Companies will feel the effects of the global pandemic for several years, and many businesses won’t survive the transformation tsunami that’s slowly, but surely coming. Organizations that survive won’t stay the same, and that also applies to their security practices. Security teams have to identify the cybersecurity obstacles the company faces and explain them to top management.
Cyberattacks have been on the rise for several years. More and more criminal groups have appeared on the world stage, looking to grab a slice of an ever-expanding cybercrime pie. Cybersecurity defenses scaled along with the attacks, but then came COVID-19 and the situation suddenly got worse.
Society may return to normal in the next few years. People will shake hands again, gather at concerts and in stadiums, and reclaim some of the lost social ground. Cybersecurity doesn’t have the same luxury. It can’t return to the way it was because it’s not a unilateral move. Bad actors have found new ways to attack organizations – and there’s no turning back. The threat actors now exploit the misconfigurations to the company’s infrastructure left behind by IT and security teams accommodating remote work. Even network security policies that took into account perimeter security hardware are often still in effect on endpoints that no longer reside within the company’s internal network, and attackers can exploit these forgotten misconfigurations to their advantage.
A recent Bitdefender study found that 50 percent of infosec professionals had no contingency plan for the pandemic, and the nature of the emergency ensured that companies had a difficult time adapting. Security teams had to make emergency plans on the spot, and policies that would typically take months to implement were applied overnight.
Criminals will use any situation that leverages uncertainty to their advantage, and that's exactly what's happening during the pandemic, with 86 percent of infosec professionals reporting an increase in the number of attacks, according to the same Bitdefender survey. Phishing and whaling attacks are leading the charge.
Among the obvious targets are professionals working from home, and there are numerous reasons for concern. Bitdefender’s survey shows that 34 percent of security professionals fear that employees are more lax about security issues because of their surroundings, while 33 percent worry that employees are not sticking to protocols, especially in identifying and flagging suspicious activity.
Other problems exist, although they are not all that obvious at first glance. Consider that remote workers are connecting to the corporate infrastructure from unsecured networks, sometimes through vulnerable routers, introducing new risks and expanded surface areas.
Two in five infosec pros say that employees using untrusted networks pose a risk to their organization, while 38 percent say there’s a risk in another person having access to an employee’s device. Additional issues include other people using the same devices for their work and personal lives.
Organizations are looking to implement new technologies that improve their visibility into this new networking environment. When everyone was under one roof, tracking network activity was more manageable, but now that most employees connect remotely, new tools are needed. Let’s consider what organizations should plan for as they consider the long-term implications of extended remote work environments.
- Train the staff. Companies have to train people to deal with the new normal. Humans are usually the weakest link in an attack kill chain, and they are often easier to bypass than security. Businesses should instruct staff on new security policies, make them aware of the current threats their organization faces in terms of malware, and even how to spot and report suspicious emails and phishing attempts.
- Rethink the company’s security priorities. Cybersecurity consists of a two-part equation, with employees on one side and the security team on the other. Companies have to reflect the massive changes in infrastructure by creating new threat models, and they must reconsider existing policies. Such upheavals usually lead to blind spots for security teams, missed alerts, or even alert fatigue if systems are not properly set up. For example, some company polices took into account network security appliances. In the new work-from-home scenario, those policies are often not as reliable because employees work on a home network that lacks such appliances.
- Focus on threat intelligence telemetry. These products are crucial for companies looking to prevent, investigate and respond to threats. Threat intelligence lets IT and security teams focus on relevant security alerts that could indicate a potential breach or compromise. While security pros may not automatically consider an alert such as a PowerShell script executed from an employee endpoint a security threat, from a threat intelligence perspective it could flag a behavior associated with an advanced threat. Since scripts, such as Microsoft Office Macros, PowerShell scripts, or WMI scripts, are not malicious per se in the eyes of a traditional security solution, attackers often use them to run instructions with output that may compromise security, such as disable applications, other malicious payloads downloaded, or sending system information to attached-controlled servers.
- Deploy analytics. Companies serious about cybersecurity have to undergo endpoint risk analytics (ERA) and determine the right steps for hardening. This often includes keeping the OS up-to-date to curate any running services and shut down unnecessary ones, and continuously monitoring endpoints for misconfiguration. Endpoint misconfigurations are far more relevant than they might seem, especially for SMBs. According to a Bitdefender survey, endpoint misconfiguration represents 27 percent of the threat entry points exploited by attackers, and they are usually related to accounts, password storage and management, internet settings, and remote desktop protocol management.
- Communicate goals to top management. Security pros have to explain these plans to top management so they can get sign-off on security budgets to develop training and awareness programs, reassess policies, and deploy threat intelligence and analytics. CEOs now understand that a major security breach can end their career. Don’t use scare tactics, but point out the risks and offer a reasonable budget and holistic plan that top management can get behind.
While it’s challenging to predict what the future brings, it’s clear that life won’t go back to the way it was, and organizations are already doing their part to adapt. Following these security guidelines will make their path clearer and safer going forward.
Liviu Arsene, global cybersecurity researcher, Bitdefender