News & Analysis

How Companies Can Weather the Coronavirus Crisis

By Ross McKerchar

Cyber attackers are resourceful and opportunistic. They will move quickly to take advantage of a situation. With COVID-19 now, there is a huge amount of global uncertainty and change right now which criminals are seeking to capitalize on. The risks are amplified by the immediate and unforeseen IT challenges that companies are having ensuring their staff can work from home.

There are two areas which are most likely to result in a cybersecurity incident due to the ongoing crisis: remote access and phishing.

Remote Access

By remote access I’m referring to the myriad ways organizations are allowing their employees to work from home. These range from the obvious “traditional” remote access services, such as VPN and terminal service gateways, as well as cloud-native conferencing and other collaboration tools that organizations everywhere are adopting in a hurry. The key risk is weak authentication of your remote access services.

Organizations have been battling for years to ensure services (particularly when internet-facing) are protected by multi-factor authentication (MFA) and only accessible with centrally-managed corporate accounts (typically held in Active Directory, Azure or Okta).

Doing this well is a real challenge at the best of times and requires IT staff to have intricate knowledge of SAML, OpenID and various other technologies and standards that support our modern identity management. This is, of course, on top of all the legacy technologies (LDAP, RADIUS, Kerberos, etc…) that are still in place to support authentication in traditional architectures. Throw in a global crisis with IT teams worldwide scrambling to keep services accessible and it’s obvious the complexity of identity federation and MFA claims will not be top of mind. This is perfectly understandable and, in most cases, taking risk to get services online is absolutely the right decision.

With business fighting to survive, business continuity and availability should take precedence. The security problems occur for a couple of reasons.

Firstly changes being made quickly on the frontline may not been seen or understood by leaders in the organization better placed to evaluate the resultant risk.

Secondly, even when risk assessments were made, the original premises are probably no longer correct. Only a few weeks ago we were expecting everything to be back to normal in a month or so. It’s now becoming very clear that this new reality may be long term and the window of exposure resulting from poorly protected services could extend months, or even years.

Furthermore, it’s going to be very hard for organization to go back to previous working models once employees realize you can work from home very effectively.

Phishing attacks

Phishing attacks using COVID-19 as a lure are the most visible and immediate cybersecurity risk in the ongoing crisis. This isn’t surprising as we’ve seen attackers use current events as a lure for many years. Unfortunately the risks this time are higher.

Firstly everyone is worried and handling an unprecedented change to their daily lives. High stress situations make everyone hungry for information and less likely to objectively evaluate any message they receive.

Secondly, IT departments and service providers are bombarding us all with legitimate messages about changes to services. Combine these issues and it’s unrealistic to expect employees to accurately identify and report all attacks. You need to assume that some will get through and some staff will be duped.

 What should IT and security leaders do?

There are long term and short term fixes. Long terms fixes boil down to a zero trust approach. There is no doubt this crisis will accelerate the shift towards zero trust architectures. Unfortunately organizations cannot and should not rush in this direction as it requires large IT infrastructure investment and changes to organizational mindset to be executed successfully.

Organizations should thus focus their efforts on tactically reducing risk as quickly as possible. Primarily this means ensuring key services as protected with MFA by any means possible. This is best tackled per service. Organizations need to identify which services are most at risk and most valuable to their adversaries. For organizations with on premise infrastructure and traditional perimeter-based security these are likely to be VPNs and other remote access gateways.

For organizations with cloud infrastructure, the focus should be their identity provider (most commonly Azure or Okta). As the central point for authentication, simply enabling MFA here will get you the biggest and quickest win, especially as both Azure and Okta have integrated MFA capabilities and integrations with popular third party providers such as Duo.

Organizations that haven’t managed to centralize cloud identities will need to look at specific applications and see if they offer their own MFA capabilities. Mail, collaboration, CRM and ERP systems are the obvious places to start. Also consider highly-critical but less widely accessed services such as your security management tools.

As we understand that Criminals are already taking advantage of COVID-19 in their cyberattacks, and remote access and phishing are the two areas most likely to result in a cybersecurity incident, we’ve compiled a list of the top seven steps we recommend all organizations take to mitigate the risk.

  1. Ensure all internet facing services are protected with MFA (SMS-based MFA is better than no MFA)
  2. Patch remote access services – particularly VPN and terminal service gateways.
  3. Monitor phishing reports and get your operations team or MTR service to hunt for associated IOCs.
  4. Check remote clients are still receiving their endpoint security updates.
  5. Ensure your OS, browser, email client and software commonly used to open attachments is set to update automatically.
  6. Disable browser plugin such as Java, Flash and Acrobat.
  7. Use identity federation to ensure all cloud services are accessed with corporate credentials.

Stay vigilant. Coronavirus-related attacks will likely ramp-up over the coming weeks and months.

(The author is chief information security officer (CISO) at Sophos and the views expressed in the article are his own)

Leave a Response