The world was already changing at a fast pace before a catastrophic, potentially black swan event like Covid-19 hit all of us. This is the first time that an event of such global magnitude has hit the entire world almost simultaneously leaving no time for businesses to adapt either to demand side upheavals or supply side interruptions.
Most organizations create, to some degree of maturity, scenarios around business continuity to deal with a catastrophic event. It is certain, however, that none of them would have envisaged and planned for an event like Covid-19. The belated and then knee-jerk reactions by governments have left businesses with very little time to plan for ways to engage with their employees or deliver on market commitments.
Concepts like work-from-home (WFH), lockdowns, and curfew-like situations have put tremendous pressure on businesses to just stay afloat. If the sales of Zoom, Slack, and similar subscription services are anything to go by, the world is entering a new phase where collaboration technologies will enable companies to overcome the business standstill that is now visible.
The question that seems to skip everyone's mind in this scenario is, what about security?
Traditional technology models have been geared to help companies interact with each other mostly through touch and feel. The sudden move to mass self-quarantine of employees, whilst still expecting them to be productive, has shifted the boundaries that companies will need to guard.
Is there a new virus pandemic (pun intended) waiting to happen, this time a security-related one?
As a cybersecurity company, our job is to keep the wheels of business churning with minimal security-related business continuity issues. But even for us, the past few weeks have been challenging, to say the least. We have been flooded with questions from our customers who are uncertain about the path they should take to allow their operations to continue whilst still keeping the security posture as intact as feasible. WFH is creating challenges around the lack of company-owned mobile assets that can be handed out to employees.
This has forced companies to resort to short term measures such as:
- Asking employees to use their personal desktop or laptops for company use.
- Renting devices from the market and having them delivered to employees.
- Using VPN software to connect to corporate networks.
- Opening up their critical infrastructure to external devices.
With a daily dramatic surge in Covid-19 updates, people are curious about the latest statistics and cure information around coronavirus. Many websites have cropped up overnight with content and information that seems legitimate, and links to them are being innocently forwarded. Hackers are now using many such widely forwarded malicious links to propagate malware. This malware is used to exfiltrate logs of texts and phone calls, activate microphones and cameras, and steal user credentials.
Under normal circumstances this situation would still have been difficult but controllable. Today, due to WFH, these assets are basically at your home, and you are using those assets to engage with the corporate environment.
Typically a company-provided asset comes with all the security bells and whistles. Tough luck finding any of them on a home computer.
It is this device that is now being used to connect with corporate networks, albeit with VPN software for secure communication. A device with no security software in place and complete access to the corporate environment is a nightmare scenario for security professionals everywhere.
Over the past few weeks, cyber-attacks on our countries have grown manifold -- over 400% as per the latest statistics -- with relentless attacks coming in from countries that are hostile to India. The scenario would certainly be no different elsewhere as well. This combined with a weak endpoint device that could be easily compromised by a hacker can create a potent scenario for organizations. These devices would have to be considered as a trusted source and it would be quite difficult to differentiate between malicious and genuine users.
Most companies may not have the wherewithal to determine the best and least-cost security approach. There are a few things that one can look at implementing that can improve the security posture significantly.
- Devices need security software; use free AV or 30/90-day trial versions of products.
  - Automatic patch updates need to be enabled on all devices.
  - Windows 7 is out of support, so avoid it if possible; if not, ensure the AV is of a good standard.
  - Freemium: Avast / TotalAV. 30/90-day free trial: Norton / McAfee / Trend Micro.
  - Windows 10 comes with built-in security software. Enable it.
  - Also, check out www.cert-in.org.in.
- Secure the communication with VPN technology.
  - Most firewalls have a VPN feature. Use that, or open-source options.
  - Try to use multifactor authentication to ensure no abuse of credentials.
  - Open source: SoftEther, OpenVPN, Libreswan.
- Install a firewall if one doesn't exist; options range from low-end to expensive ones.
  - Review your rules on firewalls to ensure rules are correct and no gaps exist.
  - Implement geo-restrictions depending on who is likely to connect to your environment.
  - For every mobile user, create a policy on the firewall for access.
  - For sensitive internet-facing applications, implement a Web Application Firewall.
  - Open-source firewall: pfSense, Untangle.
  - Open-source WAF: ModSecurity, Naxsi.
- Make sure your servers are patched and all recent vulnerabilities are fixed.
  - Servers need AV too.
  - Ensure all your operating systems, databases and network devices are hardened.
  - Review your applications and make sure they don't have any loopholes that can be exploited.
  - Ensure proper credentials and authentication mechanisms exist for your applications.
  - If feasible, take up a security monitoring service that can help you identify threats.
  - Windows Defender is free with all Microsoft OS.
  - WSUS is free for Microsoft patching.
  - Several open-source vulnerability scanners: Burp Suite / Wireshark / Nmap.
There is a caveat here. This is not an exhaustive list, but a set of actions that will help you improve your security posture dramatically.
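To make the firewall items in the list concrete (review the rules, apply geo-restrictions, one policy per mobile user), here is an added Python example, not part of the original article, that reviews a set of remote-access policies for those gaps. The policy fields, the country allow-list, the /24 breadth threshold and the sample policies are all assumptions constructed for illustration, not the export format of any particular firewall.

```python
import ipaddress

# Constructed sample policies; field names and values are assumptions made
# for this example, not the export format of any particular firewall.
ALLOWED_COUNTRIES = {"IN"}   # where staff are expected to connect from
MAX_DST_ADDRESSES = 256      # anything wider than a /24 is treated as too broad

POLICIES = [
    {"id": 1, "user": "asha", "geo": {"IN"}, "dst": "10.1.5.20/32", "port": 443},
    {"id": 2, "user": None, "geo": {"IN"}, "dst": "0.0.0.0/0", "port": "any"},
    {"id": 3, "user": "ravi", "geo": set(), "dst": "10.1.5.0/24", "port": 3389},
    {"id": 4, "user": "meena", "geo": {"IN", "US"}, "dst": "10.1.0.0/16", "port": 22},
]

def review_policy(policy):
    """Return the list of gaps found in one remote-access policy."""
    findings = []
    # Every mobile user should have their own policy, not a shared one.
    if not policy["user"]:
        findings.append("not tied to a named user")
    # Geo-restriction: present, and limited to the expected countries.
    if not policy["geo"]:
        findings.append("no geo-restriction")
    elif not policy["geo"] <= ALLOWED_COUNTRIES:
        extra = sorted(policy["geo"] - ALLOWED_COUNTRIES)
        findings.append("allows unexpected countries: " + ",".join(extra))
    # A remote device should reach specific hosts, not whole networks.
    if ipaddress.ip_network(policy["dst"]).num_addresses > MAX_DST_ADDRESSES:
        findings.append("destination too broad: " + policy["dst"])
    if policy["port"] == "any":
        findings.append("all ports open")
    return findings

def review(policies):
    """Map policy id -> findings, listing only policies that have gaps."""
    report = {}
    for policy in policies:
        findings = review_policy(policy)
        if findings:
            report[policy["id"]] = findings
    return report

if __name__ == "__main__":
    for policy_id, findings in review(POLICIES).items():
        print(f"policy {policy_id}: " + "; ".join(findings))
```
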
Stay safe, practice social distancing and hope that we all come out of this stronger and together.
Pankit Desai is founder and CEO of Sequretek. The views in this article are his own.