Freely subscribe to our NEWSLETTER

A health crisis as a trigger for cyber-attacks :

The current health crisis is straining companies’ resilience. The COVID-19 pandemic has forced companies to adapt very quickly to protect their collaborators and to ensure business continuity. However, among the wide range of security measures that have been implemented, only few organisations have incorporated Cybersecurity into their crisis management system in order to protect their information assets, and more importantly, their vital operations. Yet, the constantly growing number of cyberattacks since the beginning of the crisis and the setup of social distancing measures such as teleworking, now the new working “standard” working organisation mode, until a vaccine or an efficient treatment is developed and even beyond, have made it essential to conduct a thorough review of companies’ Cybersecurity systems.

As a matter of fact, cyberattacks are rapidly spreading around the globe as they exploit security loopholes linked to disorganisation caused by the pandemic. From the beginning of the lockdown, attacks like phishing have increased due to infected links allegedly selling FFP2 masks or hydroalcoholic gel that were out of stock at that time. Websites impersonating COVID-19 map took advantage of the situation by hiding malware payload. Due to the lockdown, the use of visio conference applications, for the purpose of teleworking distance learning, family reunions or even virtual friendly aperitifs, has also increased.

Some platforms such as Zoom are victims of their own success. Indeed, the American platform had reached 300 million users, but security issues were piling up, such as Zoombombing, which allowed unexpected intruders to disrupt the conference (insults, harassing, display of inappropriate content, etc.).
The United Nations Under-Secretary-General of Disarmament Affairs has recently declared that a cyberattack happens every 39 seconds in the world, according to the Organisations’ observations. More sophisticated attacks, like ransomware or DDoS, are becoming more and more frequent, and are massively targeting sectors that are currently under great pressure. The recent critical data breach of the biggest Japanese telecommunications company and the embezzlement of European universities’ supercomputers for the sake of crypto mining are a perfect illustration of that.

As a response to increased cyber-threats, cybersecurity measures need to be strengthened :

In order to face the rising number of Cyber threats and the growing attack surface, it is essential that companies strengthen their Cybersecurity posture through appropriate measures such as:
• Conducting targeted awareness campaigns, especially about phishing, social engineering, « Fake President » frauds and risks caused by the use of non-recommended tools by the company.
• Reducing delays of - robust and unique - password renewals. This measure is even more important because if the company does not implement a Single-Sign-On (SSO) system, the users will have a tendency to reuse the same password for different applications and platforms.
• Implementing multi-factor authentication (MFA) mechanisms to limit the risks of identity theft.
• Systematically using a VPN access solution dedicated to the company, ideally [IKEv2/]IPsec or alternatively TLS, to secure remote access to the internal network and company’s applications.
• Defining a clear and adapted security incidents management process.
• Information labelling and DLP systems hardening in order to avoid any data leakage, whether deliberate or unintentional. Also, the reinforcement of barriers such as CASB are necessary to limit information transfer to Cloud platforms considered reliable by the company.
• Using secure videoconference solutions, specific to the company and preferably recommended by a trusted certification bodies.
• Blocking USB ports, at least as long as teleworking is implemented, to prevent users from plugging-in personal storage devices, potentially compromised or unauthorised.
• Monitoring computers inventory transactions, and ensuring that users have up to date EDR on their workstations.
• Promptly applying security updates and creating patch management procedures adapted to remote access issues and performance, especially on equipment and software exposed to the Internet, such as VPN, remote office, messaging solution, etc.
• Hardening proxy rules, limiting them to the strict minimum. As an example, collaborators who work from home can browse extra-professional platforms from their personal equipment. An extension of the list of "blacklisted" sites or keywords will enable the use of corporate tools strictly for professional use and will reduce the risk of compromising them. Also, it is recommended to limit as much as possible downloading external files via the company’s Information System.
• Strengthening monitoring and remote connection security to ensure that any exchange of company-related data is secure. To achieve this, among other things, the automatic expiry time of inactive user sessions should be reduced. For companies allowing BYOD, the implementation of VDI environments should be encouraged, and to which the connection is solely possible through strong authentication.
• Deploying a competent and qualified Helpdesk system, well trained regarding Cybersecurity issues with dedicated reflex sheets, to handle quickly urgent or complex requests, especially those related to access and authorisation management.
• Forming a Cybersecurity Crisis Cell placed on pre-alert in order to perform a continuous and proactive monitoring and ensuring the Cell’s complete operational capacity following its activation.
• Backing-up critical data, including those related to BYOD. It is also recommended to have a recent copy of these backups, isolated from the company’s network.
• Strengthening of the company’s physical security, having sites sparsely or not occupied but still respecting the clean desk policy.
• Regularly reviewing Internet-exposed services’ access logs to detect suspicious behaviours.

