It’s common among the many areas of knowledge to separate subjects by specialization, dividing efforts between people in order for us to evolve as a species from the contribution of each form of work, each science, or each perspective of reality. However, nobody is an island, and the coronavirus pandemic is a proof of this, having repercussions in psychology, politics and economics. Of course, all of this affects security as well, because when the sense of emergency, haste, and fear start to dictate reality, we stop doing important things, expose ourselves to unnecessary risks, and become an opportunity for criminals to make easy money.
That’s why we, at Tempest, understand the need to share as much content as possible, helping people and businesses protect themselves from cyber-attacks while facing the enormous challenge of balancing personal life and work in a situation like the one we’re in. However, we do not want to recommend what is ideal or indicate what is expensive or impossible. Basically, what we’re going to do in this series is to give tips considering the circumstances, and we intend to do this until this storm passes.
In this first section we look at companies that have faced the challenge of setting up a remote access infrastructure very quickly.
In the Heat of the Moment
Companies whose business doesn’t assume remote working have possibly had (or are currently having) to set up client-to-site VPNs in a hurry. The technology literature talks a lot about the importance of planning and defining security requirements before deployment, but it’s clear that we’re a long way from the ideal, so if you’ve implemented this infrastructure without considering security, it’s perfectly understandable.
Getting everyone to work from home is the priority, but as soon as this phase is over special attention needs to be paid to a few points such as authentication, vulnerability management, exposure, review of access permissions, and monitoring. All are very critical and cannot be neglected, but “the order of factors” depends a lot on your context and the experts you have at your disposal.
If the situation is new for you who have put the infrastructure in place, imagine for the users. Many people are scared, thinking about their elders, how to deal with the children at home, and other essentially human things. So don’t expect that everyone will create long, unique, complex passwords and that they will be stored in a protected place.
We often say in posters and awareness emails that “security is everyone’s duty”, but you can’t count on that in contingencies like this. In this situation the security officer needs to consider this issue.
The way forward is to implement a two-factor authentication solution (look for 2FA) especially in the VPN product, as this creates one more barrier against a common attack: when the criminal tries to break into the network using a repository of passwords leaked in other incidents.
There are several 2FA products to suit all budget sizes, including free versions.
Recently a study was released finding that some criminal groups specialize in exploiting vulnerabilities in VPN products from multiple manufacturers. These attacks were the starting point for establishing persistence and stealing information from a large number of companies.
Keeping systems up to date is something that should be prioritized in technologies that are in contact with the Internet, and VPN systems may be the most critical point in your infrastructure at this point, because what attracts the interest of attackers is that if he manages to circumvent the security of this mechanism, he can, among other things, pass himself off as a legitimate user accessing the corporate network.
The use of 2FA can make attacks like these more difficult, but it doesn’t solve all problems. It’s important to consider that it’s common to have the VPN platform exchange information with other important services, such as the domain controller that authenticates users. Exploiting vulnerabilities in these technologies can serve as a pivot to attack other internal systems.
In addition to updating systems, it’s necessary to parameterize technologies in such a way as to avoid insecure configurations. An essential part of this, for example, is to change default passwords or remove unnecessary access.
The Center of Internet Security is an organization that creates guides (which they call benchmarks) for security configuration of various technologies. These are free downloadable documents with step-by-step instructions on how to configure each setting, but you need to use them carefully as some of these settings may be too restrictive for your context. Try to understand the possible impacts before applying them.
Keeping up to date with new vulnerabilities can also be essential in protecting your environment. The incident response center of the US government publishes a bulletin every week containing details about vulnerabilities released the previous week. A week may be too much in some cases but it’s still better than nothing. The entity also issues other alerts for relevant cases.
Still on the subject of vulnerabilities it’s recommended that you use specific scanning systems, some are free (search for “vulnerability scan”). These systems are not always completely reliable, so it’s important to be well informed about each product. Even so, they can help you get a picture of where to act if you don’t have anything in place.
Almost every day there is news about companies that misconfigure cloud systems, leaving databases exposed to anyone on the Internet. If these mistakes are made under normal conditions of temperature and pressure, imagine in a pandemic situation.
This is why it’s important to periodically check which servers are exposed to the Internet and correct deviations. The Shodan search engine can help you with this, just search for your network segment.
The “help” menu contains a lot of information on how to use the platform and the differences between the free and paid features. If you want to dig a little deeper, download the service manual.
Having all users working from home does not necessarily mean that these people will perform different activities than in the office. Therefore they do not need to access additional internal systems or have access privileges beyond what they had before.
If the systems have been hastily set up, there may be someone with more access than necessary. It’s worth taking the time to review permissions and group membership, and avoid granting access to individual users. Because it’s easier to remove a person from a group and lose all group-related access at once than it is to look up all the folders and parameters to which the person was individually attached.
Another important thing. You will need to have documented accesses in case people in your company (including yourself) contract the new coronavirus and have to leave the operation. That’s because you will need to reevaluate the accesses of the individuals who replace the sick ones. When people don’t know what access to give, they often give too many accesses.
In the case of the accumulation of accesses it’s essential to keep in mind the danger of granting both requester and approver accesses to the same person. Malicious use of these accesses (for example, if someone has stolen the system password) allows fraud to take place where the same person requests things (parts, goods, money remittances, etc.) and approves them. If many people get sick and you have no choice but to accumulate accesses on one individual, it’s worth implementing very strict monitoring of these systems and users.
Just as important as correcting failures is monitoring assets and being able to take action if something suspicious occurs. When we set up environments under a lot of pressure it’s common to put monitoring last on the priority scale, but to do so is like neglecting the symptoms of a sick person.
So, following the logic that the context is one of emergency and that there are few resources available, it is recommended to activate at least one syslog server sending security alerts to someone who will actually handle them.
There are also systems that correlate the logs (look for SIEM or HIDS) giving a slightly more contextualized perspective of what is happening and generating alerts only for the cases that are most likely to be something that truly requires attention. I leave here an implementation guide for OSSEC, a free HIDS.
I hope we’re helping you. Good luck and wash your hands!