West Monroe’s March 23 article, Cybersecurity Concerns in the Age of COVID-19, provides guidance on where to focus IT security efforts as employees shift to remote work and organizations implement new remote connectivity methods to enable their workforces.
As mentioned in that article, the stay-at-home orders and general business disruption resulting from COVID-19 mitigation practices have not put a damper on ransomware activity or on attackers’ ability to compromise corporate environments and hold organizations hostage for their data. In fact, with IT teams away from the office, it may be easier than before for attackers to compromise environments, move laterally within them, and launch attacks unnoticed.
West Monroe has recently seen several ransomware attacks that use new and more disruptive mechanisms to gain access to customer data and encrypt it. In some cases these mechanisms require extra effort to recover from; in others they may alter files permanently.
Two examples:
- Attackers used a compromised set of privileged credentials to take ownership of the files and folders on file-server drives and strip every permission entry from them before encrypting. Even after the data is decrypted or restored from backup, the permissions still have to be rebuilt, either through significant manual effort or by recovering them from backup, and those permissions are often what protects sensitive information or what business applications need in order to run. How to mitigate this risk: define a process for legitimate bulk permission and ownership changes, enable auditing of permission changes on file servers, and alert on changes that happen outside that process, especially many changes by one account in a short period.
- Attackers encrypted not only the guest operating systems of running virtual machines but also attacked the hypervisor layer itself, encrypting the virtual machine files (disks and configuration) within the VMware datastore. Recovery required multiple rounds of decryption, first of the datastore and then of the guests, before services could be restored. How to mitigate this risk: restrict access to hypervisor management interfaces with host firewall rules, disable services that are not needed (such as SSH on hosts), and actively monitor VMware for configuration changes.
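The first example's mitigation, a monitoring mechanism for file permission changes, is illustrated below with an added example that is not from the West Monroe article. It assumes Windows Security event 4670 ("Permissions on an object were changed") records have already been exported from a file server or SIEM as dictionaries holding the subject account, object path and the old and new security descriptors in SDDL form. The sample records, the server and folder names, and the account SIDs are constructed placeholders; the threshold and window are assumed tuning values.

```python
"""Flag one account taking ownership of many objects and stripping everyone else's access.

Added example (not West Monroe's code). Input: Windows Security event 4670 records as
dicts with keys time, subject, object, old_sd, new_sd. SIDs, paths and accounts are
constructed placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SDDL layout: "O:<owner>G:<group>D:<flags>(ace)(ace)...S:(...)". Each ACE is
# type;flags;rights;object_guid;inherit_guid;trustee, so the trustee is the last field.
_OWNER_RE = re.compile(r"O:(.*?)(?=G:|D:|S:|$)")
_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return (owner, [trustees granted access by allow ACEs]) from an SDDL string."""
    owner_m = _OWNER_RE.search(sddl)
    owner = owner_m.group(1) if owner_m else ""
    dacl_m = _DACL_RE.search(sddl)
    trustees = []
    if dacl_m:
        for ace in _ACE_RE.findall(dacl_m.group(1)):
            fields = ace.split(";")
            if fields[0] == "A":  # allow ACE; deny ACEs grant nothing
                trustees.append(fields[-1])
    return owner, trustees


def is_permission_strip(event):
    """True when the change took ownership and left only the new owner (or nobody) with access."""
    old_owner, old_trustees = parse_sddl(event["old_sd"])
    new_owner, new_trustees = parse_sddl(event["new_sd"])
    owner_changed = old_owner != new_owner
    others_removed = set(new_trustees) <= {new_owner} and len(old_trustees) > len(new_trustees)
    return owner_changed and others_removed


def find_strip_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of permission-strip events per subject account.

    Returns {subject: time of first alert} for every subject that performed at least
    `threshold` strips within `window`. Events must be sorted by time.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        if not is_permission_strip(ev):
            continue
        q = recent[ev["subject"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["subject"] not in alerts:
            alerts[ev["subject"]] = ev["time"]
    return alerts


def sample_events():
    """Constructed 4670 records: an admin widening one folder's ACL (benign), then a
    compromised service account seizing ownership of twelve folders in one minute."""
    t0 = datetime(2020, 4, 1, 2, 14, 0)
    attacker_sid = "S-1-5-21-1004336348-1177238915-682003330-1108"  # placeholder SID
    normal = "O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;DU)"
    widened = normal + "(A;OICI;0x1301bf;;;S-1-5-21-1004336348-1177238915-682003330-1133)"
    stripped = f"O:{attacker_sid}G:DUD:P(A;OICI;FA;;;{attacker_sid})"
    events = [{"time": t0, "subject": "CORP\\jsmith-adm", "object": r"\\FS01\Finance\Q1",
               "old_sd": normal, "new_sd": widened}]
    for i in range(12):
        events.append({"time": t0 + timedelta(seconds=30 + 5 * i), "subject": "CORP\\svc_backup",
                       "object": rf"\\FS01\Finance\Dept{i:02d}", "old_sd": normal, "new_sd": stripped})
    return events


if __name__ == "__main__":
    for subject, when in find_strip_bursts(sample_events()).items():
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} {subject} stripped permissions on many objects")
```

The detector deliberately ignores ordinary ACL edits (the admin adding a group keeps the owner and grows the DACL) and fires only on the pattern the attack leaves behind: ownership transferred and every other principal removed, repeated across many objects by one account. In production the 4670 audit category has to be enabled on the file servers first, and the threshold should be set from a baseline of legitimate migrations and permission clean-ups.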
Cybersecurity tips for remote work
With more users working away from traditional offices, and potentially new remote access solutions in place, hardening and security measures that protect corporate systems deserve closer attention than usual.
- Update incident response plans. Ensure employees know what to do if a device is lost or compromised, especially if they suspect they are the victims of a scam. Update response plans to account for the distributed nature of employees and IT teams, including hard copies of contact details and additional out-of-band communication methods.
- Secure new remote access mechanisms. Implement only secure and trusted remote access tools, and resist the temptation to expose internal systems directly to the internet so that employees can reach them. Require multi-factor authentication on every remote access path so that a compromised password alone is not enough to get into the environment.
- Monitor and protect devices on work-from-home networks. Be sure devices are still patched frequently, can be monitored and managed remotely, and are not unnecessarily exposed to additional threats in home or external environments.
- Refresh training. Communicate work-from-home and acceptable use policies, and provide updated guidance on current threats, such as COVID-19 related phishing attacks. Consider launching a mock phishing campaign to heighten awareness and test your employees’ knowledge and response.
Does your organization need assistance with cybersecurity? We can help. Contact a member of West Monroe’s Incident Response & Recovery Team.