The Covid-19 pandemic and cybersecurity

By: Andang Nugroho, CISSP

Entering my fourth week of WFH (working from home) today. For those who have not met me for a long time, the above picture probably pretty closely represents how I look right now: a “cat-eyed” Tom Cruise. “Tom Cruise” due to constant streaming of many of his movies (especially “Top Gun”) the past couple of weeks, but “cat-eyed” due to staying mostly inside at home and only going under the sun for 30 minutes daily to get my dose of antibody-inducing UV light.

Four weeks into working from home, I can’t help but think ahead: after this pandemic is all said and done, would things come back to how they used to be? Would things come back to normal? How fast, how soon? And what is normal, the old normal or a new normal?

Virtual Private Network (VPN)

The first stress point hit by WFH initiatives would be the VPN infrastructure. Designed to be used by select individuals who spend much time outside of the office but need to connect back in, it is now used and hit by almost all of our workmates. If it is licensed by username, then there were frantic calls to the vendor asking for additional user licenses. If it is appliance-based, then there is the constant monitoring of the new heavy load and occasional crashes (maybe?). If nothing happened because you have around 300% capacity buffer designed and prepared for times like now, then good for you, bravo! But I don’t think you had that luxury. No.

And the next questions would be, what do our users access the office with? Do they bring office PCs home for WFH? Are they already assigned company notebooks but don’t usually need VPNs? Or are they asking to connect using their privately owned notebooks? I personally found that notebooks are selling hot and disappearing fast from the market, with schools now also conducted over the Internet. Even if we want to buy new company notebooks to assign to those new users, we probably can’t. Then, how to standardize access?
User posturing is key: before we allow access to users, old and new, we need to check whether they access securely or not. How are their computers protected? Is the OS updated and patched? Running currently updated antivirus? Unlicensed software installed and running on their computers? Personal firewall and anti-malware activated? Accessing from an insecure Wi-Fi network? Then, what data are they bringing in and, especially, out? Can we limit the access only to data that they really need? Another set of frantic calls to have Zero Trust network and DLP installed.

Remote Desktop vs Private Cloud

Next question: “Most of my data, most of my old emails, are stored on my desktop in the office. I need access to them,” say users. Some of them are even smart enough to leave their computers on before WFH, with the remote desktop active. Then, it’s a matter of working from home, but accessing our PCs as if we were in the office. Are they doing this with VPN, or even without VPN? Don’t be surprised by the answer. Users want speed and convenience, and those mostly come at the expense of security.

Indeed, SANS put out an article (accessible here) observing the increase in RDP scanning over the past three months. The graph below is from that article, quoting Shodan’s report that clearly shows an uptick in scanning activity looking for innocent misconfigurations from unknowing users on RDP. So, the bad people out there really know what’s going on.

While at it, also check out the SANS Deployment Guide for secure WFH, accessible here, good at the organization as well as the employee level. The key takeaway is that technology can’t protect us 100%; we need users to be constantly aware of the risks of using the Internet for their work.

These users are vulnerable to attacks, and phishing has been #1 on the cyberattack list for quite some time. Recently, both US and UK cybersecurity authorities have warned of still increasing phishing attacks exploiting FUD (fear, uncertainty, and doubt) caused by Covid-19.
Sites covering Covid-19 are springing up left, right and center, some with good and valid information. But, along those fine lines, criminals lurk to take advantage. Again, updated and aware users are among our best defenses. Read the article here.

Didn’t we mention private cloud? Yes, and we digressed. But, sadly, our users do store most of their files locally on their PCs. Now, we need access to that data remotely. How?

Companies, if they have not already, should start to deploy central repositories of user files. All four major cloud services (Alibaba, AWS, Google, and Microsoft) have solutions for syncing local folders to cloud object storage, some with an on-premise private cloud option, some purely Internet cloud services but with back-channel federation. Even object storage appliance vendors embed this type of solution in their products. We need it, now.

Migration to cloud is clearly unavoidable. Having private cloud infrastructure for our users now is a good transitional step, while also waiting for regulatory bodies to accept cloud services, which again is clearly unavoidable even if heavily resisted for now.

Moving storage to private cloud improves accessibility, collaboration possibilities, and yes, security. With USB ports disabled in most organizations, having (private) cloud storage as backup and a means of remote access will be greatly appreciated by users and user support alike.

So, yet another frantic call to either one of those four big global cloud providers, or to our object storage vendors, to get the private cloud storage implemented.

Heck, in the next few years, the concept of a private network would probably start to sound foreign, and archaic. People don’t buy PCs anymore, and sales of smartphones are outpacing those of notebooks. Smartphones can now even be more expensive than notebooks. In the next few years, when we talk about end-user devices, what would we see? So what now?
More frantic calls to our SD-WAN and VDI vendors.

Remote collaboration tools

While working from home, our users absolutely need collaboration tools. Voice and video conferencing, including desktop and presentation sharing, is among the top needs. It’s on the top list for CIOs right now; see the McKinsey article here.

And no, not like before. Prior to this WFH, video conference sessions were more IT-setup events, with a specific venue set up to host the session(s). Right now, any users anywhere, anytime want to set up video sessions with their peers, internal or external to the company, with or without accounts on the solution owned by the company.

This is where Zoom excels: although branded as an enterprise solution, it is clearly focused on retail customers, complete with free accounts having almost full features. And during the pandemic, the 40-minute limit on these free accounts is mostly lifted, at the discretion of Zoom. Zoom itself is not without problems, and there are many articles on the Net to read about them, but one thing is for sure: any other “enterprise” solution now must have Zoom-like features and user friendliness to compete with Zoom.

Collaboration tools like these are here to stay, and are increasingly used directly by users, and with other users; IT steps aside and is just there to support when trouble comes. Some users still like to travel and meet in person, but significantly more users are finding talking online with others quite useful.

Since now (almost) everything is online

We said above that updated and aware users are among our best defenses. In fact, updated and aware customers are also one of our best defenses. During the pandemic, the volume of online transactions shoots up to the sky, and is not likely to come down anytime soon. Everybody is deploying their online services, at the risk of losing business if not doing so. Customers not usually found online are pushed to use these services.
Having them knowledgeable and familiar with our services, and also aware of Internet risks, is the key to safe transactions. Thus, it is a bit baffling to see that even in the US, customers going online for the first time are still significantly large in number. Look at the table below, and yes, believe your own eyes: half of US banking customers will need support in moving to online services. Read the full article here.

Then, how about our customers? How about our industries? At least in the insurance industry, customers are reaching the tipping point of going into digital services, forced into it or not, faster than initially expected. That is the conclusion of the article by the Digital Insurer (TDI) here.

People are now selling fresh fish and lobsters online, relatively at par with market price, for now. Market being the traditional wet market, not supermarket or hyperstore prices. I bet that in the near future they could undercut market prices, first the supermarket prices and then further down. Then, they would also be approaching the tipping point of going digital and direct to customers.

All said and done, there would be a new normal after the pandemic is gone. A new normal in more aspects of our lives. Being online, and being secure doing it, would rank near the top. In the next wave of being online, with IoT and OT (Operational Technology) at the forefront, being secure online will never be more important. Being appropriately prepared will be the tipping point of our companies, industries, and country excelling above the competition, or dwindling into obscurity, in the not too distant future.

(Original picture courtesy of Paramount Pictures, with a bit of editing to show how the world is according to me now; hope it is going to be OK.)

https://www.linkedin.com/pulse/covid-19-pandemy-cybersecurity-andang-nugroho-cissp