Picus Security provides 8 steps defenders can take when employees are working remotely due to COVID-19. The steps include: 1) increasing employee awareness of social engineering risks, 2) securely enabling remote tools for employees, 3) identifying and monitoring high-risk remote user groups, 4) expanding monitoring activities to cover remote work, 5) reviewing incident response protocols, 6) identifying shadow IT systems, 7) scaling up multi-factor authentication, and 8) implementing compensating controls for internal applications accessed remotely. The overall approach emphasizes balancing security and usability while employees work from home during times of disruption.
8 steps defenders can take during times of remote work
1. Cyber Rangers by Picus Security
8 immediate steps defenders can take in times of flux
COVID-19 Case
2. About the speaker
Pablo Ridgeway
Senior Solution Engineer at Picus Security Inc.
20 years experience in networking and security
3. What we covered in our previous episode...
Adversaries take advantage of #trendingtopics and
● Improve engagement by instigating curiosity
○ Corona-virus-Map.com.exe Malicious File
● Improve legitimacy by disguising as a trusted party
○ Email disguised as WHO or other legitimate government body
● Create a sense of urgency and play on fear of users
○ Emails call for urgency with subjects such as ‘Cancelled Shipment due Covid-19’
4. Actions blue team members can take:
Leveraging people, process and technology
[Diagram: People, Process, Technology]
6. ● Employees may feel that their behavior isn't monitored in their remote work setup, which makes them more prone to social-engineering attacks.
● This is true to a certain extent: certain controls would not work in their home environment, which limits your ability to control their activities.
● Their chance of clicking on a malicious link or visiting a malicious website increases; adversaries are aware of this fact and double down on #trendingtopics.
● Solution: Help them understand the risks.
Make your colleagues understand the risks
7. ● COVID-19-themed social engineering campaigns have been increasing; security teams must inform employees about attackers' techniques so they are not tricked. These campaigns play on:
○ Fear
○ Stress
○ Curiosity
○ Uncertainty
○ Abusing trust
● Use our previous web series episode, explain with examples!
Step 1: Increase awareness around social engineering and phishing
8. ● Don’t be a disabler and tell them that they can’t use Zoom, Webex, Hangouts :)
● Enable your colleagues:
○ Select and approve certain tools to be used in WFH scenarios,
○ Promote the use of approved tools,
○ Explain the risks and benefits associated with these tools.
● You need to compensate for the loss of F2F interactions. Set up two-way communication channels that let users
○ Post and review questions,
○ Report incidents in real time,
○ Share best practices.
Step 2: Securely enable your employees
10. ● Most business processes are not designed to support extensive work-from-home scenarios and lack the proper embedded controls.
● Certain controls simply don’t work in a WFH environment.
● Users and endpoints become the weakest link.
● Solution: Put complementary security-control processes in place and put emphasis on detection.
Compensate for the lack of controls with processes
11. ● Now that most of your employees are working from home, you have many more nodes to analyze; use the Pareto Principle! 20% of the users pose 80% of the risk.
● Users working with personally identifiable information (PII) or other confidential data pose more risk than others.
● High-risk users should be identified and monitored for behavior that can indicate security breaches, such as:
○ unusual bandwidth patterns
○ bulk downloads of enterprise data
● Also think of preparing tailored messaging for high-risk user groups, if you can communicate with them directly.
Step 3: Identify, monitor and inform high-risk user groups
12. ● Basic boundary-protection mechanisms (e.g. proxies, web gateways, IPS) won’t secure users who are
○ working from home,
○ off the enterprise network, and
○ not connected to a VPN.
● Rethink your monitoring activities around WFH practices
○ Widen the scope of monitoring activities, particularly for data and endpoints,
○ Update SIEM systems with new rule sets that take WFH into consideration,
■ Beware! Focus on creating relevant rules; don’t overburden yourself with alerts.
Step 4: Expand monitoring
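One way to turn the "bulk downloads" and "unusual bandwidth" indicators of Step 3 into a relevant, low-noise SIEM-style rule as Step 4 asks: an added example, not code from the Picus deck, that baselines each remote user's daily download volume on pre-WFH days and applies a tighter threshold only to the assumed high-risk (PII) group. The log format, baseline days and user names are all constructed.

```python
# Added example, not code from the Picus deck: flag bulk downloads and unusual
# bandwidth per remote user from constructed VPN/proxy egress logs. Users in the
# (constructed) high-risk PII group get a tighter threshold than everyone else,
# so the rule stays relevant instead of flooding the SIEM with alerts.
from collections import defaultdict
from statistics import median

# Constructed sample lines: timestamp, user, bytes downloaded, path.
SAMPLE_LOGS = """\
2020-03-09T10:00:00Z alice 100000 /crm/export
2020-03-10T10:05:00Z alice 120000 /crm/export
2020-03-23T09:01:10Z alice 400000 /crm/export
2020-03-09T11:00:00Z bob 200000 /wiki/page
2020-03-10T11:00:00Z bob 220000 /wiki/page
2020-03-23T11:30:00Z bob 900000 /wiki/page
2020-03-09T12:00:00Z carol 50000 /share/doc
2020-03-10T12:00:00Z carol 60000 /share/doc
2020-03-23T12:00:00Z carol 800000 /share/doc
"""
BASELINE_DAYS = {"2020-03-09", "2020-03-10"}  # assumed: pre-WFH days as baseline
HIGH_RISK = {"alice"}  # assumed: users handling PII (the Step 3 high-risk group)

def parse_logs(text):
    """Return (timestamp, user, bytes, path) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, nbytes, path = line.split()
            events.append((ts, user, int(nbytes), path))
    return events

def daily_bytes(events):
    """Sum downloaded bytes per user per UTC calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, nbytes, _ in events:
        totals[user][ts[:10]] += nbytes
    return totals

def find_anomalies(events, baseline_days, high_risk, normal_x=10, high_risk_x=3):
    """Alert when a non-baseline day exceeds factor x the user's baseline median."""
    alerts = []
    for user, per_day in daily_bytes(events).items():
        base = [b for d, b in per_day.items() if d in baseline_days]
        if not base:
            continue  # no baseline yet, nothing to compare against
        med = median(base)
        factor = high_risk_x if user in high_risk else normal_x
        for day, b in per_day.items():
            if day not in baseline_days and b > factor * med:
                alerts.append((user, day, b, round(b / med, 1)))
    return sorted(alerts)
```

With the sample data, alice (high risk, 3.6x her baseline) and carol (14.5x) are flagged, while bob's 4.3x jump stays below the looser threshold for ordinary users.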
13. Step 5: Review incident-response protocols
● Review your incident response processes and focus on what's important
○ Security teams are also working from home!
■ Decision makers may not be reached easily
■ Normal escalation pathways may be interrupted
○ Cybersecurity leaders should build redundancy options into response protocols so that responses don’t stall
● In times of flux communication is crucial, and the definition of a critical security incident may change; make sure that your team is constantly sharing insights.
15. ● 71% of employees use so-called shadow IT systems*,
○ systems they set up and administer without formal approval
● Extended work-from-home operations will expose such systems:
○ business processes that depend on shadow IT in the office will break down.
● Prepare to transition, support, and protect business-critical shadow assets.
● Keep an eye out for new shadow-IT systems that employees use or create to:
○ ease working from home,
○ compensate for in-office capabilities they can’t access,
○ get around obstacles.
* Source: OneLogin
Step 6: Use this to your advantage and identify shadow IT
16. ● WFH practices increase cyber risk in two dimensions:
○ Companies roll out technologies that enable employees to work from home and maintain business continuity. The rapid proliferation of work-from-home technologies expands our attack surface.
○ For most security teams, achieving WFH at scale will not be easy and is going to take time.
○ Defensive capabilities will be limited for a period of time.
● Solution: Review your control stack, taking into consideration the changes in your attack surface
Make sure the appropriate controls are in place
17. ● Employees working remotely must use MFA to access networks and critical applications.
● If setting up MFA for all users is challenging, prioritize users:
○ who have elevated privileges (such as domain and sys admins)
○ who have access to critical data (PII, intellectual property, etc.)
○ who work with critical systems (for instance, money transfers)
○ who work in cybersecurity teams
Step 7: Scale Up Multi-Factor Authentication (MFA)
18. ● Some applications are available only to users working onsite at their organizations’ facilities.
● Companies must protect those apps with special controls to make them available to remote workers.
● If you have enough resources, activate corporate VPNs for all users.
● However, most VPNs depend on traffic over the public Internet,
○ which translates into slowdowns and reduced quality of service overall.
● As a solution,
○ activate VPNs and use MFA to reach internal critical assets,
○ use MFA alone when accessing less critical parts of the corporate environment (like cloud-hosted applications).
Step 8: Implement compensating controls for internal applications
19. Summary Slide
Make people aware of the risk and part of the solution
Security teams should be an enabler at times like this
Use Pareto Principle - 20% of users would bear 80% of the risk
Focus on monitoring and detection - but be smart about it!
Find the delicate balance between security and connectivity or usability