Resource Guide for Cybersecurity During the COVID-19 Pandemic
According to the results of the CSO Pandemic Impact Survey, 61% of the security and IT leader respondents are concerned about an increase in cyber-attacks targeting their employees who are working from home. They’re right to be concerned; according to the survey, 26% have seen an increase in the volume, severity, and/or scope of cyber-attacks since mid-March.
The Center for Internet Security's (CIS) Security Operations Center (SOC) has seen a marked increase in remote desktop protocol (RDP) exploitation, likely due to malicious attempts to exploit teleworking capabilities. There has also been a significant shift to using COVID-19 styled phishing and malspam campaigns.
This resource guide from CIS provides information about common cyber-attacks that are currently being reported. It also provides resources for improving cyber hygiene to enhance cyber defenses, both for organizations and their employees.
It's crucial to provide continuous support for remote employees. Don’t wait to provide guidance or reminders for cybersecurity. This guide contains actionable recommendations for your employees.
COVID-19 Related Cyber-Attacks
The Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) Security Operations Center (SOC) is seeing an increase in specific types of attacks. Most of these can be thwarted by sound cyber hygiene, including increased vigilance from employees. Here are the prominent scams our SOC is seeing, and quick tips to help your organization not become a victim.
- Phishing and Malspam – Remind employees to be cautious when opening emails about COVID-19, especially those from outside the organization. They should exercise caution when entering credentials into a website, linked from an email, text message, or social media account, or when downloading attachments.
- Learn more: A Short Guide for Spotting Phishing Attempts
- Credential Stuffing – It may have been necessary to make services available to employees remotely, without the time to secure accounts through multi-factor authentication (MFA). Along with securing accounts with MFA, employees should make sure all passwords are secure, and should never reuse passwords on different accounts.
- Ransomware – In some cases it is possible malspam emails that start a ransomware infection will use a COVID-19 lure. While preventing ransomware attacks from being successful is the best outcome, being prepared with backups is the next best.
- Remote Desktop Protocol (RDP) Targeting – An increase in the number of employees connecting remotely means an increase in the number of systems with open RDP (port 3389) potentially being scanned. While your workforce needs to access systems remotely, limited and secure access by VPN can reduce the attack surface.
- Learn more: Security Primer – Remote Desktop Protocol
- Learn more: Intel Insights – How to Disable Remote Desktop Protocol
- Distributed Denial of Service (DDoS) Attacks – Downtime from an attack is even more detrimental with a remote workforce. A larger remote workforce can even act as an unintentional DDoS attack, simply because more users are trying to access services at the same time. To handle these possibilities, and to ensure you are protected against DDoS attacks, have increased bandwidth allocations ready, temporarily disable unused services to allow for more bandwidth, and discourage your employees from streaming videos, music, or other streaming services through the VPN.
Also, remind your employees to look out for malicious websites, apps, and non-cyber frauds.
- Learn more: What You Need to Know About COVID-19 Scams
Securing Business Networks for the New Normal
Organizations should implement CIS Controls v7.1 Implementation Group 1 (IG1) in order to enhance cyber hygiene. These 43 actions are prescriptive and prioritized to help prevent many of the previously mentioned attacks. You can use the free CIS Controls Self Assessment Tool, CIS CSAT, to measure progress toward implementing the CIS Controls.
The following CIS Sub-Controls (in v7.1) are particularly important in securing home IT environments:
- CIS Sub-Control 8.2: Ensure Anti-Malware Software and Signatures are Updated
- CIS Sub-Control 10.1: Ensure Regular Automated Backups
- CIS Sub-Control 10.2: Perform Complete System Backups
- CIS Sub-Control 10.4: Ensure Protection of Backups
- CIS Sub-Control 10.5: Ensure Backups Have at Least One Non-continuously Addressable Destination
- CIS Sub-Control 12.4: Deny Communications Over Unauthorized Ports
- CIS Sub-Control 17.6: Train Workforce on Identifying Social Engineering Attacks
Learn more: CIS Controls Implementation Group 1
Securing Employee Home Networks
While conducting business through a VPN can add a layer of security, there are simple steps employees can take to secure their home networks. Employees need to know what devices they are using while working from home. Once they've identified the devices they're using, have them download the instruction manuals from the respective manufacturer websites. These instruction manuals will give them step-by-step instructions on how to enable security settings like these:
- Practice smart password management and enable two-factor authentication (2FA) wherever possible.
- Enable automatic updates for all routers and modems. If equipment is outdated and can no longer be updated, it should be replaced.
- Turn off WPS and UPnP.
- Turn on WPA2 or WP3.
- Configure the router or modem’s firewall with a unique password and enable the firewall.
Employee Personal Device Security
Some employees may be using personal equipment instead of, or alongside, company-issued hardware. Here are some steps employees should take to secure their personal devices, especially when they're using them for work purposes:
Learn more: CISA Home Network Security Tips
- Patching – Patching systems to remedy known vulnerabilities continues to be essential. Your organization’s plan for doing so may need some adjustment with a largely remote workforce.
- Home Computers – Recommend employees implement security on these devices including installing anti-virus, firewall, and anti-spyware, and apply security settings in web browsers.
- Printers – Employees should look up printer security for their printer make and model to ensure security of the device and network connection. If printing, use an appropriate shredder based on company best practices.
- USB Devices –Staff should use only company-approved USB devices.
- Storage – Designate how and where an employee can store sensitive information. Use hard drive encryption on work laptops or external hard drives.
- Access by Others – People who work from home during the occasional weekday usually don’t have a full house, but they might now. Ask employees to keep work devices for professional use only and lock their devices when they step away from them. Innocent activity on a work computer could lead to a breach. This is also a good opportunity to educate family on cybersecurity.
Secure Video Conferencing
Video conference capability has become a staple to help employees continue to meet face-to-face while working apart. Keeping meetings private and password-protected, with a unique password for each meeting, is essential for ensuring security.
CIS Videoconferencing Security Guide: This document provides overall security guidance to mitigate common attacks that can occur over videoconferencing systems, such as Meeting Bombing, Malicious Links in Chat, Stolen Links, and Host Privileges Transfer. Recommendations apply to a wide variety of videoconferencing systems such as Zoom, WebEx, Microsoft Teams, and BlueJeans.
CIS Zoom Benchmark: The CIS Benchmark for Zoom contains detailed security configuration recommendations for this videoconferencing platform.
MS-ISAC Webinar: The First Severe Pandemic of the Information Age
SANS Institute: Tips to Secure Your Organization in a Work-From-Home Environment
SANS Institute: SANS Security Awareness Work-from-Home Deployment Kit
Global Cyber Alliance: Work From Home. Secure Your Business.
COVID-19 Indicators of Compromise
MalwareBazaar: MalwareBazaar Database
PhishLabs: COVID-19 Threat Intelligence
Quad9 – You can point your DNS server to this system, which will block suspicious requests from your system to malicious domains or IP addresses.
KnowBe4's Ransomware Simulator – Scans for ways into your network by malicious actors.
Shodan – Finds vulnerable devices on your network.
Censys – Finds vulnerable devices on your network.