?
Actions to be carried out to secure the business recovery :

At a time of the end of the lockdown, several other measures pertaining to cyber security policies and internal operations had to be enforced, in order not to impact companies’ Business Continuity :
• Conducting in-depth root cause analysis for each of the security incidents that occurred.
• Assessing compliance and functionality reviews for all Cybersecurity protection, detection, notification and reaction systems. Those reviews will enable the provision of required corrective actions and will identify any anomaly resulting from an attacker’s effort to conceal their malicious actions or to facilitate their attack.
• Creating and implementing a consistent, prioritised, progressive, orchestrated and shared patch management activities and updates plan with IT and businesses teams to offset any delay.
• Conducting a ‘Sheep dip’ process, where each of the company’s workstations would be connected to a dedicated computer before connecting to the internal network. This process will enable the actions below:
– Performing antivirus/malware scans, through one or several anti-virus/EDR solutions;
– Applying updates that could not be done remotely: OS, browsers, middleware, businesses applications, etc.;
– Reconfiguring the Proxy;
– Performing a data backup, through the usual backup system, and centralising them according to the diagrams;
Enforcing the renewal of the Windows passwords and/or SSO.
• Recovering scattered data and conducting data restoration tests to validate the proper operability of backups.
• Formalising a detailed post-mortem post-quarantine analysis regarding the efficiency and level of resilience of the company’s cybersecurity systems, in order to contribute to the company’s Cyber Transformation plan.
• Launching of network security audits, including IT equipment and services to identify any compromised systems which were not previously discovered.
• Safeguarding of budgets allocated to Cybersecurity, especially in this context of strong IT-dependence and where the consequences, especially financial, of a successful cyberattack would be heavy, and even fatal.
• Raising user awareness regarding new practices and procedures to adopt when dealing with [new] risks, again with a particular focus on phishing attacks, social engineering and “Fake President” frauds.
• The interruption of security waivers, external access and clearances granted on an exceptional basis.
• Updating Cyber Risk Mapping and Business Impact Analysis.
• Conducting technical security audits on contracted services and solutions acquired (or used) during periods of containment.
• Secure erasing of data stored of personal physical devices or Cloud.
• Activating the auditability clause, or any other clause, included in Services Level Agreements and Security Insurance Plans, in order to ensure the needed level of security of suppliers and subcontractors and to identify possible direct or collateral damage, related to incidents occurring on their side during the quarantine period.
• Updating security policies, processes and procedures, as well as Business (BCP) and IT (ITSCM, DRP) Continuity plans. Special attention should be paid to ransomware, DDoS and data breach scenarios.
• Active resumption of Threat Hunting operations to detect and isolate advanced threats that remain unidentified with the security measures in place.
The two above lists of measures are not exhaustive; they will have to be completed and prioritised in the light of the updated risk analysis and the cyber security maturity level specific to each company. It is also necessary to fully integrate the issue of teleworking, which will likely persist.
Beyond the duration of the crisis, it is imperative that cyber-risks coverage continues over time and that it becomes an inherent part of the company’s security practices. In order to carry on with this approach, it is necessary to develop and implement a tailor-made and pragmatic Cyber Strategy, to support, or even stimulate business, in particular by accelerating its digital transformation and the development of new services or products, thus enabling the emergence of new and more prosperous business models.

This Cyber Strategy, ineluctably end-to-end, will aim to achieve an optimal level of Cyber Resilience, considerably reinforcing the sustainability of the company’s activities in the face of the protean crises that have been announced, and positioning cybersecurity as a business enabler.

From an operational point of view, this strategy will be materialised through the implementation of a Cyber Transformation plan, structured around five streams: people, process, technology, data and innovation.