Author: Bob Weiss March 16, 2020 0 Comments

This article by Bob Weiss first appeared in in his web log at https://wyzguyscybersecurity.com

Usually, I am combating computer viruses.  These days, I am defending against the coronavirus, and COVID-19.

Why am I, as a cybersecurity professional, posting an article on COVID-19?  Cybersecurity covers more territory than many people realize.  Of course, a cybersecurity professional is always focused on protecting systems, networks, data, and information.  But any cybersecurity certification I have personally taken has always had a section on physical security, such as locks and surveillance cameras.  These certifications also consider the importance of human safety, of protecting the people who use the computers, systems, and networks that we secure.  It is part of the curriculum for a cybersecurity professional.

To protect ourselves and fellow employees from the dangers of COVID-19 infection, many companies are sending their staff home to engage in social distancing and self-quarantine.  The goal of social distancing and self-quarantine is to slow down the rate of new infections to a level that will not overwhelm the health care system, and cause more human deaths than necessary.  With these measures, the infection rate cold be as low as doubling every two weeks.  Without these measures, the number of infections can double as frequently as every 4 days.  The first we can handle.  The second we cannot.

Teleworking or work-from-home options are being put into place and deployed as quickly as possible.  As our users move outside the usual defensive perimeter of the on-premise network, home-bound employees find themselves working on networks and systems that are not defended in the same way from cyber-attackers.  This creates additional new cybersecurity risks for both employees and their companies.

And this is a new major issue for IT departments and cybersecurity teams.  To help my professional peers with this endeavor, I have collected resources from credible experts and the responsible state and federal agencies.

• Implementation of Mitigation Strategies for Communities with Local COVID-19 Transmission from the Center for Disease Control.  This is a downloadable ten-page PDF document.
• Coronavirus Disease 2019 (COVID-19) – Guidance from the State of Minnesota.

  • Current recommendations

    • Stay home if you have cold or flu-like symptoms and avoid close contact with people who are sick.
    • Cover your coughs and sneezes with a tissue and throw the tissue in the trash.
    • Wash your hands often with soap and water for 20 seconds, especially after going to the bathroom or before eating. If soap and water are not readily available, use an alcohol-based hand sanitizer that contains at least 60% alcohol.
    • Avoid touching your face – especially your eyes, nose and mouth – with unwashed hands.

    Resources

    • Minnesota Department of Health’s website and hotline for the public: 651-201-3920
    • Centers for Disease Control and Prevention website
    • The state’s Employee Assistance Program provides free, confidential consultation on matters involved in your personal or professional life
    • The Ready.gov website offers tools to help you make and practice a preparedness plan

    Frequently Asked Questions

    •  What are my leave options if I get sick with COVID-19 or I have to care for my family member who is sick with COVID-19?
    •  Can I travel out of state for work?
    •  What is a state of emergency?
    •  Can I telework?
    •  How do I implement social distancing?
    •  What about staggered work schedules?
    •  What if I live in another state and commute to Minnesota for work?
    •  What are my work options if I am at risk for severe disease?
    •  If schools or daycares are closed, can employees take leave to take care of their children?

• CISA warns of cyber criminals taking advantage of coronavirus concerns from the Federal News Network.

• DHS’ cybersecurity agency to test remote capabilities amid coronavirus –  Last Friday, March 13 ( yeah Friday the Thirteenth) CISA tested teleworking with their own employees, in order to provide guidance other governmental agencies and businesses.

• AA20-073A: Enterprise VPN Security from US-CERT / CISAOriginal release date: March 13, 2020
  

  Summary

  As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.

  Technical Details

  The following are cybersecurity considerations regarding telework.

  • As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
  • As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
  • Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
  • Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
  • Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.

  Mitigations

  CISA encourages organizations to review the following recommendations when considering alternate workplace options.

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices.
  • Alert employees to an expected increase in phishing attempts. See CISA Tip Avoiding Social Engineering and Phishing Attacks.
  • Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.
  • Implement MFA on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords. (See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.)
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
  • Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns.

  References

  • NIST Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
  • CISA Cyber Essentials
  • CERT/CC: VPN – A Gateway for Vulnerabilities
  • National Security Agency Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities
  • CISA Insights: Risk Management for Novel Coronavirus (COVID-19)
  • Telework.gov Guidance

• Remote working due to coronavirus? Here’s how to do it securely – From Sophos Naked Security blog.  They offer a 5 step checklist for IT departments to follow:

  • Make sure it’s easy for your users to get started
  • Make sure your users can do what they need
  • Make sure you can see what your users are doing
  • Make sure they have somewhere to report security issues
  • Make sure you know about “shadow IT” solutions
• Coronavirus and Cybersecurity: Remote Workforce Risks to Track – From SecureWorld.  This article offers a similar list of concerns:
  • Requiring all employee devices to be equipped with the employer-provided security software and the latest manufacturer software updates prior to permitting access to any remote systems;
  • Requiring multifactor authentication upon each login to a company portal;
    Only allowing remote access through a virtual private network (VPN) with strong end-to-end encryption;
  • Prohibiting working from public places, such as coffee shops or on public transportation, where third parties can view screens and printed documents;
  • Prohibiting use of public Wi-Fi, and requiring the use of secure, password-protected home Wi-Fi or hotspots.
  • Imposing additional credentialing with respect to the ability to download certain sensitive data.

• Managing through and building resilience during the COVID-19 outbreak.  And this guide from Facebook

The death toll and economic impacts are looking bad and getting worse.  But if we all take care, maybe extraordinary care, we should be able to weather this storm and come out the other side, alive and reasonably unscathed.