March 24, 2020

Can we all agree that this is a strange, confusing, and stressful time to be living through? 

That none of us really know what’s going to happen, or what the future holds? 

While restaurants, airlines, cruise ships, and countless other businesses are struggling, there’s one group of people that don’t seem to be slowing down at all, and that’s cybercriminals. 

They’re exploiting this crisis and taking full advantage of people’s fear and panic, often causing untold damage in the process. 

We at Pivot Point have received countless calls from customers with questions about the changes that this pandemic has brought on. How do they stay safe? What should they be focused on? How do they keep their companies safe during these trying times? 

While he’s usually the host of the show, on this episode John Verry, the CISO and Managing Partner here at Pivot Point Security, sat down to discuss a few of the biggest challenges he sees as companies try to stay safe in this current landscape. 


He talked through: 

  • Why all the people working from home could present a challenge
  • How to safeguard against increased social engineering and phishing attacks
  • What to do if vendors start closing up shop


To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective, you may find some small discrepancies between the written content and the native audio file.

Announcer (00:06):

You’re listening to the Virtual CISO podcast, a frank discussion, providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there, and welcome to another episode of the Virtual CISO podcast. I’m your host, John Verry, and with me as always, Jeremy Sporn. Hey, Jeremy.

Jeremy Sporn (00:34):

Hey, John. Hello everyone.

John Verry (00:36):

So for anyone that’s listened to previous episodes, you know we have a tendency to keep things lighthearted and fun. We typically bring on a guest to interview about a particular topic. In light of the recent coronavirus outbreak, we’re changing things up a bit for this episode. It will likely feel more serious than normal. This is based on the questions that people have been asking us recently with regards to information security in the new COVID-19 world. So, Jeremy and I want to give people an idea of what today’s episode’s probably going to look like.

Jeremy Sporn (01:11):

Absolutely. So we have received countless calls from clients, prospective clients, just companies over the last week or so with excellent questions regarding their concerns and challenges caused by the organizational changes the coronavirus has brought on. Because of that, today’s show will feature our very own John Verry as our subject matter expert, as dangerous as that may sound. We’re going to go down that road. John will tackle concerns in what we see are basically the three main categories of challenges that things are falling into. This would be remote workforce, people mostly working from home, increased social engineering attacks and how to handle critical vendors and supply-chain. We’ll finish up with some lessons learned so far, because we all know data breeds more information and we’re getting a lot of it every day. You ready to do this, John?

John Verry (02:03):

As ready as I’m going to be.

Jeremy Sporn (02:05):

All right. So let’s start at the top. What are you hearing that is concerning people about the working from home situation and especially the transition from in office to working from home?

John Verry (02:17):

So most organizations at some level have some work from home capacity already. So as an example, one of our clients has a law firm and many of the attorneys will have laptops and the way that they secure things is they put digital certificates on these laptops, which uniquely identifies that laptop as belonging to that organization, which allows that firm to then allow remote dial in access or remote … not dial in these days. Sorry about that. I’m showing my age.

Jeremy Sporn (02:49):

Yeah, you are.

John Verry (02:49):

If I could make a modem sound, I would, but it allows them to provide secure remote access to these individuals, and they use two-factor authentication. So now the question becomes in light of the fact that they’re moving to a work from home for literally everyone in the firm, how do we give access to the rest of the staff? We haven’t given them laptops. We only allow remote machines to connect in if they’ve got certificates. And on top of that, they also use a two-factor authentication. They’re using Okta as the two-factor authentication scheme. So the question becomes is, okay, how do we provide a mechanism in a short compressed timeframe to be able to do that?

John Verry (03:27):

So some of the things we’ve talked about are some of the challenges let’s say as an example with home-based machines. So a home-based machine is a machine that’s outside of our control. How do we know if that machine has been properly secured? Or think about open wifi. So, if somebody is working from the airport or somebody is working from a Starbucks, although you can’t do that today, they just closed that today. But how do we know that the wifi is appropriately protected? Because if you’ve got an open wifi, non-encrypted wifi connection, a non WPA2 connection, then anything which is being sent across clear text is going to be something that somebody could theoretically eavesdrop on. They can sniff that traffic, is typically referred to.

