Author: Dale Meredith
We’re living in an interesting and confusing world. One minute we’re working, shopping, hitting the gym, living everyday life. The next minute we’re arm wrestling for toilet paper and hand sanitizer. And the drastic behavioral shifts we saw overnight came from every direction—especially impacting how we work.
In response to the pandemic, millions of companies transitioned from corporate network infrastructures to work from home (WFH) environments—and at an incredibly fast pace. It made my security-sense fire off, and for good reason. We’re already seeing an increase in attacks.
A recent Threatpost poll revealed that 40% of companies have seen an increase in cyberattacks as they enable remote work. So, let’s put on our “BlackHats” and explore all the vectors that security professionals should be considering during this time.
Influx of new devices
Thousands of new laptops and mobile devices were purchased and introduced into corporate environments to make sure all employees had a way to WFH. How many of these devices were deployed without going through your organization’s security policies? And if you found yourself in this camp, what are you doing about it now?
Patches and updates
History tells us that the lack of patching and updating is THE major vector that attackers will leverage against you. Figure out how your IT teams can make sure these new (and existing) remote systems are always patched and updated. How will patches and updates be handled since these devices are now remote? (Just this week, we all learned of two vulnerabilities that affect Windows 7-10 and Server 2008-2019, which haven’t been patched and won’t be patched (RED FLAG!) until April 14th.)
Have security teams communicated your process to all employees? Have you given them the workarounds to help protect their systems from this vulnerability?
Personal cloud storage
Now, don’t get me wrong here. I have nothing against solutions like Dropbox, OneDrive, Google Drive, etc., but I am aware of several large organizations that have security policies in place to prohibit employees from using these types of online storage systems. The reasoning behind this policy is that IT departments have no control over the passwords used or over what information is being stored or shared. Do you have a policy in place? Is it easy to understand, and are your employees aware of it? And, the key question, is it keeping your organization safe?
A lot of IT and security teams were blindsided by how fast the WFH transition took place. In some cases, they didn’t have the option to purchase new laptops or tablets to get employees up and working from home—either because devices were sold out or because it was financially unrealistic. In these situations, companies may have allowed BYOD without proper evaluation or configuration. Organizations might have opened new ports to install new services on network devices just to “get things to work.” I get why, but someone needs to backtrack and clean up any loose ends that could be putting their organization at risk. Do you have a solid—and timely—plan for that in place?
Ah, the low-hanging fruit that keeps on giving. We’re already seeing an uptick in phishing emails hitting the internet. We may have previously trained our employees on handling phishing when it comes to internal emails, but now attackers might be able to take advantage of employees that may be using company devices for personal use. Imagine getting an email like this:
The company email isn’t working for me at the moment, but I have a situation that is pressing so I’m using my personal account. Blah, blah, blah, send me money. Blah, blah, blah, take a look at this document. (See attachment or click on this link.) Blah, blah, blah, send me 50 Amazon $100 gift cards.
Are you training your employees on these new possible phishing threats and how to respond to them?
Attackers are looking at home users’ networks and then looking for systems that they can use to pivot and gain access to the corporate infrastructure. If this pandemic continues, organizations that are serious about security should really look into the possibility of providing new home routers for employees. These routers should be updated and configured (no default settings, folks!) for deployment. (After all, do you know the last time every employee updated the firmware on their home router?) What’s your plan here? Have you raised this possible vulnerability with your C-suite? Has the organization committed to a go/no-go timeline for new routers?
It goes without saying that most organizations are suffering financially during this time. In the past, the two budgets to be cut first were IT and training. Listen. This is the time and situation where these two departments shouldn’t be cut. It will cause you to lower your guard and overload your employees—both of which will result in consequences that could be devastating to your organization. If during any conversation around the core technology of the organization you hear, “we just can’t afford to do ‘x,’” watch that area very closely. It will become a weakness for attackers now and later if no one remembers to go back and fix it afterward. But before you get to that point, champion keeping the technology in place. Just as important, advocate for employee training.
Employees should be trained about the new terrain that they’re navigating and exposing themselves to. How are you standing up for your technology and training budget? What plans are you putting into place to mitigate the risk associated with the potential cut to one or both of these line items? IT and security professionals: Remember to double and triple check all your endpoints. Trust me, Coronavirus isn’t the only thing that could affect your company this year. Just wait. Six months from now, we’ll be reading stories about companies that were breached during the COVID-19 outbreak because they failed to consider at least one of the above areas of security.