Last Updated on April 6, 2020
In response to the stream of calls that Pivot Point Security has been fielding from clients and others expressing their questions and concerns brought about by COVID-19, we recorded a special episode of the “The Virtual CISO Podcast”. Here Pivot Point CISO and Managing Partner, John Verry, offers key advice on the three main categories of cybersecurity challenges that businesses face due to the coronavirus outbreak:
- Work-from-home and remote workforce issues
- New and increased social engineering/phishing attacks
- Critical vendor and supply chain concerns
Organizations of all sizes across industries are impacted by these challenges, and John’s guidance will help alleviate some of the added information security risk from these changes. If you have concerns and are seeking best practices and/or workarounds, watching/listening this 20-minute podcast will be time well spent.
Let’s dive into the issues brought on by a remote workforce.
“Any sensitive data or authentication credentials sent as cleartext over unencrypted wi-fi can be “sniffed” and exfiltrated by hackers (pretty easily).”
Most organizations had some level of work-from-home capability in place when the pandemic hit. For example, one of our law firm clients gives its attorneys laptops on which they put digital certificates that uniquely identify the machines. These digital certificates, along with a two-factor authentication strategy, enable the firm to give its attorneys secure remote access.
But now what? Suddenly everyone in the firm has to work from home. The other staff have no company laptops and they’re not using the 2FA. There’s no time or budget to distribute more company laptops. How can a business in this position quickly enable secure access across the board without seriously eroding its security posture?
Home-based computers often need to be part of the equation. But these are explicitly outside the organization’s control and you wouldn’t want to put digital certificates on them. How can you know if someone’s personal laptop is properly secured? And if they’re using wi-fi, how can you know if it’s properly protected? Any sensitive data or authentication credentials sent as cleartext over unencrypted wi-fi can be “sniffed” and exfiltrated by hackers (pretty easily).
Here are a few possible options that might help in your unique situation:
- Our example law firm client has a Cisco firewall that supports network access control (NAC). This looks at a machine’s configuration prior to allowing it to connect to the network, which helps protect sensitive data.
- If your firewall doesn’t support NAC, how can you ensure that someone’s home machine is at least “reasonably” secure? Another of our clients is asking staff to download and run a free tool called Malware Bytes, which can diagnose “infestations” and reduce the chances of a compromised machine connecting to the network. It’s not ideal to ask non-technical people to run this software, but it’s better than nothing.
- Another approach is to reduce staff access to sensitive data. With secure remote access at the VPN level, or with tools like Citrix or Amazon Workspace, minimizing nonessential access to data is fairly easy to achieve. If you don’t have one of these solutions, implementing one down the road might be a good idea. But for now you might need to segregate data some other way; e.g., at the application level. At a law firm, for instance, hopefully you can provide access to a system that houses billing data without also opening up the door to client data.
- We have a podcast coming up about Internet of Things (IoT) security concerns. It’s important to remind staff that unsecured home cameras, baby monitors and so on can be used to eavesdrop on your home. A cybercriminal could be sitting in on every meeting you have. Two fascinating (and scary) websites that can help protect you and also clue you into the scope of this issue (it’s much more prevalent than you might think) are shodan.org and inseccam.org.
- Another problem many companies are having is maxxing out the capacity of their VPNs. We found a creative solution for a multinational pharmaceutical client. Their VPN could just about handle access for their US or their UK staff, but not both at once. So with a six-hour time difference there was a problematic two-hour overlap window. We suggested moving the US work timeframe “back” an hour and the UK timeframe “forward” an hour to mitigate the overlap with no other changes.
For many companies there will be compromises and a need to accept additional risk to address these issues, especially where timeframes are tight. The goal is to balance the need to maximize efficiency and productivity while minimizing impacts on security.
Good luck and stay safe and well out there!
Link to The Virtual CISO Podcast Episode: Staying Secure in a COVID-19 World