John Verry (04:07):

And if you were authenticating to a system or if sensitive information was being sent in that communication, you’d be able to see that. So how do you allow these individuals to work from home, but do it in a way which doesn’t reduce your security posture? So some of the things we’ve been looking at, like an example with that particular client, they have a firewall. It’s a Cisco firewall that has some ability to do something with what we call NAC, or network access control. And what network access control is something which looks at the configuration of a machine prior to allowing it to connect to the network. So in light of the fact that they don’t have the bandwidth or time to get these certificates out, you don’t want to put certificates on home machines, that’s what we’re hoping is going to work.

John Verry (04:52):

Where that might not work, or for another client that we’ve been talking about where they don’t have that ability to do NAC at the firewall, how do you ensure that someone’s home-based machine is at least reasonably secure? So for another client, what they’re asking them to actually do is run their own … They’re running a tool called Malwarebytes. You could use other tools, but what they’re going to do is run a free version of Malwarebytes which will look at the machine and determine whether or not there’s a lot of crap on there and minimize the likelihood that a compromised machine is connecting to the network. Of course, they won’t be able to run them centrally. They’ll have to actually ask people that are not necessarily the most well versed in IT to actually download these tools and run them and then assert that they’ve actually run them. That make sense?

Jeremy Sporn (05:37):

It does. So it sounds like there’s a lot of middle ground that you have to reach. There’s a lot of compromise, especially when the timeframes are tight.

John Verry (05:45):

Yeah, I mean, look, we’re not going to be able to work as absolutely remotely secure, excuse me, work as secure in a remote manner as we are inside of an office. The question is how can we maximize efficiency and productivity while minimizing the impact on security?

Jeremy Sporn (06:03):

Makes perfect sense. Is there anything that organizations should look to do as the days and weeks progress? Because if this goes on for a long period of time, it’s possible that this new normal could last maybe months or longer.

John Verry (06:17):

Well, if we get to that new normal, so as an example, the law firm that I was referring to, they probably would issue laptops to a greater number of people. There’s some other things which, A, we need to be careful of and B, we probably should account for. So another thing that you can do is reduce the amount of access that they actually have. So with a secure remote access, with a VPN or with using Citrix or Amazon Workspace or one of these remote tools, work from home tools, one of the things that we can do if you’ve got the right tool or the right type of tool is you can minimize the level of access that they have.

John Verry (06:54):

So if you’ve got a device which is allowing you to just expose a certain number of applications, so Citrix as an example, can publish applications where you can do the same thing with an SSL VPN. What you’re doing there is you’re limiting their access to only those applications versus a conventional old-school VPN is what we refer to as a layer two VPN, which means that you’re connecting in and you’re on the wire and it’s as if somebody walked in with a laptop and plugged it in into your office network.

John Verry (07:25):

So that’s a good thing to aspire to. Maybe right now you’re willing to live with a little bit greater risk, but eventually we need to move down towards where we begin to choke that down and we restrict access to only those systems that we absolutely need them to have access to. So if you’ve got a, again, in a law firm, maybe what we don’t give them is full access into a system which houses a lot of client data, but you might give them access to a system that houses billing data. Billing data is sensitive, but it’s not nearly as sensitive as client matters. Makes sense?

Jeremy Sporn (07:59):

Absolutely. And I think that’s actually a pretty good segue to topic number two.

John Verry (08:03):

Nope. Nope. Nope. Not yet. Not yet. A couple of-

Jeremy Sporn (08:06):

You wouldn’t think so yet?

John Verry (08:08):

No. A couple of other things I just want to point out that I saw something today on, which concerns me. So you know how we have talked about the internet of things, you and I at least, and we’ve got an episode coming on that. One of the things which is very interesting is I saw someone talking about today, is that the malicious individuals are already thinking about ways to use those systems. So if you’ve got home cameras, if you’ve got baby monitors and things of that nature, they can be used by a malicious third party to pay attention to what’s going on in your house.

