COVID-19 has upended our way of life, and in doing so, has unleashed a Pandora’s box of new cyber threats. Security teams not only face the universal challenges imposed by this crisis but must also overcome unique obstacles such as protecting a new remote workforce and stopping pernicious attacks targeting remote users. Here are five top security risks that teams must deal with, as well as technology and user education best practices to keep users and data safe:
1. Weak remote access policies
Once attackers get access to a virtual private network (VPN), they can often penetrate the rest of the network like a hot knife through butter. Historically, many companies deployed VPNs primarily for technical people needing access to critical technology assets. That is no longer the case: VPNs are now often encouraged for all users as a more secure connection than home or public networks. The problem is that many legacy firewall rules enable access to practically everything in the network. We’ve shared examples of this type of vulnerability being exploited by disgruntled former employees, and it can just as easily be exploited by attackers.
Recommendation: It’s critical that companies enforce access based on user identity, allowing specific groups access to only what they need to get their jobs done, and expanding access from there on an as-needed basis. You can also reduce an attacker’s ability to move laterally through the network by using network segmentation and Layer 7 access control, by patching internal servers and clients, and by leveraging advanced threat prevention capabilities and antivirus to block exploitation attempts. These Zero Trust principles can help limit your exposure.
Resources: Learn the 5 Steps to Zero Trust and extend this methodology to your remote access policies.
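One way to check an exported rule set against the recommendation above is to flag VPN-zone allow rules that lack user, destination or application scoping, and rules that sit below a catch-all. This Python code is an added example, not code from the original article or from any vendor product; the rule field names, the sample rules, the /16 breadth threshold and top-down first-match evaluation are assumptions.

```python
import ipaddress

MAX_PREFIX_BITS = 16  # assumption: networks wider than a /16 count as "broad"

# Constructed sample export; the field names are hypothetical, not a vendor schema.
SAMPLE_RULES = [
    {"name": "finance-erp", "from_zone": "vpn", "action": "allow",
     "users": ["grp-finance"], "destination": ["10.20.5.10"],
     "application": ["web-browsing"], "service": ["tcp/443"]},
    {"name": "legacy-vpn-all", "from_zone": "vpn", "action": "allow",
     "users": ["any"], "destination": ["any"],
     "application": ["any"], "service": ["any"]},
    {"name": "it-admin-ssh", "from_zone": "vpn", "action": "allow",
     "users": ["grp-it-admins"], "destination": ["10.0.0.0/8"],
     "application": ["ssh"], "service": ["tcp/22"]},
]

def is_any(values):
    return any(v.lower() == "any" for v in values)

def is_broad(destinations):
    # True if any destination is "any" or a network wider than the threshold.
    return any(d.lower() == "any" or
               ipaddress.ip_network(d, strict=False).prefixlen < MAX_PREFIX_BITS
               for d in destinations)

def audit_vpn_rules(rules, vpn_zone="vpn"):
    # Assumes top-down, first-match evaluation: every rule listed after an
    # allow rule that is "any" in all four fields is unreachable (shadowed).
    findings, catch_all = {}, None
    for rule in rules:
        if rule["from_zone"] != vpn_zone or rule["action"] != "allow":
            continue
        checks = [
            (is_any(rule["users"]), "no user or group restriction"),
            (is_broad(rule["destination"]), "destination too broad"),
            (is_any(rule["application"]) and is_any(rule["service"]),
             "no application or service restriction"),
        ]
        issues = [f"shadowed by '{catch_all}'"] if catch_all else []
        issues += [msg for hit, msg in checks if hit]
        if issues:
            findings[rule["name"]] = issues
        if catch_all is None and is_any(rule["destination"]) and all(h for h, _ in checks):
            catch_all = rule["name"]
    return findings

if __name__ == "__main__":
    for name, issues in audit_vpn_rules(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(issues)}")
```

The shadowing check matters when tightening access: group-specific rules added below a legacy catch-all never match, so the catch-all has to be removed or moved below them.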
2. A deluge of new devices to protect
Global “stay at home” policies have forced many organizations to purchase and ship new laptops and other devices to their newly remote workforce. Some organizations are allowing employees to temporarily use personal home devices for business purposes. This surge in new devices presents unique challenges for security teams. Teams must ensure that these devices are protected against malware and viruses. With a geographically distributed workforce, they need to make sure they can install, manage and support security products remotely.
Recommendation: If you haven’t done so already, start by extending endpoint security – both endpoint protection and detection and response capabilities – to all of your remote users. Consider endpoint and network security solutions that are designed for geographically distributed workforces, such as cloud-native approaches. These solutions should block endpoint threats such as malware, exploits and fileless attacks, but also detect risky behavior, such as employees using unauthorized desktop sharing applications at home. Limit corporate network access to only trusted devices (e.g., those that meet defined criteria through host information profiles).
Resources: Find out how Cortex XDR provides the best protection available against endpoint attacks, and see how Prisma Access extends network protection to remote devices.
3. Lack of visibility into remote user activity
With the sudden explosion in remote workers, security teams must monitor a new host of endpoint devices for malware, fileless attacks and a flurry of threats targeting remote users. However, many security teams lack visibility into remote user activity and into east-west traffic inside the network, so they can’t detect advanced threats from remote users or identify an attacker jumping from a compromised user’s machine to hosts inside the network. Security analysts – like the rest of the workforce – are often also working from home, which exacerbates existing SecOps challenges such as managing siloed detection and response tools and pivoting from console to console to investigate threats. This combination of problems makes it easier for adversaries to slip under the radar and carry out their attacks.
Recommendation: Rather than invest in point solutions, consider security platforms that maximize integration between systems, limiting the amount of switching between tools and providing visibility into all data – including remote user activity. Extended detection and response (XDR) not only protects endpoints, but also applies analytics across all your data to find threats like unusual access or lateral movement, and simplifies investigations by stitching together data and identifying the root cause.
Resources: Find out how Cortex XDR can detect and stop attacks involving remote users by integrating with Prisma Access, Next-Generation Firewalls and third-party security products.
4. Users mixing home and business passwords
Users have a bad habit of reusing passwords over and over again. They are either unaware of or careless about the risk: one site gets hacked, their password gets published somewhere like pastebin.com, and boom – attackers now have access to all of their accounts, including their corporate ones. With a remote workforce, this problem is exacerbated by employees using personal devices and networks with much lower standards of security than their corporate-controlled alternatives, making it easy for attackers to access company data.
Recommendation: If some on-premises network and email security mechanisms are no longer available, security teams should double down on educating users to identify phishing attempts and to choose strong, unique passwords, encouraging the use of a password manager. They should also implement client certificates and multi-factor authentication in order to prevent attackers from gaining access through unsecured devices.
Resources: Learn how security profiles in Next-Generation Firewalls and Prisma Access can help you enforce multi-factor authentication and block network-borne attacks. See how User-ID and credential theft prevention can stop workers from using corporate passwords on non-corporate websites.
5. Opportunistic phishing attempts
Phishing is still the number one way to gain access to corporate networks. A global pandemic provides the perfect conditions for phishing, as adversaries often use fear, urgency and panic as tools to pressure people into clicking malicious links. Coronavirus-based spam is now being used as a lure, and the over-communication and panic will cause some users to click practically anything.
Recommendation: Again – user education is paramount! Make sure everyone in your company knows how to identify and report suspicious links and emails, and that they are being extra cautious during this time, both with their business accounts and with any personal accounts that they may be accessing on their work computers. Make sure your email security is up to date and that your endpoints are protected to help prevent and detect malware.
Resources: Learn how the cloud-delivered WildFire® malware analysis service – which is built into Cortex XDR and many other Palo Alto Networks products – aggregates data and threat intelligence from the industry’s largest global community to automatically identify and stop threats. Additionally, URL Filtering blocks access to malicious sites to help prevent phishing attacks.
Learn more about how Palo Alto Networks can help you secure and protect your remote workforce.