A pandemic and remote working: Cyber security under the microscope

Highlighting advice available from the NCSC, Hunter Seymour reports on the cyber security issues that have affected so many IT and security teams during the COVID-19 pandemic as employees have moved to remote working.

Earlier this month, a warning flashed on my computer. The inbox opened with this message from a favoured charity, Sightsavers:

“I am writing to tell you about a data security incident involving a large technology company called Blackbaud . . . cybercriminals were able to make a copy of the data stored in parts of the Blackbaud system. This included data for numerous charities and organisations, including Sightsavers . . . we are confident this incident poses a very low risk to our supporters, and that credit card and bank details were not involved.”

Blackbaud, we are told, met the cybercriminals’ ransomware demand and received assurances from the hackers that the data had been destroyed. The National Trust and some 33 UK charities hacked in this data breach have advised the UK’s Charities Commission.

Please pardon a home-worker’s post-COVID paranoia, but does this mean that even now (gulp) these keystrokes you read here are infected by malware? And, as these words fly across the internet, are they spreading an unknown computer virus to lock your system?  It’s a suspicion that demands closer examination.

Remote working: 127% increase in endpoint vulnerability

Specifically, since April when the number of worldwide coronavirus cases passed one million, we have been warned by the NCSC (National Cyber Security Centre, a part of GCHQ) that the post-COVID surge in home working has resulted in a significant increase in the use of Remote Desk Protocols (RDP).

The NCSC tells us: “Attacks on unsecured RDP endpoints (i.e. exposed to the internet) are widely reported online, and recent analysis has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems, without the right security measures in place, more vulnerable to attack.”

In their identification of the vulnerabilities of exposed remote desk access software, the NCSC in effect issues a general warning to all home-workers: the possibility of data breaches due to the work-related environment becoming available to household members.

Clearly, then, the work and play of staff should be strictly segregated. To attain high-level security their work activities should be done on a workplace device, with personal activities restricted to employee-owned devices. For the concerned CISO (Chief Information Security Officer) the challenge is to provide home-working employees with company-owned and secured end-user devices, while restricting their usage to work-related activities only.

CISO best practice for remote working

News this month that the UK’s largest listed asset management firm has told its 5,000 workers they are permitted to work permanently from home has sent shock waves through the City. This move is all the more surprising when, only a month earlier, the firm’s view was: “We think it is premature to assume that the office is dead,” citing some “companies that adopted remote working earlier, like IBM, have subsequently reined in the practice.”

Premature or not, today’s CISO must consider the prospect of a prolonged period of home-working for company staff as a distinct trend and, therefore, they must address the challenges raised by increased vulnerabilities that could provide opportunities for attackers to gain access to company systems.

It follows that your critical objective should be to bring your home-workers’ remotely-used devices under your control, so that appropriate security measures can be applied. A checklist of priorities to prompt your security planning should include several actions, including, but not limited to, those listed below.

Safeguarding end-point connectivity

• Review anti-virus protection of devices
• Reassess resilience, configuration and deployment of your company’s VPN (Virtual Private Networks), including legacy intranet interactions.
• Apply regular software updates to patch security flaws and deny hackers access
• Filter out unauthorised access to your network
• Limit user privileges and restrict administrative entry to supervisory levels
• Advise staff to change any easily-guessed passwords to three random words and implement 2-factor (or multi-factor) authentication to reduce access points for penetration of home-based networks
• Discourage use of public Wi-Fi networks, which could provide easily accessible entry points for hackers
• Monitor and test security controls, including system integrity possibly compromised by IoT devices and their peripherals
• From the start explain clearly your Remote Management Regime, its applied technology and rules for home-working employees, with regular training to maintain network vigilance.

Resisting malicious COVID-19 cyber activity

The NCSC also warns that cybercriminals and APT (Advanced Persistent Threat) groups are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Due to the pressures of COVID-19, attacks thrive against newly (and often rapidly) deployed remote access or remote working infrastructure.

READ: Coronavirus related cyber scams continue to rise

Unparalleled opportunities exist for criminals to compromise a company’s network security in scams that lock down systems once access is gained. Such enticements as Phishing or Spear phishing succeed by using the subject of ‘Coronavirus’ or ‘COVID-19’ as a lure in personalised targeted emails which appear harmless at first.

Similarly, distribution of Malware can use ‘Coronavirus’ or ‘Covid-19’ themed lures (e.g. an invitation to open an attachment or download a malicious file from a linked web page). Therefore, use monitoring tools to detect network-users’ poor judgement such as clicking on suspect sites or downloading attachments from unverified senders masquerading as a trustworthy source with ‘COVID-19’ as a pretext. Essentially, use a secure search engine and communication platform that shields users from malicious sites and malware.

Endpoint management roadmap

The NCSC continues to offer CISOs essential guidance to Indicators of Compromise (IOCs) for detection of cyber threats, as well as mitigation advice on hazards arising from the “fast-moving situation” shaped by the global pandemic. Examples include the NCSC Advisory note, or the infographic pictured below.

The great emphasis the NCSC places on the vulnerability of exposed Remote Desk Protocols must not go unheeded, because the ramifications of this neglect can be critical. Cyber security specialists, Reposify, have Identified “the fact that IT teams have much less visibility” when it comes to security of their Cloud assets. This observation should be considered in the context of RDPs exposed to the internet and hosted in the Cloud “without IT teams’ awareness, something which is unlikely to happen in cases of RDPs in internal networks, where there are firewalls and stricter procedures.” 

Such a case for cybercriminal exploitation is bound to arise from increasing separation of workforces due to the COVID-19 fallout.

Wish-List: white corpuscles to defeat virus

This precautionary guidance to overcome this undesirable aspect of Cloud hosting is echoed by the Editor of CyberSecurity magazine in his recent online interview, How the Covid-19 Crisis Changes Cybersecurity. What emerges from this in-depth debate on the implications for CISOs of post-COVID impacts is that they must “rethink how they will collaborate to use the Cloud and not rely on it.” In essence: “Rethink your architecture, rethink the configuration of your remote access, and be prepared for everyone working from home . . . be prepared to embrace remote working as a reality.”

Somewhat more arcane thinking emerges in the debate’s summing-up: “Endpoint security is not the final solution. Period.” A shift more towards Security-by-Design is predicted “with the nice analogy of Self-Protecting Data like white blood cells” to counteract invasive viruses.

Evidently such a solution will be on every CISO’s wish-list but, meanwhile, with Cloud and rogue devices in mind, the bottom-line message from the NCSC is this:

Be vigilant. Embed your baseline Risk Management Regime across all devices to protect endpoint data when both inputted and in transit as well as when inactive.