John Verry (08:39):

And a really fascinating … There’s two websites you can look at which are fascinating. One to make sure that you’re not one of the people. Two, just to give you an idea of what the scope of the problem is. And the one is called Shodan, and the other one is Insecam. Insecam is scary and you can log onto a website and look through thousands of people’s unsecured video cameras. If one of those video cameras happens to be in your house and it has sound enabled, somebody can be sitting in on every meeting that you’re actually having.

Jeremy Sporn (09:12):

That is terrifying.

John Verry (09:13):

One other thing to point out as well that we didn’t cover yet is one of the challenges we’re seeing is people are having, you don’t usually architect the capacity of your VPN for everyone in your organization. Typically it’s architected to the maximum number of people you expect to be logged in at any one point in time. So we’ve got another client in the pharmaceutical space, which is really interesting in that they actually did a good job. They have it almost to the level that it needs to be for either the US or for their England operation, but not both at the same time. And of course with six hours worth of difference, we’ve got a two hour window where we’re in trouble.

John Verry (09:57):

So it was actually interesting. We chose to move the US office forward an hour or backwards an hour, whichever way you look at it, and move England in the opposite direction, which took that two hour period and made it disappear. So that way we were able to actually account for having the full capacity that we required without actually having to make any changes. So there’s a lot of interesting things like that that we’re struggling with.

Jeremy Sporn (10:21):

Very interesting. And I’ve actually heard that VPN providers have been offering free seats in a short period of time to help alleviate some of those exact challenges of having too many users to put on a platform.

John Verry (10:34):

Yeah, that is true. There’s a licensing issue, but then there’s also a hardware issue. So there’s one thing to have enough licenses to be able to do what you want to do. There’s another thing to have enough bandwidth to make it efficient. So, when you start to get to a point where you’ve got 1,000 licenses on a device that can max at 1,000 licenses, but it might not have the bandwidth and processing horsepower to run super efficiently at that point, which is going to cause frustration and might cause people to lose connections and certainly a reduction in work quality.

Jeremy Sporn (11:03):

Makes perfect sense. All right. At the risk of going on too fast, are you ready to rock and roll on social engineering here?

John Verry (11:09):

I am.

Jeremy Sporn (11:11):

All right. So are you seeing anything, have you heard anything, and it sounds like you touched upon this already, attempts to use the panic or fear caused by coronavirus to launch social engineering attacks?

John Verry (11:22):

Yeah, unfortunately as you might imagine, the bad guys are bad guys for a reason and they don’t miss a beat. So, take a look at the news and there’s a lot out there. I was reading this morning, there is one that uses a phishing email to spread what they call a Remcos RAT. A RAT is a remote access tool. And then what happens is when they have the remote access, then they download malware. And of course what they’re doing it is with a phishing email with a PDF, which is offering coronavirus safety measures. So it’s literally labeled coronavirus safety measures, that PDF, which of course some people are going to open in light of hysteria, if you will.

John Verry (12:03):

So another one that’s a three page coronavirus themed Microsoft Office document that’s purported to be from the Centers for Disease Control. And what it does, it drops what’s referred to as a backdoor onto the victim’s computer. It’s really cleverly done. It’s an excellent forgery and it can definitely catch some people. It gives you, what I would say, is a very realistic Microsoft login page when you click on the link. And what’s really interesting about it, because they know the email address that it came from, they append that to the link so it already pre-populates the email login. So it even feels more real. Like, hey, they knew my email address. So once you enter that password, what you’re doing is you’re giving away your Microsoft credentials. And for them to make it seem as if nothing happened wrong, once you do, they harvest those credentials and then they connect you through to the actual CDC website. So for most people, they won’t even realize that they were just compromised.

Jeremy Sporn (13:00):

Wow. That sounds even more well thought out than most attacks that we’ve seen in the past, which is very unfortunate. So marrying the first two topics, is there something that an individual should know? If they click on a link and they have any suspicion that they did something that they shouldn’t have done, what’s the very first thing they should do?

