COVID-19: Fortify Security Defences and Improve Situational Awareness

While the ramifications of the coronavirus global pandemic continue to worsen, opportunistic attackers are coming out in droves. From phishing campaigns to ransomware and malicious domains, attackers are seizing the opportunity to capitalize on this life changing crisis.

Proactively taking the needed steps to protect your work from home (WFH) and enterprise environments is critical to minimize risk. The first area of focus in both environments is to evaluate your attack surface. WFH certainly has a large impact here so it is important to reduce exposure and minimize the endpoints in your environment wherever possible.

Focusing on mobile device security, social activities, network monitoring and multifactor authentication will enable security teams to react quickly. The technical checklist that follows breaks down the steps you can take within each of these areas to harden security and expediate response times.

Immediate Actionable Steps To Take:

Protect The WFH Environment

Attack Surface Management

  • Continue to reduce the attack surface area of both corporate and BYOD assets and network connections
  • Wireless networks, regardless of the hosts connecting, should be secured with proper encryption
  • Use WPA2 or WPA3 with a strong passphrase of at least 12 characters, or longer, comprised of complex characters
  • Ensure that firmware is at the latest version for home routers/wireless access points, as well as other devices on the home network, such as network printers; If available, enable automatic updates
  • Change default passwords on home routers/ access points as well as other networked devices on the home network
  • Ensure that when a wired connection is used, wireless access is turned off (this prevents potential bridging of networks)
  • Ensure a minimum baseline standard is enforced against antivirus/anti-malware, operating systems type, version, and patch level and that web browsers are up to date
  • Ensure HTTPS is used wherever possible. Manually search or navigate to sensitive sites such as single-sign-on (“SSO”) portals and financial sites

Mobile Device Security

  • On mobile devices, do not install mobile applications from untrusted (non-App store) or unauthorized repositories
  • Ensure the wireless networks mobile devices connect to do not require new profiles to be installed

Social Activities

Be wary of phone calls from unverified sources. If suspicious, hang up and verify from a trusted source
Flag emails that contain a call to action, or subject lines relating to COVID-19/ Coronavirus, economic stimulus claims or other economic relief
Hover the mouse cursor over email links before clicking. Attackers can make a link appear legitimate but redirect to a hidden URL

Protect The Enterprise

Attack Surface Management

  • Continue to reduce the attack surface area in the enterprise » Deploy secured VPN, SSO and MDM. Offensively test all controls in these deployments to ensure efficacy of controls
  • Configure full-tunnelling VPN solutions if bandwidth is not an issue
  • Allow split-tunnelling for VPN connections in conjunction with a robust least-privilege policy for VPN traffic if bandwidth is a concern
  • Network Monitoring

  • Increase network monitoring and logging around WFH users accessing trusted internal networks

  • Consider implementing network EDR, lateral movement detection mechanisms, and/or deception technology in the networks where remote access solutions terminate to detect malicious traffic hiding amongst legitimate traffic

  • Consider implementing full packet capture technologies to enhance logging, as well as for forensic purposes if a compromise occurs

  • Mobile Device Management (MDM)

Ensure mobile device enrolment is authorized correctly to reduce an opportunistic attacker from registering an unauthorized device

  • Align device enrolment authorization with the proper internal user identity and a corporate email. Consider using out-of-band authentication (OTP through SMS) for enrolment of the intended device
  • Consider BYOD containers in the MDM solution, as well as application reputation and mobile anti-malware solutions as part of the MDM deployment
  • Multifactor Authentication

Implement proper MFA controls for remote access solutions, including VPN, VDI and applications through SSO

  • Follow best practice guidance from the solutions providers in deployment and configuration, as well as standards bodies around MFA
  • Ensure that an OATH compliant MFA client is used where possible, and if MFA push is enabled, ensure users are educated around the solution. MFA push “fatigue” can be taken advantage of if credentials are compromised and users want to dismiss push notifications