This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Companies determined to protect their employees and minimize the impact of COVID-19 are enforcing travel restrictions and strong work-from-home policies. However those actions can be used against employees as any firms are likely unprepared for the criminal appetite for the cyberattack exploitation of a remote workforce. Here are some of the key issues of which law firms and companies need to be aware and steps that should be considered to minimize the risk to keep everyone — and client data — safe.
What you don’t know can hurt you
When we are unaware of a risk or threat, and without knowledge of the threat, we generally don’t take any precautions.
Criminals are willing to kick you while you’re down and we are witnessing evidence of this now. For example, a Coronavirus-themed email is targeting healthcare workers. The email sent from their IT teams with the subject “ALL STAFF: CORONAVIRUS AWARENESS” informs employees that “the institution is currently organizing a seminar for all staff to talk about this deadly virus” and solicits employees to click on a link to register. In one case, a Czech hospital was shuttered after a Coronavirus-themed attack.
TechRadar reports fraudulent outbreak maps are being used to attract unwitting victims and then deliver malware through various well-test tactics. And ThreatPost is reporting two Coronavirus-themed campaigns that use PDF and Microsoft Word documents to deploy remote access tools (RAT), clipboard-copying, keystroke logging, desktop image capture, and a cornucopia of malware. CheckPoint security discovered another Coronavirus-themed campaign targeting Japan that delivers the reigning champion of credential harvesting Emotet.
This is nothing new. It’s a well-rehearsed playbook, exploiting the chaos and fear caused by major weather or other natural disasters. eSentire reported a similar attack back in 2012 and early 2013 during and after the chaos caused in New York by Hurricane Sandy. During the weeks around the debilitating storm, client traffic dropped by up to 30%, while malware and other malicious traffic increased by the same percent.
Using your own tools against you
As workforces take up social distancing to shelter at home, the risk of attacks against corporate remote access systems goes up. Criminals target employees to harvest their VPN credentials as a backstage pass to corporate assets.
VPN credentials grant legitimate access to remote administrative tools, like PowerShell and Microsoft Remote Desktop Protocol (RDP). These tools are the keys to the kingdom and a preferred vector of criminal exploits. At the microscopic level, the difference between legitimate admin activity and malicious behavior is obvious. But to the naked eye, it often goes unchecked and is only discovered once the cyber event matesticizes and the crippling symptoms emerge.
Steps to securely enable your teams to work effectively from home
There are specific controls and practices that firms should put in place to protect themselves during times of chaos and uncertainty:
Revisit your business continuity plans
Every company should have a business continuity plan (BCP) designed to minimize the impact of a prolonged power outage, major storm, pandemic or IT system failure. The point is to know where the emergency exits are located, and the gathering point outside the building before someone pulls the fire alarm. Your plan should include contingencies to provide uninterrupted service through a secured, remote workforce. Ask yourself if you can secure a distributed workforce to the same level you can within the confines of your firewall.
Keep your employees informed
The easiest way to minimize risk is to keep your employees informed of Coronavirus-related scams, phishing schemes and fraudulent websites. When it comes to best practices, your employees should be getting their information from you in a transparent fashion, and not social media sites like Facebook or other potential sources of misinformation or exploitation.
Firms should publish weekly updates that reinforce company policies, security protocols and clear lines of communication. Employees should also have a mechanism through which they can safely report suspicious activity, such as questionable emails.
Use protected and trusted internet connections
Firms should prohibit working from public places, such as coffee shops or on public transportation, where third-parties can view screens and printed documents. Laptops should always be deployed with privacy screens. Employees should only connect to trusted, password-protected internet connections, such as home wifi, and avoid public hotspots which can be spoofed.
Use a VPN to protect remote connections
This goes without saying. Data at rest (stored on a drive) should be encrypted. And all connections should be encrypted with a Virtual Private Network (VPN) service. This is table stakes in any cybersecurity protocol. In businesses with a hardy remote workforce, using a VPN is common practice. For more gregarious businesses with traditional office arrangements, using a VPN might not be as familiar. Ensure your workforce is trained and understands how to use the VPN properly.
