For the past ten years, RiskIQ has been crawling and passive-sensing the internet to help security teams prepare for a digital revolution that would cause their attack surfaces to move beyond the firewall and outpace traditional security. New initiatives would demand migration to the cloud and call for the immediate adoption of web, mobile, and social platforms, demonstrating the limitations of network security controls.
This digital revolution happened quickly, but with the outbreak of COVID-19, it has suddenly gone into hyperdrive. Almost overnight, workforces and business operations decentralized and were flung all over the world, widening the protection gaps. In only the past two weeks, security protocols have completely changed—firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and likely succumbing to human error, such as critical misconfigurations.
The COVID-19 pandemic is a grave and challenging situation for enterprises, but RiskIQ and our customers are uniquely prepared.
With a network of globally-placed sensors, proxies, and web crawlers, RiskIQ has been collecting, analyzing, and storing internet data for more than ten years. This data shows us what the internet looks like, its interconnectivity, how each business, organization, government, and threat actor appears on the open web and the cloud. This includes new infrastructure that’s stood up remotely.
The COVID-19 pandemic requires immediate action by security teams. Here’s what you should do to get started.
1. Shadow IT gets a big boost, be prepared
As IT teams and other staff stand up new external assets to enable customers and a remote workforce—websites, web portals, mobile apps, and more—security officers must continuously track it all. Having a running, continually updated inventory of everything connected to the organization outside the firewall will be crucial because attackers will be looking for them, too. Knowing their targets’ defenses are spread thin, they’ll search for unknown, unprotected, and unmonitored digital assets. It just takes one for them to get access and move laterally across an organization’s network.
Learn more >> Extend Vulnerability Control Beyond the Firewall
2. Identify and locate all remote access points
Many employees can get their work done from anywhere due to the increased interconnectedness of modern technology. Yet, while it is possible to work from home, proper network security for remote employees is just as important as a secure network within the office building. Being able to scan for access points across your organization’s network quickly to know who has access and where it’s coming from is essential. The same goes for customers––if you’re an enterprise software platform, customers may have more access than anyone realized.
Learn more >> Secure Cloud Expansion
3. Pinpoint configuration errors
To accommodate a remote workforce with as little loss in productivity as possible, IT teams are standing up new systems quickly. They might make sure all the patches are applied. But, at this pace, they are likely making mistakes. Having a full inventory of systems associated with your organizations so you can scan them for misconfigurations will help build a secure external network that gets business done outside the office.
Learn more >> Forrester Webinar: Keys to Modern Vulnerability Risk Management
4 Find and secure cloud assets and services
Remote workforces will leverage the cloud more than ever. As more things are stood up to the cloud and moved there in the coming weeks, it will be crucial to have a full inventory of cloud assets to determine ownership—as well as what’s potentially accessible to attackers such as orphaned, abandoned, and shadow IT.
Learn more >> Ransomware Attacks the Consequence of the Coronavirus Outbreak
5. Detect malicious, rogue assets
Unfortunately, threat actors are taking full advantage of the global anxiety over COVID-19 and the confusion and challenges it’s causing businesses. Scams, phishing, and malware campaigns that leverage your brand and impersonate your infrastructure to fool customers and employees will run rampant if left unknown. Organizations must have situational awareness of these attacks, and access to internet-wide visibility to detect new infrastructure targeting them so they can neutralize the threat before it causes damage.
6. Prepare the WFH-Force
According to RiskIQ’s i3 threat intelligence group comprised of former U.S. government agency analysts, the FBI announced on March 20th that there had been a significant spike in cybercriminals targeting employees working from home. Here’s what they advise employees should be doing to keep themselves and their company safe.
- Consider implementing a weekly cybersecurity check for all employees working from home. During this pre-arranged time, employees can confirm that all security software is up to date (e.g., privacy tools, add-ons for browsers, and other patches).
- Critical company files should be regularly backed up to a remote location in case of disaster, hardware failure, or ransomware attack. Notably, most ransomware attacks take place during the night or over the weekend, according to a recent FireEye report, likely because many companies don’t have IT staff working those shifts.
- Employees should ensure their WiFi router is secure, and patching is up to date. This guide from WIRED is an excellent primer on router security. It provides a general how-to for changing passwords for both connections and administrative access, as well as updating firmware, hardening, and network segmentation.
- Employees should be aware of current threats, as well as the basics of password security—recognizing phishing emails, phishing pages, scam pages, social engineering attacks, and incident reporting.
- For advanced and persistent threats, education and awareness may not be enough, and you may want to consider RiskIQ support. RiskIQ can ingest suspected phishing URLs and intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish.
- Define a clear procedure to follow in case of a security incident. Employees should be encouraged to report cyber incidents or suspicious emails and websites. This information can be used to isolate any ongoing attacks and prevent similar incidents in the future.
- Enforce the use of multi-factor authentication for connecting to all corporate assets.
- If possible, provide remote employees with a hardened, dedicated work machine with hard drive encryption and enforce an automatic patching policy on that device.
- Protect your employees’ work devices, including laptops, tablets, mobile devices, and more. You may want to consider an endpoint security solution, such as that described by Crowdstrike here.
- Provide a VPN solution for connecting to assets on the internal corporate network. According to ZDNET, enterprise VPN servers have now become paramount to a company’s backbone, and their security and availability must be a focus going forward for IT teams. The use of a VPN also calls for endpoint protection, as compromised devices that are connected to the corporate network risk spreading infections to other devices.
- Make sure any VPN solution is patched and up-to-date. Last year, the UK’s National Cyber Security Centre reported that Advanced Persistent Threat actors were exploiting vulnerabilities in multiple enterprise VPN solutions. We expect attacks on vulnerable VPN solutions to increase apace with the growth in usage.
The time to get started is now
Without ensuring network and computer system security, employers run the risk of breaches for both their remote employees and their corporate headquarters. A lack of security is especially critical now as we have observed a surge by cybercriminals looking to use this time of uncertainty to launch attacks. Contact us today.
How RiskIQ can help you and your organization
RiskIQ has a daily Covid-19 briefing prepared by our I3 team. In the report, we give you the latest information about Covid019 from around the world. It also gives you the latest information about cyber threats (phishing, malware, ransomware) related to Covid-19.
Discovering Unknowns and Investigating Threats Amid a Global Pandemic
RiskIQ can illuminate your external attack surface and continuously monitor it to give your organization full visibility. This information can be useful in finding assets, misconfigurations, vulnerabilities, or whom to call if the asset has a problem. Your internal systems and vulnerability management systems can use this information to get you accurate risks and exposures in our new ever-expanding digital world we are living in.
RiskIQ Digital Footprint
RiskIQ can also take your internal security information and expand your visibility by enriching it to include external threat intelligence from the internet. EDR systems, for example, can take an IOC and use RiskIQ to understand the full extent of a threat actor or attack, so you have 360° visibility from inside and outside the firewall. This information can then be used to see if any other systems are also compromised but initially not alerted on by your EDR system.
You’re not alone, and we can help. Call us today if you would like to expand or jump-start your visibility to discovery unknowns in your attack surface and investigate threats to you, your organization, and customers. We can help you manage your attack surface and protect your organization from the expanded threats due to remotely doing business due to Covid-19.