John Verry (13:23):

Well, that’s another great question. It wasn’t something I even had thought about talking about today, is how do our incident response plans change under the current construct? Will you have your help desk working at the same capacity? Should they still send a help desk ticket to the same location? If they make a phone call to the help desk, is it going to ring at somebody’s home on somebody’s mobile machine? So in a perfect world, you’ve got your incident response plan has been “ported” to this brave new world. So, that would ideally be that. The other thing which I think is really important is that I think we need to educate more right now, not less, to let people know about these threats. So I think it’s a good idea to say, “Hey, because you’re working from home, there are going to be a number of increased threats. You’re going to see malicious attached documents, poisoned PDF documents or poisoned Word documents, which are intended to entice you to open them that are going to cause you a problem.”

John Verry (14:18):

I anticipate unfortunately that we’re going to see increase in home-based phishing. So, the types of phone calls that you get where somebody says, “Hey, I’m from Microsoft and we’re seeing a problem with your current connection to the internet. It looks like your machine is attacking another site. Hey, if you just type in this URL, we’ll be able to help you diagnose it.” And that URL is actually providing remote access into your machine. So I think that’s another thing which we need to be worried about.

John Verry (14:47):

And I thought it was really interesting that Check Point put out something which I thought was really interesting in their threat intelligence feeds, that since January of 2020, there have been 4,000 coronavirus domains registered legally. 3% were found to be malicious and an additional 5% are suspicious. So 8% of the 4,000, or 320 coronavirus domains are out there right now that look legit, that are something we need to worry about. So I think the last lesson here is please educate your users about these potential risks.

Jeremy Sporn (15:22):

Very good. Anything else you want to touch upon there before we jump into topic number three?

John Verry (15:26):

No, sir.

Jeremy Sporn (15:27):

All right. So that brings us to vendors and supply-chain. How do we handle these critical third party vendors that may have half staff showing up to their facilities or have closed offices? And these are organizations that we rely on to run our business.

John Verry (15:45):

So, I think the first thing that you need to do is understand what critical third parties are you relying on, truly relying on. And it’s a matter of we don’t have enough bandwidth to concentrate on everything, so concentrate on that which can hurt you worst. So, one of the questions would be do you have alternative suppliers if they’re not able to provide the product or services that you need? So we’ve got an IOT client that has a dependency on China for components for their devices. They literally have no alternatives. So at this point they cannot manufacture anything until things get cleared up a little bit. We also work with a lot of small IT and managed security services providers. So think about it from your perspective. What percentage of the people listening to this probably use an IT service provider or managed security service provider? Many of those are small organizations. Typically they’re small, somewhere between five and 50 people. If they lose a key person or two, what impact might that have on you?

John Verry (16:42):

So determining that, understanding that potential risk, and then beginning to reach out to those people is going to be important. The same way with cloud service providers. So as we go to a software as a service technology, service provider based world, are they architected in such a way that they can account for this? And one thing that’s made me more nervous than I thought I would be this morning is that today work from home became huge in Europe and before we were up, Microsoft stumbled pretty badly. Their Teams platform was down for a couple of hours. So if Microsoft has some challenges to scaling, what’s the likelihood that a smaller provider won’t?

Jeremy Sporn (17:25):

Yep, it makes perfect sense. My wife is a New Jersey school teacher and she had her first work from home day today and she was trying to get lessons done last night and Google was working at about a quarter speed as it usually did. And it was very concerning that she was actually going to be able to educate her students today, and like you said, if Microsoft is struggling, if Google is struggling, what can you expect from smaller providers?

John Verry (17:47):

Right. So one of the things you can do is go through your list of vendors and again, you’re not going to look through hundreds of vendors. You’re going to look through the dozen or so that might be super critical to you. And I think you need to ask some questions about how they’re handling COVID. If they’re working from home, what’s the likelihood that that’s going to reduce their security posture and the security of your data? So some of the questions you might reach out to them with is, does your company have a business continuity plan in light of COVID? Excuse me. And ask them for a copy of it or ask them to document what it is that they’re doing, so that way you can look at that and say, “Does this present a risk to me?”

