Six Tips for Working (Cyber) Safely from Home During COVID-19

The past two decades have witnessed a number of disruptive events: 9/11, the financial crisis of 2007-2009 and the Ebola outbreak of 2014-2016. Fortunately, most of these events affected only a few industry sectors at a time, or were limited in geographic scope. By contrast, COVID-19 is a game-changer. In the words of one prominent CEO, the impact of the virus has been described as “worse than 9/11 and the financial crisis combined.”  With countries, states and municipalities issuing “shelter in place” or other lockdown orders, more people than ever before are working remotely from their homes while simultaneously caring for children or other family members.

This sudden shift to working from home significantly raises cyber risks to businesses. The FBI, US-CERT, and the United States Secret Service have warned of a sharp increase in cybersecurity attacks and scams, designed to steal personal information, trade secrets and other forms of data. This includes information related to possible treatments or vaccines related to COVID-19, along with an upsurge in ransomware attacks. Reportedly, several hospitals and healthcare organizations treating COVID-19 patients reportedly have been recently attacked.

Some helpful links that address these threats are found here:

• COVID-19 Exploited by Malicious Cyber Actors
• Coronavirus Fraud Schemes Surge, as FBI, HHS OIG Advise Cyber Hygiene
• Defending Against COVID-19 Cyber Scams
• COVID-19 Complication: Ransomware Keeps Hitting Healthcare

Additionally, in this uncertain time, there are several things you and your organization can do to help “flatten the curve” of COVID-19 cybersecurity risks.

1. Secure and harden your Virtualized Private Network (VPN)

In recent years, the VPN has been a convenient tool for executives and employees to safely work remotely. While access has predominantly consisted of weekend of vacation employee access, the VPN must now support an entire workforce working from home around the clock and on sensitive matters.

Tips for businesses to make VPN access scalable, reliable, and secure include:

• VPNs must be able to scale not only expected traffic, but also excess or “overflow” traffic. One provider, NordVPN, reported a 165% increase in the number of average daily users. Scalability can be handled via a software or appliance solution based upon corporate need. Certain solutions require user companies to maintain software licenses, which can generally be purchased on an individual basis.
• Use multi-factor authentication (MFA) for all VPN access. In the current cyber threat environment, MFA is crucial. If not already deployed, businesses should expand MFA to additional staff and endpoints.  While a MFA rollout may cause inconvenience at a time when workers are already disrupted, requiring MFA for VPN access is critical step in warding off unauthorized access.
• Servers running your VPN should be updated and vulnerabilities patched promptly and prioritized according to severity and likelihood that a vulnerability will be exploited. Delays in patching known vulnerabilities significantly increase the risk to your organization.
• Practice least privileged access religiously and restrict administrative access. If a large portion of your workforce has administrative access, an attacker who obtains those credentials could access your VPN and move laterally through company systems.
• Change default and administrative passwords regularly and utilize password complexity. Consider changing your password policy to require lengthier and more complex passwords.  At minimum, maintain routine password change requirements at regular intervals.
• Do not allow employees to disable security features and remote access precautions, or create security workarounds.
• Ensure executive and CISO level oversight of any change management, including to the network baseline or devices.
• Update “Bring Your Own Device” (BYOD) rules and standards, to securely manage BYOD devices using Mobile Device Management (MDM) software in order to allow secure access to internal resources. Confirm that endpoints with VPN access are equipped with adequate endpoint security software and meet system security configuration guidelines, which include Split Tunneling, least privilege, and host-based firewalls. BYOD devices with access to internal applications should be managed by MDM software in order to ensure compliance with security requirements.

2. Email Filters and Phishing Attacks

To best protect your organization, it is important to remind employees to stay vigilant and follow cybersecurity best practices while checking email and browsing websites. Companies should set up or strengthen email filters to guard against phishing and spoofing attacks.  Email filters generally work by blocking potential spam email or malicious content or through specifically configured rules-based approaches, which may be bolstered by machine learning. Additionally, a comprehensive email solution protects against threats, including phishing, impersonation tricks, and spam.  Employee training regarding phishing techniques and frequent updates to your workforce on common COVID-19 spam email campaigns are also effective in helping to keep your network safe.

