but never had the time for before.
But fewer alerts does not equate with being more secure; rather it might mean you are more blinded by the lack of visibility. Lack of visibility does not equate to a lack of security vulnerabilities.
Gartner recommends that security leaders consider these new risks to our organisations:
Will we even know that data and systems are being compromised?
Are we now dependent on a wide range of key remote working solutions that don’t have proper resilience?
Once all this is over, will we know where all our sensitive data resides?
Are we still compliant with the IT security regulations that we need to be?
Gartner further suggests that organisations gather a team that includes not just management, but a variety of security skill sets. The goal should be to help security operations prioritise a strategic response to this potential crisis so that they are not negligent.
This team should answer a couple of the key questions:
- Are we still looking in the right direction? Are the use cases, security data sources, endpoint agents, and more all focused on the areas that will keep our business in business, and are there any massive gaps?
- Do we have a plan to revert to normal working when all this is over? How are we recording where our data is going, and how do we make sure it remains secure?
- Are we still running the right security operations model?
The solution to these issues lies in solid processes, not technology, according to Gartner.
The goal is twofold: establish a set of priorities for the security operations team; and focus on an adjusted set of business risks. But don’t neglect to establish a path to return to normal in a non-disruptive way when the time comes.
As business requirements shift and flex in the current environment, Gartner stress that security use cases will require reevaluation. First, companies need to account for any new data sources and new ways of working. Second, they should think about the protection of new key business enablers (such as remote working platforms or VPNs).
Part of this process will be to meticulously document all changes so they can be reversed at a later date, understanding and recording where everything that creates new risk now resides. Even if these are strategic changes, evaluate carefully, as most are probably tactical at this point.
Companies will need to reevaluate the path taken to ensure it is robust.
The security part of the business needs to move quickly on this, Gartner adds. It’s not just a question of “Can our security operations and SOC analysts work remotely?” but also “What new risk does this bring?” and “Have our security priorities changed?”
Whether these changes are purely for our internal teams or whether we have to engage our security service providers about moving faster to change based on new requirements, it’s clear that organisations need to complete a due diligence exercise to make sure that what they are doing to protect the organisation matches the objectives set to keep cyber risk low.
The phishing threat
Cyber-criminals are having a field day with to many users now working remotely.
Linda Misaeur, head of global solutions at Striata, points out that the rush to equip workers with remote tools has opened up new risks.
“With employees already one of the biggest points of vulnerability, cybercriminals have taken the gap presented by the crisis, with an observable spike in phishing emails as major markets went into lockdown mode,” she says.
While the rise in phishing attacks over the past few weeks has been extraordinary – security consultancy Barracuda has recorded a 667% spike in attacks globally, since the start of March – it’s important to remember the context in which it occurred, Misauer adds.
“As companies prepared to go into lockdown, it was obviously important that they communicate to their customers what their plans were and whether they’d be able to service them during the lockdown. For good reason, most companies chose to do so via email.
“Similarly, organisations (especially large ones) would’ve been sending out volumes of internal communication detailing remote work plans and guidelines when the crisis was in its infancy.
“Amidst that deluge of communication, it would’ve been all too easy for ordinary employees to fall prey to targeted phishing attacks.”
As people adapt to lockdown conditions, however, she says the number of communications sent and received will level out and eventually return to pre-lockdown numbers.
Organisations should have learnt some lessons from the rush of phishing attacks over the last couple of weeks, and they have the opportunity now to prepare employees for future phishing attempts, Misauer says.
“It’s imperative that organisations remind employees of what they’ll never ask them to do via email. They should also emphasise that employees be doubly cautious of any email that asks them to click a link, open an attachment, or verify their details.
Organisations should also make it clear how and where to report suspicious emails.
Researchers at Check Point have observed a drastic rise in the number of “Zoom” domains registered in the last week.
Since the advent of the Covid-19 pandemic in January, 1700 new domains containing the word “Zoom” have been documented: 25% (425 domains) of them in just one week in March.
Check Point deems 70 of these domains as suspicious.
The numbers reinforce the trend of hackers taking advantage of millions now working from home through Zoom, the popular video conferencing service used by over 60% of the Fortune 500.
In addition, Check Point Research has observes new phishing websites for each one of the leading communication applications , including googloclassroom\.com and googieclassroom\.com, which impersonate the official classroom.google.com website.
Malicious files with names such as “zoom-us-zoom_##########.exe” have also been spotted.
The running of these files lead to an installation of the infamous InstallCore PUA on the victim’s computer, and could potentially lead to additional malicious software installation. InstallCore is a potentially unwanted application that installs other potentially unwanted applications and threats onto the computer.
Omer Dembinsky, Check Points’ manager for cyber research, comments: “The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure and exploit. Each time you get a Zoom link or document messaged or forwarded to you, I’d take an extra look to make sure it’s not a trap.”
