There is nothing like a global crisis to bring out the best in people. But sadly, it also brings out the worst in some, and the COVID-19 pandemic has created a feeding ground for cybercriminals. A joint alert from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warns of “growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.”
The alert warns that advanced persistent threats (APT) and cybercriminals are not discriminating – they are targeting individuals, small-to-midsize businesses and large organizations alike with scams and phishing emails that prey on elevated fears and a heightened sense of alarm. Some of the threats noted include email and SMS phishing campaigns using coronavirus or COVID-19 related subject lines or text, and exploitation of telework infrastructure such as VPNs and remote desktop programs.
MSPs now, more than ever, are in the position of needing to protect their users, their users’ clients and their own workers through a combination of education, enhanced security protocols and constant vigilance. So when even the most basic techniques can be mission-critical, it’s important to have a comprehensive to-do list for everyone involved.
All the security measures in the world won’t do any good if you don’t have a set of rules in place that all employees must follow. Under normal circumstances, studies have found that around 90% of all cyberattacks stem from human error, which means having a set of rules and regulations is a must. Right now, as hackers and cybercriminals are actively trying to take advantage of an unusual situation, an error that might have gone unnoticed could have devastating consequences, and the need for strictly enforced requirements is greater than ever before.
There are some basics rules and security measures that should always be in place here – multifactor authentication, for example, set at the administrator level so all users are required to use it. Likewise, password complexity requirements must be strong and the use of a password manager is recommended. And role-based security ensures permissions are set based on user job requirements, limiting access and ensuring that if the first two requirements fail, access to specific files, silos or other critical areas are limited and the damage can be less than if the hacker had full access to a network.
Naturally, the first level of pushback will come from the least tech-savvy users – the ones who respond with “I don’t understand two-factor authentication,” or “How do I know if I shouldn’t click on a link?” A detailed how-to document or, even better, an internal video or screen-share to demonstrate, will go a long way. Even the least adaptable of employees are going to need to understand the basics.
Equally important is end-user training on security threats and how to recognize them. Phishing has always been a common technique for malicious actors, but now more than ever an emotionally vulnerable population is easy prey for emails titled “Coronavirus Updates” or an SMS with a link to apply for alerts or economic assistance. The best advice for everyone is simply, “don’t click anything.” Also important, though, is that the IT team or MSP is alerted to the attempt. By encouraging recipients to forward any questionable email or text (be prepared to create a how-to document on taking a screenshot or forwarding a text), they can feel sure that they aren’t missing out on legitimate messages and the MSP/IT team has information on potential scams that can be then passed along to other clients.
Advanced endpoint protection
Antivirus tools are just not adequate in today’s threat environment; their abilities are limited and miss many types of intrusions, and a threat actor can often be present without detection. It is imperative that you have advanced endpoint protection tools coupled with a 24x7x365 fully managed Security Operations Center (SOC). Endpoint protection should be present on servers and individual computers at a minimum, and it is suggested for mobile devices and IoT devices as well.
The endpoint tool, while important, cannot protect you alone. A highly trained SOC monitors the messaging from the tools and takes action when malicious activity takes place. Cybercriminals know to be active when you are most vulnerable; they are thankful that you are enjoying Thanksgiving dinner, for example, because it provides a perfect time and long weekend to take advantage of your vulnerabilities. The faster you act during a cyber event, the better the outcome. A sophisticated SOC reacts immediately and is full of highly compensated, sophisticated isolation and remediation experts.
Many traditional office workers have office-issued laptops that are either their primary device or a company-supported option for travel. However, many others previously had a desktop as their only computer, and when telework became a fast-tracked health measure, IT departments began to scramble. Were users allowed to bring desktops home? Now, devices that were not meant to leave the office are doing so, and employees in roles that have compliance requirements must somehow continue to do their jobs.
Encryption services come in two basic formats — file-level and full-disk encryption. Full-disk encryption, or FDE, is a hardware-level, protocol-agnostic option that converts data on a hard drive into encrypted data requiring a key for access. It is automatic and generally easier to deploy and manage. It also meets compliance regulations for “data at rest” – data that would typically also be protected by outer defenses like firewalls that, if in place at all on a home network, are not likely to be enterprise-grade. An FDE solution deployed on all company devices can help ensure compliance, and also avoid some of the compatibility issues that may be presented by native Windows or Mac solutions.
VPNs have become more common for consumer use, and products like Nord VPN or Private Internet Access are readily available. Myriad articles warning of the dangers of public Wi-Fi have prompted many consumers to download these products, and they certainly serve the purpose of securing a connection and protecting data in transit when connected to a hotspot in a public place. But for a robust, secure connection that is configurable by an MSP or IT provider, business or enterprise-grade VPNs are best. They are designed to protect an entire network, allowing remote users to tunnel into a dedicated server, giving an admin full control over connections.
It is worth noting that CISA issued an alert on enterprise VPN security on March 13, which was the point at which work-from-home orders were just beginning to become common. At that point, CISA noted that more vulnerabilities were being found and targeted by malicious cyber actors, later noting in a joint CISA/NCSC alert that actors had been observed scanning for publicly known vulnerabilities in Fortinet, Palo Alto, Citrix and Pulse Secure. However, by following guidance and with the ability to deploy system-wide updates allowed by enterprise VPNs, it is possible to keep the network secured, even when it is being accessed from multiple home connections.
The best-laid plans still need a backup strategy, so it is critical to have a reliable backup and disaster recovery (BDR) service in place. A scalable, adaptable BDR solution will cover all the situations mentioned previously, automating backup while shielding against ransomware and encrypting data. A cloud-based solution, even as a backup to an on-premise solution, will ensure that valuable data is protected, encrypted and backed up from any location. Integration with commonly used systems like Office 365, SharePoint, G-Suite and more will ensure that all critical data gets backed up and is easily accessible for restoration from anywhere.
We are living in interesting times – unprecedented times. But for IT departments partnering with experts and providing essential services in the best of times, the worst of times are merely an extra challenge they are well-equipped to meet.
As of right now, we have no idea if or when we’ll return to “normal,” but it seems certain that whenever it is, it will not be the normal we used to know – it will almost definitely be a new normal. As organizations learn that more jobs than previously thought lend themselves to being done remotely, workers may continue to work remotely even after business as usual returns. The ability to provide a smooth transition and necessary support for that remote workforce will be an important one, and we may soon have a workforce that is far more security conscious than ever before.
Security is not an area to go it alone. A well-managed SOC coupled with the right toolset looks to follow the framework set forth by the National Institute of Standards and Technology (NIST): identify, protect, detect, respond and recover in the event of a problem. Learn more about the NIST Cybersecurity Framework at https://www.nist.gov/cyberframework.
John Schweizer is Vice President — Channels and Business Development, Connectwise. John has had tenured runs in key executive positions at office equipment giants like Alco Standard-IKON, Ricoh and most recently as the CEO of a Xerox owned company. He also had principal ownership in a dealership in San Diego. John currently serves as a member of the advisory board for the cybersecurity firm, Fhoosh.