Coronavirus and Information Security
Like a whole lot of other people, to help prevent the spread of COVID-19, you may be either working from home or helping ensure others can, or both. Like a lot of people you may also be searching for information and resources to help cope.
Unfortunately criminals realize that we are doing this. Whether they are doing it to advance the interests of a nation state or to make money, they are taking advantage of the situation, the fear, and confusion caused by the pandemic. I thought it might make sense to put together some pointers for how to protect the digital lives of you, your loved ones, and those whom you are protecting.
As with every other crisis, criminals are using the pandemic to try to entice people into clicking on phishing emails. They use all the same tricks they always use. They try sending email from anyone who may be trusted, like the Department of Health and Human Services, or Johns Hopkins University, which is tracking the outbreak. Legitimate organizations will never send you unsolicited email with attachments that instruct you how to avoid the virus. All of these are fake.
The Electronic Frontier Foundation has a very good article with some easy to consume information on how to avoid getting scammed.
Meanwhile, according to Krebs on Security someone is selling a malware kit using the Johns Hopkins interactive map (https://coronavirus.jhu.edu/map.html) of the infection status on Russian malware forums.
This will only get worse. Everyone needs to be vigilant and do these two things:
- Immediately delete any email that looks suspicious, too good to be true, or that claims to be from anyone you have no reason to receive email from.
- Harden yourself against phishing and other attacks.
Harden Yourself against Attacks
Whether you are supporting hundreds or thousands of people who work from home, or you are just looking after your own computer, there are several standard security steps that are more important to take now than ever.
Get A Password Manager
Some people will argue that putting all your passwords in one basket, I mean, one vault, makes you less secure. Yes. It does. It makes you less secure than if you generated random passwords in your mind and somehow remembered them all. But, unless you can remember a few hundred randomly selected passwords and which place they go with, it is far better than the alternative. Using a password manager you can use random, very strong passwords that are unique. I’ve yet to meet the human who can do that at the scale we need today.
Many password managers also come with a browser add-on. I know many security professionals that refuse to use them because they add attack surface. Many of those same security professionals use ad blockers, which add far more attack surface. The average end user will be far more secure with a password manager with a browser add-on.Those add-ons will only offer to auto-fill passwords on the sites that those passwords were registered for, which prevents phishing. There are other ways to prevent phishing, but this is probably the most broadly effective way available today since the vast majority of sites today still do not support WebAuthn (I’ll talk more about that in a later article).
Use Two-Factor Authentication
Any two-factor authentication (2FA) reduces the risk of phishing. Some types of authenticators drastically reduce it, and some eliminate it entirely. If they are supported, use them.
Some password managers will actually inform you which sites support two-factor authentication. 1Password does this, for example.
You can use this feature to discover sites where it is available and you are not using it.
If you have the option of putting services behind a single-sign-on (SSO) solution do that! Passwords people don’t have are passwords that can’t be leaked and the 2FA you use on your SSO solution now applies to those services as well.
If end-users can access corporate services on computers that you cannot posture check and cannot know are issues by the company, you should also consider using one of the more phishing resistant 2FA options, such as TOTP or WebAuthn/U2F.
Patch All The Things
Many employers are sending people who usually do not work outside the office home. Many of those people will be working from unmanaged computers. It is imperative that those computers are patched. If you are in charge of a VPN infrastructure make sure there is a posture check deployed that looks for patch state.
If you are having people work from home using Virtual Desktops (VMWare Horizon, Symantec Luminate, AWS Workspaces, Azure Windows Virtual Desktop, etc) posture check may still be possible depending on the service and the configuration. If you cannot guarantee that the computers used on people’s desks are fully managed you need to make sure the users of those computers understand that it is their responsibility to patch them. Your best bet while investigating a posture check solution may be to track network traffic, but that will not detect a keystroke logger on a home computer.
Use Current Anti-Malware
Anti-malware often misses things, at least in the early stages of a piece of malware’s distribution. However, it is a valuable line of defense and everyone working on a home computer should have some form of anti-malware. Most businesses can get free or reduced cost licenses for employees from their vendors. Windows Defender comes with Windows and is quite good. For Macs, Sophos and Avast are generally considered good.
Separate Work and Home
If you are working from a home computer, or you are asking your staff to, use a separate account for work and home. This helps separate your two lives and also makes sure there is a clean slate for work. The work account almost certainly does not need to be an administrator, at least not once whatever software you need is installed. Don’t run as an administrator if you don’t need to.
Keep a Backup
Always make sure you keep a backup of your data. For your home data, OneDrive, Google Drive, or iCloud Drive are all easy options that work pretty well. For work, every business should have a preferred option, even if it is as simple as redirecting Documents, Desktop, and Downloads so they are automatically saved on Google Drive.
Don’t Run Mobile Apps from Untrusted Sources
Mobile Apps are also used by criminals. An old colleague of mine recently wrote a good piece on a Coronavirus tracking app that installs ransomware. It is much easier to get malicious apps on jailbroken or rooted phones, phones that are not fully patched, or if you allow installation of apps from untrusted sources.
There is more we can do, but these are some basic steps that almost all of us can take to make it harder for criminals to take advantage of the Coronavirus situation. We suddenly have hundreds of thousands of people working from home that have never done so before, putting a strain on all our systems. Many may be using equipment that is not fully managed by the company they work for. Every user and every company needs to consider the ramifications of this and take steps to minimize the problem.