There have been ample warnings about phishing emails capitalizing on the coronavirus outbreak, as phishing attacks tend to employ current fears to entice users. That much should be well understood as it occurs each time there are new widespread fears.
A less understood security consequence of coronavirus is that large number of employees in affected areas are all of a sudden working from home, accessing enterprise data and applications from unmanaged devices (such as a personal computer). In some parts of the world coronavirus has resulted in heightened security risks as a consequence. Criminals look for the easiest way to steal sensitive corporate data, and accessing a corporate network remotely from a compromised unmanaged device is the softest route.
Remote access from unmanaged devices introduces elevated risks as the device has a lower security posture, has higher risk of compromise, runs counterfeit or unlicensed software, or operates from an untrusted network. The enterprise has no control over what software is running or has previously executed on the device. Unmanaged devices accessing a corporate network have higher risk of stolen sensitive data (including corporate login credentials) from attacks involving keylogging, screen capture / screen grabbing, man-in-the-browser, saved account detail harvesting, screen mirroring, man-in-the-middle, DLL injection, and RDP double-hop.
Security-conscious enterprises take steps to ensure that unmanaged devices remotely accessing the corporate network have the same security posture as managed devices within the corporate perimeter. This includes ensuring that applications accessing the network are isolated from the rest of the potentially-compromised unmanaged machine, protecting against kernel-level threats commonly missed by anti-virus software such as keyloggers, preventing malicious screen capture and screen grabbing, and preventing DLL code hooking injection. In addition, browsers accessing the corporate network should be locked down including url whitelisting, enforced certificate checking, and enforced https. Additional sensible security measures on unmanaged machines include login credential checking and advanced mechanisms to identify malware C2 communication. These protections are the device facemask that are appropriate in the risky circumstances.
These security measures are relevant not only in coronavirus hot spots such as Wuhan but for all environments involving remote access from unmanaged devices. Most organizations have more and more people working remotely and need to implement these security measures as well. It is important for organizations to ensure a common security posture for all access into the corporate network – employee remote access as well as customer and supplier remote access, should all have the same security posture as access from managed devices within the corporate perimeter. Not only is this good business sense, but common posture from all touch points into the corporate network is becoming a compliance necessity in a growing number of sensitive sectors.
Leave a Reply