John Verry (18:24):

If they are closing offices, which offices are they closing and when are they closing them? And will that have … Are they the type of an organization that can actually function in a work from home? Because some organizations can’t. If they are an organization that provides staff [inaudible 00:18:42] or consultants or IT services, one of the questions would be what limitations or will you be able to continue to support us at the current level that you are in the event that we are in a work from home? If we’re recording this in New Jersey today, I mean New Jersey largely shut everything down today. New York has done the same thing. It could become a national issue. So if the world organizations are going to work from home, will that impact you? If they’re providing equipment or products, what’s going to be the impact to delivery or availability of products? I mean, if they can’t manufacture them or if they can’t provide these products, you need to begin to think about how is that going to impact me and what are my alternatives?

John Verry (19:23):

And last, and we talked about this briefly, if they are providing a cloud or a technology service provider or a communication service, can they scale to the capacity that we need for work from home? And if so, get an insight on some of the timelines and availabilities and what the potential impacts might be to you.

Jeremy Sporn (19:41):

No, it makes complete sense. I have a feeling people are going to be reviewing their SLAs very closely as time moves on. It’s going to be very interesting. All right. Anything else before we jump into the lessons learned here?

John Verry (19:53):

No, sir.

Jeremy Sporn (19:54):

All right. So let’s talk about some of the topics you wanted to cover here. Jump right in, right at the top.

John Verry (20:00):

Sure. So I mean obviously I think coming out of this we’re probably going to need to look a little bit more at IT and business continuity. Interesting that I think one of the things which is really intriguing to me about this whole pandemic is the pandemic tends to cross into two different areas that are interrelated, but I think there’s some gap as well with, and that is both business continuity and vendor or third party risk management. So I think we’re going to need to both revisit our IT and business continuity plans, and from that perspective did we account for pandemics in the way that we actually need to? This is the first time that we’ve ever dealt with this.

John Verry (20:37):

And again, also a stronger consideration within the business continuity plan of potential third party impacts. And to that extent then, at the same time, let’s then revisit our third party risk management or vendor risk management, if you will. And again, stronger consideration, where can we be hurt and what additional security due diligence needs to be done? Shoot, we have not necessarily been strong as an industry in ensuring that our third parties have IT business continuity. That’d be one area that we’re going to look. You can look for something like ISO 22301 or SOC 2 availability principle.

John Verry (21:13):

The second thing of course is I think we probably need to do a little bit deeper of a dive into what I’ll call fourth party. Third party’s third party, which speaks to supply-chain risk. And there’s some interesting issues there. As an example, when you go into a more advanced third party risk management program, they’ll ensure that they’ve got alternative suppliers, let’s say also with geographic disparity, which might not be something that you typically think about.

Jeremy Sporn (21:37):

Very interesting. All right-

John Verry (21:38):

To that end, a really interesting thing I heard on a podcast yesterday. 85% of the world’s saline bags are made in one place in Puerto Rico.

Jeremy Sporn (21:50):

It’s insane. I listened to the same thing and it’s amazing that as a people, as a species, we’ve allowed that to happen.

John Verry (22:00):

Yeah, yeah. In the same podcast, 629,000 people in the United States currently are reliant on drugs for survival that are only produced in China. So yeah, we’ve got to start looking at things a little bit differently and a little bit better. So, that would be the last of the lessons learned from my perspective.

Jeremy Sporn (22:16):

Awesome. Well, John, thank you for your time. Thank you for your insights. If anyone has any further questions, what’s the best way they can reach you?

John Verry (22:23):

Of course, through our Twitter account or [email protected], whatever’s going to make it easiest for them.

Jeremy Sporn (22:32):

Awesome. Thanks for the time today, John.

John Verry (22:34):

You’ve got it, Jeremy. Stay safe.

Jeremy Sporn (22:36):

You too.

Announcer (22:37):

You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.