The 2019 Novel Coronavirus pandemic has caused major disruption for many businesses, and while it is far from business as usual for many firms, work has been continuing by letting employees work from home but doing so opens a business up to new cybersecurity risks, some of the most important of which we have covered in our COVID-19 cybersecurity checklist.
Under normal circumstances, the risks from allowing workers to spend some of their working week at home can be effectively managed, but having virtually the entire workforce working remotely creates many cybersecurity challenges. Further, threat actors are exploiting the pandemic and are actively targeting remote workers.
COVID-19 Cybersecurity Checklist
To help you address the risks of remote working we have produced a quick reference COVID-19 cybersecurity checklist covering some of the most important aspects of cybersecurity that should be addressed, in light of the recent rise in cyberattacks on remote workers.
All remote employees should be using VPNs to access corporate systems, but VPNs can also introduce vulnerabilities. There has been an increase in attacks exploiting unpatched vulnerabilities in VPNs during the pandemic and scans are being performed to find vulnerable VPNs.
VPNs clients must be kept up to date and patches should be applied promptly. There have been several attacks reported recently that have exploited the Pulse Secure vulnerability CVE-2019-11510 to deliver ransomware, even though a patch was released to correct the flaw in April last year. Vulnerabilities in other VPNS have also been targeted.
You should also consider disabling split tunneling for VPN profiles to prevent employees from accessing the internet directly while they are connected to corporate information systems or should ensure all internet traffic is routed through the VPN. You should enable multi-factor authentication for VPNs and create a separate VPN zone in your firewall and apply security policies to protect incoming and outgoing traffic.
Remote Desktop Protocol
Many businesses rely on Remote Desktop Protocol (RDP) to allow their employees to connect remotely, but If you do not use RDP, you should disable port 3389. There has been a growing number of brute force attacks on RDP. A recent Kaspersky report showed brute force attacks on RDP increased. There was a major increase between January and February, with global attacks rising to 93,102,836. In April, attacks had increased to a staggering 326,896,999.
If you use RDP, make sure strong passwords are set, enable multi-factor authentication, and ensure connections are only possible through your VPN – Do not allow RDP connections from outside.
Communication and Collaboration Platforms
You will need to use some form of communication and collaboration platform, such as a videoconferencing solution, to allow workers to easily get in touch with colleagues. There are many choices available, but the security capabilities of each can vary considerably. Some solutions that were considered to be secure, such as Zoom, have been shown to have vulnerabilities, some of which have been exploited in attacks. The U.S. National Security Agency (NSA) has recently issued a useful checklist for selecting appropriate communication tools along with information on how they can be used securely.
With everyone at home, burglaries may be down, and lockdown have reduced the risk of loss and theft of mobile devices, but encryption is still important. All corporate owned mobile computing devices should have encryption enabled, which is straightforward for Windows devices by enabling BitLocker. You should also encrypt web applications and FTP to ensure any data that is uploaded or downloaded is encrypted.
Ensure Firewalls are Enabled
Your employees will be beyond the protection of the corporate firewall so they should have local firewalls enabled. The easiest and most cost-effective way of applying a local firewall is to use the Windows Defender firewall, which can be configured through your MDM solution or Group Policy.
The volume of phishing emails may not have increased by a very large degree during the COVID-19 lockdown, but there have been a large number of phishing related data breaches. Phishers have changed their campaigns and are now extensively using COVID-19 themed campaigns, which are proving to be very effective. People crave information about COVID-19 and are responding to COVID-19 themed phishing emails in large numbers. Many of the emails we have seen have been highly convincing, spoofing authorities such as WHO and the CDC.
You should consider adding an additional layer to your email defenses if you are only using Microsoft’s Exchange Online Protection (EOP). Many phishing emails are bypassing Microsoft’s defenses and are being delivered to inboxes. SpamTitan can be layered on top of Office 365 protections and will greatly improve the detection of phishing emails and zero-day malware and ransomware threats.
Multi-factor authentication for email accounts should be set up. In the event that email credentials are compromised, multi-factor authentication should prevent those credentials from being used to access accounts.
You should also set up a system that allows employees to report any suspicious emails they receive to the security team, to allow action to be taken to remove all similar messages from the email system and to tweak email security controls to block the threats.
With email security improved, you should also take steps to block web-based attacks. Malicious websites can be accessed by employees through general web browsing, redirects via malvertising, malicious links on social media networks, and links in phishing emails. A DNS filtering solution such as WebTitan Cloud prevents employees from visiting known malicious websites and will block drive-by malware downloads. WebTitan Cloud will protect employees whether they are on or off the network. If you don’t have web filtering capabilities for remote workers, ensure that internet access is only possible through your VPN to ensure bad packets are filtered out.
Cybersecurity Alerts and Log Checking
You should have systems in place that generate cybersecurity alerts automatically and you should enable security logs and regularly check them for signs of compromise. Monitor the use of PowerShell and red team tools such as Mimikatz and Cobalt Strike. These tools are often used by manual ransomware attackers to move laterally once access to networks is gained.