Practically every organization (that’s not wholly shut down) has been forced by COVID-19 into a rapid “digital transformation mode” by working from home, and to one degree or another they’re managing to keep operating.
Many of these organizations didn’t have formal business continuity plans to deal with this sudden change. Even those who had formal, well thought-out and executed plans had not been prepared for the logistics of suddenly having their entire workforce working remotely, simultaneously, and for an extended period of time. This means there’s a significant portion of their workforce suddenly trying to work from home, making do with substandard facilities (e.g. computers, internet capability, remote access software, information security measures, separate office space, information disposal facilities, etc.).
Many organizations either had insufficient licenses for their remote access and/or endpoint security software or are quickly trying to spin up something inexpensive and/or easy to use. These organizations are likely less prepared to defend against attacks, and indeed this makes it easier for attackers.
The COVID-19 “forcing function” that necessitated work-from-home has widened the aperture for attackers who suddenly have a richer field of attack to millions of poorly secured, widely dispersed endpoints. Attackers continued to deploy their arsenal to gain access to systems for their own purposes (generally, financial gain), whether it be through business email compromise, ransomware, banking information or other fraud. Data from our Security Operation Centers (SOCs) showed there was no decrease in attacks through phishing, malicious document attachments, watering holes and social engineering.
Despite this, organizations continue to operate (some more effectively than others) in this new mode. On the near horizon, there are questions of when offices can re-open, and it’s important given our current footing to think about what that will look like. What security issues are your end-users bringing back to the office (B2TO), and how can you prepare?
I’d suggest several bullet points, which require a blend of process, procedure and technical measures:
1) Perform a manual anti-virus check. Ensure that the process is running properly and the signature file is up-to-date. It should be a red flag if either of these is not the case; often attackers disable either the application or the signature update capability once they gain access.
2) Ensure that all patching is up-to-date. Patching has historically been a painful process, and within a work-from-home context it is not made any easier. Microsoft generally releases a large patch bundle on “Patch Tuesday.” It’s important that all patches released are well-tested and implemented as part of a B2TO process.
3) Audit local applications. What new applications were installed on corporate hardware while working from home? Ensure that only corporate-authorized software is installed.
4) Audit user additions. Have unauthorized users (family, friends, attackers) created accounts on the hardware?
5) Schedule and perform a vulnerability scan. A broad vulnerability scan can help to highlight gaps in security posture exacerbated by long-term remote connectivity.
6) Ensure that your endpoint software is up-to-date. While working remotely, capable corporate-grade endpoint security software is your final bulwark against attackers. Confirm that it’s operating effectively.
7) Watch for unmanaged devices. Have new (unauthorized) devices been added, which might give attackers access or leak personal data? This could include fitness trackers or other plug-and-play devices.
8) Watch for “Shadow IT.” While people have been working remotely, it’s possible that they’ve taken advantage of personal-grade third party service offerings instead of corporate-grade services. This could include VPN capabilities, remote backup and other cloud offerings that might contravene your contracts, or compliance measures.
9) Finally, keep an eye out for unusual behavior. Unusual spikes in network or CPU usage, or unauthorized remote access, may be an indicator that there are unwanted entities in your environment.
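The checks above are mostly manual, but several of them can be scripted so that every returning Windows laptop gets the same triage. The following PowerShell script is an added example and is not code from the original post; it covers items 1, 2, 3, 4 and 7 on a Microsoft Defender-protected endpoint, is read-only, and prints findings for a human to review. The baseline file path `C:\B2TO\baseline.json` (with `Users` and `Apps` name lists exported before work-from-home began) and the age thresholds are assumptions for this example.

```powershell
# Added example (not from the original post): read-only B2TO triage for a Windows
# endpoint returning from long-term remote work. Run elevated; it changes nothing.
# Assumptions (hypothetical): Microsoft Defender is the AV, and a pre-WFH baseline
# exists at $BaselinePath as JSON with 'Users' and 'Apps' arrays of names.

$ErrorActionPreference = 'Stop'
$BaselinePath        = 'C:\B2TO\baseline.json'   # hypothetical path
$MaxSignatureAgeDays = 3
$MaxPatchAgeDays     = 45                        # roughly one missed Patch Tuesday

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Severity, [string]$Message) {
    $findings.Add("[$Severity] $Message")
}

# 1) Anti-virus: engine running, real-time protection on, signatures fresh.
#    Attackers commonly disable one of these, so each is a red flag on its own.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { Add-Finding 'HIGH' 'Defender antivirus engine is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'HIGH' 'Real-time protection is disabled' }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Add-Finding 'HIGH' ("Signatures are {0} days old (last updated {1})" -f $mp.AntivirusSignatureAge, $mp.AntivirusSignatureLastUpdated)
}

# 2) Patching: how long since the most recent hotfix was installed?
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    Add-Finding 'MEDIUM' 'No hotfix installation dates recorded'
} elseif (((Get-Date) - $lastPatch.InstalledOn) -gt (New-TimeSpan -Days $MaxPatchAgeDays)) {
    Add-Finding 'MEDIUM' ("Last hotfix {0} installed {1:yyyy-MM-dd}" -f $lastPatch.HotFixID, $lastPatch.InstalledOn)
}

# Drift checks need the pre-WFH baseline; without it we can only report that fact.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json

    # 3) Local applications: anything in the Uninstall keys that is not in the baseline
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Select-Object -ExpandProperty DisplayName -Unique
    foreach ($app in $installed) {
        if ($baseline.Apps -notcontains $app) { Add-Finding 'LOW' "Application not in baseline: $app" }
    }

    # 4) Local users: accounts that did not exist before work-from-home
    foreach ($u in Get-LocalUser) {
        if ($baseline.Users -notcontains $u.Name) {
            Add-Finding 'HIGH' ("Local account not in baseline: {0} (enabled={1}, last logon={2})" -f $u.Name, $u.Enabled, $u.LastLogon)
        }
    }
} else {
    Add-Finding 'INFO' "No baseline at $BaselinePath; application and user drift not checked"
}

# 7) Unmanaged devices: currently-present devices in classes an office policy
#    would want to see listed (WPD covers phones, cameras and similar portable devices).
$watchClasses = @('Bluetooth', 'Net', 'USBDevice', 'WPD')
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Class -in $watchClasses } |
    ForEach-Object { Add-Finding 'INFO' ("Present device: {0} / {1}" -f $_.Class, $_.FriendlyName) }

# Report: one line per finding, for the B2TO reviewer or a ticketing system
if ($findings.Count -eq 0) { Write-Output 'No findings' } else { $findings | Write-Output }
```

Items 5, 6 and 8 are left to the tools that own them (the vulnerability scanner, the endpoint security console, and proxy or CASB logs for shadow IT), since a local script cannot judge them reliably. The baseline approach is the important design choice: without a record of what the machine looked like before it left the office, "new" applications, accounts and devices cannot be distinguished from ones that were always there.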
In short, what has changed since working from home (generally, a more permissive environment)?
As we prepare to move back to a more disconnected office environment, it is important that we seriously think about resilient processes and infrastructure. Consider that every part of the business that was previously tooled around physical proximity will need to be reviewed and updated (including authentication, authorization, on/off-boarding, and incident response planning), and think about what this should look like as people return. An unplanned and haphazard move back to the office may cause considerable pain, but there’s still time to prepare.