Enforce multi-factor authentication
While a VPN provides a layer of security, credential harvesting is an easy way for criminals to travel your safe corridors alongside legitimate employees. Using multi-factor authentication (MFA) can reduce the risk of compromised VPN connections. MFA requires a second source of user validation (such as entering a key texted to a secure phone, a pre-generated token or other mechanism) tied to a certificate-based system. It doesn’t eliminate the risk, but it certainly reduces it.
Disable administrative privileges
Criminals access remote access tools using a legitimate VPN account to create new accounts with administrative rights. These avatars can then move freely through your network, access network infrastructure, deploy script and collectors on services and even disable security mechanisms.
Most employees do not require administrative rights. What’s worse, it’s often senior management or rainmakers who are granted full rights and privileges — and they are the ones with access to the most valuable information. It’s counterintuitive from a security perspective. So disable them. Or at least consider suspending administrative access.
For IT managers and team members who require administrative rights, consider two controls. The first, never use first.last name nomenclature for accounts with administrative powers. These types of usernames are easy to engineer from public information like LinkedIn. So, an IT employee will have multiple accounts. Perhaps the first.last account for normal employee activities and communications, but another more complex account for administrative IT activity.
The second, more advanced, control is Privileged Access Management (PAM), which provides limited and expiring access to specific systems. In this way, an IT employee is granted administrative rights to a critical system for a specific (documented) purpose that must be completed within a fixed period of time. This means, a senior employee validates and authorizes the work in a logged system. This makes hijacking remote access extremely difficult from criminals.
Protect your endpoints
Many firms rely on faulty security architecture when it comes to remote workers. Most firms are well protected within the confines of their office spaces, but their mobile endpoints, like laptops and smartphones are only protected when inside the firewall. Remember, many attacks use zero-day malware (undetectable) or non-malware-based attacks (like VPN hijacking) that evade traditional antivirus systems.
For this reason, many firms deploy endpoint protection platforms (EPP) and endpoint detection and response (EDR). These systems provide additional layers of detection capability, local forensics to determine impact, and even limitation mechanisms through device isolation. In essence, EPP and EDR extends your protective cloak from the core network to the mobile devices, and offers mechanisms to respond to a threat while the device remains quarantined.
Manage BYOD devices
If you allow personal devices, consider limiting access to critical systems from these devices, or deploying enterprise device management (EMM) or mobile device management (MDM) tools that provide layers of control to minimize access from personal devices, and enforce security controls on the devices themselves. And, employee devices to be running the latest manufacturer software updates prior to permitting access to any remote systems. It’s good hygiene.
Consider running a COVID-19 exercise
The biggest challenges IT leaders face is getting the C-suite and managing partners to understand the risks and challenges raised by cyber threats leveraging the confusion and fear around the Coronavirus outbreak. One of the best ways to gain aligned mindshare is to run a tabletop simulation. The point is to face the worst-case scenarios in a safe environment, and build consensus around proactive and ethical response. For example, run an exercise in which a key employee tests positive for COVID-19, after meeting with their team and clients in face to face meetings. Consider quarantine, exposure risks, and the specifics of communication with employees and customers.
Digital transformation is dominated by nebulous perimeters, distributed workforces, global connections, artificial intelligence-driven decision-making and critical systems moving to the public cloud, and these changes are only going to increase in speed and complexity. The Coronavirus serves as a warning of a much larger issue.
As we enable a distributed workforce, we must weigh the risks against the rewards. We must remember that criminal elements are willing to exploit the chaos of a global event, or even the confusion around the deployment of new technology.
Like all disasters and major global events, Coronavirus will pass. Let’s use this event as a call to arms and ensure we are prepared for a world of distributed workforces, always-connected systems and critical assets stored outside the confines of our traditional security walls.
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark’s role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves on our Board of Editors and as a member of the LegalSec Council with the International Legal Technology Association (ILTA). Look for Mark’s new book, “No Safe Harbour: The Inside Truth About Cybercrime, and How to Protect Your Business,” coming this Fall. He can be reached at [email protected].