5 Top IT Best Practices to Employ During COVID-19
By Jordan Kalm, Cyber Threat Intelligence Analyst, Threat Recon Unit® (SOD)
This past week has been a different one for cybersecurity. The entire globe is dealing with a nearly unprecedented pandemic, or at least the looming threat of severe impact from one. Viruses are nothing new to security teams; in this case, however, it is a biological virus, not a digital one.
We’re in a New Realm
Many businesses are altering their normal business functions due to COVID-19, and the shift to remote work adds strain to network administrators and IT security teams everywhere. Because of the health risks of physical contact, many organizations are rapidly transforming into fully remote workforces. Some companies already operate this way, but many are only now going through the pains of moving vital business operations from an office-based model to a fully online one. While your team focuses on supporting the influx of remote workers, attackers are quickly pivoting to target your remote-access infrastructure and to capitalize on the fear generated by the COVID-19 outbreak.
Our Current State of Heightened Risk
Cyber-criminals, nation-state actors, and others are more than willing to adapt their tactics, techniques, and procedures (TTPs) to exploit vulnerable organizations during this time of transition. Malicious actors have already made several attempts to use the pandemic as a lure. Business Insider reported several phishing scams in which attackers posed as officials from the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO), attempting to trick victims into downloading malicious attachments or "updating" login credentials in fake portals designed to harvest passwords.
The following best practices reduce the chance that a security issue or incident slips through while IT teams are stretched supporting remote workers and infrastructure.
- Double check that your VPN services, network devices, and any device that will connect to your company network, personal or otherwise, are updated with the most recent security patches from Microsoft, Apple, or the device's vendor. Internet-facing remote-access gateways are the first thing attackers scan for, so patch them first.
- Ensure that your officially distributed business antivirus program is updated. If you are using a personal device, use only reputable antivirus software, and download it only from the vendor's official website; fake "antivirus" installers are a common malware delivery vehicle.
- Increase employee phishing awareness and training. It is critical that employees understand the risks of clicking links and opening attachments in email. Most people have heard of the dangers of phishing, but as they focus on the changes brought by COVID-19, basic security practices may not be top of mind. One best practice is to reach a site by typing its known address into the browser or using an existing bookmark rather than clicking the link in an email; the visible text of a link can say one thing while the underlying address points somewhere else entirely.
- Companies should also verify that their bring-your-own-device (BYOD) and telework security policies are current and that those covered by the policies are educated on what they need to do. NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, is a good resource if such a policy needs to be developed for your organization.
- Multifactor authentication (MFA) should be enabled for VPN connections. MFA requires two or more independent pieces of evidence from different categories in order to authenticate. The three categories are knowledge (passwords or security questions), possession (hardware tokens, soft tokens such as Google Authenticator on a mobile device, or a separate authenticator device), and inherence (biometrics such as a fingerprint, iris, or facial scan). A password plus a security question is still a single factor, since both are knowledge. It is strongly recommended that MFA be used on all VPN connections and for all BYOD access.
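The possession factor most VPN deployments add is a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The following is an added example written for this article, not code from the original page or from SOD: the client-side code generation, the enrollment URI an app would scan, and a server-side verifier that tolerates one step of clock skew and refuses to accept the same time step twice, so a code captured by a phishing page cannot be replayed after the real user has used it. The secret is the RFC 6238 test-vector secret so the output can be checked against the RFC; the `ExampleVPN` issuer and account name are placeholders.

```python
"""TOTP soft token (RFC 6238 on top of RFC 4226 HOTP).

Added example, not code from the original article or from SOD. Shows the
'possession' factor of VPN MFA: the app-side code generator and the
gateway-side verifier with skew window and replay rejection.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


def provisioning_uri(account: str, issuer: str, secret: bytes) -> str:
    """otpauth:// URI that an authenticator app scans at enrollment; the secret travels Base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Gateway side. Accepts +/- `window` time steps of clock skew and never
    accepts a time step at or below one already consumed, which blocks replay
    of a code the user (or a phishing page) has already submitted."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret, self.step, self.digits, self.window, self.algo = secret, step, digits, window, algo
        self._last_counter = -1  # highest time step already accepted for this user

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False  # reject garbage before the constant-time compare (which needs ASCII)
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_counter:
                continue  # replay, or older than a code already accepted
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; a real enrollment uses a random secret of at least 20 bytes.
    secret = b"12345678901234567890"
    print(provisioning_uri("alice@example.com", "ExampleVPN", secret))
    gateway = TotpVerifier(secret, digits=8)
    code = totp(secret, 1111111111, digits=8)       # "14050471" per the RFC test vectors
    print(code, gateway.verify(code, 1111111111))   # True: fresh code
    print(code, gateway.verify(code, 1111111111))   # False: same code replayed
```

The verifier keeps only the last accepted time step per user; in a real gateway that value lives in the user store so that a code cannot be replayed against a second cluster node. The window of one step each way is the usual trade-off between tolerating phone clock drift and widening the replay opportunity.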
Time to Re-Assess Your Threat Monitoring Coverage
During this time, it is vital to ensure that your cyber blind spots are covered, especially with the strain on IT teams supporting the rapid transition. Some devices and systems are now more critical and need to be monitored for indications of a breach or attack. These may include your VPNs, additional firewalls, remote desktop servers, remote authentication systems, Identity and Access Management systems, Microsoft Azure Active Directory, AWS authentication events, and others.
Our team is also ready to help. We can assist in several ways such as the following:
- Assess whether there are additional devices that you should be monitoring
- Provide two-factor authentication (2FA) for the Client Portal to ensure extra security
- Consider adding SOD’s Threat Hunting Service (ThreatWatch Hunt) for proactive threat hunting that extends beyond the normal threat hunting the SOC does
- Add more remote-based devices (VPNs, additional firewalls, remote authentication systems) to your device logging scope as needed
- Audit your firewalls for risky rules, non-compliant policies, or permissive outbound traffic that makes it easy for an attacker who has compromised a remote system to exfiltrate data
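The firewall audit in the last item, and the "more critical devices" list in the section above, come down to two rule classes worth checking mechanically: inbound allows from any source to an administrative service (RDP, SMB, SSH and the like) and outbound allows to any destination that give a compromised remote host a free exfiltration channel. The following is an added example written for this article, not SOD's own tooling; the `Rule` structure and the sample rule set are constructed for illustration, so the loader would need to be adapted to your firewall's export format.

```python
"""Rule-set audit for Internet-exposed admin services and unrestricted egress.

Added example, not SOD's tooling. The Rule format and SAMPLE_RULES are
constructed for illustration; adapt the loader to your firewall's export.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    action: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    ports: Tuple     # destination ports, or ("any",)
    proto: str       # "tcp", "udp" or "any"


# Admin and file services that should never be reachable from arbitrary Internet sources.
HIGH_RISK_INBOUND = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
                     3306: "MySQL", 3389: "RDP", 5900: "VNC"}
# Outbound protocols routinely abused for exfiltration or tunnelling when open to any destination.
EXFIL_CHANNELS = {21: "FTP", 22: "SSH/SCP", 25: "SMTP", 53: "DNS"}

Finding = Tuple[str, str, str]  # (rule name, severity, description)


def is_any(cidr: str) -> bool:
    """True for the literal 'any' or a zero-length prefix such as 0.0.0.0/0."""
    return cidr.lower() == "any" or ip_network(cidr, strict=False).prefixlen == 0


def audit(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue  # only permits create exposure
        any_port = "any" in r.ports
        if r.direction == "in" and is_any(r.src):
            if any_port:
                findings.append((r.name, "HIGH", f"inbound allow from any source to {r.dst} on all ports"))
            else:
                exposed = [HIGH_RISK_INBOUND[p] for p in r.ports if p in HIGH_RISK_INBOUND]
                if exposed:
                    findings.append((r.name, "HIGH", f"{', '.join(exposed)} exposed to the Internet on {r.dst}"))
        elif r.direction == "out" and is_any(r.dst):
            if any_port:
                findings.append((r.name, "HIGH",
                                 f"unrestricted egress from {r.src}: a compromised host can exfiltrate to any destination"))
            else:
                channels = [EXFIL_CHANNELS[p] for p in r.ports if p in EXFIL_CHANNELS]
                if channels:
                    findings.append((r.name, "MEDIUM",
                                     f"{', '.join(channels)} allowed from {r.src} to any destination; restrict to approved servers"))
    return findings


# Constructed sample rule set (documentation address ranges, not a real network).
SAMPLE_RULES = [
    Rule("vpn-gateway-in", "in", "allow", "any", "203.0.113.10/32", (443,), "tcp"),
    Rule("rdp-jump-in", "in", "allow", "any", "203.0.113.20/32", (3389,), "tcp"),
    Rule("mgmt-in", "in", "allow", "198.51.100.0/24", "10.0.0.0/24", (22,), "tcp"),
    Rule("egress-any", "out", "allow", "10.0.0.0/8", "any", ("any",), "any"),
    Rule("egress-dns", "out", "allow", "10.0.0.0/8", "0.0.0.0/0", (53,), "udp"),
    Rule("egress-web", "out", "allow", "10.0.0.0/8", "any", (80, 443), "tcp"),
    Rule("default-deny", "in", "deny", "any", "any", ("any",), "any"),
]

if __name__ == "__main__":
    for name, severity, description in audit(SAMPLE_RULES):
        print(f"[{severity}] {name}: {description}")
```

On the sample set the audit flags the Internet-facing RDP jump host, the any/any egress rule, and DNS to arbitrary resolvers (a common tunnelling channel), while the VPN gateway on 443, the management rule scoped to a known source, and web egress pass. Shadowed rules and object-group expansion are deliberately out of scope here; a real audit also has to resolve those before the port checks mean anything.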
Please feel free to reach out to your Customer Success Manager or Sales Representative for rapid integration of these devices or to obtain more information.
Additional resources for maintaining security can be found using the resources linked below. We encourage our clients and readers to maintain a security mindset while the coronavirus response distracts IT teams. Protect your organization and take precautions as you open up networks and systems for remote access, and keep educating employees on good security practices.