While the whole world is worried about the coronavirus pandemic, organisations are facing another set of problems. Everyone is worried about information security challenges, especially when their entire workforce, or at least a large part of it, is working from home. This article discusses the various ways a hacker can try to exploit the situation and what organisations must do to thwart them and ensure the confidentiality, integrity, availability and privacy of their data. Although this article is scoped to the IT industry, other industries can surely take cues from it for their IT infrastructure, policies and procedures. I will use the acronyms WFH (Work From Home) and info-sec (Information Security) to keep things simple.
From an info-sec perspective there are 3 main categories of organisation:
- Companies which are certified (ISO27001 and/or ISO22301) and diligent
- Companies which are not certified (they may be following some info-sec practices)
- Companies which are certified in name only, and hence follow nothing
How can hackers exploit this situation?
Hackers are always looking for the easiest way in. Before attacking an organisation, they perform thorough reconnaissance. They are interested in the data belonging to that company or its customers. In a pandemic scenario, unfortunately, hackers get a bigger playground, ranging from physical infrastructure to the personnel working from home. Below are the attack vectors by which they exploit the situation.
- By targeting your physical infrastructure (break-ins into data centers)
- By targeting corporate WiFi (because physical proximity is easily possible and WiFi is usually not set up securely)
- By targeting your external firewall (because configuration changes are done in haste to accommodate WFH employees)
- By targeting your web infrastructure hosted externally (web or cloud applications)
- By targeting your cloud infrastructure (AWS S3 buckets, Azure Vaults)
- By targeting WFH and WFO employees via:
— Social engineering (impersonating a sysadmin to ask for passwords)
— Spear-phishing (to steal information or passwords via chat boxes or emails)
Who are these hackers?
Please remember – it has been proven over time that internal threats are bigger than external ones. With that said, these hackers may be…
- Your own employees / contractors
- Your third-party vendors who provide services to you
- Unknown hackers external to your organisation
The solutions
While everyone typically takes a checklist approach, it is important to note that a single universal checklist is not possible. This is because each organisation is different, with a completely different set of information security challenges. The information below attempts to provide a consolidated approach which may apply to almost all industries.
As we all know, 100% security is never possible; you can only attempt to get close to it. At the outset, the solution is a stack of technical controls + policies/procedures + training + monitoring + continuous improvement.
So here we go, in terms of what needs to be done.
Tasks for senior management
- Designate an info-sec head or a team
- Circulate a list of local authorities (police, fire, hospitals, etc.)
- Circulate a list of internal authorities (info-sec head, admin head, HR head)
- Circulate an updated incident response procedure naming the key stakeholders / IT heads
- Provide clear instructions on how to handle and report/escalate an incident (theft, data theft)
- Send an email to all employees via the legal department, stating that even during WFH, all information security policies and procedures, and disciplinary actions, shall apply.
Tasks for HR and Admin departments
- Get an NDA signed by everyone, covering info-sec during WFH (electronic signature is fine)
- Set up quick online training on info-sec during WFH, and walk every employee through it.
- Ensure that the training takes into account the POSH (Prevention of Sexual Harassment) policies.
- Have physical security guards stay alert (especially at data centers)
- Ensure that the CCTV cameras are working and storing recordings
Tasks for system administrators
- First and foremost – change critical passwords (firewalls, servers) to stronger ones.
- Second, and important – ensure that all sysadmins use their own userids/passwords and not a shared account.
- Segregate file / folder access controls, based on projects or departments as per the scenario
- Segregate cloud access control, based on projects.
- Discourage TeamViewer or RDP for remote connectivity. Implement a VPN.
- Choose a complex, non-guessable VPN key.
- For teams connecting to the cloud:
— Let WFH teams connect to the corporate LAN via VPN, and from there connect to the cloud.
— If this is not possible, let them connect to the cloud directly, but enable monitoring/logging on the cloud.
—- Disable access for third-party vendors (unless approved)
—- Patch servers
—- Ensure antivirus is running on those servers
—- Ensure that backups are happening
—- Ensure that offsite backups are also happening
- For super-critical networks, change the VPN key at least once every 3 days.
- Ensure that the corporate WiFi is running with the WPA2 protocol. Turn off unused access points.
- Ensure that all access point and WiFi controller traffic is routed through the firewall.
- Disable audio/video bridges or conferencing equipment, keeping only a limited number working.
- Consider routing video conferencing through the firewall to avoid external hacking.
- For those who must be in the office, ensure that their personal devices do not connect to the corporate WiFi (unless approved by senior authorities). Consider this an opportunity to enforce a stricter BYOD policy, which is usually taken lightly.
- Completely discourage and remove shared user accounts (multiple team members using a single userid/password). Let all teams log in using their own userids.
- Enable elaborate logging on critical servers for monitoring and SIEM purposes
- Enable logging on front-ending firewalls and keep monitoring it manually
- Bring production environments under control by segregating access control between production and non-production (which is usually partly handled by software developers)
- Lastly, and extremely important – be sure about your measures by performing:
— Vulnerability assessment of your VPN
— Vulnerability assessment of your cloud infra
— Vulnerability assessment of your web application
Tasks for software developers working from home
- Follow SDLC / Agile rules, especially for checking code in and out with elaborate details.
- Collaborate on chat often, as was otherwise being done in person at the office. This is important to avoid code deployment confusion.
While collaborating on chat:
- Enable OTP-based login wherever applicable (possible for Office 365/Google Suite)
- Do not send any external link to fellow team-mates.
- Do not click any link sent by a fellow team-mate.
- Do not circulate userids/passwords on chat.
Tasks for WFH workstations
- Note down the machine serial number and MAC address
- Ensure antivirus is running and updated
- Ensure the workstation is patched
- Enable screensaver locking
- While browsing non-work-related websites, open them in Private/Incognito mode.
For ISO27001 Certified Organizations
- Be strict in following all policies and procedures
- Focus specifically on sections A.6.2, A.8.1, A.8.3, A.11 and A.13
- Review the business continuity process to see if it needs any changes
Stay tuned for more articles on this topic. Follow us at https://www.linkedin.com/company/valency-networks