If you're like me and love watching movies, don't be deceived by the title. The CIA here does not mean the Central Intelligence Agency, which infiltrates criminal organizations undercover and takes them down once it has enough evidence. The CIA referred to here is the CIA triad on which all security fundamentals and frameworks are built: the Confidentiality, Integrity, and Availability that we take into consideration when architecting solutions for our organizations.
CIA Triad
If you've been involved in security and hold a certification from a security program, you will have come across the CIA triad and how it should be the foundation for architecting solutions. The three principles are not optional when starting a solution design. You cannot decide to implement Confidentiality and Integrity but not Availability, or Confidentiality and Availability but not Integrity. Nothing precludes you from doing so, but the design will be flawed from its inception. You may have seen this in many organizations: digging a little deeper into the design, you quickly recognize which part of the CIA triad was excluded from the implementation, and in the worst case the missing leg is only discovered when a compromise occurs or something goes amiss.
COVID-19 and Social Distancing Times
A lot of people are already tired of hearing about COVID-19 and Social Distancing. Still, in reality, cybercriminals have exploited the current situation, increasing their number of targets and raising the bar on how they approach their next victim. A recent report backed by the Pentagon states that the COVID-19 situation has presented numerous opportunities to cyber-criminals and that cyber-attacks have increased. In that article, they state that anyone on the Internet is "fair game" for phishing attacks.
We quickly forget that those of us who access systems and data, whether company data or customer data, no longer reside within the four walls of the company. With the majority of people now working from home, this has created an enormous challenge for companies and their security personnel. With access now coming from all over the country, rather than being restricted to a few individuals as before, the potential for compromise has increased exponentially.
The activity of accessing anything remotely has put the CIA triad in jeopardy.
Expanding the Workplace Walls
Consider Availability: if an individual's system has a virus or stops working, they cannot simply call the IT department to come and fix the problem. Availability has dropped significantly, and this potentially opens the door to quick fixes that put the organization at risk. For example, imagine that an employee's laptop stops working but they must access systems as a matter of urgency. IT allows the individual to use their home computer, which might have no virus protection and outdated software and, of course, could have been used to connect to infected websites to download our favorite television series. This is an ideal situation for cyber-criminals to use that computer to gain access to the organization and exploit systems with minimal effort. Not to mention the home networks we use, which are most definitely not as secure as the networks at work.
Due to this expansion of the workplace walls, the confidentiality and integrity of the data we access are at increased risk. Data on a machine that has not been hardened, vulnerable networks, and no logging on the end-user device leave the security team blind when an attack is launched from these remote locations. Confidential information used to be kept within a closed office but is now at home, where it can be accessed by anyone who walks into the room. Many might say this can be the case in the workplace as well; however, we would like to believe that there are more security controls in place at the workplace than in the homes of hundreds of employees.
With remote connectivity now allowed for the masses instead of the few, and given the pace at which this had to occur, the integrity of the environment has been put in jeopardy. When personnel are required to roll things out with a big-bang approach and at a rapid pace to ensure staff can still work, there are bound to be mistakes. These mistakes are generally identified only when something goes wrong. Let's face it, who is actively auditing their environment when they are required to guarantee availability?
A few weeks ago, we touched on business continuity, and the one key pattern that can be observed in many of these scenarios is the reality that uptime takes precedence over security during a disaster. These situations create the opportunity for cyber-criminals to exploit the vulnerabilities associated with COVID-19 and Social Distancing.
Ensuring Confidentiality, Integrity and Availability
The crucial point to take from current affairs is that organizations should ensure that the Confidentiality, Integrity, and Availability of their systems remain intact. This can be done using the following methods:
- Instead of opening connectivity to employees by exposing external IP addresses that allow access to web applications or other systems, organizations could make use of the following:
- Utilize a VPN that uses proper encryption over the end-to-end connection. Robust encryption algorithms include RSA 2048-bit or stronger and AES 128-bit or stronger. Other algorithms are still permitted, but it is best not to take any chances.
- Instead of relying only on standard authentication with either a pre-shared key (a bad idea) or usernames and passwords that can be compromised through brute-force attacks, implement multi-factor authentication (MFA). Implement it at the edge of your network to make it harder for cyber-criminals to gain access to the environment. You would not want attackers to gain access to the VPN, which already gives them access to your network; this can happen if you enforce MFA only on a bastion host or on individual systems. There are always methods to bypass MFA if an attacker can gain access to routers or firewalls that are not themselves protected with MFA.
- Once connected to the corporate network, apply least-privilege access. If a set of user credentials is compromised, the attackers will have minimal access to confidential data.
- Increase log monitoring and look for abnormal behavior. This will be more difficult now, since there are many more connections to the environment from outside than usual.
- Change the way you perform threat analysis. Focus on narrowing down your dashboards and alerting; unnecessary alerts blur the identification of actual attacks.
- Before systems connect, ensure you have policies in place requiring all systems to be up to date with patches and anti-malware definitions. Have your anti-malware application scan on access so that systems identify malicious software immediately rather than during the weekly scan.
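To make the monitoring and alerting points above concrete, here is an added example, written for this page and not code from the article or from Foregenix, that runs a few abnormal-behaviour checks over a handful of constructed VPN authentication log lines: a burst of failed logins from one source (the brute-force pattern the MFA point warns about), a successful login from an address the user has never used, a success immediately after such a burst, and logins outside business hours. It then collapses the individual hits into one incident per user and source, which is the "narrow the dashboard" step: the analyst sees a single row with its reasons rather than a flurry of alerts. The log format, field names, thresholds and business-hours window are all assumptions, and the sample log is constructed.

```python
"""Added example (not from the article or Foregenix): simple abnormal-behaviour
checks over VPN authentication logs, followed by alert aggregation.

The log format, field names, thresholds and business-hours window are all
assumptions invented for illustration, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
#   <ISO timestamp> vpn user=<name> src=<ip> result=<success|failure>
SAMPLE_LOG = """\
2020-04-06T08:02:10 vpn user=alice src=203.0.113.10 result=success
2020-04-06T08:05:44 vpn user=bob src=198.51.100.7 result=success
2020-04-06T09:10:01 vpn user=alice src=203.0.113.10 result=success
2020-04-06T12:15:30 vpn user=bob src=198.51.100.7 result=failure
2020-04-06T12:16:02 vpn user=bob src=198.51.100.7 result=success
2020-04-06T22:31:05 vpn user=alice src=192.0.2.55 result=failure
2020-04-06T22:31:40 vpn user=alice src=192.0.2.55 result=failure
2020-04-06T22:32:12 vpn user=alice src=192.0.2.55 result=failure
2020-04-06T22:32:58 vpn user=alice src=192.0.2.55 result=failure
2020-04-06T22:33:40 vpn user=alice src=192.0.2.55 result=failure
2020-04-06T22:34:12 vpn user=alice src=192.0.2.55 result=success
"""

# Assumed tuning values; a real deployment derives these from its own baseline.
FAIL_THRESHOLD = 5                      # failures from one (user, source) pair ...
FAIL_WINDOW = timedelta(minutes=10)     # ... inside this window count as a burst
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local time


def parse_line(line):
    """Turn one log line into a dict with a datetime and the key=value fields."""
    ts_text, _tag, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts_text), "user": fields["user"],
            "src": fields["src"], "result": fields["result"]}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events):
    """Return (kind, user, src, timestamp) tuples for each suspicious observation.

    Checks: a burst of failures from one source, a success from an address the
    user has never used before (the first address seen for a user is treated as
    the baseline), a success right after such a burst, and any success outside
    business hours.
    """
    events = sorted(events, key=lambda e: e["ts"])
    known_sources = defaultdict(set)     # user -> addresses seen logging in successfully
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps in the window
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            window = recent_failures[key] + [e["ts"]]
            # keep only failures that fall inside FAIL_WINDOW of this one
            recent_failures[key] = [t for t in window if e["ts"] - t <= FAIL_WINDOW]
            # fire when the threshold is first reached, not on every extra failure
            if len(recent_failures[key]) == FAIL_THRESHOLD:
                alerts.append(("brute_force", e["user"], e["src"], e["ts"]))
            continue
        # successful login
        seen = known_sources[e["user"]]
        if seen and e["src"] not in seen:
            alerts.append(("new_source", e["user"], e["src"], e["ts"]))
        if len(recent_failures[key]) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", e["user"], e["src"], e["ts"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", e["user"], e["src"], e["ts"]))
        seen.add(e["src"])
        recent_failures[key] = []   # a success closes the failure burst
    return alerts


def summarise(alerts):
    """Collapse individual hits into one incident per (user, src) with its reasons.

    One row per pair instead of one row per alert, so the analyst sees what to
    look at first rather than a stream of near-duplicate notifications.
    """
    grouped = defaultdict(set)
    for kind, user, src, _ts in alerts:
        grouped[(user, src)].add(kind)
    return {pair: sorted(kinds) for pair, kinds in grouped.items()}


if __name__ == "__main__":
    hits = detect_anomalies(parse_log(SAMPLE_LOG))
    for pair, reasons in summarise(hits).items():
        print(f"{pair[0]} from {pair[1]}: {', '.join(reasons)}")
```

Run on the constructed log, the only incident is alice from 192.0.2.55, tagged with all four reasons; bob's single failure followed by a success from his usual address during the day produces nothing, which is the point of thresholds and baselines: the noise stays off the dashboard. In practice the baseline of known addresses would be kept across runs, and the thresholds tuned against the organization's own normal traffic.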
Takeaway
The methods above do not require the acquisition of any additional products or solutions; these are applications and solutions that most companies should already have in place. The crucial part is deciding where it would be most beneficial to implement these technologies and how to adjust the way we look at the detail so that we do not get a blurred view from an abundance of data. Minimize the information that is reviewed so that you have a clearer view to identify when a possible compromise is occurring.
Humans are very seldom eager to ask for help when in need. This is the time when we should all stand together and assist one another in the fight against cyber-attacks. Foregenix can assist in auditing your environment to find potential holes that require attention, or consult on how to change your approach to threat management so that attacks are identified before they turn into a compromise, so feel free to get in touch.