by Jacques Francoeur, Chief Scientist and Founder at Security Inclusion Now USA
Virtually overnight COVID-19 orders have unleashed a global tsunami of work-from-home employees. Office staff, managers and critical business, administrative and technical executives are now working remotely.
The pandemic has triggered a “step function” increase in work from home employees and devices, creating significant threat exposure. Additionally, the typical operational risks related to lost and stolen remote access devices will increase proportionally.
Normally, when an employee requires remote access, appropriate training and secured devices are provided. It seems unlikely that adequate protection has been applied to the COVID-19 remote access demand tsunami. The vast increase in the number of insufficiently secured devices and trained employees has created a huge exposed “attack surface.” The targets – employee, laptop, smart phone, 2nd factor token. The intent – laptop takeover.
The common and effective impersonation techniques of phishing and its more targeted spear-phishing will be aggressively used. During this period of crisis, employees are likely to be hypersensitive to protecting themselves and their families; thereby, even more susceptible to social engineering malicious pretext scams. This means the success rate of these attacks is likely to increase due to their state-of-mind. Training employees to avoid these attack techniques is critical. As simple as, when you see a link, STOP – THINK – before you CLICK.
The typical operational risks related to lost and stolen remote access devices will increase proportionally.
By installing malware, an attacker can take over an employee’s laptop and remotely perform almost anything the employee is authorized to do, often without detection or audit trail.
How to respond. First, apply a risk-based approach to make best use of scarce resources. Identify the employees with access to the most sensitive information, riskiest business functions and those related to money. This is the urgent priority.
To reduce the potential impact of an employee’s credential being compromised, use role-based-profiles and least privilege to limit access rights, especially for administrators with powerful credentials. Remove local administrator rights for employee accounts that are used daily. This drastically limits what an attacker can do. If local administrator rights are required, create a separate, rarely used account with strong multi-factor authentication.
All remote access should be considered a medium to high risk. Channels should be strongly encrypted. Simple password-based authentication is insufficient. Two-factor authentication is needed. For employees such as executives, administrators and decision makers/approvers, use a physical 2-factor token generator. For the remaining employees use a soft-factor mechanism such as an SMS-text verification to a pre-registered, independent, “out-of-band” mobile device which the attacker is unlikely to control.
Monitoring all remote access channel activity is critical. Legitimate employees have roles and corresponding access and activity patterns. This daily set of activities can establish a “trusted” baseline from which any deviations may indicate a compromised credential. Access activity should be logged and monitored for anomalies as simple as time and location-of-access. A compromised credential will “behave differently.” It may attempt to go places it has never been nor is in scope given their role.
When you see a link, STOP – THINK – before you CLICK.
Data loss prevention tools can be used to monitor egress traffic for sensitive and proprietary data and intervene as required. Information Rights Management functions of document management systems can be used to maintain control and protection of sensitive files outside the network.
Many other security measures are required to form a complete protected environment. Consider that remote access should only be permitted from a “whitelisted” registered IP address and from a “MAC address” registered laptop. Before providing access, the device health should be verified and pathed. Only use remote access devices for work functions. Do not use for Internet browsing. Inactivity time-outs should be short. Printing should be controlled. Data on remote access devices should be encrypted. Remote destruction capability can manage the increase in device loss and theft. Remote access devices should be used in private and secured physically when not in use.