Coronavirus and Information Security

-

 Like a whole lot of other people, to help prevent the spread of COVID-19, you may be either working from home or helping ensure others can, or both. Like a lot of people you may also be searching for information and resources to help cope. 

Unfortunately criminals realize that we are doing this. Whether they are doing it to advance the interests of a nation state or to make money, they are taking advantage of the situation, the fear, and confusion caused by the pandemic. I thought it might make sense to put together some pointers for how to protect the digital lives of you, your loved ones, and those whom you are protecting.

Phishing

As with every other crisis, criminals are using the pandemic to try to entice people into clicking on phishing emails. They use all the same tricks they always use. They try sending email from anyone who may be trusted, like the Department of Health and Human Services, or Johns Hopkins University, which is tracking the outbreak. Legitimate organizations will never send you unsolicited email with attachments that instruct you how to avoid the virus. All of these are fake.

The Electronic Frontier Foundation has a very good article with some easy to consume information on how to avoid getting scammed. 

Meanwhile, according to Krebs on Security someone is selling a malware kit using the Johns Hopkins interactive map (https://coronavirus.jhu.edu/map.html) of the infection status on Russian malware forums.

This will only get worse. Everyone needs to be vigilant and do these two things:

  1. Immediately delete any email that looks suspicious, too good to be true, or that claims to be from anyone you have no reason to receive email from.
  2. Harden yourself against phishing and other attacks.


Harden Yourself against Attacks

Whether you are supporting hundreds or thousands of people who work from home, or you are just looking after your own computer, there are several standard security steps that are more important to take now than ever.

Get A Password Manager

Some people will argue that putting all your passwords in one basket, I mean, one vault, makes you less secure. Yes. It does. It makes you less secure than if you generated random passwords in your mind and somehow remembered them all. But, unless you can remember a few hundred randomly selected passwords and which place they go with, it is far better than the alternative. Using a password manager you can use random, very strong passwords that are unique. I’ve yet to meet the human who can do that at the scale we need today.


Many password managers also come with a browser add-on. I know many security professionals that refuse to use them because they add attack surface. Many of those same security professionals use ad blockers, which add far more attack surface. The average end user will be far more secure with a password manager with a browser add-on.Those add-ons will only offer to auto-fill passwords on the sites that those passwords were registered for, which prevents phishing. There are other ways to prevent phishing, but this is probably the most broadly effective way available today since the vast majority of sites today still do not support WebAuthn (I’ll talk more about that in a later article). 


Use Two-Factor Authentication

Any two-factor authentication (2FA) reduces the risk of phishing. Some types of authenticators drastically reduce it, and some eliminate it entirely. If they are supported, use them.


Some password managers will actually inform you which sites support two-factor authentication. 1Password does this, for example. 



You can use this feature to discover sites where it is available and you are not using it.


If you have the option of putting services behind a single-sign-on (SSO) solution do that! Passwords people don’t have are passwords that can’t be leaked and the 2FA you use on your SSO solution now applies to those services as well. 


If end-users can access corporate services on computers that you cannot posture check and cannot know are issues by the company, you should also consider using one of the more phishing resistant 2FA options, such as TOTP or WebAuthn/U2F.

Patch All The Things

Many employers are sending people who usually do not work outside the office home. Many of those people will be working from unmanaged computers. It is imperative that those computers are patched. If you are in charge of a VPN infrastructure make sure there is a posture check deployed that looks for patch state. 


If you are having people work from home using Virtual Desktops (VMWare Horizon, Symantec Luminate, AWS Workspaces, Azure Windows Virtual Desktop, etc) posture check may still be possible depending on the service and the configuration. If you cannot guarantee that the computers used on people’s desks are fully managed you need to make sure the users of those computers understand that it is their responsibility to patch them. Your best bet while investigating a posture check solution may be to track network traffic, but that will not detect a keystroke logger on a home computer.

Use Current Anti-Malware

Anti-malware often misses things, at least in the early stages of a piece of malware’s distribution. However, it is a valuable line of defense and everyone working on a home computer should have some form of anti-malware. Most businesses can get free or reduced cost licenses for employees from their vendors. Windows Defender comes with Windows and is quite good. For Macs, Sophos and Avast are generally considered good. 

Separate Work and Home

If you are working from a home computer, or you are asking your staff to, use a separate account for work and home. This helps separate your two lives and also makes sure there is a clean slate for work. The work account almost certainly does not need to be an administrator, at least not once whatever software you need is installed. Don’t run as an administrator if you don’t need to. 

Keep a Backup

Always make sure you keep a backup of your data. For your home data, OneDrive, Google Drive, or iCloud Drive are all easy options that work pretty well. For work, every business should have a preferred option, even if it is as simple as redirecting Documents, Desktop, and Downloads so they are automatically saved on Google Drive. 

Don’t Run Mobile Apps from Untrusted Sources

Mobile Apps are also used by criminals. An old colleague of mine recently wrote a good piece on a Coronavirus tracking app that installs ransomware. It is much easier to get malicious apps on jailbroken or rooted phones, phones that are not fully patched, or if you allow installation of apps from untrusted sources.


There is more we can do, but these are some basic steps that almost all of us can take to make it harder for criminals to take advantage of the Coronavirus situation. We suddenly have hundreds of thousands of people working from home that have never done so before, putting a strain on all our systems. Many may be using equipment that is not fully managed by the company they work for. Every user and every company needs to consider the ramifications of this and take steps to minimize the problem. 

Comments

Post a Comment

Popular posts from this blog

U2F, FIDO2, and Hardware Security Keys

-
  In our journey through possession proofs we have encountered hardware factors of various kinds. HOTP and TOTP is often implemented as hardware devices, and of course, so are Smart Cards. In this post we will look at authenticators that implement the FIDO standards -  U2F, WebAuthn, and CTAP2. WebAuthn and CTAP2 are collectively part of the FIDO Alliance ’s FIDO2 protocol suite. U2F and UAF are older FIDO protocols that are supported under FIDO2. They can all be thought of as being part of the FIDO2 suite of protocols.  To understand these protocols, and their advantages and disadvantages, we need to be familiar with the three fundamental actors: Relying party (RP) - Also known as the server. This is the service that a user wishes to log into. Client - This is the application that brokers the authentication from the relying party to the authenticator and eventually the user. Much of the time, this is a web browser, but it could be any application. Authenticator - This is a thing tha
Read more

The Busy Executive’s Guide to Personal Information Security

-
Congratulations. As an executive you are the favorite target of ne’er-do-wells across the world. They will spoof email messages to staff and business partners in your name. They will try to hack your corporate account, your bank account, your email account, and your phone. In addition to hundreds of messages per week from semi-legitimate vendors who want to sell you their most recent search engine optimization snake-oil you will also get a variety of Word documents, PDF files, and PowerPoint presentations, most of which are laden with malware. If this sounds depressing, it is. It is the world of Information Security. There are ways to protect yourself, however. This document will tell you the most important things you can do. 1. Patch Your Stuff! The first thing you need to do is to patch. Software and hardware vendors provide regular security updates to fix security bugs. Or, rather, the reputable ones do. The first step is to use devices and software that provide timely and reliable
Read more

Single Sign-On

-
There are two kinds of organizations. Those that manage their single sign-on (SSO) system, and those that let their users manage their SSO. The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identity.  However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea. Yes. SSO does constitute putting all your eggs in one basket. But, that is a good  thing. Why? Because you, as a security leader control  that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have right? If not, stop reading th
Read more