On May 1st, President Trump signed an order declaring foreign cybersecurity threats to the electrical system a national emergency. Shortly afterward, on May 15th, a cyber attack was reported in the U.K. National Market. Cyber attacks are increasing at an alarming rate during this crisis. Phishing emails are up as much as 667% during this pandemic: “Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).” Hackers love to take advantage of a good crisis because they can use the confusion it creates as cover for the attacks they launch. The COVID-19 pandemic creates a perfect storm for small businesses because they are already hurting for sales during the economic downturn. A small business attacked by ransomware right now would be at the hacker’s mercy. SMBs are doing everything they can to make sure their digital presence is still up, running, and ready for business.
Companies know what they are up against and seem to recognize that security needs to be more of a priority: 70% of organizations plan to increase cybersecurity spending following the COVID-19 pandemic. Most companies had to react incredibly quickly to this brave new world, and some had to take drastic measures to keep the company running. This is one reason why security and information technology teams should be separated. Now that things are returning to normal, the holes that were opened to keep business flowing need to be reviewed for vulnerabilities that might have cropped up in the mad scramble to get everyone working from home and productive again.
Let’s readdress the separation between IT and security.
Many organizations feel that information technology staff can also handle the security risks associated with their IT systems. However, the two have vastly different job functions. As a CEO, if you were given a mandate from the state to move everyone to remote work, you would rely on your IT staff to make it happen and keep the business running. Your IT staff would see this as an emergency and do whatever it takes to keep the business available, because availability is usually their main concern. Security during an effort like this tends to become a secondary priority. Your IT personnel might say they will look at it; however, when they are also troubleshooting VPN issues and handling customer problem tickets, it might never happen. As a CEO, you might then never understand the full risk to your network or the kinds of attacks you’ve opened yourself up to. This is why IT and security should be completely separate, with both departments reporting directly to the CEO. That arrangement provides a separation between availability and risk that is imperative to understand as a business owner.
Data-loss Prevention through VPNs
Would you know if you had data loss from employees working from their personal devices during the sprint to shut down home offices? Many companies have been using VPNs to make sure employees are up and running at home. From an information technology perspective, this makes sense, but do you have data loss prevention systems that keep your company’s sensitive data from leaving your network while employees are connected to it? Hopefully, you didn’t let your employees connect their home computers to your protected network. If you did, you might want to closely audit what they had access to and figure out a way to implement a least-privilege approach as you move into the future.
An overloaded VPN
This has been one of the main problems when shifting everyone to a “work from home” existence. The VPN concentrators that enabled 10-20% of the workforce to connect remotely while they were out in the field might not be able to handle a 100% remote workforce. This tended to cause availability problems across small networks around the country. To deal with this, many organizations allowed only a limited number of employees to use these remote connections at a given time. It does not take much of a denial-of-service (DoS) attack to bring down an already maxed-out VPN. Now that offices are planning to reopen, it's worth addressing backup systems. If we see another surge that forces us all back to the home office, it might be worth putting some of the funding you’ve been planning to spend toward a second VPN to handle increased load and even fail-over circumstances.
Secure your video conferencing
The vulnerabilities associated with video conferencing have been all over the media this year. Many companies are relying solely on these platforms to keep their organizations running. Make sure you are aware of these attacks, follow the security standards put forth by application vendors, and use best practice guides when setting up this equipment. Your IT administrators might have stood up these communication methods quickly to get you up and running; however, as I mentioned before, they don’t always have security in mind when dealing with an emergency. You can find some of the more popular attacks that have been used, as well as how to defend against them, here: COVID-19: Teleconferencing Concerns.
Physical Security can’t be overlooked either.
The first day back in the office, I forgot my employee badge. How many other people are going to do the same thing? Has your company hired any new faces during the past couple of months? Would you even know a new face if it was covered by a mask that’s mandated by your new company policy? These are all risks that are going to present themselves as soon as the doors open. Larger businesses might be more susceptible to this, but it does present an open door for an attacker who wants to take advantage of it. Once the intruder is inside the building, how many people will have forgotten basic security measures after leaving their computers unlocked while at home? An unlocked computer makes it easy for an attacker to jump on your network and steal data. This can usually be solved by security awareness programs and training. Make sure your employees remember how to act in the office environment again and challenge people who might not be wearing a name badge.
A New Normal
In the end, we will return to a new normal. If your company consistently uses good security hygiene, you should be well prepared for any disaster that can manifest itself. However, if you’ve suffered a crash course in problem management over the past couple of months, it might be worth learning those lessons and improving your security posture before it happens again.
Written by Grant Codak
Grant has over a decade of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include a Senior Web Security Engineer role at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.