March 16, 2020
Mitigating the Cybersecurity Impact of the Coronavirus

The unprecedented impact of the Coronavirus is challenging cybersecurity in two major ways – through both increased attacks and also the security challenges arising from a remote workforce.

Scams and Attacks

Bad guys don’t have ethics, so it’s no surprise that they are capitalizing on the Coronavirus.

Scams and phishing attacks are out in force, from fake CDC alerts to bogus health information. One common phishing scheme promotes a fake "updated" Coronavirus map; when users click on it, malware is installed on their systems. Another particularly disheartening scam targets concerned parents, impersonating a state entity and sharing false information about newly diagnosed virus cases at specific schools.

When people are scared and hungry for information, they are more susceptible to these types of attacks. As always, remind your users not to fall for them, and never to open attachments, which can introduce ransomware or other malware that compromises credentials or gives attackers access to unauthorized information. Inform them about current scams, what to look for, and how to guard against them, both personally and professionally. Consider directing your users to the websites of reputable entities like the CDC and Johns Hopkins instead of clicking on emails claiming to carry new information.

Embed cybersecurity messages – from VPN and wi-fi policies to spotting and avoiding attacks – into the heavy communication currently being created for and shared with employees around issues including travel regulations, work from home policies, and health insurance benefits. This is a perfect time to ensure cybersecurity messaging is part of the organizational response and information given to employees.

Remote Considerations

The huge increase of people working remotely to quell the spread of the virus has introduced a great deal of risk to organizations.

Some companies are better positioned to manage this than others – especially if they already support telecommuting, with good controls and countermeasures in place to manage employees working remotely and gaining access to data on home systems. Unfortunately, many if not most companies are not prepared to deal with such large proportions of their organization suddenly working remotely.

Organizations are particularly challenged in terms of VPNs and firewalls.

VPNs

Depending on how prepared you are, it may be helpful to adopt a crawl, walk, run approach to enabling your workforce to work remotely. The most important thing is to address the current risk immediately, while you develop more thorough or powerful medium and long-term solutions.

Crawl

If you don’t already have it, get VPN connectivity.

The first priority is ensuring you have a secure tunnel between endpoints and headquarters. If you are purely cloud, you won’t need a VPN.

If you are not purely cloud and you don’t have a VPN, you need to get one quickly. If you have done an analysis on critical employees, start there instead of boiling the ocean.

If you are just flipping on VPN remote connectivity, it is imperative to use two-factor authentication. A password as the lone gate to gaining access is extremely risky, and is a highly exploited vulnerability.

Walk

If you do have a VPN, enable client host integrity checking. Usually a feature of remote access solutions, it checks each laptop before it connects to make sure it meets your minimum security standards.

Location awareness is another good endpoint security solution that can determine where users are – an airport or Starbucks vs. the corporate headquarters – to apply different policies to their laptop. Some organizations have the capability to manage their employees’ laptops remotely, but if you don’t, you can send a link to your people to download software to manage their devices wherever they are.

Run

Of course, the best long-term approach is to have a strong EDR solution. Many solutions, such as those offered by CrowdStrike, are extremely effective at protecting endpoints, offering the same level of protection on the outside as on the inside.

Firewalls

Behind the brick and mortar of headquarters and offices, employees are protected by firewalls, intrusion detection systems, etc. – but once they leave that environment, those safeguards are absent. Surprisingly, in many organizations, firewall policies are not in place on a large number of endpoints when people are at home, or using wi-fi at Starbucks, airports or other locations. Host firewalls combined with VPNs will take care of this.

Crawl

If you are NOT well-prepared for this, a good immediate step is to get Windows Firewall enabled with suitable rules. Don’t be fancy at first; just get something out there to address the immediate risk.
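As an added illustration of the "don't be fancy, just get something out there" step above (this is example configuration, not CBI's own script or a specific product recommendation), the following PowerShell applies a minimal Windows Defender Firewall baseline to a laptop that is about to leave the office network. It assumes Windows 10 or Server 2016 and later with the built-in NetSecurity module, must be run from an elevated prompt, and the VPN client pool address range is a placeholder to replace with your own.

```powershell
# Added example, not from the original post: minimal host firewall baseline for a
# remote laptop. Run in an elevated PowerShell session (Windows 10 / Server 2016+).

# 1. Turn the firewall on for every profile and block unsolicited inbound traffic by
#    default. The Public profile is what applies on hotel, airport and coffee-shop wi-fi.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Log dropped packets so there is evidence to review if a machine is probed
#    while it is off the corporate network.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 3. Built-in allow rules that should not be reachable from untrusted networks:
#    disable the inbound File and Printer Sharing and Remote Desktop rules that
#    apply to the Public profile (rules scoped to 'Any' profile are included).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing','Remote Desktop' -Direction Inbound |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Disable-NetFirewallRule

# 4. Allow inbound traffic only from the corporate VPN client pool on the Domain and
#    Private profiles, so IT can still manage the laptop over the tunnel.
#    10.200.0.0/16 is a PLACEHOLDER; substitute your own VPN client address range.
New-NetFirewallRule -DisplayName 'Allow inbound from VPN client pool (placeholder range)' `
    -Direction Inbound -Action Allow -Profile Domain,Private -RemoteAddress '10.200.0.0/16'

# 5. Verify the result: every profile should show Enabled True, DefaultInboundAction Block
#    and LogBlocked True.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
```

This is deliberately the "crawl" baseline: default-deny inbound, logging on, and the two most commonly abused inbound services switched off on untrusted networks. Once it is deployed, the same settings can be pushed centrally through Group Policy or your endpoint management tool rather than run by hand on each machine.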

Licensing and cost can be an issue for many organizations, which lack the licenses or infrastructure for everyone to work remotely. Due to the Coronavirus, many organizations like Microsoft are donating licenses for VPNs. If you need more licenses, work with your vendors to obtain them, temporarily and possibly for free or at a reduced cost. If your vendor won’t work with you, consider leveraging a VAR or finding another vendor who is willing to help you out. This is a good opportunity to test and build your relationships with your vendors and suppliers.

Walk / Run

Once again, some EDR solutions are extremely effective at protecting endpoints. You should consider getting EDR. If you ARE already well-prepared, stay the course.

Test the Plan

The Coronavirus is a hard reminder of how important it is to dust off and test your DR plan, then update it and keep the learnings. It’s a good test of your organization’s ability to be agile, and a way to strengthen your aptitude to respond to similar situations in the future.

Document and Transfer Knowledge

You may soon have people not just working remotely, but out sick or quarantined. Now is a good time to focus on your knowledge capture system and on documenting your policies and procedures (and to make time for people to actually DO the documentation).

Leverage this Experience for the Future

As you go through this, keep an eye open for insights and best practices to build into your long-term plans. Unfortunately, this Coronavirus may not be the last virus or similar global situation that we have to deal with. The silver lining is that our experience this time should help us to be better prepared in the future.

About the Authors
Eric Randle
Manager and Senior Penetration Tester
Shaun Bertrand
Vice President, Advanced Testing Services
Shaun Bertrand leads the Red Team, CBI’s Advanced Testing Services practice. Shaun brings over 20 years of experience in the information security field with a core focus of providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.