Image source: https://hilo.hawaii.edu/chancellor/stories/wp-content/uploads/2020/03/COVID-19-virus-880x540.jpg
The novel coronavirus (COVID-19) has profoundly changed the way all Americans and most of the world’s population interacts with each other for the foreseeable future. Unlike other pandemics in the past, our modern channels of communication have brought an onslaught of non-stop information, and often misinformation, that has caused mass panic. In order to “flatten the curve” to save our most vulnerable members of society and to prevent the collapse of our healthcare system, public and private organizations are being asked and instructed to change their hours of operation, the way they do business, and/or shut down entirely in order to practice social distancing to slow down and decrease the devastating effects that COVID-19 could potentially have.
For many companies and organizations, this means rushing to create an infrastructure with processes and procedures to have employees work from home for the first time or to increase the number of employees who work remotely. Our team at Polito applauds all our colleagues in the IT and cybersecurity fields who have put in countless hours to make this necessity a reality in order for business, and our economy, to continue. Here are some top cybersecurity tips from our team to promote good cyber hygiene and industry best practices.
Cybersecurity Tips to Get Through the Coronavirus Pandemic
Secure Connection
Secure Endpoint (computer, tablet, smartphone, etc.)
Physical Security
Adjusting Work Habits
1. Secure Connection
Virtual Private Networks (VPN) have been around for quite some time and there are many options on the market today. However, it is important for any organization who uses VPN to determine the security settings appropriate for their needs, and regulation requirements by industry, as well as the security of the VPN provider themselves.
Image source: https://images.vogel.de/vogelonline/bdb/1312800/1312888/41.jpg
The primary benefit of VPN is that network traffic gets passed through a secure tunnel from the user to the organization and vice versa. Here are some tips to keep in mind with VPN:
If VPN service is configured incorrectly, it could cause all users’ network traffic to connect over VPN, slowing down connectivity.
If VPN is configured to segregate traffic so that users have access to internal apps/resources but are not routing all web traffic, there is potential that the endpoint could become compromised, and expose those internal resources with no real log of the compromise.
ALWAYS use VPN when working remotely. Many people assume their homes are secure. While nothing is likely to happen, it is common for dozens of devices to be connected to the internet, thanks to the increase in Internet of Things (IoT) devices (TVs, security systems, washers, dryers, printers, etc.). It’s possible that some of these other devices are not secure and can allow a hacker to move laterally to the company asset.
Due to the COVID-19 pandemic, many companies, government agencies, and organizations are instituting work from home VPN solutions in droves. We highly recommend that these be reviewed immediately by an independent cybersecurity company to make sure these systems are configured and deployed properly to avoid security vulnerabilities. There have been a number of issues with commercial VPN devices to date, including denial of service, credential stealing, and even remote code execution.
Examples of compromised popular VPN solutions:
Pulse Secure
Exploitable remote code execution vulnerability
Fortinet
Buffer overflow vulnerability
Path traversal vulnerability
https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability.html
Additionally, Multi-Factor Authentication (MFA) should also be enabled whenever available. MFA makes it more difficult for hackers to access company assets as they must typically also have access to a user’s smartphone or security device in addition to their username and password to login. This is the most typical MFA setup, but this could differ for your organization depending on your needs and software you use.
2. Secure Endpoint
Image source: https://s11986.pcdn.co/wp-content/uploads/2012/05/computer-security.jpg
The endpoint for most users who work from home will typically be a laptop computer. However, some organizations use tablets, smartphones, and other devices as well. It is imperative that the endpoint is secure as there is often sensitive data stored there and endpoints can have the ability to access sensitive data stored elsewhere by the organization. Securing endpoints goes beyond just installing antivirus. For organizations who already have a mature cybersecurity stack and a routinely tested and patched golden image, the process for them will be much smoother. Contact us if your organization needs a consultant to assist with this.
For other organizations, it can be a whirlwind to sift through the plethora of options available on the market today. The most important things to keep in mind when choosing what products to go with to secure endpoints are:
Ensure that endpoints connecting into your organization comply with a minimum set of security requirements. If your organization needs to comply with HIPAA, PCI DSS, or other forms of governance, regulation, and/or frameworks, make sure your endpoint security solutions complies with them.
Endpoints should have a decent antivirus and firewall solution. If your organization has the budget for it, a Malware Prevention solution, like AppGuard, and an Endpoint Detection and Response (EDR) solution, like Carbon Black or CrowdStrike, would be good to have as well.
Endpoints should be configured to log events (ideally to a controlled system, like Elastic, that the organization dedicates for logging).
Review with employees the company policies for ensuring that customer data is encrypted.
Mobile Device Management (MDM) policies should be enforced, if applicable.
Enforce Full Disk Encryption (FDE) whenever possible.
3. Physical Security
Image source: https://s11986.pcdn.co/wp-content/uploads/2012/05/computer-security.jpg
Securing one’s home and belongings is often thought of as only for personal security. However, if your organization or people within your organization deal with sensitive data or have to comply with certain regulations, it is imperative that physical security be taken into consideration.
Keep company assets in a locked drawer or similar when not in use.
If an employee lives with other people, make sure they understand that company assets are for company use only and that their family, friends, and others cannot have access to them.
Have employees set up their home offices in a part of their home that isn’t as prone to prying eyes whenever possible – avoid having screens face uncovered windows and doors.
Depending on regulations that may need to be followed for your industry, certain locks and procedures may need to be implemented.
Cabin fever can lead to lost or stolen devices. Make sure employees understand their responsibilities for securing company assets. If they leave their home and choose to work elsewhere, a privacy screen and laptop lock are recommended in addition to FDE and VPN.
4. Adjusting Work Habits
Image source: https://img.deusm.com/informationweek/2014/02/1113891/networkITworkhome300.jpeg
Working from home has many benefits but comes with many challenges as well. From a cybersecurity standpoint, here are our tips for optimal work performance and security:
Out of sight, out of mind – there are dozens of chores, household projects, and other things that can distract employees from their work. Having them set up their home offices in a part of their home that is away from these distractions will not only help them focus, it will also decrease the likelihood of them leaving their devices unlocked and unattended to.
Communication – many organizations will rely even more heavily on messaging platforms like Slack and Microsoft Teams as well as video conferencing and email. Proper etiquette and security practices should be developed and implemented, if they don’t exist already. This includes NOT sending passwords, unencrypted sensitive information, and more.
Be friendly – IT personnel often get a bad reputation for their temperament, especially when dealing with novice users. However, IT departments should WANT their users contacting them for their technical and security needs and questions. Educating users is the best way to decrease unnecessary requests and increasing security and social engineering awareness. Having a self-service password reset tool or hotline just for resetting passwords with cybersecurity industry best practices will also help.
Summary
As we all learn to deal with this new, temporary norm, we must not sacrifice our convictions for strong cybersecurity. Hackers are currently taking advantage of the overnight vulnerability of panic and impulse decision making that arose with the novel coronavirus. By being proactive and thoughtful in our decision making, organizations and individuals can and will rise above this challenge. Although it can seem daunting during a time of panic to procure, image, secure, and issue new devices, software, and procedures, because it is, know that the greater IT and cybersecurity community, including us at Polito, are here to help.
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
Phone: 571-969-7039
E-mail: info@politoinc.com
Website: politoinc.com