Tag: Covid 19

  • The Most Important Cybersecurity Lessons of 2020

    At the close of a year that turned our world upside down, it’s more than fair to wonder and worry about what 2021 might bring. Even as we pray for health, prosperity, and peace, cybersecurity professionals understand that these blessings will remain under constant attack by malicious actors for whom every upheaval in our lives is an opportunity to strike. 

    Despite the high-profile breach of SolarWinds and ongoing attacks from state-sponsored actors, I believe the COVID-19 pandemic best illustrates that point in a couple of different ways. Here’s why: In 2020, companies worldwide asked their teams to work remotely all or part of the time. But not all of them had appropriate security protocols in place beforehand, leaving their networks vulnerable to attackers as they made the transition. 

    I’m not suggesting that business owners (or even health professionals) should have predicted the arrival of the novel coronavirus, but there are any number of natural and manmade disasters that can force us out of our offices. We all need to have a continuity plan – and cybersecurity should certainly be one of its guiding principles. 

    For those who did have a plan, now is the time to ask if it was followed correctly and if it worked effectively. I strongly encourage CEOs and business owners to include your infosec teams in these discussions and perhaps have them take the lead. More importantly, listen and act on their recommendations because the new normal will come with new challenges for all of us. 

    Assuming that the US and other nations are able to contain the spread of COVID (as we hope and expect), some companies will ask their workers to return to an office environment, some will make the remote model a permanent feature, and still others will adopt a hybrid approach that features elements of both. Safety and productivity are the factors that will most likely (and appropriately) drive those decisions. But effective cybersecurity measures should be a non-negotiable feature regardless of the workplace model.

    Not to turn this post into a commercial, but Raxis (and some other pen-testing companies) can be of great help in this process. That’s because we understand where attackers are most likely to focus their efforts and thus where your company is most vulnerable. We speak the same language as your infosec team, so we can work with them to come up with a plan that gives you the most flexibility to meet your business needs, but still keeps you and your network safe from attackers.

    My hope is that an enduring lesson from the COVID-19 experience (and other events in 2020) is that more organizations need to take a proactive approach to cybersecurity. Though we can’t predict who will be breached and when, we know for certain that the attacks will continue indefinitely. And while we don’t know when a global or local disaster will disrupt our operations, we should be ready to respond swiftly and securely if it does.

    Here’s to a safe, secure, and prosperous new year for your business. At Raxis, our business is helping you stay that way.

  • An Earth Day Message from Raxis

    With our planet in the grips of the COVID-19 pandemic, Earth Day 2020 definitely has a different vibe this year. In some ways, the virus serves as a reminder of how closely connected we are to one another and how little control we actually have over nature. Our activities can severely impact it, and our technology can sometimes predict it, but all it takes is a tiny strand of RNA to remind us that we are inhabitants of Earth and not its masters.

    If there can be any upside to this worldwide tragedy, it may be that many more businesses are coming to understand the benefits of allowing team members to work from home. At Raxis, we’ve enjoyed those advantages since we launched the company in 2011. For us, it makes sense on many levels.

    Atlanta is a large city and, no matter where we put an office, some of us would face commute times of an hour or more. As penetration testers, we have little need to share infrastructure or applications – we have our own tools and leverage VPNs. We have also become experts at online chat and audio/video conferencing, and we hold frequent team-building events to nurture camaraderie and friendship.

    For Raxis, the remote-work model continues to pay dividends in terms of productivity and quality of life – but that’s just at the company level. What’s really exciting is to think about the prospect that thousands of other businesses might now join our ranks. That’s because, in the few short weeks that COVID-19 has forced us to stay home, we’ve seen air quality improve around the world and greenhouse gas emissions drop dramatically. Fewer cars on the roads also means fewer accidents and lower insurance costs. And for many, less time in their vehicles has meant more time with family, hobbies, and exercise.

    We won’t miss social distancing, but imagine the improvements we could see over the long term if remote work becomes the norm.

    As a cybersecurity company, we can’t ignore the potential threats from hackers and scammers. In fact, my Raxis colleagues and I spend a lot of time warning businesses and their employees about the risks of working from home. With diligence and appropriate safeguards in place, however, a home office isn’t necessarily less secure than a traditional office.

    Of course there are also many who cannot work from home – police, first responders, emergency room personnel, to name just a few. Even so, their working conditions could well improve if more of the rest of us do stay home. In addition to making the highways safer, for example, less congestion means emergency personnel can get to the people who need them faster. Stores, restaurants, gyms, and salons could see customer traffic spread more evenly throughout the day. All of this would likely mean less of a burden on our federal, state, and local employees as well.

    Still, it would be naïve to think that the COVID-19 emergency on its own will cause an immediate and fundamental change in the way the world does business. It’s likely that these blue skies will fade a bit when people go back to work and the pace of life picks back up. But it’s also possible that this terrible pandemic has come with a silver lining – a brief glimpse at the benefits of living and working more sustainably.

    Our hope for this Earth Day is that the time we’ve spent away from the office has given us time to consider whether so many of us need one at all.

     

  • Remote Security Series: Protect Your Network Health Like Your Own

    Most of us understand by now (hopefully) that this COVID-19 emergency is not the time to take chances with our health and safety. The benefits of being disease free far outweigh the costs of some social distancing and extra diligence about hygiene. However, I’m worried that many companies don’t seem to make the connection between what they’re doing to protect their employees and what they should be doing to protect their data.

    That’s dangerous because hackers are heartless. In their world, COVID-19 doesn’t bring suffering and death; to them, it’s all about opportunity and wealth. Like a virus, they’re attacking the most vulnerable and leaving untold damage in their wake.

    Unfortunately, we’ve seen and heard about companies across America that are making hackers’ jobs easier. For example, the additional strain of accommodating remote workers has caused many IT departments to open ports and grant access that they would never allow normally.

    RDP, VPN, oh my!

    One common problem is companies opening remote desktop protocol (RDP) access, which can be easily exploited. Others have VPN configuration errors that slow network traffic, frustrate users, and put pressure on IT staff to relax security measures in order to improve productivity. And some are not monitoring network traffic, which can open the door to brute force attacks. Raxis is seeing this firsthand in many of the external and remote internal penetration tests we are currently conducting for our customers.

    Add to this the challenge of team members accessing the network with their home devices. Each one brings with it a high degree of risk that most office-based IT teams aren’t accustomed to managing at scale.

    The bad guys know all this, of course. That’s why we’ve seen a surge of attacks, many based on the COVID-19 emergency itself. Scammers know we’re scared, tired, and worried for ourselves and our loved ones. We’re more likely to click on a malicious link or reveal sensitive information – and less likely to have appropriate safeguards in place when we do.

    Where to start

    So, what’s the solution? Our previous posts in this series have talked about ways to make networks more resilient from a technological perspective. But this is also a time when IT pros have a responsibility to safeguard their companies’ infrastructure and protect their employees. It’s up to you to make sure that productivity doesn’t come at the expense of security, even if that isn’t what your C-suite leaders or colleagues want to hear right now.

    The good news is that you don’t have to go it alone. Raxis experts can help you discover and document any unintended security consequences that come from your team working remotely. We can provide a fresh, hacker’s-eye evaluation of your perimeter defenses along with continual assessments to make sure they remain effective. We also offer many remote solutions that go hand in hand with the new workplace guidelines for many of our customers.

    Just as the coronavirus has made us more careful about our physical health, the resulting work-from-home experience should make us much more conscious of our cybersecurity posture. Give us a call and let’s talk about how Raxis can help you emerge from this crisis more secure and more confident about working remotely.

    Contact Raxis for more information.

    Want to learn more? Take a look at the first part of our Remote Security Series.

  • Remote Security Series: Urgent Questions You’ll Face About VPN and Remote Access

     As the coronavirus has pushed almost all of the workforce remote, IT teams have been very busy making networks accessible in ways they weren’t previously. Most organizations plan for a consistent number of users remotely accessing the network. I doubt any planned for a nearly global work-from-home (WFH) event like COVID-19. 

    As a result, I’ve worked with a few companies to help implement some very last-minute WFH solutions. I came away with a better understanding that there are some critical questions companies need to be asking (and answering) right now. 

    Do you have enough VPN licenses? Imagine being told on a Friday afternoon that everyone will be working from home for the foreseeable future. One company’s VPN was licensed for 100 users but had over 250 working remotely. Their immediate answer was to open up remote desktop ports for each user’s office computer. Bad idea, especially considering a few passwords were very insecure, including “Winter2020!” and “Corona2020$.” 

    Do you have enough bandwidth? Like VPN licenses, most companies have plenty of bandwidth to handle office data and the normal load of remote users with no issues. But with everyone working from home and many streaming media, this can cause a lot of strain on your network and lead to performance issues and outages.  

    Is split tunneling appropriate for your company? In many cases, split tunneling is a great way to address the bandwidth issue. However, you lose some encryption as you now have only certain applications and network traffic going back through the encrypted VPN. This can lead to data being mishandled, so make sure you have safeguards in place to prevent that. Also, it’s a good idea to block streaming services through the VPN tunnel or on an endpoint protection product. 

    Are your users trained to use the VPN? With the rush to get users set up, users who worked in the office every day are now trying to do the same type of work from home. This may be painfully slow if they are accustomed to 1000 Mbps in the office and get only 50 Mbps at home. Their fix will be to download files locally, work on them, and then upload them back when done (we hope). That raises a couple of other important questions…

    Do they delete sensitive data from their computers when they are done?  Do they even know they should do this? If there’s even a speck of doubt, I strongly recommend putting data loss prevention (DLP) tools on the endpoints to ensure data isn’t leaving the network unsecured.

    Do you have a ‘shadow IT’ problem you didn’t know about? Here’s an interesting issue I ran into recently: A company realized there were employees who had been working remotely for years, but who didn’t know how to use the VPN to access files they need on a daily basis. I decided they either have integrity challenges, or they have unauthorized side channels they may not know about. Let’s set aside the ethics issue and assume you suspect the latter. Now would be a good time to start monitoring traffic going out to popular file sharing services. In an incident response situation, these services create more areas to audit, and your price tag and scope just increased a lot. Imagine thinking you have 10 servers and 400 workstations to check and then adding every Dropbox, Box.net, Sync and OneDrive account and folder. 

    Is your VPN network being monitored or logged? How many concurrent connections are allowed per user? This is important if a user is compromised and you allow unlimited connections per user. A malicious person can be connected to your network and it may go unnoticed. That’s why you should enforce MFA on your remote access solution.

    Are user endpoints encrypted and patched? Your end users are now working on networks with potential default passwords and weak wireless security, which you probably can’t control. It is very important, then, that you harden whatever you can control. Once your WFH solutions are in place, make sure you remember to audit their security. Don’t let a rush to get users working remotely lead to costly misconfigurations and data breaches — just because they click a malicious COVID-19 update or decide to watch cat videos.

    Does your business continuity plan reflect the new reality? Remote access to critical data should be a part of your business continuity plan. Being surprised by a hard limit of users on your VPN appliance can lead to a rush to provide accessibility, which in turn can lead to bad security decisions. Testing this plan will also show you areas that need to be addressed or that would be much easier to handle if you had known ahead of time. Also, ensure you have an updated remote access and VPN policy in place. Your end users will not always make smart security decisions, so ensure that they have a document to reference.
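
    For the question above about logging the VPN and limiting concurrent connections per user, here is one way to audit session logs for accounts that exceed a per-user limit. This is an added example, not Raxis code: the log format, sample lines, and function names are constructed for illustration and will differ from what your VPN appliance emits.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN session log (hypothetical format, not a real appliance):
# timestamp, event, user, source IP, session id
SAMPLE_LOG = """\
2020-03-23T08:01:10 CONNECT alice 203.0.113.10 s1
2020-03-23T08:05:42 CONNECT bob 198.51.100.7 s2
2020-03-23T09:14:03 CONNECT alice 192.0.2.55 s3
2020-03-23T09:30:00 DISCONNECT bob 198.51.100.7 s2
2020-03-23T09:45:19 CONNECT alice 192.0.2.99 s4
2020-03-23T10:02:00 DISCONNECT alice 203.0.113.10 s1
2020-03-23T17:00:00 DISCONNECT alice 192.0.2.55 s3
2020-03-23T18:10:00 CONNECT bob 198.51.100.7 s5
"""


def parse_events(text):
    """Yield (timestamp, event, user, source_ip, session_id) tuples."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("CONNECT", "DISCONNECT"):
            raise ValueError(f"line {line_no}: unrecognized log entry")
        yield (datetime.fromisoformat(parts[0]), *parts[1:])


def audit_vpn_sessions(text, max_sessions=1):
    """Replay the log in time order and report concurrency violations.

    Returns (findings, peak): findings lists every CONNECT that pushed a
    user above max_sessions; peak maps each user to their highest number
    of simultaneously open sessions.
    """
    open_sessions = defaultdict(dict)  # user -> {session_id: source_ip}
    peak = defaultdict(int)
    findings = []
    for ts, event, user, ip, sid in sorted(parse_events(text)):
        sessions = open_sessions[user]
        if event == "DISCONNECT":
            # Tolerate a disconnect whose matching connect was never logged.
            sessions.pop(sid, None)
            continue
        sessions[sid] = ip
        peak[user] = max(peak[user], len(sessions))
        if len(sessions) > max_sessions:
            findings.append({
                "user": user,
                "time": ts.isoformat(),
                "open_sessions": len(sessions),
                # Several distinct source IPs at once is the stronger signal
                # that a credential is shared or compromised.
                "source_ips": sorted(set(sessions.values())),
            })
    return findings, dict(peak)


if __name__ == "__main__":
    findings, peak = audit_vpn_sessions(SAMPLE_LOG, max_sessions=1)
    for f in findings:
        print(f"{f['time']} {f['user']}: {f['open_sessions']} sessions "
              f"from {', '.join(f['source_ips'])}")
    print("peak sessions per user:", peak)
```
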

     The coronavirus emergency is putting all of us to the test, but especially the IT teams who shoulder the responsibility for keeping a remote workforce secure and productive. Make sure you have good answers to these questions and, if you need help, remember we are here for you.

     Raxis is always happy to discuss your unique circumstances and to offer options specific for your needs as well as your budget.

    Contact Raxis for more information.

     Want to learn more? Take a look at the next part of our Remote Security Series.

  • Remote Security Series: Review Remote Workforce Policies

    The coronavirus emergency has made it clear that some companies are ready for the new work-from-home (WFH) reality, with mature and tested policies for managing remote business workflows. Others were caught off-guard and now find themselves developing and refining their procedures even as they’re being implemented.

    Especially in times of crisis, we humans need structure, boundaries, and clear guidance to help us feel secure and remain productive. So much so that we’ll create our own in the absence of any guidance. And while a little flexibility is a good thing, remote work brings technology and cybersecurity challenges that demand clear, relevant, and effective policies to protect the company’s network.

    Turning the problem into an opportunity

    Though most companies are now facing the radical shift to a remote workforce, the smart ones are using this emergency as an opportunity to review and update their remote work policies. Even for those that have transitioned smoothly to WFH, the scale of this change makes it prudent to double check the security posture of their teams. Those that do will find more ways to make their operations more secure and efficient; those that don’t may become corporate casualties of the coronavirus.

    Safeguarding sensitive data

    One of the biggest security issues for businesses is handling sensitive data like Social Security, credit card, or bank account numbers. Do you have procedures in place to make sure that information can be sent and received securely? Take a close look at how sensitive data flows across your newly extended network boundaries. Make sure you’ve accounted for identity management, client information, and any type of financial divulgence or payment.

    Like a rubber band, your network perimeter thins as it expands. Remote workers are at a heightened risk of direct attacks against their personal data. Emphasize the importance of documented policies regarding internal communications. Some examples might include never asking for passwords, verifying critical or sensitive requests, and MFA support.

    Business continuity processes (you do have them, don’t you?) no longer enjoy the luxury of encompassing a small number of sites. They now must accommodate an increasingly dynamic footprint of inputs from remote workers. Use this experience to update them to include such things as better internal communications, more productivity checkpoints, remote device wipe, and alternate contact information for remote workers.

    Include guidance about the personal use of business assets and make sure your VPN enforces a minimum level of security compliance before authorizing network connections. That should include requiring the use of company devices, keeping your endpoint protection up to date, and making sure any necessary agents are installed.

    In addition, you should enforce MFA on all systems that connect to network resources. Implementing MFA requires planning, but it offers much more robust security at the perimeters.

    All of these efforts are important, but they’re doomed unless you also have an effective way to let your workers know about them. Now is the time to communicate more frequently about security and be on guard against localized attacks like phishing and spear-phishing. Not sure about that email? Don’t open it. Hold off on sending hyperlinks so that any links received stand out for additional scrutiny.

    Where to start

    These are just a few of the ways you can make sure your business turns the problems you face with remote work into opportunities to make the experience more effective for your company and your team.

    If you need more help or want experts to help you transition to WFH, Raxis offers thorough security reviews and guidance on Teleworking, Security, and Business Continuity / Disaster Recovery (BC/DR) policies.

    Contact Raxis today for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.

  • Remote Security Series: Stay ahead of the phishing attacks that follow COVID-19

    In these uncertain times, many companies are allowing employees to work from home more than ever before. Essential personnel onsite at the workplace are kept to a minimum and are offered remote support when issues occur. The scope of remote work is unprecedented and brings up a lot of questions for managers aiming to support their employees.

    This series will discuss security testing and consulting options that Raxis offers to help companies work as securely as possible while employees work from home using home wireless services and systems or jump on the company VPN in unprecedented numbers.

    Phishing

    Raxis expects a rise in phishing attempts — emails, texts & phone calls — as attackers realize that employees are at home and not as easily able to verify that requests are legitimate.

    Let’s start with your VPN itself. It’s likely at least a few of your team members are going to have problems logging on. Though they may be overwhelmed, your help desk workers are inclined to be helpful. Verification is a step that might easily be skipped in a rush to get an exec or senior manager online.

    Finance is another point of vulnerability. Say that you receive an email from your boss saying to approve a new vendor payment. Normally your boss would never send that in an email . . . but these are not normal times, and you’re both working from home. You think of giving her a call, but she just told you she’s busy setting up her children’s new online school meeting. Do you approve the request? How are you sure that it’s legitimate?

    What if it was a phone request from a customer who is working from home? He’s on his cell phone. Are you sure it’s really him? Should you verify before telling him customer financial information? Sure you should, but you’re out of your normal environment and he sounds really annoyed. What do you do?

    And what about your teammates? Your employee texts you and asks for the password to an old system with a shared password. Do you text them back? Do you check the number first? Send it in email?

    These are different questions than you ask when you’re in the office and can lean over the cube wall. It pays to make sure all your employees know the answers (or at least ask the questions) before they face them in the real world from home.

    Where to start

    Raxis has a number of phishing tests that fit these scenarios, and we are happy to work with you to customize a test that fits your needs. We provide a report and a debriefing call to help you educate your employees with real world examples. Whether they pass or fail, it’s an opportunity to safely assess their readiness and reinforce their training.

    Take a look at our social engineering offerings. As always, Raxis is happy to advise you and work with you to customize a test that meets your needs. If you have concerns, we’d be happy to chat with you about options that work for you.

    Contact Raxis today for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.