By Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs
It may feel too simplistic to be talking about cyber hygiene with CISOs. But in my years as a threat researcher, and now running a global team of threat researchers, data analysts, and forensics experts, I can say authoritatively that the lack of consistent cyber hygiene is the largest and most persistent threat inside most organizations. And the risk continues to grow as organizations continue to grow their networks and expand their attack surfaces without a holistic security architecture or management system in place.
The concept of cyber hygiene is a deceptively simple one: It involves a series of practices and precautions that, when repeated regularly, keep us safe and our devices working as they should. But that’s easier said than done with distributed networks, IoT everywhere, the adoption of multi-cloud infrastructures, and a growing reliance on SaaS application usage. Add the convergence of IT and OT, and the number of aging devices that cannot be taken offline because they monitor or manage critical systems 24×7, and the risks are greater, and the table stakes are higher, than ever before.
Keeping Remote Workers Safe
One of the most critical places on which to focus cyber hygiene efforts is remote workers. The rapid growth in a mobile workforce and their reliance on personal devices and home networks is just the latest example of the challenges that IT teams face. Unfortunately, enforcing cyber hygiene for remote workers seems to be low on the list for overworked IT teams – somewhere below keeping the business up and running and ensuring access to business applications and essential resources.
Of course, the challenge is that employees working from home are using unsecured personal devices, from laptops to smartphones to tablets, to stay connected during the workday. And these devices, attached to weaker and far more vulnerable home networks, have created the perfect platform from which cyber criminals can launch attacks on enterprise data.
Over the past several months, cybercriminals have combined social engineering tactics that exploit fears about the Covid-19 pandemic with older exploits targeting unpatched vulnerabilities found in devices deployed in many home networks. They have also modified their strategies, switching from email-based attacks, which many remote users have been trained to avoid, to new browser-based attack vectors. And once the corporate network has been breached, cybercriminals are delivering new, more malicious strains of ransomware and other malware.
Adapting to the Post-Pandemic Threat Landscape
While 2020 is currently on track to break the record for the number of vulnerabilities identified and published in a single year, these vulnerabilities also have the lowest rate of exploitation ever observed in the 20-year history of the CVE (Common Vulnerabilities and Exposures) list. Instead, vulnerabilities from 2018 have claimed the highest exploitation prevalence (65%). And more than 25% of firms have reported attempts to exploit CVEs from 2005. At the same time, exploits targeting consumer-grade routers and IoT devices have been among FortiGuard Labs’ top IPS detections according to our research. While some of these target newer vulnerabilities, a staggering volume have targeted exploits first discovered in 2014.
The critical lesson is this: Do not assume that older vulnerabilities, including those more than 15 years old, cannot cause problems.
What these trends show is that cybercriminals are extremely agile. Within days of seeing that companies were switching workers to remote status, the dark web was filled with phishing exploits targeting novice workers. Within weeks, threat sensors saw a dramatic drop off in threats targeting corporate resources and a corresponding spike in new attacks targeting consumer-grade routers, personal devices, gaming systems, and other devices connected to home networks. Cybercriminals are clearly more than willing to put in the work to find vulnerabilities that still exist within home networks that can then be used to enter the corporate network.
Of course, many of these attacks are based on the same bad tricks these criminals have relied upon for years simply because they work. With this in mind, organizations must do two things. First, act swiftly to inform employees about cyber hygiene practices. And second, prepare them and their defenses to repel traditional threats like phishing scams and ransomware attacks, as well as new browser-based web attacks, especially as they continue to work remotely. Hosting video conferences to spread cybersecurity awareness across all arms of the business, sending out regular email updates, and urging employees to keep an eye out for unusual or suspicious emails and webpages are just a few examples of the initial steps to take.
Top 10 Cyber Hygiene Tips to Employ Right Now
Thankfully, despite the continued prevalence of ransomware and the spike in HTML/phishing attacks, there are a number of simple steps organizations and their employees can take to build a stronger barrier against threats. Some of these steps are as simple as creating stronger passwords and performing regular software and application updates. Others may require the addition of newer, more advanced endpoint security software.
