Coronavirus today and cybersecurity tomorrow
Blog Article Published: 04/08/2020
By Jim Reavis, Co-Founder and CEO, CSA
The Black Swan event that is Coronavirus is a challenge for our times that we must win. Some may say that this pandemic should not be called a Black Swan event because we had the warning signs. However, the Internet is a great archive and you cannot find a hint of the wholesale segmentation of humanity and the rapid shutdown of our global economy just a few weeks ago. How much the world has changed in 28 days. From a cloud and cybersecurity perspective, organizations are being challenged by a barrage of new cyberattacks and malware, while completely shifting significant portions of their compute infrastructure.
In the realm of Cloud Security Alliance, we are monitoring events, collaborating with members, communicating with researchers and chapters to start understanding and building a database of lessons learned, what is working well and what the challenges are ahead. At a high level, we are seeing a variety of security, capacity and design issues in the rush to work from home, we are facing an onslaught of COVID-19 phishing and other malware attacks and cybersecurity professionals have a more complicated work environment to solve problems. Your company may be locked into its initial Work From Home (WFH) plan, but the following are a collection of observations that may cause you to adjust some short term plans and also give you some pause to think about where this is taking us.
Malicious Attackers love a crisis. There is no honor among thieves. In the initial days of the global COVID-19, there were claims by some purported hacker groups that they would not attack the healthcare infrastructure. That lasted about a minute as the World Health Organization and hospitals have been under constant attack. The worse the crisis gets, the more active the hackers will get.
Multi-factor authentication. Let's start with MFA. This needs to be deployed everywhere, with every WFH user having it. This will prevent virtually all account takeovers from being successful. However, this is not simply a matter of home user deployment. You need to make sure that host systems, be they VPNs, cloud services or on premise servers support the authentication scheme and that legacy protocols that do not support MFA are disabled. Having Single Sign-On (SSO) on top of MFA is even better.
Traditional VPNs are insufficient. Many VPN Gateways are getting overwhelmed and were not designed for the entire workforce to be using them. If you are backhauling Internet-bound traffic to the home office and then running traffic through your security gauntlets, you are probably both creating an unintentional denial of service to your on-premise data centers and slowing cloud access to a crawl. At a minimum, you need split-tunnel VPNs to allow users to only send on-premise bound traffic to the VPN Gateway, and send the rest directly to the Internet. You don't want cloud backups going over the corporate VPN. VPN logging is important to pay attention to now. There's likely to be a lot more VPN event activity and logs may be getting "rolled over." Even if not actively monitored, establish off-device "lookback" to support potential investigations. You should be performing VPN group reviews. With many new users on VPNs, take a look at your VPN groups and consider if they meet your security goals.
Jump Boxes. If you didn't have them before, now is a great time to consider deploying jump boxes for administrators to securely access remotely managed servers - this could be an on-prem VM or a cloud jump box (check cloud provider blueprints for these).
Smart Home threat vector. In the old days, a person's home-based work computer might literally be the only computer in a house. In today's smart home, the WFH system is coexisting with dozens and even hundreds of devices. Most of these devices are poorly maintained, unpatched and full of vulnerabilities. We have heard of corporate breaches instigated by compromised smart TVs and you can be sure that there will be a second wave of WFH users attacked by their home devices, controlled by malicious attackers. Ideally, all devices would be patched and hardened. However, if we can start with making sure that the Cable Modem/Internet Gateway/WiFi Router is patched, hardened, admin is inaccessible from the Internet, all defaults are changed and a separate network is maintained for the work devices, that would be ideal. A separate network and hardened work devices also helps mitigate the risks from the curious and bored kids you may have at home.
Security Awareness. Is your corporate security awareness program up to date with this rapid shift? Make sure there are no gaps and we provide employees with appropriate guidance, such as some of the "Smart Home" issues listed previously.
COVID-19 information centers. A user in this environment is liable to click on any provocative COVID-19 message, which is a hacker's dream. Organizations can mitigate this with good awareness training and by pointing users to their own comprehensive COVID-19 information centers, that include both company-specific and general information.
State-of-the-Art Cloud Security. As I said before, VPNs are not up to the task of protecting and enabling WFH users on their own. There is a group of solutions with different category names, but they are Security as a Service solutions that provide users with granular access to cloud applications, threat protection and rigorous policy enforcement. Connecting users only to authorized applications is far better than providing a VPN with access to any service within the network's visibility. CSA's Software Defined Perimeter and Zero Trust, originally defined by Forrester Research, are two of the most important and complementary architectural frameworks embodying this principle. Identity becomes the perimeter and it is straight forward to implement least privilege protections. You will find the Cloud Access Security Broker (CASB) and Secure Web Gateway product categories have greatly matured over the years, to the point that they provide their own fast and secure global Internets that provide this type of capability. Being delivered as a service, these solutions can be provisioned immediately and allow an organization to develop agile and secure WFH deployment plans.
Staggered times of usage. You may have noticed network latency and even unavailable services when a large number of users access services simultaneously. We have even heard of politicians suggest NetFlix should throttle content delivery to maintain room for emergency services. One lesson learned is that meetings tend to start at the top of the hour and you can improve the performance of cloud conferencing by starting at 15 minutes past the hour. No doubt there are several more simple tricks like that.
Lock down locations. You may find that this is a rare point in time where you actually have a fairly good understanding of where your employees are. This could be an interesting opportunity to use filtering and access control capabilities within several security solutions to block traffic coming from many different problem locations to your applications. This may come with several caveats, but you should take the opportunity to identify previously hidden attackers.
The downside of forced agility. There is concern that in the rush to enable pervasive WFH, we may institutionalize degraded security if we are not careful. Perhaps we had to punch holes in firewalls thoughtlessly. Or, we may have lowered our BYOD security policy standards to enable users to get to work with what they have. It is important that we have documented and categorized changes that deviated from our security standards and work to remediate them as we go and/or roll them back when normalcy returns.
Where are the systemic issues? By and large, it appears that cloud has fared pretty well so far, although there have been some resource exhaustion issues and network performance has been an adjacent problem. Although pandemics may ultimately be more of an exception than a rule, we can think of many other disasters that can similarly strain existing IT architectures, at least on a regional basis. Compute, applications and data need to be resilient. Workloads need to move seamlessly. Organizations may not be 100% cloud in the future, but they will likely need a cloud-based architecture with a common orchestration, management and security framework.
Maintaining your cybersecurity workforce. One of my biggest concerns is how our profession is handling this stressful time. In addition to being worried about their own health and the health of their family, they may find the job is made more difficult by the inability to collaborate and the hours are surely long in a crisis. Add on to that the risk of being laid off, and we have a volatile combination. The denizens of the Dark Web are counting on a weakened cybersecurity workforce and we must be vigilant about taking care of our people, keeping them motivated and protecting their jobs.