Pandemic crisis and cybersecurity

The Covid-19 pandemic and cybersecurity
By: Andang Nugroho, CISSP
Entering my fourth week of WFH (working from home) today. For those who have not met me for a
long time, the above picture probably pretty closely represents what I look like right now: a “cat-eyed”
Tom Cruise. “Tom Cruise” due to constant streaming of many of his movies (especially “Top
Gun”) the past couple of weeks, but “cat-eyed” due to staying mostly inside at home and only going
under the sun for 30 minutes daily to get my dose of antibody-inducing UV light.
Four weeks into working from home, I can’t help but think ahead: after all this pandemic is said and
done, would things come back to how they used to be? Would things come back to normal? How fast,
how soon? And what is normal, the old normal or a new normal?
Virtual Private Network (VPN)
The first stress point hit by WFH initiatives would be the VPN infrastructure. Designed to be used by
select individuals who spend much time outside of the office but need to connect back in, it is now
used and hit by almost all of our workmates. If it is licensed by username, then there were frantic calls to
the vendor asking for additional user licenses. If it is appliance-based, then there was constant monitoring
of the new heavy load and occasional crashes (maybe?). If nothing happened because you have
around 300% capacity buffer designed and prepared for times like now, then good for you, bravo!
But I don’t think you had that luxury. No.
And the next questions would be: what do our users access the office with? Do they bring office PCs
home for WFH? Are they already assigned company notebooks but don’t usually need VPNs? Or are
they asking to connect using their privately owned notebooks? I personally found that notebooks are
selling hot and disappearing fast from the market, with schools now also conducted over the
Internet. Even if we want to buy new company notebooks to assign to those new users, we probably
can’t. Then, how to standardize access? User posturing is key: before we allow access to users, old
and new, we need to check whether they access securely or not. How are their computers
protected? Is the OS updated and patched? Is it running a currently updated antivirus? Is unlicensed software
installed and running on their computers? Are the personal firewall and anti-malware activated? Are they accessing
from an insecure wifi network? Then, what data are they bringing in and, especially, out? Can we limit
the access only to data that they really need? Another set of frantic calls to have Zero Trust network
and DLP installed.
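The posture questions above can be turned into an access decision made before the VPN session is granted. The sketch below is an added example, not part of the original article; the field names, the two age thresholds and the three-level outcome (full, limited, deny) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, not values from the article.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_AGE_DAYS = 7

@dataclass
class Posture:
    company_owned: bool
    last_os_patch: date
    av_signatures: date
    firewall_on: bool
    unlicensed_software: bool
    wifi_encrypted: bool

def evaluate(p: Posture, today: date):
    """Return (decision, reasons); decision is 'full', 'limited' or 'deny'."""
    blocking, degrading = [], []
    if (today - p.last_os_patch).days > MAX_PATCH_AGE_DAYS:
        blocking.append("OS patches out of date")
    if (today - p.av_signatures).days > MAX_AV_AGE_DAYS:
        blocking.append("antivirus signatures out of date")
    if not p.firewall_on:
        blocking.append("personal firewall disabled")
    if p.unlicensed_software:
        degrading.append("unlicensed software installed")
    if not p.wifi_encrypted:
        degrading.append("insecure wifi network")
    if not p.company_owned:
        degrading.append("privately owned device")
    if blocking:
        return "deny", blocking + degrading
    if degrading:
        return "limited", degrading  # only the data the user really needs
    return "full", []

# Constructed sample reports (not real devices).
TODAY = date(2020, 4, 13)
OFFICE_LAPTOP = Posture(True, date(2020, 4, 1), date(2020, 4, 12), True, False, True)
HOME_PC = Posture(False, date(2020, 4, 5), date(2020, 4, 10), True, False, True)
STALE_PC = Posture(False, date(2020, 1, 15), date(2020, 2, 1), False, True, False)

if __name__ == "__main__":
    for name, dev in [("office", OFFICE_LAPTOP), ("home", HOME_PC), ("stale", STALE_PC)]:
        print(name, *evaluate(dev, TODAY))
```

Returning the reasons along with the decision gives user support something concrete to tell a user whose notebook was refused or restricted.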
Remote Desktop vs Private Cloud
Next question: most of my data, most of my old emails, are stored on my desktop in the office. I need
access to them, say users. Some of them are even smart enough to leave their computers on before
WFH, with the remote desktop active. Then, it’s a matter of working from home, but accessing our
PCs as if we were in the office. Are they doing this with VPN, or even without VPN? Don’t be surprised
by the answer. Users want speed and convenience, and those mostly come at the expense of
security. Indeed, SANS put out an article (accessible here) observing the increase of RDP scanning
over the past three months. The graph below is from that article, quoting Shodan’s report that clearly
shows an uptick in scanning activity looking for innocent misconfigurations from unknowing users on
RDP. So, the bad people out there really know what’s going on.
While at it, check out also the SANS Deployment Guide for secure WFH, accessible here, good at the
organization as well as the employee level. The key takeaway is that technology can’t protect us 100%;
we need users to be constantly aware of the risks of using the Internet for their work.
These users are vulnerable to attacks, and phishing has been #1 on the cyberattack list for quite
some time. Recently, both US and UK cybersecurity authorities have warned of yet more phishing
attacks exploiting FUD (fear, uncertainty, and doubt) caused by Covid-19. Sites covering Covid-19 are
springing up left, right and center, some with good and valid information. But, along those fine lines,
criminals lurk to take advantage. Again, updated and aware users are among our best defenses.
Read the article here.
Didn’t we mention private cloud?
Yes, and we digressed. But, sadly, our users do store most of their files locally on their PCs. Now, we
need access to that data remotely. How? Companies, if they have not already, should start to deploy central
repositories of user files. All four major cloud services (Alibaba, AWS, Google, and Microsoft)
have solutions for syncing local folders to cloud object storage, some with an
on-premise private cloud option, some purely Internet cloud services but with back-channel
federation. Even object storage appliance vendors embed this type of solution in their
products. We need it, now. Migration to cloud is clearly unavoidable. Having private cloud
infrastructure for our users now is a good transitional step while also waiting for regulatory bodies
to accept cloud services, which again is clearly unavoidable even if heavily resisted for now. Moving
storage to private cloud improves accessibility, collaboration possibility, and yes, security. With USB
ports disabled in most organizations, having (private) cloud storage as backup and a means of
remote access will be greatly appreciated by users and user support alike.
So, yet another frantic call to either one of those four big global cloud providers, or to our object
storage vendors, to get the private cloud storage implemented.
Heck, in the next few years, the concept of private network would probably start to sound foreign,
and archaic. People don’t buy PCs no more, and sales of smartphones are outpacing that of
notebooks. Smartphones can now even be more expensive than notebooks. The next few years,
when we talk about end-user devices, what would we see? So what now? More frantic calls to our
SD-WAN and VDI vendors.
Remote collaboration tools
While working from home, our users absolutely need collaboration tools. Voice and video
conferencing, including desktop and presentation sharing, is among the top needs. It’s in the top list
for CIOs right now, see McKinsey article here.
And no, not like before. Prior to this WFH, video conference sessions were more IT-setup events with
a specific venue set up to host the session(s). Right now, any user anywhere, anytime wants to set up
video sessions with their peers, internal or external to the company, with or without accounts on the
solution owned by the company. This is where Zoom excels: although branded as an enterprise solution, it is
clearly focused on retail customers, complete with free accounts having almost full features. And
during the pandemic, the 40-minute limit on these free accounts is mostly lifted, at the
discretion of Zoom. Zoom itself is not without problems, and there are many articles on the Net to
read about them, but one thing is for sure: any other “enterprise” solution now must have Zoom-like
features and user friendliness to compete with Zoom. Collaboration tools like these are here to stay,
and are increasingly used directly by users, and with other users; IT steps aside and is just there to
support when trouble comes. Some users still like to travel and meet in person, but significantly
more users are finding talking online with others quite useful.
Since now (almost) everything is online
We said above that updated and aware users are among our best defenses. In fact, updated and aware
customers are also one of our best defenses. During the pandemic, the volume of online transactions
has shot up to the sky, and is not likely to come down anytime soon. Everybody is deploying their online
services, at the risk of losing business if not doing so. Customers not usually found online are
pushed to use these services. Having them knowledgeable and familiar with our services and also
aware of Internet risks is the key to safe transactions. Thus, it is a bit baffling to see that even in the
US, customers going online for the first time are still significantly large in number. Look at the table
below, and yes, believe your own eyes, half of US banking customers will need support in moving to
online services. Read the full article here.
Then, how about our customers? How about our industries? At least, in the insurance industry,
customers are reaching the tipping point of going into digital services, forced into or not, faster than
initially expected. That is the conclusion of the article by the Digital Insurer (TDI) here.
People are now selling fresh fish and lobsters online, relatively at par with market price, for now.
Market being the traditional wet market, not supermarket or hyperstore prices. I bet in the near
future that they could undercut market prices, first the supermarket prices and then further down.
Then, they would also be approaching the tipping point of going digital and direct to customers.
All said and done, there would be a new normal after the pandemic is gone. A new normal in more
aspects of our lives. Being online, and being secure doing it, would rank near the top. In the next
wave of being online, with IoT and OT (Operational Technology) at the forefront, being secure
online will never be more important. Being appropriately prepared will be the tipping point of our
companies, industries, and country excelling above the competition, or dwindling into obscurity, in
the not too distant future.
(Original picture courtesy of Paramount Pictures, with a bit of editing to show how the world is
according to me now, hope it is going to be OK)
https://www.linkedin.com/pulse/covid-19-pandemy-cybersecurity-andang-nugroho-cissp