It’s also important to note that certain types of business resources are at particularly high-risk for attacks in the current climate. These include financial systems, customer support systems, and research and development resources. Extra measures and precautions may need to be taken beyond the steps outlined below to protect these sensitive, high-priority assets.
- Ensure all employees receive substantial training, both when hired and periodically throughout their tenure, on how to spot and report suspicious cyber activity, maintain cyber hygiene, and now, on how to secure their personal devices and home networks. By educating individuals, especially remote workers, on how to maintain cyber distance, stay wary of suspicious requests, and implement basic security tools and protocols, CISOs can build a baseline of defense at the most vulnerable edge of their network that can help keep critical digital resources secure. This can involve online learning and workshops with experts.
- Run background checks before designating power users or granting privileged access to sensitive digital resources. By taking this extra step, organizations can make informed decisions that will inherently mitigate the risks associated with insider threats.
- Keep all servers, workstations, smartphones, and other devices used by employees up to date by applying frequent security updates. Ideally, this process should be automated, and enough time allowed for updates to be vetted in a testing environment. Proximity controls, such as cloud-based access controls and secure web gateways, can help secure those remote devices that cannot be updated or patched.
- Install anti-malware software to stop a large majority of attacks, including phishing scams and attempts to exploit known vulnerabilities. Try to invest in tools that offer sandboxing functionality (whether as part of an installed security package or as a cloud-based service) to detect Zero-Day and other unknown threats. New Endpoint Detection and Response (EDR) tools should be on every CISO’s shopping list as they are not only very effective at not only repelling malware but can also identify and disable malware that manages to bypass perimeter controls before they can execute their payloads.
- Ensure an incident response/recovery plan is in place, including a hotline through which employees can promptly report a suspected breach, even when they are working from home. This way, in the event of an attack, downtime will be minimized, and employees will already be familiar with critical next steps.
- Use secure access points, whether physical or cloud-based, and create a secured and segmented network for employees to utilize when connecting remotely. VPNs allow organizations to extend the private network across public Wi-Fi using an encrypted virtual point-to-point connection; this both enables and maintains secure remote access to corporate resources. And a zero trust network access strategy that includes NAC and network segmentation should also be in place.
- Implement a strong access management policy, requiring multi-factor authentication when possible and maintaining strict standards for password creation. Employees should not be allowed to reuse passwords across networks or applications, whether corporate or personal, and should be encouraged to set complex passwords with various numbers and special characters. Consider providing password management software so they can keep track of passwords.
- Encrypt data in motion, in use, and at rest. However, VPN and other encrypted tunnels can also be used to securely inject malware and exfiltrate data. Which means that organizations need to invest in technologies that can inspect encrypted data at business speeds as well as monitor data access, file transfers, and other significant activity.
- Keeping up with the speed and volume of attacks can scale well beyond the limitations of human security analysts. As a result, machine learning and AI-driven security operations are no longer optional. They enable organizations to see and protect data and applications across thousands or millions of users, systems, devices, and critical applications—even across different network environments, such as multi-cloud, and the full range of network edges, including LAN, WAN, data center, cloud, and remote worker edges.
- For security solutions to be as agile as the networks they need to protect (and the cybercriminals they need to defend against), they need actionable updates to keep pace with the shifting threat landscape. This means that even the fastest and most adaptable security solutions are only as effective as the threat intelligence infrastructure and researchers that support them.
Final Thoughts on Good Cyber Hygiene
In the wake of COVID-19, CISOs have been faced with a seemingly impossible task: Keep enterprise networks secure while employees continue to work from home, perhaps indefinitely. And they have needed to do so on a limited budget, fewer resources, and a team of security professionals that’s already stretched thin. The solution? Enact an organization-wide cyber hygiene protocol, building the remote network security infrastructure from the ground up.
By focusing on training, awareness, and education, employees will be better able to perform basic security tasks such as updating devices, identifying suspicious behaviors, and practicing good cyber hygiene across teams. After that, it is essential that organizations invest in the right systems and solutions – from VPNs to anti-malware software and encryption technologies – that enable clear visibility and granular control across the entire threat landscape. Complexity is the enemy of security, so the best response to an increasingly complicated and highly dynamic digital world is to get back to the basics. And that starts with cyber hygiene.