Cybersecurity for your suddenly remote workforce by Arctic Wolf
Remote worker challenges:
IT security policies, procedures and solutions for a remote workforce are lacking and are being identified/built "on the fly".
IT processes and resources will be impacted during the transition.
Resource limitations for existing infrastructure will be tested.
Hardware sourcing will become a challenge as demand surges.
Standard employee behavior is changing - workers are using home networks in ways they did not before.
COVID-19 Emerging Threats
Phishing and social engineering campaigns centered around COVID-19. HR and IT departments are notorious for being spoofed and used as phishing lures. Phishing emails incite fear of outbreaks and of being fired for not complying with social distancing. Also being sent: impersonations of official government agencies, solicitations of bitcoin donations to help create a vaccine, and offers of DIY at-home coronavirus testing kits that capture credit card information. Recommendations: 1) Increase user awareness training. 2) Put the word EXTERNAL on all emails coming from outside the company so they draw more attention from end users and make end users aware of scams.
The use of COVID-19 for malware distribution. 1) Mobile apps that claim to map COVID-19 cases are being used to encrypt data for ransom and to threaten to leak it. 2) Hackers are also using global shipping/supply chain fears as a lure, targeting industries like manufacturing, industrial and pharmaceutical. 3) Home routers are being targeted for DNS redirection. Recommendations: 1) Reinforce security training and implement an MDM solution. 2) Maintain or establish a good vulnerability management process, including patch management! 3) Make sure you have good endpoint protection, especially for the remote workforce that is not behind the firewall. 4) Enable secure DNS technologies on home routers.
Business attack surfaces are expanding. There has been a 170% increase in open ports since January 2020. Recommendations: 1) Vulnerability management and patch process. 2) Firewall review. 3) External posture assessment - which services are open and which are not.
Sophisticated attacks leveraging business email compromise are on the rise. Attackers leverage executives' titles to request aging reports from the finance team, use the aging reports to send collection notices to customers, and cite COVID-19 as the reason they are changing banks and the way they collect money, so the customer needs to update the payment information and then process the outstanding invoice. Recommendations: 1) Implement a policy for validation of fund transfers. 2) Add [EXTERNAL] to the subject line. 3) Add MFA to policies and procedures involving money transfers.
Increased personal account takeover and credential stuffing. SpyCloud has observed an increased number of credential stuffing schemes, including taking over meal-kit delivery services by modifying the shipping address back and forth. Recommendations: 1) Enable MFA. 2) Monitor for account takeover/breaches. 3) Establish 24x7 monitoring.
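As an added example of the account-takeover monitoring these recommendations call for (this is illustrative code written for these notes, not Arctic Wolf's or SpyCloud's tooling), the detector below runs over a constructed authentication log. The log layout, the IP addresses and the usernames are all made up for the example. The signature it keys on is one source IP failing logins against many different accounts in a short window, which is what distinguishes credential stuffing from a single user mistyping a password; a subsequent successful login from a flagged source is reported as a possible takeover.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a simple "timestamp source_ip username result"
# layout (not any real product's format). 198.51.100.7 walks through many
# accounts with one failure each, then succeeds on one; 203.0.113.5 is a single
# user mistyping their own password and should not be flagged.
SAMPLE_LOG = """\
2020-03-20T09:00:01Z 198.51.100.7 alice FAIL
2020-03-20T09:00:02Z 198.51.100.7 bob FAIL
2020-03-20T09:00:03Z 198.51.100.7 carol FAIL
2020-03-20T09:00:04Z 198.51.100.7 dave FAIL
2020-03-20T09:00:05Z 198.51.100.7 erin FAIL
2020-03-20T09:00:09Z 203.0.113.5 alice FAIL
2020-03-20T09:00:10Z 198.51.100.7 frank OK
2020-03-20T09:00:15Z 203.0.113.5 alice FAIL
2020-03-20T09:00:20Z 203.0.113.5 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_auth_log(lines):
    """Yield (timestamp, ip, user, succeeded) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP once it has failed logins for at least `min_users` distinct
    usernames inside a sliding `window`. Many accounts from one source is the
    stuffing signature; one account failing repeatedly is a different case and is
    left to lockout policy. A later success from a flagged IP is a possible takeover.
    Returns (flagged_ips -> sorted usernames tried, [(ip, user) possible takeovers])."""
    recent = defaultdict(list)   # ip -> [(ts, user), ...] failures still inside the window
    flagged = {}                 # ip -> sorted usernames attempted
    takeovers = []               # (ip, user) successful logins from a flagged ip
    for ts, ip, user, ok in parse_auth_log(lines):
        if ok:
            if ip in flagged:
                takeovers.append((ip, user))
            continue
        cutoff = ts - window
        recent[ip] = [(t, u) for t, u in recent[ip] if t >= cutoff] + [(ts, user)]
        users = {u for _, u in recent[ip]}
        if len(users) >= min_users:
            flagged[ip] = sorted(users)
    return flagged, takeovers


def analyze_sample():
    """Run the detector over the constructed log above."""
    return detect_credential_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    flagged, takeovers = analyze_sample()
    print("stuffing sources:", flagged)
    print("possible takeovers:", takeovers)
```

The thresholds (5 distinct users in 5 minutes) are illustrative; in production they are tuned per service, and the flagged IPs feed the 24x7 monitoring and the MFA enforcement the notes recommend rather than an automatic block, since shared NAT addresses can trip the same rule.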
Industry Recommendations for Securing Remote Workers
Communicate to employees of impending scams related to the pandemic
Reinforce security training (don't click!)
Leverage a VPN to access company resources - don't just enable RDP
Maintain/establish a vulnerability management process (patch!)
Enable MFA on all authentication wherever possible - start with admin accounts
Have a strong backup/DR policy
Establish 24x7 Monitoring of infrastructure and cloud services
Monitor for account takeover/credential data breaches
Implement advanced threat detection and response capabilities
Keep IT healthy and well-staffed
Arctic Wolf Security Recommendations
Add [EXTERNAL] to all inbound email subject lines
Don't click links, hover and validate location
Establish procedure for when/how financial transactions are approved. Email can't be the final say.
Enable Sender Policy Framework (SPF)
Validate endpoint prevention tools are installed and updated
Validate vulnerable software is patched/updated
Company data should not be stored on private computers
Sharing corporate computers with family members should not be allowed
Company data should only be shared on sanctioned cloud applications
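The following is an added example, written for these notes rather than taken from Arctic Wolf, that combines two of the recommendations in this list, which are also the second recommendation in the phishing and business email compromise paragraphs above: tagging inbound mail from outside the company as [EXTERNAL], and checking SPF. INTERNAL_DOMAINS, the SPF record, the sample messages and the function names are all constructed for the example. evaluate_spf is a deliberately simplified evaluator that handles only ip4, ip6 and all mechanisms with their qualifiers; include, a, mx and redirect need DNS lookups and are reported as an error here rather than resolved. The point the combination makes is that the tag cannot rely on the From: header alone, because a BEC message may carry an internal-looking From: address, so a message that claims to be from one of our domains is tagged unless SPF passes for the connecting IP.

```python
import email
import ipaddress
from email import policy
from email.utils import parseaddr

# Domains the organisation itself sends from (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
TAG = "[EXTERNAL]"

# Constructed SPF record as the TXT record for example.com would read: only
# 203.0.113.0/24 may send as @example.com, everything else hard-fails.
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Simplified SPF evaluation of a TXT record against the connecting IP.
    Handles ip4:, ip6: and all with +/-/~/? qualifiers only; include:, a, mx
    and redirect= need DNS and are reported as 'permerror' by this toy version."""
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"          # mechanism this simplified evaluator does not resolve
    return "neutral"                # no 'all' term: default result


def from_domain(msg):
    """Domain of the actual From: address, ignoring the display name."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def should_tag(msg, sender_ip):
    """External if From: is not one of our domains, or claims to be one of our
    domains but the connecting IP does not pass SPF for it (likely spoofed)."""
    domain = from_domain(msg)
    if domain not in INTERNAL_DOMAINS:
        return True
    return evaluate_spf(SPF_RECORDS.get(domain), sender_ip) != "pass"


def tag_inbound(raw, sender_ip):
    """Return the message bytes with TAG prepended to Subject when external.
    Idempotent: an already tagged message (e.g. relayed twice) is left alone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    if not should_tag(msg, sender_ip) or subject.upper().startswith(TAG):
        return raw
    del msg["Subject"]
    msg["Subject"] = f"{TAG} {subject}".strip()
    return msg.as_bytes()


def subject_of(raw):
    return str(email.message_from_bytes(raw, policy=policy.default).get("Subject", ""))


# Constructed messages. The second one has an internal From: address but arrives
# from an IP outside the SPF range, the shape of a spoofed BEC message.
PHISH = (b"From: \"IT Helpdesk\" <helpdesk@it-support-portal.test>\n"
         b"To: alice@example.com\nSubject: Action required: remote access update\n\nbody\n")
SPOOFED = (b"From: \"CFO\" <cfo@example.com>\nTo: finance@example.com\n"
           b"Subject: Updated banking details for invoice payment\n\nbody\n")
INTERNAL = b"From: bob@example.com\nTo: alice@example.com\nSubject: Team lunch\n\nbody\n"

if __name__ == "__main__":
    print(subject_of(tag_inbound(PHISH, "198.51.100.20")))
    print(subject_of(tag_inbound(SPOOFED, "198.51.100.20")))
    print(subject_of(tag_inbound(INTERNAL, "203.0.113.5")))
```

In a real deployment this logic lives in the mail gateway's rule engine and the SPF result comes from a full checker with DNS access; the tag is a user-facing cue that complements, rather than replaces, the out-of-band validation of fund transfers recommended above.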
Increased Attack Surface
Firewall review - external posture / attack surface before and after, recent changes (get into change control/tracking), backup
Active Directory Review - Review privileged group memberships and validate appropriate audit configuration settings.
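As an added example (not from the Arctic Wolf presentation) of the before/after firewall review above and the external posture assessment recommended in the attack-surface paragraph, the script below diffs two open-port inventories of the perimeter and calls out newly exposed services that should not face the internet directly, RDP being the one the notes single out. The host names, port sets and the high-risk port list are constructed for the example; in practice the two snapshots come from external scans taken before and after the changes made for remote work.

```python
# Open-port inventories as an external scan of the perimeter would report them:
# host -> set of open TCP ports. Both snapshots are constructed for this example.
BEFORE = {
    "vpn.example.com": {443},
    "mail.example.com": {25, 443},
}
AFTER = {
    "vpn.example.com": {443, 3389},     # RDP opened "temporarily" for remote admins
    "mail.example.com": {25, 443},
    "fs.example.com": {445, 3389},      # file server newly reachable from outside
}

# Services that should not be exposed directly to the internet for remote
# access (illustrative list, not exhaustive).
HIGH_RISK_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
                   3306: "MySQL", 3389: "RDP", 5900: "VNC"}


def exposure_diff(before, after):
    """Return (newly_open, newly_closed) as sorted lists of (host, port).
    Hosts present in only one snapshot are handled as having no open ports in the other."""
    newly_open, newly_closed = [], []
    for host in sorted(set(before) | set(after)):
        was, now = before.get(host, set()), after.get(host, set())
        newly_open += [(host, p) for p in sorted(now - was)]
        newly_closed += [(host, p) for p in sorted(was - now)]
    return newly_open, newly_closed


def risky_exposures(newly_open):
    """Newly opened (host, port) pairs that are on the high-risk list, with a service label."""
    return [(h, p, HIGH_RISK_PORTS[p]) for h, p in newly_open if p in HIGH_RISK_PORTS]


def open_port_growth(before, after):
    """Percentage change in the total number of open ports across the perimeter."""
    n_before = sum(len(p) for p in before.values())
    n_after = sum(len(p) for p in after.values())
    return 100.0 * (n_after - n_before) / n_before if n_before else float("inf")


def posture_report(before=BEFORE, after=AFTER):
    """Everything the review needs in one structure: what opened, what closed,
    which of the openings are high risk, and how much the surface grew."""
    newly_open, newly_closed = exposure_diff(before, after)
    return {
        "newly_open": newly_open,
        "newly_closed": newly_closed,
        "risky": risky_exposures(newly_open),
        "growth_pct": open_port_growth(before, after),
    }


if __name__ == "__main__":
    for key, value in posture_report().items():
        print(f"{key}: {value}")
```

Each entry in the "risky" list is a candidate for the ticketed change-control record recommended under the infrastructure audit, with the VPN path noted as the intended replacement for any directly exposed RDP.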
General Infrastructure Audit
Ticket/document ALL changes during this time. When life returns to normal you won't remember what needs to be changed back to the way it was.
Track all license increases so that when things return to normal, renewals don't happen automatically.
Enable secure DNS on your router and add a guest wireless network that is segregated from your home network for your corporate devices.
Leverage a password manager for accounts - LastPass, Dashlane
Disposable Email Addresses
Use disposable email addresses for new accounts that forward to your work email account.