COVID-19 has impacted our personal and professional lives in multiple ways and is likely to do so for at least another six months. On the work front, many of us are now working from home which is a huge change for many who are used to being either at the office or client site amongst human interaction.
The sudden and massive increase in remote working has brought with it multiple challenges. Remote access infrastructure is coming apart at the seams as most organisations’ remote access infrastructures are designed to cater for just 20% of their workforce working from home at any given point in time. This risk is exacerbated by adversaries who see this as an opportunity to steal more data and other commodities they prize. As COVID-19 distracts our attention, malicious cyber attackers see this as an opportunity to exploit any gaps in our control measures to get what they desire. As the saying goes, “never let a good crisis go to waste”!
The good news is that there are a few simple things that we can focus on to reduce our attack surface and show resilience in the face of adversity. I will first discuss the risks and then suggest some countermeasures.
The following are the key risks and corresponding countermeasures are emerging as a result of COVID-19:
Risk 1: VPN not scaling as needed – Current VPN infrastructure is set up to cater for 20% of the work force working from home. With the number of remote workers rising to 80-90% due to COVID-19, VPN infrastructure are running out of capacity, resulting in costly and time consuming upgrades required to VPN infrastructure.
Countermeasure: Deploy technology that allows client machines access to critical servers without using the VPN. Technology currently exists that effectively creates a cloaked, cryptographic peer to peer network between the end points and servers freeing up the load on the VPNs while providing access based on least privilege.
Risk 2: VPN allowing unnecessary access – VPNs, by nature, allow an employee full access to resources once they have authenticated to the network. This may be ok when they are within the confines of an office environment, but may not be the case if they are working remotely. In general, 80% of employees will only need access to 20% of the infrastructure and applications. Therefore, it makes sense to restrict access to this 20%to reduce the attack surface and follow the” principle of least privilege” i.e. limit access rights for users to the bare minimum permissions they need to perform their work.
Countermeasure: Again technology exists that not only allows users access to critical applications securely, but allows granular access controls based on identities. This not only restricts access to the required application, but also enforces granular role based access controls greatly reducing the attack surface.
Risk 3: Increased risk from phishing and ransomware attacks on endpoints, servers and backup infrastructure – the volume of phishing attacks related to COVID-19 is increasing. Adversaries use interest in, and concern about, COVID-19 as a means to trick users into click on malicious links or download malicious apps that spread ransomware, harvest credentials, and so on.
Countermeasure: The same technology mentioned above cloaks endpoints and servers making them invisible to network mapped (nmap) scans, making them very difficult to hack. This technology can also integrate with your SIEM or other security software which, upon detection of a security incident, can instruct the software to isolate the endpoint or server preventing east-west infection. This software can cryptographically segregate and cloak your backup infrastructure preventing ransomware encrypting backups. These controls must be augmented by good user education about the risks of phishing, downloading malicious apps and other cybersecurity hygiene, as well as good email and web filtering technology that can prevent phishing emails and other malicious downloads.
Risk 4: Attacks on endpoints – as more endpoints make it out into the open as a result of growing BYOD and mobility, adversaries increasingly target them to exploit endpoint vulnerabilities and use them as a conduit to get a foothold into corporate environments. The big issue is that many organisations have been forced to allow BYOD due to not having sufficient laptops available to rapidly move their workforce to a remote working environment. It’s these BYOD devices that are of particular concern as they may not have the same controls in place as corporate endpoints.
Countermeasure: As above, cloaked endpoints that are invisible are near impossible to hack. This is particularly important as a single mitigating control for BYOD devices that may not be as secure as corporate devices. Additional controls such advanced malware protection, host intrusion detection systems, host firewalls and adequate patching should be implemented. Also consider disk encryption and multifactor authentication.
Risk 5: Man in the Middle attacks – as users increasingly work from home, their communication channels become targets. Adversaries seek to intercept communications, such as via a compromised wireless access points, in order to steal critical data such as passwords.
Countermeasure: The same technology mentioned in 1-4 above will also encrypt all traffic between endpoints and servers using IPSEC VPN tunnels. The keys used are ephemeral keys thus removing the need for complex key management and risks around discovery and replay.
NOTE: The big advantage of using one technology to achieve these five controls is ease of deployment and management which is critical given the current situation. Please also note that a lot of the controls discussed in 1-5 are key to a zero trust architecture hence the use of a common control plane to address these risks.
Risk 6: Vulnerabilities at vendors and third parties – your vendors and third parties are likely to be facing the same issues as you are. Ensure that your vendors and third parties have the necessary controls in place so as not to put themselves and your organisation at risk.
Countermeasure: Have an open discussion with vendors and third parties around the increased risks due to COVID-19. Ensure that they have the relevant controls in place to safeguard their data and yours. Where vendor and third party controls are found to be lacking, access can be restricted using the software discussed in risks 1-5 above to specific areas of the environment, thus containing any potential intrusions.
Risk 7: Denial of Service attacks and hiding malicious traffic with legitimate external traffic – adversaries can also use the increased external traffic coming into organisations as an opportunity to overwhelm your external and web infrastructure via a Denial of Service attack, or hide malicious traffic amongst the increased legitimate external traffic to evade detection. This malicious traffic could be as a result of compromised endpoints or stolen credentials which can easily go undetected due to the rapid change to a remote working environment.
Countermeasure: Talk to your telcos and other providers of denial of service mitigation services to help mitigate these types of attacks. An additional investment in user and network behaviour analysis, combined with the controls discussed above, can assist with detecting malicious traffic masquerading as legitimate traffic.
Risk 8: Inadequate Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) measures – unfortunately a lot of organisations were unprepared for how fast COVID-19 came into play. As a result, many organisations scrambled to rapidly roll-out remote working facilities. Unfortunately this mean that many put cybersecurity requirements as a secondary concern, providing opportunities for adversaries to exploit potential control gaps.
Countermeasure: A key lesson from COVID-19 is that organisations must always be resilient and a big part of this is to ensure you have a robust, up to date and well tested BCP and DRP plans.
There are a lot of lessons to be learnt from COVID-19. With climate change and ease of global travel, unfortunately, COVID-19 may not be the last of this type of event. CISOs must focus on cyber resilience to ensure their organisations can survive another bushfire or COVID-19 event. I have discussed 8 key risks and countermeasures that will go a long way towards helping an organisation’s resilience. My only request is that you look at your organisation and ask if you it is resilient enough. Then start working on a plan to immediately address any gaps exposed by COVID-19.