The unfolding COVID-19 pandemic presents organisations and their technology teams with many new challenges as they strive to maintain the continuity of core business functions – while supporting many new ways of working. All of this must be accomplished in the context of a significantly changed risk profile during a very turbulent time.
Of course, ensuring cyber-security resilience in any circumstance is challenging. To help organisations prioritise their efforts to successfully tackle critical security risks during COVID-19 while keeping business systems running effectively, Fujitsu’s security experts have put together the following nine imperatives.
1. Don’t let perfect be the enemy of good when it comes to patches
Many IT leaders consider applying security patches to software as something that must be highly governed to minimise the chance of negatively affecting IT operations. However, in their quest to achieve perfection, companies often fall behind in patch management routines, unnecessarily increasing their attack surface.
A patch for the SMBv1 vulnerability exploited by EternalBlue was actually available two months before the recent widespread attacks, and the number of businesses hit because they had yet to apply that update illustrates the importance of regular patching.
IT operations teams are being significantly affected by the COVID-19 pandemic, and we expect unscrupulous attackers to aggressively exploit the change in working practices. We recommend that businesses patch frequently, according to their patch policy and in line with their cyber risk tolerance, and manage any resulting issues as they arise, rather than waiting months to patch perfectly. If you need to prioritise your patching, patch business-critical applications first, and don’t rely on the CVSS score alone to decide what to patch first. Prioritising business-critical applications will better protect your resilience to cyber-attack.
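The risk-based ordering described above, as an added example that is not part of the original article: business criticality is treated as a strict tier, and CVSS plus exposure only orders findings within a tier. The patch identifiers, asset names and weights are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One outstanding patch. Identifiers and values are constructed for this example."""
    patch_id: str
    asset: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    business_critical: bool   # asset supports a core business function
    internet_facing: bool
    exploit_available: bool   # a working exploit is known to circulate


def risk_score(f: Finding) -> float:
    """Exposure-adjusted score used to order findings within a criticality tier."""
    score = f.cvss
    if f.exploit_available:
        score += 5.0          # assumed weight: known exploitation outranks raw severity
    if f.internet_facing:
        score += 3.0          # assumed weight: reachable from outside the network
    return score


def cvss_only_queue(findings: List[Finding]) -> List[str]:
    """The naive ordering the article warns against: highest CVSS first."""
    return [f.patch_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_based_queue(findings: List[Finding]) -> List[str]:
    """Business-critical assets first (strict tier), then risk_score within the tier."""
    ordered = sorted(findings, key=lambda f: (f.business_critical, risk_score(f)),
                     reverse=True)
    return [f.patch_id for f in ordered]


# Constructed sample findings: note the highest-CVSS item sits on a non-critical test box.
FINDINGS = [
    Finding("P-1", "test-db-01", 9.8, business_critical=False, internet_facing=False,
            exploit_available=False),
    Finding("P-2", "erp-app-01", 7.5, business_critical=True, internet_facing=False,
            exploit_available=True),
    Finding("P-3", "shop-web-01", 5.3, business_critical=True, internet_facing=True,
            exploit_available=False),
    Finding("P-4", "dev-jump-01", 9.1, business_critical=False, internet_facing=True,
            exploit_available=False),
]

if __name__ == "__main__":
    print("CVSS only:  ", cvss_only_queue(FINDINGS))
    print("Risk based: ", risk_based_queue(FINDINGS))
```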
2. Ensure all employees know how to spot COVID-19 phishing emails – this is an increasing risk for Office 365 users
With everyone’s heightened interest in COVID-19 and the growing volume of pandemic related emails from both internal and external sources, attackers are using COVID-19 phishing lures to target Office 365 users as part of widespread phishing campaigns.
Once a hacker has successfully accessed an Office 365 account, they also have access to many other Microsoft services such as SharePoint, OneDrive, and Skype. The hacker can then hijack conversation threads for their own purposes such as misdirecting financial transactions, in addition to leveraging messaging applications to validate their requests.
Phishing attacks are all about stealing credentials. Therefore, understanding where and when a user should expect to enter their Office 365 credentials is a key element of user education. We recommend ensuring that all users understand what internal COVID-19 communications should look like, who their senders might be, in addition to teaching them to be wary of unsolicited external emails purporting to provide COVID-19 advice, updates, cures and so on.
3. Be extra vigilant around C-Suite email accounts
The accounts and devices of senior and C-suite executives are seen as a trophy by many attackers because of the sensitive data they can access. By assuming the identity of a compromised executive’s account, attackers can also easily target other internal and external users, since employees and customers tend to trust links and attachments in emails that appear to come from senior executives.
Users should be trained to look out for emails from colleagues and management that do not feel quite right: for example, an unusual tone, grammatical errors, an unusual sense of urgency (e.g. “urgent”), or specific things referred to in generic terms (e.g. “the important project”).
Everyone in an organisation should know how to detect and report suspected phishing attempts. Protecting high-value senior staff accounts is an obvious priority, but total coverage across the organisation will go a long way towards eradicating this form of social engineering. Other areas of potential compromise are the Human Resources department, which handles large volumes of Personally Identifiable Information (PII), Finance (financial systems) and IT departments (domain account access).
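The indicators listed in sections 2 and 3 (an executive’s name on an external address, urgency, generic references, unsolicited external COVID-19 content) turned into a simple triage check, as an added example that is not part of the original article. The executive names, the internal mail domain and the sample messages are constructed assumptions; a real deployment would read these from the directory and mail gateway.

```python
import re
from email.utils import parseaddr
from typing import Dict, List

# Assumed organisation data: names of senior staff and the organisation's own mail domain.
EXECUTIVES = {"jane doe", "john smith"}
INTERNAL_DOMAIN = "example.com"

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away)\b", re.IGNORECASE)
GENERIC_REF = re.compile(r"\bthe (important|big|new) (project|deal|matter)\b", re.IGNORECASE)
COVID = re.compile(r"covid|coronavirus", re.IGNORECASE)


def sender_domain(header: str) -> str:
    """Domain part of an address header such as 'Jane Doe <jane@example.com>'."""
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(msg: Dict[str, str]) -> List[str]:
    """Return the names of the article's warning signs found in a parsed message."""
    found: List[str] = []
    display_name = parseaddr(msg["from"])[0].lower()
    domain = sender_domain(msg["from"])
    text = msg["subject"] + " " + msg["body"]
    if display_name in EXECUTIVES and domain != INTERNAL_DOMAIN:
        found.append("executive_name_external_domain")
    if msg.get("reply_to") and sender_domain(msg["reply_to"]) != domain:
        found.append("reply_to_mismatch")
    if URGENCY.search(text):
        found.append("urgency")
    if GENERIC_REF.search(text):
        found.append("generic_reference")
    if domain != INTERNAL_DOMAIN and COVID.search(text):
        found.append("external_covid_lure")
    return found


# Constructed sample messages (not real mail).
SPOOFED_EXEC = {"from": "Jane Doe <jane.doe@mail-example.net>",
                "subject": "Urgent: the important project",
                "body": "Please process the payment immediately, I am in a meeting."}
INTERNAL_NOTICE = {"from": "IT Service Desk <it-servicedesk@example.com>",
                   "subject": "COVID-19 remote working guidance",
                   "body": "New guidance is on the intranet; no sign-in is needed from this email."}
EXTERNAL_LURE = {"from": "Health Alerts <alerts@covid19-updates-example.org>",
                 "subject": "COVID-19 cure update",
                 "body": "Sign in with your work account to read the full update."}
```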
4. Targeted security will be required
Current working practices have changed. Corporate networks have far more distributed users, mobile devices, and remote workers using their own devices than ever before.
Consequently, it is critical to ensure that security monitoring systems and processes can quickly identify network anomalies and signs of compromise. Organisations should take a risk-based approach to prioritise which assets, users, and systems present the highest risk to ensure that these are monitored appropriately. Priorities may have changed.
For example, e-commerce may now be the primary route to market for some vendors that operate brick and mortar stores, while collaboration tools will most likely have taken on greater importance for day-to-day operations.
5. Make cyber-security education a critical element of secure remote working
The familiar surroundings of working from home can have the adverse effect that users are more likely to visit potentially dubious sites and click on links that they would not have in an office environment.
At a time when attackers are actively exploiting remote working vulnerabilities, organisations must ensure that employees do their part to keep the enterprise secure. Businesses must share best practice, provide workers with consistent security awareness training focused on the home office, and allow them to easily report incidents in real time.
6. Ensure reliable and secure network access
Keeping network access reliable and secure is more critical than ever. It is equally important to make sure that all users and devices have access to the resources they need to do their jobs, while preventing unauthorised users and devices from gaining access to network resources.
It means keeping an eye on the use of shadow IT and promoting the use of approved tools, messaging, devices and applications – for example, approved file-transfer and document-management tools. Secure network access via VPN should include Multi-Factor Authentication (MFA). This will make it significantly harder for attackers to breach VPN controls by targeting weak passwords.
Make sure users are aware of their responsibilities when using corporate devices and networks, ensure that they are well informed about relevant policies, and give them clear guidance on which tools and applications are and are not acceptable.
7. Redefine trust for your people
Secure remote access has become critical to effective operations. This means rethinking the old concept that any device inside the secure network can be trusted and that any device outside the network cannot.
With corporate and personal devices asking for legitimate access to data and systems from both inside and outside the corporate network, IT security teams will need to consider Zero Trust models that transfer the “trust” formerly ascribed to a device to the individual user.
This means access to business systems should be granted when a trusted person with the correct identity and credentials requests it, and not when a device that just happens to be in the right place makes the same request. This may mean that unpatched computers, or devices with out-of-date certificates, cannot access corporate assets until all mandatory security updates are applied to the device.
Keep your operations and customers secure by implementing a Zero Trust model for devices, giving your people the trust they need to work remotely.
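The access decision described in this section, as an added example that is not part of the original article: the verified user and the device’s posture (patch level, certificate validity) decide the outcome, and network location is deliberately ignored. The baseline patch level, role names, dates and device records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple

# Assumed baseline the device must meet; "YYYY-MM" so plain string comparison orders it.
REQUIRED_PATCH_LEVEL = "2020-03"


@dataclass(frozen=True)
class User:
    name: str
    mfa_verified: bool        # MFA completed for this session
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    device_id: str
    patch_level: str          # last applied monthly update, "YYYY-MM"
    cert_expiry: date         # expiry of the device's issued client certificate
    on_corporate_network: bool


def access_decision(user: User, device: Device, required_roles: FrozenSet[str],
                    today: date) -> Tuple[bool, List[str]]:
    """Zero Trust check: returns (allowed, reasons). Every failed check is reported."""
    reasons: List[str] = []
    if not user.mfa_verified:
        reasons.append("mfa_not_verified")
    if not (user.roles & required_roles):
        reasons.append("role_not_authorised")
    if device.patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append("device_unpatched")
    if device.cert_expiry < today:
        reasons.append("device_certificate_expired")
    # device.on_corporate_network is never consulted: being inside the perimeter
    # grants nothing, and being outside it denies nothing.
    return (not reasons, reasons)


# Constructed sample data: a compliant home laptop and a stale desktop sitting in the office.
TODAY = date(2020, 4, 1)
FINANCE = frozenset({"finance"})
ALICE = User("alice", mfa_verified=True, roles=frozenset({"finance"}))
BOB = User("bob", mfa_verified=False, roles=frozenset({"marketing"}))
HOME_LAPTOP = Device("LT-01", "2020-03", date(2021, 1, 1), on_corporate_network=False)
OFFICE_DESKTOP = Device("DT-02", "2019-11", date(2020, 3, 15), on_corporate_network=True)
```

The remote laptop is admitted and the in-office desktop is refused until it is patched and re-certified, which is exactly the inversion of perimeter trust the section describes.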
8. Consider the physical elements of cyber-security
By definition, remote workers are not within the trusted secure, physical environment of an office. Consequently, businesses should consider how to help remote users to maintain physical security standards.
Many enterprises provide workspace equipment for remote workers to ensure that they are compliant with health and safety policies – now is a good time to consider adding security equipment to the provided kit.
Enforce session time-outs for sensitive applications so that systems cannot be compromised when employees forget to lock them. Also consider including privacy screen filters to help ensure data cannot be read over a worker’s shoulder.
These measures are particularly important in cases where employees reside in shared accommodation.
9. Working together for the greater good
The unprecedented nature of the challenges that security teams are facing means that many are constructing new security strategies and formulating responses rapidly and with limited information. Yet we are all facing the same challenges and attempting to solve them alone does not benefit anyone.
Sharing cyber-security challenges, best practices and lessons learned with your peers and drawing on external sources of intelligence and inspiration will accelerate the development of a secure strategy and will ensure resilience throughout your entire supply chain and industry.