Chris Kubic is the Chief Information Security Officer (CISO) at Fidelis Cybersecurity. Kubic brings more than 30 years of experience driving Information Assurance and Cybersecurity initiatives.
Several months ago, I provided guidance on what to consider when shifting your workforce and business operations to a work at home posture. As expected, cyber criminals and nation-state attackers took advantage of the COVID-19 situation to ramp up their attacks against work at home employees and remote access solutions. Attackers used (and continue to use) a variety of attack vectors to compromise remote access, including COVID-19 themed phishing, exploitation of unpatched vulnerabilities in VPN gateways, and attacks against popular software and services such as web browsers, remote desktop services (e.g., RDP), consumer-grade routers, and cloud-based applications like Zoom.
As we begin to shift employees back to the office, it is safe to assume that attackers will shift gears once again to take advantage of the seams created by our employees (and their IT devices) returning to the office. It is also safe to assume that the shift back to the office won't happen overnight, so we need to be prepared for an environment where some workers are in the office, some continue to work from home, and some move back and forth. As you pull together your company's plans and procedures for returning employees to the office, I thought it would be a good time to update my previous work at home guidance to highlight the cybersecurity considerations for returning employees to the office.
As employees return to the office, many will bring the device they have been using to work from home (e.g., corporate laptop, personally owned computer, mobile device) with them and will want to connect that device to the corporate network to keep working from it and/or to sync files stored on it with their corporate account. The risk this poses depends on how well those devices were secured and managed while they supported work at home operations.
If the devices were corporately managed and had robust endpoint protections, meaning they were configured to meet your corporate security policy, regularly updated and patched, had robust anti-virus and anti-malware protections in place, and were remotely monitored by your corporate IT/security team, then reconnecting them to your corporate network is relatively low risk. If that was not the case, you will want a process for safely reintroducing those devices and/or the data on them to your corporate network. At a minimum, confirm that the device software is up to date, the device is properly patched, and the device and its data are free of malware before reintroducing the device and/or data to your network, and keep the device on an isolated quarantine segment until those checks are complete.
Because processes are prone to human error, I strongly recommend deploying capabilities such as Fidelis Network Traffic Analysis (NTA) to your network so that you can detect and block malware should a compromised device be accidentally reconnected. The key consideration is that you will be introducing potentially malicious devices behind your corporate Internet boundary (and your Internet-facing security sensors), so you will want to monitor your internal "East-West" network traffic as well as the "North-South" traffic traversing your Internet boundary. Don't forget to think through WiFi connectivity. If your employees return with devices that had joined the office WiFi before moving to a work at home posture, those devices will likely reconnect automatically the moment they are back in range. Changing your WiFi access point passphrase is a simple way to keep them off the network until you are ready for them; this only works for networks that use a shared passphrase (WPA2-PSK). On an 802.1X network, disable the returning devices' credentials or certificates, or use network access control to park unknown devices in a quarantine VLAN, to get the same effect.
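The reintroduction gate described in the two paragraphs above, as an added example (this is illustrative code, not Fidelis software or the process the post's author uses). It parses constructed DHCP/Wi-Fi log lines, looks each device's MAC up in a hypothetical clearance record that the IT/security team fills in as the device works through the patch, anti-virus and malware-scan checks, and decides whether the device may leave the quarantine segment. The field names (patched, av_current, scan_clean) and the log formats are assumptions for the example.

```python
"""Gate returning devices on the reintroduction checklist.

Added example, not Fidelis code. The clearance records and the DHCP/Wi-Fi
log lines are constructed; the field names patched, av_current and
scan_clean are hypothetical stand-ins for the checks the post describes.
"""
import re

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# The checks the post requires before a device (or its data) comes back onto
# the corporate network. All of them must have passed.
REQUIRED_CHECKS = ("patched", "av_current", "scan_clean")

# Constructed clearance records, keyed by MAC address, maintained by the
# IT/security team as each returning device works through the process.
CLEARANCE = {
    "aa:bb:cc:00:00:01": {"managed": True, "patched": True, "av_current": True, "scan_clean": True},
    "aa:bb:cc:00:00:02": {"managed": False, "patched": True, "av_current": True, "scan_clean": True},
    "aa:bb:cc:00:00:03": {"managed": False, "patched": False, "av_current": True, "scan_clean": False},
    # aa:bb:cc:00:00:04 has no record at all: it never went through the process.
}

# Constructed dnsmasq-style DHCPACK lines plus a hostapd association line,
# i.e. what you see when devices that remember the office Wi-Fi reconnect on their own.
SAMPLE_LOGS = """\
Jun 15 08:01:12 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.51 aa:bb:cc:00:00:01 LT-KUBIC
Jun 15 08:02:30 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.52 aa:bb:cc:00:00:03 HOME-PC
Jun 15 08:03:05 wlc hostapd: wlan0: STA aa:bb:cc:00:00:04 IEEE 802.11: associated
Jun 15 08:03:44 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.53 aa:bb:cc:00:00:02 JANES-MACBOOK
"""


def evaluate_device(mac, clearance):
    """Return ("allow", []) only when every required check passed, otherwise
    ("quarantine", reasons) naming the failed checks or the missing record.
    A device with no record is treated as never having been checked."""
    record = clearance.get(mac)
    if record is None:
        return "quarantine", ["no clearance record"]
    failed = [check for check in REQUIRED_CHECKS if not record.get(check, False)]
    return ("allow", []) if not failed else ("quarantine", failed)


def evaluate_logs(log_text, clearance):
    """Pull every MAC seen in the log lines and decide allow/quarantine for each.
    The IP is recorded when the line carries one (DHCPACK lines do, association lines don't)."""
    results = {}
    for line in log_text.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue
        mac = mac_match.group(1).lower()
        ip_match = IP_RE.search(line)
        verdict, reasons = evaluate_device(mac, clearance)
        results[mac] = {
            "ip": ip_match.group(1) if ip_match else None,
            "verdict": verdict,
            "reasons": reasons,
        }
    return results


if __name__ == "__main__":
    for mac, info in evaluate_logs(SAMPLE_LOGS, CLEARANCE).items():
        print(f"{mac}  {info['ip'] or '-':<15} {info['verdict']:<10} {', '.join(info['reasons'])}")
```

In a real deployment the clearance record would be fed from your endpoint management and anti-virus consoles rather than typed in, and the quarantine verdict would drive a VLAN assignment or a firewall rule on the access layer; the point here is that a device which reconnects before anyone has looked at it should end up in the "no clearance record" bucket rather than on the production network.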
There are numerous NTA solutions on the market including Fidelis Network. The following guide is a good resource for implementing a Network Traffic Analysis solution and highlights some of the features to look for in an NTA tool.
Unpatched vulnerabilities have been heavily exploited by cyber criminals and nation-state attackers during COVID-19, and I expect that trend to continue as we shift back to working from the office. If you are interested in better understanding current and emerging threats related to COVID-19, Fidelis Cybersecurity has produced a very informative podcast on the topic.
Cyber criminals and nation-state attackers are opportunistic and are taking advantage of current events. We can't let that happen, so I encourage you to stay diligent with your updates and patches. Fidelis Cybersecurity NTA solutions can assist by generating terrain maps of your infrastructure and an inventory of the devices and software deployed within it, mapping those devices and software against CVEs, and reporting the update and patch status of each device. A feature of our NTA platform that I find particularly useful is a risk score for each device that takes into account the device's connectivity (exposure), mission criticality, and patch status, producing a prioritized "1 – n" list of vulnerable devices. The risk scores (and threat detection rules) are enriched by Fidelis Cybersecurity's Threat Intelligence feed, so that scores and detections are continually updated to track new and emerging threats. I find the risk score a great metric for tracking overall enterprise risk and for focusing our security operations team's limited resources on remediating the devices that pose the greatest risk to the enterprise.
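To make the "exposure x criticality x patch status" idea concrete, here is an added, illustrative ranking routine. It is my own scoring formula for the example and is not Fidelis' NTA risk-scoring algorithm. The inventory, the 0-10 severity values (standing in for CVSS base scores; look the real ones up in NVD) and the "exploited in the wild" set (standing in for a threat-intelligence feed) are all constructed; the CVE identifiers are the ones this post lists.

```python
"""Rank devices by risk from exposure, mission criticality and patch status.

Added, illustrative example: the weights and formula are the example's own,
not Fidelis' NTA risk scoring. Inventory, severities and the exploited set
are constructed; in practice they come from the asset inventory, NVD/CVSS
and a threat-intelligence feed.
"""

EXPOSURE_WEIGHT = {"internet": 3.0, "wifi": 2.0, "internal": 1.0}
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
EXPLOITED_BOOST = 1.5      # extra weight for CVEs the intel feed marks as exploited in the wild
UNKNOWN_SEVERITY = 5.0     # conservative default when a CVE has no severity on record

# Constructed: 0-10 severity per CVE (check NVD for real CVSS values).
SEVERITY = {
    "CVE-2019-19781": 9.8,  # Citrix Gateway
    "CVE-2019-2725": 9.8,   # Oracle WebLogic
    "CVE-2017-5638": 10.0,  # Apache Struts
    "CVE-2017-11882": 7.8,  # Microsoft Office
    "CVE-2020-8772": 9.8,   # InfiniteWP WordPress plugin
}

# Constructed threat-intel feed: CVEs currently seen exploited in the wild.
EXPLOITED = {"CVE-2019-19781", "CVE-2019-2725", "CVE-2017-5638", "CVE-2017-11882"}

# Constructed inventory: what an NTA/asset tool would produce, including the
# CVEs still unpatched on each device. "wifi" marks returning BYOD-style devices.
INVENTORY = [
    {"name": "vpn-gw-1", "exposure": "internet", "criticality": "high", "unpatched": ["CVE-2019-19781"]},
    {"name": "fileserver-2", "exposure": "internal", "criticality": "high", "unpatched": []},
    {"name": "wp-intranet", "exposure": "internal", "criticality": "medium", "unpatched": ["CVE-2020-8772"]},
    {"name": "LT-HOME-PC-7", "exposure": "wifi", "criticality": "low", "unpatched": ["CVE-2017-11882"]},
    {"name": "weblogic-dev", "exposure": "internet", "criticality": "low", "unpatched": ["CVE-2019-2725", "CVE-2017-5638"]},
]


def patch_component(unpatched, severity, exploited):
    """0 when fully patched; otherwise the worst (boosted) severity plus 0.5
    for each additional unpatched CVE, so breadth of exposure still counts."""
    if not unpatched:
        return 0.0
    weighted = [
        severity.get(cve, UNKNOWN_SEVERITY) * (EXPLOITED_BOOST if cve in exploited else 1.0)
        for cve in unpatched
    ]
    return max(weighted) + 0.5 * (len(weighted) - 1)


def risk_score(device, severity=SEVERITY, exploited=EXPLOITED):
    """Exposure weight x criticality weight x patch component, rounded to one decimal."""
    exposure = EXPOSURE_WEIGHT[device["exposure"]]
    criticality = CRITICALITY_WEIGHT[device["criticality"]]
    return round(exposure * criticality * patch_component(device["unpatched"], severity, exploited), 1)


def rank_devices(inventory, severity=SEVERITY, exploited=EXPLOITED):
    """Return the inventory as a 1-n list, highest risk first (ties broken by name)."""
    scored = [{**device, "risk": risk_score(device, severity, exploited)} for device in inventory]
    return sorted(scored, key=lambda d: (-d["risk"], d["name"]))


if __name__ == "__main__":
    for rank, device in enumerate(rank_devices(INVENTORY), start=1):
        print(f"{rank}. {device['name']:<14} risk={device['risk']:>6}  unpatched={device['unpatched']}")
```

Two things the ranking shows that a flat CVE count would not: a low-criticality development box on the Internet with two exploited CVEs outranks an internal server of higher business importance, and a fully patched critical server correctly drops to the bottom of the list. When the intel feed changes (a CVE is newly reported as exploited), re-running the ranking re-prioritises the remediation queue without touching the inventory.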
As you return to the office, it's a good time to assess your data management practices and policy and corral the corporate and sensitive data that has been created, copied, shared, and maintained on work at home and mobile devices. As the quarantines are lifted, those devices will become mobile again, potentially exposing that sensitive data to loss or theft. Some things to consider: Is the data encrypted at rest (or, preferably, encrypted at the individual data record level) on your remote employees' devices? Is the data automatically backed up to your corporate servers or to the cloud, so that you maintain a corporate record of all critical data? Do you have adequate monitoring on your endpoints to detect misuse by your employees or data exfiltration by an attacker? I would suggest reviewing your business workflows (particularly those that gave work at home employees access to sensitive data), validating that those workflows continue to meet your compliance and data protection rules and regulations for employees who keep working at home, and developing procedures for reintroducing any locally stored data into the corporate environment.
We saw numerous examples of cyber criminals and nation-state actors using COVID-19 themed phishing attacks to compromise work at home devices, and I expect phishing to remain a leading attack vector as we return to the office. While phishing is certainly not a new cybersecurity concern, the return to the office is a good time to remind employees of your corporate policies related to online activities, your expectations for proper online behavior, and tips for staying safe online. For instance, don't click on links in an e-mail or open e-mail attachments from an unknown or untrusted source. You will also want to reiterate what they should do if they receive a suspicious e-mail: delete the message, forward it to your security operations team, etc. Make it as easy as possible for employees to report suspicious e-mails and activities, to increase the likelihood that they will reach out to your security operations team when something does not look right to them.
Notes

VPN and remote access gateway vulnerabilities referenced above: Citrix Gateway (CVE-2019-19781), Pulse Secure (CVE-2019-11510), and Fortinet Fortigate (CVE-2018-13379)

Other heavily exploited vulnerabilities referenced above: Apache Struts (CVE-2017-5638, CVE-2017-12611, CVE-2018-11776), Microsoft Office (CVE-2017-11882), Oracle WebLogic (CVE-2019-2725), and a popular WordPress plugin, InfiniteWP (CVE-2020-8772)

Previous post: Maintaining Your Cybersecurity Focus as you Shift to Work at Home