June 26, 2020
A Cybersecure Way to Return to the Office after Lockdown
When the coronavirus pandemic started and companies sent their employees to work from home, it gave hackers new opportunities to penetrate corporate networks. Information security services in many organizations faced new threats as staff left the protected perimeter. Now that governments worldwide are gradually lifting restrictions and employees are starting to return to their offices, additional opportunities arise for hackers and security departments are in for new challenges.
During the lockdown, companies have used two basic remote work models. In the first model, employees work on laptops taken from the office and use a VPN to access corporate resources from home. In the second model, employees use their personal computers and companies grant them access to corporate machines using remote or virtual desktop technologies.
The need to work remotely has seriously exacerbated cybersecurity threats. Many companies have built their control, monitoring, and information security systems using the “campus” model based on a protected perimeter. That is, there’s a certain technical perimeter shielding all of a company’s work processes, and employees are physically present in the office with controlled access to the segmented local network and a secure internet connection protected by firewalls, internet gateways, and other security solutions.
When employees left their corporate perimeters and began working remotely, a number of monitoring and protection tools became less effective or even irrelevant: controls that inspect traffic at the perimeter see nothing from a user who is no longer behind it. At best, the secure perimeter moved to each individual device, meaning each laptop or desktop had to operate under its own security umbrella. This required building security perimeters around each user and each individual account rather than relying on the security of one shared perimeter.
It’s also important to realize that whereas employees may work from home temporarily and due to the prevailing circumstances, hackers always act remotely. The remote work period has been especially favorable for hackers, as scattered security perimeters increase the overall number of potential vulnerabilities and significantly expand the playing field for attacks. This has allowed hackers to more efficiently penetrate corporate infrastructure.
One of the most effective ways to break into corporate infrastructure is to compromise an account by stealing a user’s login and password. With stolen credentials, a hacker can operate inside the infrastructure as that user, and where no second authentication factor is enforced, the password alone is enough. Phishing is often how those credentials are obtained: a social engineering method in which a message is disguised to look like it comes from a trusted source, persuading the user that it is safe to perform certain actions.
The coronavirus lockdown has created a breeding ground for phishing attacks and has made them more successful. Hackers have used phishing attacks based on “breaking news,” “announcements” from government agencies and international organizations, and imitations of corporate communications. In the first days and weeks of lockdown, companies were sending a lot of internal communications, including remote work instructions. And while users act in a single communication space in the office, at home they can receive a phishing email disguised as a message from their supervisor or the IT department with a request to follow a link, run a certain application, or share their password without noticing any malicious intent. In companies that were not well prepared for the transition to remote work, internal communications were quite chaotic, allowing attackers to use phishing emails very effectively.
Advanced persistent threat (APT) attacks also remained a real danger during the lockdown. When infrastructures were modified, the attack surface changed with them, so monitoring systems had to be reconfigured to cover activity at remote workplaces.
But despite many predictions about a permanent change in our mode of work, most businesses will resume the traditional office routine after the lockdown is over. And if companies failed to establish active monitoring, account control, and remote patching of employee computers during the lockdown, they face the risk that the computers of employees who worked outside the corporate security perimeter have been compromised and are now being carried back inside it.
How can you get back to office work while minimizing information security threats?
Your starting point should be considering the broad picture (rather than focusing on one or two computers that might be vulnerable) and answering some fundamental questions. To what extent was the network controlled in the period of remote, internal, or mixed connections? Is it necessary to revert the network segmentation if it was changed? Did you follow a protocol for any network changes made during the lockdown? Are critical security controls active and have they been adapted for the return of staff to the office?
These are all very important questions, which is why it’s necessary to see the whole picture as well as to understand the state of each individual network resource. This is where compromise assessment is needed. It allows you to analyze the whole history of events that occurred during the lockdown: what happened, how data flows moved, how user accounts behaved. Such an assessment reveals existing problems and vulnerabilities and provides sufficient information to build an infrastructure design transformation plan.
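One part of such a compromise assessment, how user accounts behaved during the lockdown, can be started from the VPN gateway’s authentication log. The Python script below is an added example, not ISSP’s code or part of the original article; the log line format, field names, sample entries and detection thresholds are assumptions chosen for illustration. It flags accounts that logged in from two countries within a short window, source addresses that tried several different accounts in quick succession (password spraying), and accounts where a run of failures from one address ended in a success. It also counts lines the pattern did not match, because a silently skipped log format is itself a gap in the assessment.

```python
"""Triage VPN authentication logs for a post-lockdown compromise assessment.
Added example, not ISSP's code: the line format, field names, sample entries
and thresholds are assumptions; adapt LINE_RE to your gateway's real syslog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of one authentication record (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)

# Constructed sample covering a few days of the lockdown (RFC 5737 test addresses).
SAMPLE_LOG = """\
2020-04-02T08:12:03Z vpn auth user=j.doe src=203.0.113.10 country=UA result=success
2020-04-02T09:40:11Z vpn auth user=j.doe src=198.51.100.77 country=BR result=success
2020-04-03T02:15:00Z vpn auth user=a.ivanov src=192.0.2.5 country=UA result=failure
2020-04-03T02:15:01Z vpn auth user=b.petrov src=192.0.2.5 country=UA result=failure
2020-04-03T02:15:02Z vpn auth user=c.sidorov src=192.0.2.5 country=UA result=failure
2020-04-03T02:15:03Z vpn auth user=d.kovalenko src=192.0.2.5 country=UA result=failure
2020-04-04T22:01:00Z vpn auth user=m.bondar src=203.0.113.44 country=UA result=failure
2020-04-04T22:01:10Z vpn auth user=m.bondar src=203.0.113.44 country=UA result=failure
2020-04-04T22:01:20Z vpn auth user=m.bondar src=203.0.113.44 country=UA result=failure
2020-04-04T22:02:00Z vpn auth user=m.bondar src=203.0.113.44 country=UA result=success
2020-04-05T10:00:00Z vpn auth user=o.tkachenko src=203.0.113.80 country=UA result=success
2020-04-05T10:00:01Z vpn session user=o.tkachenko src=203.0.113.80 tunnel=up
"""


def parse_log(text):
    """Return (events sorted by time, number of lines the pattern did not match)."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # unknown record types are reported, not silently dropped
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events, skipped


def multi_country_logins(events, window=timedelta(hours=2)):
    """Accounts with consecutive successful logins from two countries within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["country"] != prev["country"] and cur["ts"] - prev["ts"] <= window:
                hits.add(user)
    return sorted(hits)


def password_spray_sources(events, min_accounts=4, window=timedelta(minutes=30)):
    """Source addresses that fail against >= min_accounts distinct users within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    hits = set()
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_accounts:
                hits.add(src)
    return sorted(hits)


def failures_then_success(events, min_failures=3, window=timedelta(minutes=15)):
    """Accounts where >= min_failures recent failures from one address end in a success."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    hits = set()
    for (user, _src), evs in by_key.items():
        streak = []
        for e in evs:
            if e["result"] == "failure":
                streak.append(e)
                continue
            if len([f for f in streak if e["ts"] - f["ts"] <= window]) >= min_failures:
                hits.add(user)
            streak = []  # a success closes the run, whether or not it was flagged
    return sorted(hits)


def triage(text):
    """Run all three checks over a raw log and return the findings."""
    events, skipped = parse_log(text)
    return {
        "events": len(events),
        "unparsed_lines": skipped,
        "multi_country": multi_country_logins(events),
        "spray_sources": password_spray_sources(events),
        "brute_forced": failures_then_success(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, j.doe is flagged for logging in from Ukraine and Brazil ninety minutes apart, 192.0.2.5 for failing against four accounts in four seconds, and m.bondar for three failures followed by a success from the same address. The thresholds are deliberately low so the sample triggers them; on a real gateway log they should be tuned against the lockdown baseline, and a flagged account is a lead to investigate (password reset, session review, endpoint check), not a confirmed compromise.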
The second important step you need to take after the lockdown is to raise the level of your staff’s cyber awareness (which is important even disregarding the new risks posed by the coronavirus lockdown). The lockdown showed that the number of phishing attacks increased because companies’ usual modes of communication were interrupted. When everyone works remotely, on the one hand there are many virtual meetings and video calls, and the workday rarely ends at regular hours. On the other hand, the feeling of a shared corporate workspace formed by the company’s corporate culture and regulated by office policies disappears. Remote work also makes people more susceptible to manipulation: they are distracted more often by a mixture of work-related, personal, and COVID-19-related emails. Proper cyber hygiene skills allow employees to work and navigate the information space safely, identifying existing threats and thus protecting your company.
It’s extremely important to establish a robust information security culture in your organization rather than just offer a couple of lectures on cyber hygiene to your staff. A comprehensive approach aims to change the attitudes of employees to data security, influence their behaviors and perceptions, and set rules and responsibilities regarding cybersecurity.
Introducing an information security culture is now critical and must be supported by management and recorded in your organization’s policies. Once an information security culture is implemented, you should regularly evaluate its effectiveness. And employees need to understand and support this work, which requires continuous communication with them.
Roman Solohub, CEO of ISSP