How to keep people safe
As the threat to remote workers grows, every business owner and employee needs to take a new steps to ensure that they are practicing safe computing.
This is the word from Henk Olivier, MD of Ozone Information Technology Distribution, who offers the following check list:
- First, keep your data safe and secure. Ensure that every system the employee uses is password protected and that it uses a password that can actually be defined as secure. You want complex passwords that consist of eight or more digits that include caps, symbols and numbers. Do not let anyone log into the system with a password like qwerty or 1234. In the same vein, only give employees VPN access to the company data that they need, not to all company data. Set your data permissions per user to avoid any potential risk – data can be infected remotely by a compromised user so it’s best to keep any possible damage to a minimum.
- Secondly, prevent your employees from abusing the network. Create an IT policy that clearly outlines company equipment, internet and email usage so that employees understand what they can and cannot do with company resources. This will not only reduce risks but misuse which can lead to unexpected vulnerabilities.
- Thirdly, monitor employee working productivity. It’s important to ensure that employees are performing but balance this – implementing draconian working regimes will do little for morale or productivity in trying times. It’s a good idea to implement daily calls for each department that are short and run by a tight agenda. Ten minutes tops to allow people to feed back issues, outline work goals and prepare for the day. You can install software that monitors an employee’s productivity so you can see how long they spend on different programmes or the internet but this should be used with caution. Over policing people can have the opposite effect.
- Fourth, you will need to ensure that all software products and security updates on employee computers are up to date. Put an antivirus onto every computer, and then put training in place. Do not let people connect to the business VPN from a free or public WiFi network, do not let them install any software onto the company hardware, and do not let them download and install anything that hasn’t already been verified by IT. It is extremely easy for someone to pretend to be from a security software company or from a software company and con employees to handing over passwords or downloading computer access programs to their machines. Just one click on a .exe can bring the entire system crashing down.
Finally, Olivier says, the following list of employee dos and don’ts should be circulated throughout the company and reiterated regularly:
- Do not use the work email address to register for any newsletters or online websites that are not work related.
- Do not open any unknown sender emails or attachments.
- Do not use the work computer internet as a WiFi hotspot for other devices to connect.
- Do not copy data from removable hard drives to the company’s hardware.
- Do not use weak or easily hacked passwords.
- Do install antivirus software and run it regularly.
- Do check if an attachment or link sent from another employee’s email address is real before clicking.
- Do avoid downloading unknown software from the internet, no matter how reliable the site claims to be.
- Do report any suspicious activity to IT support such as sudden machine slowdowns, inaccessible data or weird software behaviour.
Cyril Voisin, chief security advisor at Microsoft, points out that many workers are battling to get to grips with the new way of working – and so they’re probably paying less attention to cyber-threats than usual.
“The reality is that many medium and large companies will already have provisions in place for secure home working,” he says. “However, many small companies sending their employees home to work for the first time are potentially more exposed.
“The good news is there are several basic and quick to implement ways they can help their remote workforce remain safe and secure during this time of unprecedented change.”
Voisin cites four best practice procedures for your business to follow:
- Implement multi-factor authentication – The most important thing to bear in mind is that remote workers still have access to all your company data, information and network. They’re now just accessing all that highly sensitive information through a greater number of devices and using a wider range of internet connections. This creates the perfect climate for hackers to go on phishing expeditions, particularly more targeted phishing campaigns with a view to accessing high profile credentials. Implementing multi-factor authentication (MFA) requires users to provide multiple credentials in order to log on and gain access, making it much harder for unauthorised users to break in.
- Identify official chat tools – Now more than ever, employees will be using chat tools to communicate and collaborate with one another. And while you want to encourage this for the sake of business continuity, you also need to make sure these applications are secure. Without the right security measures in place, cyber criminals can take advantage of these apps and deceive users into downloading malicious links. One way to avoid this is to designate official chat tools with built-in security features so that employees are provided with a safe and convenient alternative.
- Secure access to cloud apps – Though it’s fair to say most employees will likely be accessing your network from their work laptops, it’s likely you’ll still experience an increase in the number of personal devices accessing your company data. Because not all of these devices are secure, it’s advisable to use a platform like Conditional Access to secure access to cloud applications.
- Instil greater awareness among employees – Now more than ever employees themselves need to be aware of possible phishing threats. Make sure they’re aware of the warning signs – for example, urgent mails that make use of emotive language and call for a departure from company policy, and guide them as to where they can report suspicious activity. Now is also a good time to remind them of the need for strong passwords and suggest they change weak ones, especially on personal devices they now plan to use for work. Employees also need a basic understanding of conditional access policies and what their devices need to connect to the corporate network, like up-to-date anti-malware protection. This way employees understand if their access is blocked and what they need for it to be re-instated. It’s also a good idea to provide your staff with clear communication around connecting securely to the Internet.