2. IT SECURITY IN COVID-19
Presented by,
Nagesh Lad, CISSP, CISA
3. Speaker’s Profile
• Bachelor of Engineering (B.E.) in Electronics from Mumbai
University
• CISA, CISSP, CPISI, ACSA, DCL, ITIL, CEH, CCNA Certified
• 18+ years of industry experience
• Worked for BFSI (Stock Exchange, Banks, Clearing
Corporation, Insurance) and IT Service Industry
• Working as CISO for a private Indian insurance company for more than 7 years
4. Agenda
• Assumptions
• Different Phases of Handling the Current Pandemic Situation
• Enabling WFH Facilities
• IT Security Practices in COVID-19
5. Assumptions
Organizations are following information and cyber security practices
which may include, but are not limited to:
• Secure Network Architecture
• Secure SDLC Practices
• Multi-layered Security Controls / Protections
• Secure Configuration Practices
• Patch Management
• Vulnerability Management
• Data backup & restoration practices
• Role based & least privilege access rights and revalidation practices
• Continuous Monitoring & Responding to Security Alerts
• & others …
6. Different Phases
Every organization would have gone through the phases below
while handling the current COVID-19 pandemic situation
• Invocation of BCP Plan
• Enabling WFH Facilities
• Educating Users on Do’s and Don’ts
• Re-aligning Security Controls / Practices
• Fine-tuning Monitoring Practices
7. Invocation of BCP
• Many organizations had a documented & tested BCP plan
• But very few were ready for such a long lockdown period
• WFH has become the new way of delivering business
activities
• Many would have revised their BCP plan to include such a
pandemic scenario
9. Challenges Faced
• Organizations had remote access facilities like VPN and
VDI over the Internet – but only for a limited set of users
• Limited licenses
• Limited device capacity
• Laptops were assigned only to a limited set of users based
on their role
• Limited Internet bandwidth
10. Few Approaches Taken
• Enabled VPN access on the organization’s securely
configured laptops
• Enabled VDI access over the Internet so users could connect
from their personal systems
• Allowed users to take the organization’s desktops home –
a risky option if not controlled properly
11. Steps taken to enable WFH
• Purchased or rented laptops in bulk
• Increased licenses and capacity of VPN and VDI solutions
• Increased Internet connection bandwidth
• Enabled VPN & VDI access for a large set of users
• Performed risk assessment of service providers’ WFH
facilities
• On-boarded new vendors who were ready to deliver services in a
WFH scenario – e.g. a call center agent solution for WFH
12. Communications from Regulator
• Regulators were sending frequent security advisories /
notifications to guide organizations
• A number of advisories were received from IRDAI on WFH
security guidelines and BCP / DR guidelines for COVID-19
• RBI sent notifications related to DDoS & phishing
campaigns from China
• Organizations should monitor such communications & take the
necessary actions
14. User Awareness
• Educating users on do’s and don’ts from an information and
cyber security point of view
• Creating situation-based awareness, e.g.:
  • Conducting video conference calls
  • Accessing the organization’s systems from home
  • Wi-Fi connection security
  • Handling COVID-19 phishing emails etc.
15. End Point Security
All of the organization’s end points (laptops) should be securely configured
• Standard user (non-administrative) access rights for end users
• Installation of agents like:
  • Device control management
  • Internet proxy client
  • Host-based DLP
  • Antivirus
  • EDR solution
• Installation of regular updates & patches
• Weekly full scan of end points to identify / clean any
infection
16. Network / System Security
• Enable DDoS protection
• External penetration testing to identify & mitigate any
vulnerabilities present
• Secure configuration review and vulnerability assessment of
WFH solutions – VPN, VDI etc.
• Vulnerability assessments of Internet-facing systems & critical
systems
• Blocking of traffic originating from outside India, especially for WFH
solutions (depending on the nature of the business & the spread of end users)
17. Security Controls for VPN
• Allow access to only a limited set of secure ports over the Internet
• The admin interface should be blocked over the Internet
• Enable a 2FA authentication mechanism
• Allow users to connect to the VPN only from the organization’s
securely configured laptops
• Enable security posture validation for end points
• Configure devices securely and test them periodically
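Slides 15 and 17 together describe what a securely configured laptop must carry and say VPN access should be gated on a posture check of that laptop. The following is an added example, not code from the presentation: a small posture gate that takes what a VPN client reports and returns allow / deny with reasons. The agent names, the patch-age threshold and the sample devices are assumptions; only the 7-day full-scan requirement comes from slide 15.

```python
"""Endpoint posture gate before VPN access (added example, not the deck's own code)."""
from dataclasses import dataclass, field

# Agents slide 15 expects on every end point (names are assumptions)
REQUIRED_AGENTS = {"device_control", "proxy_client", "host_dlp", "antivirus", "edr"}
MAX_PATCH_AGE_DAYS = 30      # assumed policy value
MAX_FULL_SCAN_AGE_DAYS = 7   # slide 15: weekly complete scan


@dataclass
class Posture:
    device_id: str
    managed: bool               # organization-owned and centrally managed laptop
    running_agents: set         # agent names reported as installed and running
    days_since_last_patch: int
    days_since_full_scan: int
    local_admin: bool           # user holds administrator rights on the device


@dataclass
class Decision:
    allow: bool
    failures: list = field(default_factory=list)


def evaluate_posture(p: Posture) -> Decision:
    """Return Decision(allow=True) only when every check passes; otherwise list every failure."""
    failures = []
    if not p.managed:
        failures.append("not an organization-managed device")
    missing = REQUIRED_AGENTS - p.running_agents
    if missing:
        failures.append("missing agents: " + ", ".join(sorted(missing)))
    if p.days_since_last_patch > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if p.days_since_full_scan > MAX_FULL_SCAN_AGE_DAYS:
        failures.append("weekly full scan overdue")
    if p.local_admin:
        failures.append("user holds local admin rights")
    return Decision(allow=not failures, failures=failures)


# Constructed sample devices: a compliant corporate laptop and a personal PC
CORPORATE_LAPTOP = Posture("LT-0001", True, set(REQUIRED_AGENTS), 12, 3, False)
PERSONAL_PC = Posture("HOME-PC", False, {"antivirus"}, 90, 40, True)

if __name__ == "__main__":
    for dev in (CORPORATE_LAPTOP, PERSONAL_PC):
        d = evaluate_posture(dev)
        print(dev.device_id, "ALLOW" if d.allow else "DENY", d.failures)
```

The gate reports every failed check rather than stopping at the first one, so the helpdesk can tell a user exactly what to fix before retrying; a real VPN concentrator would take the same decision from its posture module and either refuse the session or place it in a remediation segment.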
18. Security Controls for VDI over Internet
• Allow access to only a limited set of secure ports over the Internet
• The admin interface should be blocked over the Internet
• Enable a 2FA authentication mechanism
• Ensure copy-paste rights are restricted
19. Security of Collaboration Solutions
• Organizations enabled access to collaboration solutions like video
conferencing, e.g. Webex, Google Meet, MS Teams, Zoom
• Earlier, such access was restricted to a limited set of users
considering data security & other risks
• Organizations should set security guidelines for users of such
solutions, e.g.:
  • Secure distribution of meeting invites to only the required participants
  • Enabling the waiting room and allowing only known participants into the meeting
  • Restricting presentation access to the host
  • Disabling remote access etc.
• Educate users on these security guidelines
• Keep software updated with the latest version & patches
20. Firewall Rulebase
• Enable access from VPN & VDI systems on the basis of user roles
and requirements
• Do not enable complete access to the production network
• Block blacklisted IP addresses on perimeter devices
• Block IoCs published for active attacks in the news
• Periodically revalidate the access enabled from VPN & VDI
systems
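Slides 16, 17/18 and 20 describe the perimeter rules for WFH solutions (only the user-facing secure ports exposed, no admin interface, traffic from outside India blocked, blacklisted / IoC addresses dropped) and the rule that a VPN or VDI user reaches only what their role requires rather than the whole production network. The following is an added example, not code from the presentation, that models both rule sets over constructed flows. The addresses in the blocklist are IETF documentation ranges standing in for real blacklists / IoCs, and the zones, ports and roles are assumptions.

```python
"""Perimeter and post-login rule checks for WFH access (added example, not the deck's own code)."""
import ipaddress
from dataclasses import dataclass

# Placeholder blocklist (documentation ranges) standing in for blacklisted IPs and published IoCs
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
ALLOWED_SOURCE_COUNTRIES = {"IN"}                 # slide 16: block traffic from outside India
# Only the WFH services' secure user-facing ports are exposed; admin UIs are not (slides 17/18)
EXPOSED_SERVICES = {("vpn", 443), ("vdi", 443)}
# What each role may reach once connected (slide 20): role -> {(zone, port)}; assumed values
ROLE_ACCESS = {
    "claims_processor": {("app-claims", 443)},
    "dba": {("app-claims", 443), ("db-prod", 1433)},
}


@dataclass
class InboundFlow:
    src_ip: str
    src_country: str   # from the perimeter device's geo lookup
    service: str       # "vpn" or "vdi"
    dst_port: int


@dataclass
class LateralFlow:
    user_role: str     # role of the authenticated VPN/VDI user
    dst_zone: str
    dst_port: int


def is_blocklisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def perimeter_decision(f: InboundFlow) -> tuple:
    """Rules evaluated in order; first match wins; anything not explicitly exposed is denied."""
    if is_blocklisted(f.src_ip):
        return ("deny", "blacklisted / IoC source address")
    if f.src_country not in ALLOWED_SOURCE_COUNTRIES:
        return ("deny", f"source country {f.src_country} not allowed for WFH solutions")
    if (f.service, f.dst_port) not in EXPOSED_SERVICES:
        return ("deny", f"{f.service}:{f.dst_port} not exposed (admin or unlisted port)")
    return ("allow", "exposed WFH service from an allowed region")


def lateral_decision(f: LateralFlow) -> tuple:
    """Role-based reachability from the VPN/VDI segment; default deny (no blanket production access)."""
    if (f.dst_zone, f.dst_port) in ROLE_ACCESS.get(f.user_role, set()):
        return ("allow", f"permitted for role {f.user_role}")
    return ("deny", f"{f.dst_zone}:{f.dst_port} not in the access list for role {f.user_role}")


if __name__ == "__main__":
    # Constructed sample flows
    for flow in (InboundFlow("203.0.113.7", "IN", "vpn", 443),
                 InboundFlow("192.0.2.10", "US", "vpn", 443),
                 InboundFlow("192.0.2.10", "IN", "vpn", 8443),
                 InboundFlow("192.0.2.10", "IN", "vdi", 443)):
        print(flow, "->", perimeter_decision(flow))
    for flow in (LateralFlow("claims_processor", "app-claims", 443),
                 LateralFlow("claims_processor", "db-prod", 1433)):
        print(flow, "->", lateral_decision(flow))
```

Keeping the blocklist as `ip_network` objects lets a single published CIDR cover a whole range, and the default-deny tail of both functions is what turns "do not enable complete access to the production network" into an enforceable rule: a role that is not in the matrix reaches nothing until someone adds it.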
21. Security Monitoring Practices
• Integrate security and audit logs from all security & perimeter
devices and from critical systems
• Fine-tune use cases on the basis of the current situation and active
attack patterns
• Continuously monitor & respond to DLP and EDR alerts
• Monitor traffic coming from VPN users
• Perform trend analysis to identify deviations from normal
patterns
• Fine-tune the Cyber Crisis Management Plan (CCMP) to include the
WFH situation
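Slide 21 asks for monitoring of traffic from VPN users and trend analysis to spot deviations from normal patterns. The following is an added example, not code from the presentation: it builds a per-user baseline (usual login hours, source countries, outbound volume) from an earlier window of sessions and flags later sessions that depart from it. The log format, field names, the session records and the three-sigma volume threshold are all constructed for the example.

```python
"""Trend-based deviation detection on VPN session logs (added example, not the deck's own code)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed VPN session records: one line per session, fields are assumptions
VPN_LOG = """\
2020-05-04T09:05:00 user=alice src_country=IN bytes_out=120000
2020-05-05T09:12:00 user=alice src_country=IN bytes_out=135000
2020-05-06T08:58:00 user=alice src_country=IN bytes_out=110000
2020-05-07T09:20:00 user=alice src_country=IN bytes_out=125000
2020-05-08T09:03:00 user=alice src_country=IN bytes_out=130000
2020-05-04T10:00:00 user=bob src_country=IN bytes_out=50000
2020-05-05T10:15:00 user=bob src_country=IN bytes_out=55000
2020-05-06T10:05:00 user=bob src_country=IN bytes_out=52000
2020-05-07T09:55:00 user=bob src_country=IN bytes_out=48000
2020-05-08T10:10:00 user=bob src_country=IN bytes_out=51000
2020-05-11T02:40:00 user=alice src_country=RO bytes_out=9800000
2020-05-11T10:02:00 user=bob src_country=IN bytes_out=53000
"""

SIGMA = 3  # volume alert threshold: mean + 3 standard deviations (assumed)


def parse_log(text):
    """Turn the key=value lines into session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        sessions.append({
            "time": datetime.fromisoformat(ts),
            "user": rec["user"],
            "country": rec["src_country"],
            "bytes_out": int(rec["bytes_out"]),
        })
    return sessions


def build_baseline(sessions):
    """Per-user normal pattern: seen countries, login-hour band (+/- 1h), volume ceiling."""
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s["user"]].append(s)
    baseline = {}
    for user, recs in per_user.items():
        vols = [r["bytes_out"] for r in recs]
        hours = [r["time"].hour for r in recs]
        stdev = statistics.stdev(vols) if len(vols) > 1 else 0.0
        baseline[user] = {
            "countries": {r["country"] for r in recs},
            "hour_min": min(hours) - 1,
            "hour_max": max(hours) + 1,
            "volume_limit": statistics.mean(vols) + SIGMA * stdev,
        }
    return baseline


def detect_deviations(log_text, baseline_until):
    """Baseline on sessions before `baseline_until` (ISO date); flag later sessions that deviate."""
    sessions = parse_log(log_text)
    cutoff = datetime.fromisoformat(baseline_until)
    baseline = build_baseline([s for s in sessions if s["time"] < cutoff])
    alerts = []
    for s in (x for x in sessions if x["time"] >= cutoff):
        b = baseline.get(s["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if s["country"] not in b["countries"]:
                reasons.append(f"new source country {s['country']}")
            if not b["hour_min"] <= s["time"].hour <= b["hour_max"]:
                reasons.append(f"unusual login hour {s['time'].hour:02d}")
            if s["bytes_out"] > b["volume_limit"]:
                reasons.append(f"outbound volume {s['bytes_out']} above baseline limit {int(b['volume_limit'])}")
        if reasons:
            alerts.append((s["user"], s["time"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, why in detect_deviations(VPN_LOG, "2020-05-11"):
        print(f"ALERT {when} {user}: {'; '.join(why)}")
```

Run over the sample, the baseline week is clean and the one session on 2020-05-11 from a new country, at night, with roughly eighty times the user's normal outbound volume is the only alert, carrying all three reasons; in a SIEM the same three checks would be separate use cases, tuned as the slide says to the current situation, with the baseline window recomputed as users settle into WFH routines.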
22. Third Party Risk
• Many organizations outsource a number of activities to third parties,
e.g. calling, data entry
• Many of these third parties are connected to the organization’s network
using leased lines or IPsec tunnels to access applications /
systems
• Assess the risk introduced by WFH facilities at the third party’s end
• Keep an eye on security news for any reports related to
associated third parties
• Services are available which monitor the risks third parties pose to the
organization and provide reports / alerts for the same –
organizations can avail of such services
23. Privileged Access Management
• Ensure no admin module is directly available over the Internet
• Grant privileged access rights through PAM solutions
• Enable a 2FA authentication mechanism
• Enable access rights based on role and least privilege
principles
• Periodically revalidate the need for privileged access rights
24. User Access Revalidations
• Grant user access rights on a “need to know” and “least
privilege” basis
• Follow an entry – exit process to grant & remove access
rights
• Periodically revalidate that the user still exists and still needs the
access rights, on the basis of the user’s role
• Frequently check for inactive users (e.g. inactive for 10 days)
• Remove dormant & orphan user IDs
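Slide 24 asks for periodic revalidation that a user still exists and still needs their rights, a check for users inactive for 10 days, and removal of dormant and orphan IDs. The following is an added example, not code from the presentation: it joins an identity-store export against an HR roster and a role-to-entitlement matrix and reports every account that needs action. The roster, the accounts, the entitlement matrix and the 90-day dormancy threshold are constructed / assumed; only the 10-day inactivity window comes from the slide.

```python
"""User access revalidation against HR roster and role matrix (added example, not the deck's own code)."""
from datetime import date

INACTIVE_DAYS = 10   # slide 24: "inactive for 10 days"
DORMANT_DAYS = 90    # assumed threshold for dormant IDs
REVIEW_DATE = date(2020, 6, 5)   # constructed review date

# Constructed HR roster: employee id -> (status, role)
HR_ROSTER = {
    "E100": ("active", "claims_processor"),
    "E101": ("exited", "claims_processor"),
    "E102": ("active", "dba"),
    "E103": ("active", "claims_processor"),
}
# Constructed entitlement matrix: role -> entitlements that role justifies
ROLE_ENTITLEMENTS = {
    "claims_processor": {"claims_app"},
    "dba": {"claims_app", "db_prod_admin"},
}
# Constructed identity-store export
ACCOUNTS = [
    {"user": "alice",   "emp_id": "E100", "last_login": date(2020, 6, 1),  "entitlements": {"claims_app"}},
    {"user": "bob",     "emp_id": "E101", "last_login": date(2020, 4, 20), "entitlements": {"claims_app"}},
    {"user": "carol",   "emp_id": "E102", "last_login": date(2020, 5, 20), "entitlements": {"claims_app", "db_prod_admin"}},
    {"user": "dave",    "emp_id": "E103", "last_login": date(2020, 6, 3),  "entitlements": {"claims_app", "db_prod_admin"}},
    {"user": "svc_old", "emp_id": "E999", "last_login": None,              "entitlements": {"db_prod_admin"}},
]


def review_accounts(accounts, roster, as_of):
    """Return {user: [findings]} for accounts needing action; clean accounts are omitted."""
    findings = {}
    for a in accounts:
        issues = []
        hr = roster.get(a["emp_id"])
        if hr is None:
            issues.append("orphan: no HR record")                 # nobody owns this ID
        elif hr[0] != "active":
            issues.append(f"orphan: employee status {hr[0]}")     # leaver whose exit process missed the ID
        else:
            # Rights beyond what the role justifies violate least privilege
            excess = a["entitlements"] - ROLE_ENTITLEMENTS.get(hr[1], set())
            if excess:
                issues.append("entitlements beyond role: " + ", ".join(sorted(excess)))
        if a["last_login"] is None:
            issues.append("dormant: never logged in")
        else:
            idle = (as_of - a["last_login"]).days
            if idle > DORMANT_DAYS:
                issues.append(f"dormant: inactive {idle} days")
            elif idle > INACTIVE_DAYS:
                issues.append(f"inactive {idle} days")
        if issues:
            findings[a["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE).items():
        print(user, "->", "; ".join(issues))
```

The join with HR is what separates an orphan ID (no owner, or an owner who has left) from a merely inactive one, and the role matrix turns "revalidate need of access rights basis of user's role" into a mechanical diff rather than a manager's guess; the review is idempotent, so it can run on every cycle and feed a ticket per finding.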
25. Back to office
• Governments are slowly allowing companies to call their
employees back to the office
• Users may bring an infected system to the office
• Users may also bring their personal systems to the office
• NAC controls should be effective in keeping infected systems
out of the network or in an isolated segment
26. Governance Practices
Set governance practices
• To ensure execution of all critical activities which were
being delivered in the normal work scenario
• To monitor the effectiveness of the security practices built & the
security posture of the organization
• To identify, review & track severe risks
• To take decisions on the mitigation of severe risks