The following are specific tips to convey to employees:

• Treat emails that appear to come from health authorities, such as the World Health Organization (WHO), with caution. The WHO has issued official guidance warning of threat actors impersonating organizations in order to carry out scams and attacks.
• Trust only well-known sources for information on COVID-19. Fake donation websites and email addresses are being created and used to steal passwords and financial information.
• Exercise caution when opening attachments or clicking links from unfamiliar senders or websites.
• Be wary of attempts by threat actors to reach out by telephone (vishing) or text (smishing).
• Stay alert for indicia of a social engineering attack, including a false sense of urgency, pressure to ignore security procedure, or a communication with a suspicious tone.
• Ensure the Wi-Fi router and all devices are protected by a strong password, and configure the Wi-Fi network to use the latest encryption. Use different passwords for all accounts and devices, and allow only trusted individuals to connect to your wireless network.
• Promptly install any updates to ensure your computer programs are running the latest software versions.
• Restrict access to your work computer or other devices by reminding family members not to use your work equipment.
• Notify your Helpdesk or Information Security Team immediately when you receive suspicious communications.

SANS has released guidance on securely working from home:

• Top 5 Steps to Securely Work from Home: https://security-awareness.sans.org/sites/default/files/2020-03/03-SSA-WorkingFromHome-FactSheet.pdf
• Creating a Cyber Secure Home: https://www.sans.org/security-resources/posters/creating-cyber-secure-home/80/download

3. Patching and Backups

Whether you are in the office or at home, patching and backups are critical to the security of your network.

• Ensure that your organization continues to deploy security patches for infrastructure and software. Bad actors may take advantage of lapse patching practices, so be mindful of the availability of patches to address vulnerabilities.
• Backups ensure data can be recovered in the event of data security incidents such as ransomware, system failures, and other data integrity issues. Having a reliable, recent backup that has been tested can help you avoid paying ransoms to malicious actors.
• Utilize enhanced logging. Logging will enable you to identify errors and course correct.

4. Ensure IT and Security Staff Resiliency

The exceptionally wide reach of COVID-19 may necessitate cross-training, teaming, and collaboration between IT and information security in the event that COVID-19 strikes several key employees at once. Organization should ask the following questions: (1) have we appointed a backup CISO who takes the helm when the CISO is traveling or out sick; and (2) does the incident response plan designate a backup to the backup leader, in case key personnel is unavailable?

5. Time to Review your IRP

An incident response plan (IRP) is like the coach’s playbook for an entire football game.  What happens if there is a blitz?  What an onside kick?  In addition to being required by certain regulators, a good IRP should tell the incident response team how to respond to a credential harvesting attack, a ransomware attack or a network intrusion. Also, your existing plan should be carefully reviewed to make sure it accounts for a remote workforce scenario.  Managing logistics and details are key to managing an effective incident response.

When reviewing your IRP, consider these questions:

• Do you personally have access to the latest version of the IRP from home?
• Would the IRP be accessible if company systems were encrypted in a ransomware attack or otherwise disabled?
• Does a hard copy of the IRP exist and is it easily located in a secure home workspace?
• Do other critical team members have copies, or should the plan be redistributed?
• Does the IRP include updated cellphone contact information for all incident response team members?
• Does the IRP include alternate email addresses and a plan for off-line or out-of-band communications, in the event that connectivity is disabled or the threat actor is inside the network?

6. Managed Security Service Providers and Managed Defense Services

When healthcare organizations are inundated with patients, they cannot afford downtime due to data security incidents.  As government and other charitable organizations step in to assist, malicious actors look to take advantage of the situation or seek to disrupt services. When security teams are shorthanded, personally impacted by the virus, or must care for a loved one who is ill, oversight of IT systems may be affected. Unfortunately, this is the time when cyber criminals take advantage of organizations.

To best manage a potential perfect storm, there are active defense solutions, and consider engaging a trusted cybersecurity firm to provide managed security services. These solutions can help your security team augment managed detection and response in order (i) to identify threats early; and (ii) reduce the consequences of a breach. A Security Operations Center (SOC) can provide remote monitoring of IT systems to detect intrusions and anomalous activity. Implementing 24×7 managed detection and response can allow internal teams to focus on building the necessary resilience in this uncertain climate. Also, if not already done, businesses should consider retaining a respected incident response firm to provide critical skills should an incident occur.