COVID-19: A black swan event fraught with cyber risks

As the world goes into a huddle to take on nature’s version of zero-day malware in the form of COVID-19, organizations are activating their business resilience plans by ensuring that the majority of the workforce operates seamlessly from the safety of their homes. Work from home (WFH) enablement by the corporate world’s IT warriors is a strong response that encourages social isolation and helps win the war against community spread of COVID-19. But WFH enabled at speed, without proper structure, is fraught with cyber risk. The two cornerstone principles most relevant to IT and cyber security teams at this crucial juncture are:

  • “Remote but secure” – work remotely, but in a planned and secure manner
  • “Trust but verify” – ensure that the personnel accessing systems, and the devices they use, are trusted but also adequately validated

Given the current situation, in which the corporate world and society together battle to protect humankind from the impact of the contagion, the sectors that need to pay extra attention to security and not let their guard down while enabling WFH are healthcare providers, power and water utilities, banking and insurance, chemicals, consumer products and pharmaceuticals.

Some of the risks and threats that can develop in this situation, which security monitoring teams need to keep an extra lookout for, are:

  • Ransomware infections that cripple critical service providers
  • Malicious remote access into IT infrastructure via compromised endpoints
  • Man-in-the-middle attacks
  • Vulnerability exploitation
  • Phishing emails (to internal employees or end customers, with themes built around misinformation campaigns and aimed at credential extraction/harvesting)
  • SCADA/ICS attacks on manufacturing and utility companies to cripple manufacturing operations

Remote access enablement/WFH – basic bedrock principles for cyber defence

Cyber defence strategies and mechanisms to enable WFH are not just about switching on remote connections at the perimeter; they involve implementing intricate, multi-layered protection mechanisms that counter threats at various levels. Some bare-minimum protection measures (depending on the IT landscape of the enterprise) that need to be in place to enable secure remote working are the following:

Network Level

  • Secure Virtual Private Network (VPN) tunnels, with adequate VPN hardware sizing and licenses to avoid outages and accessibility issues
  • Avoid using open-source VPNs merely to save on license costs
  • Provide access and rights on a “need-to-do” basis and avoid granting “power of God” rights remotely
  • Control IT administrator and power-user access through Privileged Identity Management (PIM) for all mission-critical applications
  • As far as possible, permit access through company-owned devices
  • Evaluate virtual desktops for contractors for remote access to ensure data stays within the corporate network
  • Adequate Web Application Firewall (WAF) capacity to handle extensive web traffic to web-facing apps
  • Evaluate implementing Runtime Application Self-Protection (RASP) for critical servers
  • Ensure all network devices and systems are patched

End point protection

  • Endpoint Detection and Response (EDR) implementations to prevent outages caused by ransomware or malware
  • Avoid public hotspots for remote connections to the office; use secure Wi-Fi
  • Encrypted disks – to protect data in case devices are stolen
  • Data Loss Prevention (DLP) implemented to prevent data leakage
  • Mobile Device Management (MDM) enablement for all people accessing critical apps and server consoles through mobile devices

Security monitoring

  • Design Security Information and Event Management (SIEM) use cases that monitor remote access connections to critical systems, in order to detect malicious outsiders
  • Heightened threat hunting to detect lurking attackers before they execute their objectives
  • Evaluate options to execute remote incident response to deal effectively with cyber attacks
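To make the SIEM use-case bullet concrete, here is an added example (not code from the original post or its author) of three remote-access detections run over a small set of constructed VPN authentication log lines: a burst of failed logins followed by a success, a successful login from a country outside a user's baseline, and "impossible travel" between two countries within an hour. The log format, host name, user names, IP addresses and the per-user country baseline are all assumptions made for the demo.

```python
"""Added example: three SIEM-style use cases run over constructed VPN login logs.

Illustrative code only, not the author's or any vendor's product. The log
format, host name, users, IP addresses and baseline are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value, syslog-like format.
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_LOGS = """\
2020-03-20T08:02:11Z vpn01 user=alice src=198.51.100.23 geo=IN result=SUCCESS
2020-03-20T08:05:40Z vpn01 user=bob src=203.0.113.9 geo=IN result=SUCCESS
2020-03-20T08:30:02Z vpn01 user=alice src=192.0.2.77 geo=RU result=SUCCESS
2020-03-20T09:10:15Z vpn01 user=carol src=203.0.113.50 geo=IN result=FAILURE
2020-03-20T09:10:19Z vpn01 user=carol src=203.0.113.50 geo=IN result=FAILURE
2020-03-20T09:10:23Z vpn01 user=carol src=203.0.113.50 geo=IN result=FAILURE
2020-03-20T09:10:31Z vpn01 user=carol src=203.0.113.50 geo=IN result=SUCCESS
2020-03-20T22:45:00Z vpn01 user=dave src=198.51.100.80 geo=US result=SUCCESS
this line is deliberately malformed and must be skipped
"""

# Assumed per-user baseline of countries each user normally connects from.
BASELINE = {"alice": {"IN"}, "bob": {"IN"}, "carol": {"IN"}, "dave": {"IN"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_logs(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Use case 1: a user succeeds after >= threshold failures inside the window."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = [t for t in recent[ev["user"]] if ev["ts"] - t <= window]
        if ev["result"] == "FAILURE":
            fails.append(ev["ts"])
        elif len(fails) >= threshold:
            alerts.append((ev["user"], ev["src"], len(fails)))
            fails = []  # reset so one burst yields one alert
        recent[ev["user"]] = fails
    return alerts


def geo_anomalies(events, baseline):
    """Use case 2: successful login from a country outside the user's baseline."""
    return [
        (ev["user"], ev["geo"], ev["src"])
        for ev in events
        if ev["result"] == "SUCCESS" and ev["geo"] not in baseline.get(ev["user"], set())
    ]


def impossible_travel(events, window=timedelta(hours=1)):
    """Use case 3: two successes for one user from different countries within the window."""
    alerts = []
    last_success = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "SUCCESS":
            continue
        prev = last_success.get(ev["user"])
        if prev and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] <= window:
            alerts.append((ev["user"], prev["geo"], ev["geo"]))
        last_success[ev["user"]] = ev
    return alerts


def run_use_cases(text, baseline=BASELINE):
    """Run all three use cases and return the alerts keyed by use case name."""
    events = parse_logs(text)
    return {
        "failures_then_success": failures_then_success(events),
        "geo_anomaly": geo_anomalies(events, baseline),
        "impossible_travel": impossible_travel(events),
    }


if __name__ == "__main__":
    for name, alerts in run_use_cases(SAMPLE_LOGS).items():
        print(f"{name}: {alerts}")
```

Each function returns a list of alert tuples rather than printing, so the same logic can feed a ticketing queue or a unit test. In a real SIEM the baseline would be learned from historical logins and the thresholds tuned per environment; the point here is that remote-access monitoring is a handful of explicit, testable rules, not a black box.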

Soft controls: Cyber awareness

  • Create clear do’s and don’ts for all employees during WFH
  • Focused periodic campaigns on the various threats that can hit people during WFH
  • Inventory all remote access, privileges and entitlements provided, for easier rollback when Business As Usual (BAU) resumes

Post-event horizon: A detailed stocktake of unaddressed threats and impacts

WFH enablement has its own challenges and stresses and demands maximum attention. However, when the COVID-19 scourge eventually dies down (hopefully sooner rather than later), it is vital for enterprises to carry out the following post-event activities judiciously, to ensure that insider threats and/or attackers who have stealthily opened back doors are detected:

  • Immediate revocation of remote access privileges for all critical and high-risk systems and devices
  • Deep-dive into uninvestigated medium-risk alerts from security systems
  • Deep-dive threat hunts to detect potential threats in the environment that could have been missed during crisis-time operations
  • Lessons-learnt sessions between IT and security teams on what could have gone better
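The "inventory all remote access for easier rollback" bullet in the awareness section and the "immediate revocation" bullet above are two halves of one procedure. The following added example (not the author's code or any product) shows a minimal grant ledger that records each crisis-period entitlement at the moment it is granted, then answers the post-event question "what must be revoked now, and what still needs review?" as a query. The users, systems, privilege names and the four-level risk scale are constructed assumptions.

```python
"""Added example: a ledger of crisis-period remote-access grants with rollback.

Illustrative code only, not the author's or any product's. Users, systems,
privilege names and the risk scale (critical/high/medium/low) are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class AccessGrant:
    user: str
    system: str
    privilege: str             # e.g. "vpn", "rdp-admin", "db-readonly" (assumed names)
    risk: str                  # assumed scale: critical / high / medium / low
    granted_on: date
    granted_by: str
    justification: str
    revoked_on: Optional[date] = None


class GrantLedger:
    """Records every WFH grant when it is made so rollback is a query, not a hunt."""

    def __init__(self):
        self.grants = []

    def record(self, grant):
        self.grants.append(grant)
        return grant

    def active(self):
        return [g for g in self.grants if g.revoked_on is None]

    def revocation_plan(self, risk_levels=("critical", "high")):
        """Active grants that must go immediately once BAU resumes."""
        return [g for g in self.active() if g.risk in risk_levels]

    def revoke(self, on, risk_levels=("critical", "high")):
        """Mark the planned grants as revoked on the given date and return them."""
        revoked = self.revocation_plan(risk_levels)
        for g in revoked:
            g.revoked_on = on
        return revoked

    def by_system(self):
        """Active grants grouped per system, handy for system-owner sign-off."""
        out = {}
        for g in self.active():
            out.setdefault(g.system, []).append(g.user)
        return out


def build_sample_ledger():
    """Constructed grants representing a small WFH enablement exercise."""
    ledger = GrantLedger()
    d = date(2020, 3, 20)
    ledger.record(AccessGrant("alice", "erp-prod", "rdp-admin", "critical", d, "it-ops", "remote ERP support"))
    ledger.record(AccessGrant("bob", "scada-hmi", "vpn", "critical", d, "ot-lead", "plant monitoring"))
    ledger.record(AccessGrant("carol", "crm-prod", "db-readonly", "high", d, "it-ops", "sales reporting"))
    ledger.record(AccessGrant("dave", "wiki", "vpn", "medium", d, "it-ops", "documentation access"))
    ledger.record(AccessGrant("erin", "intranet", "vpn", "low", d, "it-ops", "general remote work"))
    return ledger


def rollback_summary(ledger, on=None):
    """Run the post-event rollback and report what was revoked and what still needs review."""
    revoked = ledger.revoke(on or date.today())
    return {
        "revoked": sorted((g.user, g.system) for g in revoked),
        "pending_review": sorted((g.user, g.system, g.risk) for g in ledger.active()),
    }


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.by_system())
    print(rollback_summary(ledger, date(2020, 6, 1)))
```

Because every grant carries who approved it and why, the medium- and low-risk leftovers can be reviewed with their owners instead of being silently forgotten, which is exactly the gap an attacker who has quietly kept a back door open would exploit.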

Conclusion: Security, a vital cog in the wheel of business operations

As technology integrates seamlessly with business, security is an important cog in the wheel of business operations; if ignored at any stage, it could severely impact the resilience of a business trying to pull through difficult times.

By Prashant Bhat, Managing Director, Cyber Security & Privacy, Protiviti Member Firm for India

3 responses to “COVID-19: A black swan event fraught with cyber risks”

  1. Rohan kapur says:

    Very detailed and timely thoughts considering the times of crisis. Extremely insightful.

  2. Sanjeev says:

    Very informative. Few good strategies to limit the risk of an attack. Thank you.

  3. Murugan Y says:

    Well articulated and detailed strategies
