This is a continuation of the COVID-19 expert insights series (part 1 here and part 2 here). Companies need to be vigilant during this time and now, more than ever, implement strict security measures across their organization. Below, we've curated some of our favorite COVID-19 security best practices and warnings from top cybersecurity experts.
Gil Rapaport, vice president, CyberArk Alero
"For remote users who require access to critical systems, applications or accounts, ensuring that they have granular, role-based access to these resources is essential. In instances where these users do not typically work remotely, they likely have not been provisioned tools to ensure that their access is secured, as they would normally come in through the corporate network. Having tools in place to not only authenticate users to confirm identity is critical, but furthermore, ensuring that they only have access to the specific systems or databases that these users require is of the utmost importance when there is a surge or uptick in remote work being done – particularly on critical internal systems."
Will LaSala, Senior Director of Global Solutions, Security Evangelist, OneSpan
“Now is the time for banks and financial institutions to be on the lookout for Coronavirus-related phishing attacks. Researchers are discovering hackers are already disguising malicious documents relating to Coronavirus in their attacks. Fortunately, financial institutions can take steps to better protect themselves, their employees and even their customers from these threats. The first step is to be aware of the heightened risk at this time and deploy enhanced safety precautions. Banks and other financial institutions should adjust the rules engines on their fraud detection and prevention systems, monitor user behavior throughout the entire online banking session, and leverage machine learning and advanced risk analytics to identify abnormal user behavior in real time. But be warned that not all anti-fraud systems are equal – dynamic fraud solutions that are capable of automatically operating at a lower level of trust during times of increased risk are best suited to helping banks respond to the fast-paced nature of fraud during events like the Coronavirus outbreak.
Hackers will always prey upon fear to increase the impact of phishing campaigns, and risk analytics technologies are key for today’s banks to determine fraud risk in real-time for individual transactions – delivering a level of security beyond what manual processes can provide.”
Kevin Landt, VP Product Management, Cygilant
"As everyone transitions to the new normal of working-from-home, security professionals are finding that cybercriminals were already there waiting for them. In the rush to get everyone online and working quickly – so that business wasn’t lost in the meantime – many companies didn’t have a chance to double-check their infrastructure, network and security systems to make sure they were ready for a company of remote workers. On top of checking those, security professionals should pay close attention to their VPN connection’s bandwidth, user counts and security, as these are now targets for attackers. It’s obviously too late to test your preparations, so take this past week as a real-time test and review how things went. Did anyone experience any issues? Are there red flags you need to look into? If so, don’t delay. Make the needed fixes now, while employees are still getting used to the at-home situation.
There has been a significant increase in the number of phishing attempts and malware/ransomware emails that are trying to exploit the coronavirus. Everything from “free online trackers” to portals “with the latest news” just proves that hackers will take advantage of any situation. The best advice we can give here is to take the time to re-educate your team on what these emails look like. Share examples, or even articles from media about what other companies have experienced. Education is the most important part of preventing a compromise from happening.
Another critical activity is to make sure you have a plan for potential staff shortages. Do you have a small team? What if you or your teammate or a family member was diagnosed tomorrow and had to focus on their health immediately? Do you have a backup plan? Are details in place to easily pass off responsibilities to another employee? There’s no time like the present to make sure you have a business continuity plan in place for your security team."
Steve Black, Visiting Professor of Cyberlaw, University of Houston and Data Breach Consultant
"Many organizations have bring your own device (BYOD) and temporary work from home policies, but many of those were put together with little thought for a pandemic that would require most, if not all, operations to be conducted remotely long-term. While it’s always better to plan in advance, an emergency is a good time to revisit policies and practices to make sure your organization is safe and is avoiding unnecessary legal and cyber risk.
Here are some of the practice and policy areas that should be reviewed by a company’s security and legal departments.
Do your policies address which devices can access sensitive or confidential data? Do you require those devices to encrypt data at rest and in transit, allow remote wiping, and be password-protected? A BYOD policy can help protect information and allow the organization to defend itself against negligence claims if a breach does occur.
2. Employee privacy
When employees are at your offices, reasonable monitoring is allowed. When employees work from home, have you considered whether your policy oversteps the privacy line by attempting to access personal emails and social media messages on personal devices? What about web browsing history, text messages, or apps and software used?
When employees work from home, the lines get blurry. Organizations should consider what types of monitoring and investigation they absolutely need and policies should inform employees about what types of access they are granting.
3. Controlling Devices
When the device does not belong to the organization, wiping a device can implicate questions of trespass or tort claims. In some instances, organizations can require personal devices to be wiped, locked or surrendered as part of a response to a security incident. Organizations should carefully consider what their response would be, inform employees, and obtain permissions in advance.
4. Offsite Response
Does your Incident Response Plan include a section on what to do if an incident happens offsite? Many organizations are prepared to act if a breach happens in their office, but what if the breach happens at an employee’s home? How long will it take you to discover the breach? Will you be able to access the affected computers or devices? Will you even be able to get into the employee’s home to conduct an investigation?"
Nitin Agale, VP of products and strategy, Securonix
"As enterprises enforce remote working – at short notice – they face the question of how their security teams will identify bad actors and vulnerabilities in a time of massive user behavior change.
Here is how:
Log all remote access events. Attribute events to the associated user and monitor for anomalies using security monitoring tools such as security information and event management (SIEM) and/or user and entity behavior analytics (UEBA).
Monitor your data exfiltration points. Users will need to download data to their machines in order to work from home. It is critical to monitor, attribute, and analyze logs from key exfiltration points – including VPN session logs, data loss prevention (DLP) solutions, Microsoft Office 365, Box, and other data sharing solutions, as well as email gateways such as Cisco ESA (IronPort) or Proofpoint – in order to detect any malicious exfiltration attempts.
Log access events and transactions for your critical applications and analyze them for anomalies. Typically, the focus of security teams is on protecting the network; they seldom look at applications. However, with application access moving out of the corporate network, application security becomes paramount, even more than network security.
Monitor user entitlement (user access) details. Monitor both Active Directory as well as other critical applications. Analyze for anomalies such as terminated user accounts that may still be active, sudden privilege escalations, and the use of dormant accounts.
Monitor for credential sharing. Employees may be tempted to share credentials in order to get quick access and avoid lengthy access request processes. Monitor specifically for land speed anomalies such as a user simultaneously logging in from multiple locations, or a user badged into an office but logging in remotely.
Monitor remote access devices. In addition to proactively monitoring your internet-facing RDP/VPN infrastructure, we recommend leveraging the NIST guidance regarding securing enterprise and telework access to implement the additional required controls to help further mitigate the risks associated with malicious threat actors possibly obtaining and exploiting RDP shop-based access credentials.
Ensure that your internet-facing VPN/RDP servers are up to date. Also, make sure that they are ready for spikes in remote access activity depending on your current situation.
Beware of COVID-19/Coronavirus-related phishing schemes and fake alerts/health advisories. We’ve been observing malicious phishing implants increasingly evading sandboxing/detonation. Our recommendation is to implement a more in-depth “Assume Breach” approach in your environment. If your IOC (Indicators of Compromise) and sandbox-based checks fail, make sure you have checks and monitoring in place for staging/post-exploitation detection.
Enforce multi-factor authentication where possible. Dictionary attacks are the most common way of compromising credentials on internet-facing devices. With the increase in remote access for employees, contractors, and business partners, you should consider enforcing strong authentication and authorization controls to minimize the risk of compromise.
Enforce peer-based and segregation of duty (SOD) checks. With a large number of employees requesting remote access, the business is likely to push to allow employees as much access as possible in order to avoid business disruption. However, it is important for security and IT teams to maintain SOD and peer-based checks to ensure that the access granted is aligned to the job role of the employee."
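The "land speed" checks in the Securonix guidance above (a user logging in from two places faster than anyone could travel, simultaneous sessions from different addresses, and a remote login from someone who has badged into an office) are straightforward to run over VPN session-start logs. The script below is an added example written for this article, not Securonix code or any vendor's product logic; the log rows, badge records, coordinates, the 900 km/h speed limit, the 8-hour session window and the 1-hour badge window are all constructed assumptions, and in practice the latitude/longitude would come from a GeoIP lookup on the source address.

```python
"""Land-speed and concurrent-session anomaly checks over constructed VPN login events.

Added illustration for the remote-access monitoring advice above; the data and
thresholds below are assumptions, not values taken from any product or log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample VPN session-start events: (user, UTC time, source IP, geolocated lat, lon).
SAMPLE_EVENTS = [
    ("alice", "2020-03-20T09:00:00", "203.0.113.10", 40.71, -74.01),   # New York
    ("alice", "2020-03-20T09:40:00", "198.51.100.7", 51.51, -0.13),    # London, 40 minutes later
    ("bob",   "2020-03-20T08:00:00", "192.0.2.44",   37.77, -122.42),  # San Francisco
    ("bob",   "2020-03-20T17:00:00", "192.0.2.45",   37.34, -121.89),  # San Jose, 9 hours later
    ("carol", "2020-03-20T10:00:00", "203.0.113.99", 48.86, 2.35),     # Paris
    ("carol", "2020-03-20T10:05:00", "203.0.113.99", 48.86, 2.35),     # Paris again, same IP
]
# Constructed badge-reader record: (user, UTC time, office lat, lon) - carol badged into Berlin.
SAMPLE_BADGE = [("carol", "2020-03-20T09:50:00", 52.52, 13.40)]

MAX_SPEED_KMH = 900.0                 # assumed: faster than an airliner is "impossible travel"
SESSION_WINDOW = timedelta(hours=8)   # assumed VPN session lifetime for the concurrency check
BADGE_WINDOW = timedelta(hours=1)     # assumed: remote login within an hour of badging in
BADGE_MIN_KM = 100.0                  # assumed: ignore logins close to the office


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_events(rows):
    """Group events per user as (timestamp, ip, lat, lon), sorted by time."""
    per_user = defaultdict(list)
    for user, ts, ip, lat, lon in rows:
        per_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    for events in per_user.values():
        events.sort()
    return per_user


def impossible_travel(per_user, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins whose implied ground speed exceeds max_speed_kmh."""
    alerts = []
    for user, events in per_user.items():
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist == 0:
                continue  # same place; nothing to compute
            hours = (t2 - t1).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                               "km": round(dist), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


def concurrent_sessions(per_user, window=SESSION_WINDOW):
    """Flag a login from a different IP while an earlier session is assumed still open."""
    alerts = []
    for user, events in per_user.items():
        for i, (t1, ip1, _, _) in enumerate(events):
            for t2, ip2, _, _ in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, so later ones are further away too
                if ip2 != ip1:
                    alerts.append({"user": user, "ips": sorted({ip1, ip2}),
                                   "gap_minutes": int((t2 - t1).total_seconds() // 60)})
    return alerts


def badge_vs_remote(per_user, badge_rows, window=BADGE_WINDOW, min_km=BADGE_MIN_KM):
    """Flag a remote login far from an office the same user badged into around the same time."""
    alerts = []
    for user, ts, blat, blon in badge_rows:
        badge_time = datetime.fromisoformat(ts)
        for t, ip, lat, lon in per_user.get(user, []):
            km = haversine_km(blat, blon, lat, lon)
            if abs(t - badge_time) <= window and km > min_km:
                alerts.append({"user": user, "ip": ip, "badge_to_login_km": round(km)})
    return alerts


if __name__ == "__main__":
    users = parse_events(SAMPLE_EVENTS)
    for name, found in (("impossible travel", impossible_travel(users)),
                        ("concurrent sessions", concurrent_sessions(users)),
                        ("badge vs remote login", badge_vs_remote(users, SAMPLE_BADGE))):
        print(name, "->", found)
```

In the sample data only alice trips the travel and concurrency checks (New York to London in 40 minutes from two addresses), bob's San Francisco to San Jose move nine hours later is an ordinary commute, and carol's Paris logins are quiet on their own but conflict with her Berlin badge-in; the same three functions work unchanged on real session logs once a GeoIP step fills in the coordinates.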
Michael Morrison, chief executive officer at CoreView
"It may not have been obvious when COVID-19 first began to wreak havoc around the world, but our technology and processes have prepared us to weather this storm. It gives us the ability to be agile while working from all corners of the globe, the ability to easily communicate and share information at a moment’s notice and also have ‘virtual’ coffee breaks mid-morning and ‘virtual’ beer breaks at the end of the day in Milan when the pressure escalates,” CoreView CEO Michael Morrison explained. “The beauty of Microsoft Teams and Outlook is that these collaboration, communication and productivity solutions allow us to support existing customers and secure new customers without always having to be face-to-face."