Due to the current COVID-19 situation, many employees must work outside of the office to minimize the spread of infection. But until recently, most organizations have not required employees to work remotely, so there is now a rush to implement the necessary technology to do so.
What is commonly neglected is the need for secure channels to facilitate access to internal systems by external users.
There are severe consequences for failing to implement security controls that prevent an attacker from obtaining the same access to a company’s systems as a remote employee.
A common weakness is the exposure of the Remote Desktop Protocol (RDP) and other remote access protocols, especially when these are reachable directly from the internet.
From Gridware’s experience in incident response, having RDP accessible to users outside of an organization is often the root cause of attacks that can cripple a company’s IT infrastructure and halt operations.
There has already been an immense impact on Australia’s economic growth and the livelihood of businesses due to COVID-19. Because of this, businesses are left extremely vulnerable to further malware attacks that can shut down operations permanently.
Another significant risk is the increase of phishing campaigns and scams that take advantage of people’s fear during the COVID-19 pandemic.
According to Scamwatch, there were already 2401 reports made to the Australian Competition and Consumer Commission (ACCC) of phishing scams in January 2020.
By comparison, as of 20 February 2020, 2942 phishing scams had already been reported for that month alone (https://www.scamwatch.gov.au/about-scamwatch/scam-statistics?scamid=31&date=2020).
More specifically, the Australian Cyber Security Centre (ACSC) has been notified (https://www.staysmartonline.gov.au/alert-service/covid-19-scam-messages-targeting-australians) of a scam distributed through text messages that purport to come from a “GOV” sender and contain a link for details on “how to get tested in your geographical area” for COVID-19.
The public is in disarray already during this current crisis, with supermarkets being left barren and shelves emptied by panic-buying shoppers. Because of this, individuals are more vulnerable to these kinds of phishing scams that play on people’s fears; many are desperate to be tested for the virus to avoid spreading it to other vulnerable family members, such as the elderly and small children, and others want to seek clarity in this current state of disorder.
It is imperative that the community is educated on the cyber threats that will arise during the current COVID-19 pandemic and that businesses have the required knowledge to secure their systems in case of attack.
To assist in this, Gridware has prepared a checklist of what remote employees need to stay cyber safe based on our experience in responding to cyber incidents:
- Ensure RDP isn’t open to the entire internet – While protocols such as RDP are necessary to allow employees to gain remote access to systems within a company’s internal network, this can be a significant security risk. If an employee can connect to a company’s internal systems from the outside, so can a potential attacker. Although having the correct user credentials is often required for RDP connectivity, it is a simple task for attackers to brute force or steal user credentials. In many incidents Gridware has been involved in, all it takes is for one insecure machine to be accessed by an attacker for malware to then spread to other connected machines within an organization’s internal network.
- Use a corporate VPN (https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html) – VPN is short for virtual private network. A VPN service is essentially the virtual equivalent of an internal, private network that remote users connect to over encrypted channels. Implementing a VPN allows employees to connect to an organization’s systems remotely without the private network being open to the entire internet, thereby ensuring that remote-access protocols aren’t accessible to unauthorized users.
- Multi-factor authentication (MFA) (https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984#) – Multi-factor authentication is a method that uses two or more authentication factors to authenticate a user. Usually, this is implemented by requiring a user password for login together with a one-time password (OTP) that is generated by an authenticator app or sent over SMS as a one-time code. Enabling MFA on all employee email accounts can eliminate the risk of a business email compromise (BEC), where an attacker hijacks an email chain from a legitimate user’s account. Additionally, MFA can be enabled for all VPN accounts that employees use to connect to the organization’s internal network, and for RDP logins. This significantly reduces the risk of an attacker brute-forcing RDP credentials to gain unauthorized access to a company’s systems, ensuring that remote employees can work safely and without disruption.
- User education – last but not least, educate your users. User education is a highly effective control and is listed as one of the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents (https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents). Users can be given the knowledge to recognise phishing emails, avoid unsafe websites and use strong passwords with multi-factor authentication. Education is especially important for notifying users of the scams currently being distributed during the COVID-19 pandemic and how to avoid them.
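The first checklist item warns that an internet-facing RDP service invites credential brute-forcing. One way a defender can spot that pattern is to watch the Windows Security log for runs of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from a single source address, and to flag a subsequent successful logon (Event ID 4624) from the same address as a possible compromise. The script below is an added example written for this page, not Gridware’s tooling; the event records are constructed samples in a simplified key=value form rather than real log output, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag RDP brute-force patterns in Windows Security log records.

Added example (not from the original post). Records are constructed
samples in a simplified "timestamp key=value ..." layout; a real
deployment would parse exported EVTX/XML or a SIEM feed instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Windows Security: an account was successfully logged on
REMOTE_INTERACTIVE = 10   # LogonType used by RDP sessions

# Constructed sample events: one external address tries several accounts in
# quick succession and then gets in; an internal VPN user mistypes once.
SAMPLE_EVENTS = [
    "2020-03-20T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-03-20T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45",
    "2020-03-20T02:14:05 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45",
    "2020-03-20T02:14:07 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45",
    "2020-03-20T02:14:09 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45",
    "2020-03-20T02:14:11 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45",
    "2020-03-20T08:30:00 EventID=4625 LogonType=10 TargetUserName=mlee IpAddress=10.8.0.12",
    "2020-03-20T08:30:20 EventID=4624 LogonType=10 TargetUserName=mlee IpAddress=10.8.0.12",
    "2020-03-20T09:00:00 EventID=4625 LogonType=3 TargetUserName=svc_print IpAddress=10.0.0.7",
]


def parse_event(line):
    """Turn one constructed record into a dict with a datetime and typed fields."""
    timestamp, *fields = line.split()
    event = {"time": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["EventID"] = int(event["EventID"])
    event["LogonType"] = int(event["LogonType"])
    return event


def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: details} for addresses with >= threshold failed RDP
    logons inside a sliding window; details records the usernames tried and
    whether a successful RDP logon from that address followed the burst."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    recent_failures = defaultdict(list)  # ip -> [(time, username), ...]
    alerts = {}
    for event in events:
        if event["LogonType"] != REMOTE_INTERACTIVE:
            continue  # only RDP sessions are of interest here
        ip = event["IpAddress"]
        if event["EventID"] == FAILED_LOGON:
            recent_failures[ip].append((event["time"], event["TargetUserName"]))
            # keep only failures that fall inside the window ending at this event
            recent_failures[ip] = [
                (t, user) for t, user in recent_failures[ip] if event["time"] - t <= window
            ]
            if len(recent_failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
                alert["failures"] = len(recent_failures[ip])
                alert["users"] = {user for _, user in recent_failures[ip]}
        elif event["EventID"] == SUCCESSFUL_LOGON and ip in alerts:
            # a success right after a burst of failures is the case to escalate
            alerts[ip]["success_after"] = event["TargetUserName"]
    return alerts


if __name__ == "__main__":
    for ip, details in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {details['failures']} failed RDP logons, users tried {sorted(details['users'])}, "
              f"successful logon afterwards: {details['success_after']}")
```

On the constructed sample the external address is flagged with five failures across four usernames and a following success as `jsmith`, while the single mistyped VPN logon and the non-RDP network logon are ignored. Each alert on a real network is a prompt to confirm whether the successful logon was expected, not a verdict on its own.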
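The MFA checklist item describes the one-time password generated by an authenticator app. That code is a time-based OTP (RFC 6238 TOTP, built on RFC 4226 HOTP): the app and the server share a secret, and both derive the current six-digit code from an HMAC over the current 30-second time step. The block below is an added example written for this page, not code from Gridware or any authenticator product; the shared secret is the RFC 6238 test-vector key, and the `TotpVerifier` class (with its one-step clock-drift allowance and replay rejection) is an illustration of what a server-side check should do, not a drop-in library.

```python
"""TOTP generation and server-side verification (RFC 6238 / RFC 4226).

Added example (not from the original post). RFC_SECRET is the ASCII key
from the RFC 6238 test vectors, so the outputs can be checked against it.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret (SHA-1)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check: accepts a code for the current step or one step
    either side (clock drift), and never accepts the same step twice so a
    captured code cannot be replayed within its validity window."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code, at_time=None):
        if at_time is None:
            at_time = time.time()
        counter = int(at_time) // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self.last_counter:
                continue  # already used: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = candidate
                return True
        return False


def replay_check(secret=RFC_SECRET, at_time=59):
    """Submit the same valid code twice; returns (first_result, second_result)."""
    verifier = TotpVerifier(secret)
    code = totp(secret, at_time)
    return verifier.verify(code, at_time), verifier.verify(code, at_time)


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59))           # 287082 per RFC 6238
    print("code at t=1111111109:", totp(RFC_SECRET, 1111111109))  # 081804
    print("first use / replay:", replay_check())
```

The two design points worth carrying into a real deployment are the constant-time comparison (so a code cannot be guessed digit by digit from response timing) and the `last_counter` bookkeeping, which turns the password into a genuine one-time value even inside the drift window. Rate-limiting verification attempts per account is the other control a production verifier needs, since a six-digit code has only a million possibilities.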
While cyber-attacks are on the rise as businesses switch to working remotely, your organization does not have to be at risk.
Gridware has extensive experience in incident response and assisting businesses in formulating strategies to keep systems secure. For more information, consult Gridware to see how we can help you.