With the onset of the current COVID-19 pandemic, causing huge operational shifts for organisations, their IT operations will have to adapt in kind. Not only will organisations need to maintain their current legacy operations, they may need to leverage new tools to enable remote working. As a result, tools such as VPNs to access internal resources, or new cloud environments may be deployed to allow for operations to continue. Malicious actors, such as those focused on ransomeware or business email compromise may take any opportunity presented to them to cause negative impact. Given this, it is paramount that organisations take the time to ensure that they continue to maintain good cyber security hygiene while managing the wider risks associated to both employees and the wider business by COVID-19.
The following guidance looks at a number of core cyber security controls that should be maintained to help organisations weather the current storm.
Vulnerability Management
The first of these priorities should be to ensure that organisations continue to download and install software security updates upon release. A comprehensive patching policy, that includes operating systems and third-party software must be a cornerstone of an organisations security policy. Ensuring that potentially exploitable vulnerabilities within software are minimised and resolved as soon as possible can significantly reduce one of the primary attack vectors malicious actors will seek to target.
On some occasions, security patches may introduce bugs into the operation of that software. As a result, it is recommended that where the business has capacity, it should install these patches in a test environment to verify the stability of the software once the patches are installed, before issuing to the wider estate.
Data Backup
Another priority should be ensuring that all sensitive and important business data is adequately backed up. A robust backup mechanism, that stores current data for a short-term in one location, before appending to a longer-term, more comprehensive back up solution would ensure that multiple disaster recovery scenarios are prepared for. Especially in terms of dealing with ransomware attacks.
In the event of sudden data loss, the short term backups can be rolled out, reducing the need for operational downtime. Equally, in the event of a breach, the data can be rolled back from the longer term solution to a time before the breach occurred, removing the potential for loss of data integrity and providing a measure of non-repudiation.
Consideration should be given to ensuring that any new technology deployed (such as cloud based solutions) to enable the organisation deal with changes to working patterns are included within their backup requirements. A key question to ask, would be “Do any changes we have implemented altered where our sensitive data is held?”
Changes to the network perimeter
Due to the current government advisory of social isolation, the number of remote workers within organisations has skyrocketed. This places higher burdens on the existing remote access solutions such as VPNs to access internal resources, or forces organisations to deploy new solutions to allow access remotely. This can pose a number of risks, such as exposing services to the internet that may not have been appropriately configured. Another issue may relate to the use of outdated software if this solution has been in place for some time. Any new or existing software should be deployed to adhere to recommended good practices, such as those provided by the National Cyber Security Centre (NCSC) as part of their End User Device Security guide. https://www.ncsc.gov.uk/collection/end-user-device-security?curPage=/collection/end-user-device-security/eud-overview/vpns
Robust Password Policy
Another significant security control that must remain a focus is a robust password policy, with multi-factor authentication enforced where possible, especially where new services are being stood-up in short timescales. Modern password cracking ‘rigs’ designed to attempt to bruteforce password hashes, cloud computing resources that can be scaled up as needed to target user accounts in a number of ways or generic password guessing/brute-forcing attacks are all common attack vectors. Enforcing a strong password requirement, such as those laid out by NCSC (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach) or the National Institute of Standards and Technology (NIST).
An example of NCSC’s current advise on user password creation is to allow users to use three random words as a password. That should be easy for a user to remember, but difficult for an attacker to guess, while typically being of a sufficient length to make password cracking very difficult.
Enable MFA Everywhere
Multi-Factor Authentication (MFA) can further reduce the likelihood of a successful account compromise. Other solutions may be to use enterprise Single Sign-On (SSO) solutions that are designed to reduce the number of passwords a user must remember, while allowing for access to multiple applications and services. This can allow for a stronger password to be set without the confusion of multiple passwords to manage.
Phishing Awareness
With the increase in remote working, comes the decrease in the ability for the workforce to communicate face to face. As a result, the number of emails received is likely to increase. While email security is a fairly broad topic, with a number of security controls that can be implemented, it is often the human factor that leads to issues. Phishing attacks have become more and more sophisticated, with methods to evade technical controls constantly being discovered. As a result, training plans that aid all users with identification of potentially malicious emails, as well as the process to report them, is often a crucial piece of the puzzle. This training will need to be ongoing to ensure that emerging threats and trends are taught to staff to help them with this.
Conclusion
While organisational IT operations are forced to change and evolve due to the current challenges faced by society, the core security practices we have laid out should not be neglected and ignored. They are as crucial to an organisations ongoing security now as they were a year ago. Many organisations will already have these practices implemented, while a number will still need to adopt them. Whether just rolled out, or implemented and in use for several years, auditing and security testing is vital to verifying that the controls implemented do as intended, and identifying any gaps in the control.
David Stubley (CEO) and Matt Linney (Senior Security Consultant), 7 Elements