Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1251983%22%20slang%3D%22en-US%22%3EEnsuring%20Security%20during%20COVID-19%20Operations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1251983%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20article%20was%20originally%20published%20on%20my%20LinkedIn%20page%20on%2016%20March%202020.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E(FYI%3A%26nbsp%3B%20As%20I%20was%20writing%20this%20post%2C%20the%20news%20reported%20that%20HHS%20had%20been%20hit%20with%20what%20appears%20to%20be%20a%20denial%20of%20service%20attack.)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20cybersecurity%20community%20there%20is%20a%20saying%20%E2%80%9CCyber%20can%20impact%20physical%20and%20physical%20can%20impact%20Cyber%E2%80%9D.%26nbsp%3B%20We%20normally%20think%20of%20this%20in%20terms%20of%20warfare%2C%20such%20as%20what%20happened%20with%20the%20Ukrainian%20power%20grid%20a%20few%20years%20back.%26nbsp%3B%20But%20as%20the%20COVID-19%20crisis%20continues%20and%20drives%20more%20organizations%20to%20enable%20remote%20work%20scenarios%2C%20cybersecurity%20professionals%20need%20to%20be%20tightly%20integrated%20into%20our%20organization%E2%80%99s%20contingency%20planning%20to%20ensure%20we%20continue%20to%20protect%20the%20business.%26nbsp%3B%20What%20we%20don%E2%80%99t%20want%20to%20have%20happen%20is%20a%20data%20breach%20or%20other%20security%20incident%20to%20occur%20during%20or%20immediately%20following%20the%20crisis.%26nbsp%3B%20Having%20helped%20with%20contingency%20planning%20in%20the%20military%20for%20many%20years%20and%20from%20my%20experience%20helping%20customers%20with%20cloud%20security%2C%20here%20are%20a%20few%20tips%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EDocument%2C%20Document%2C%20Document!!!%3C%2FSTRONG%3E%20%E2%80%93%20During%20situations%20like%20this%20it%20is%20normal%20to%20want%20to%20execute%20quickly%20to%20meet%20mission%20requirements%20and%20while%20doing%20so%20not%20documenting%20the%20changes%20you%20are%20making.%26nbsp%3B%20I%20know%2C%20%E2%80%9Csay%20it%20isn%E2%80%99t%20so%E2%80%9D.%26nbsp%3B%20When%20this%20is%20over%20that%20documentation%20will%20be%20critical%20for%20understanding%20what%20was%20done%20and%20more%20importantly%20backing%20out%20any%20changes%20that%20you%20no%20longer%20need.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EImplement%20a%20running%20risk%20assessment-%3C%2FSTRONG%3E%20In%20the%20military%20we%20did%20a%20risk%20assessment%20for%20every%20event%20and%20updated%20it%20based%20on%20changing%20conditions.%26nbsp%3B%20I%20recommend%20that%20you%20get%20with%20the%20business%2C%20determine%20their%20mission%20requirements%20and%20start%20a%20continuous%20risk%20assessment%20process.%26nbsp%3B%20One%20key%20outcome%20of%20this%20process%20will%20be%20to%20identify%20where%20your%20data%20is%20vulnerable%20and%20then%20help%20you%20implement%20compensating%20controls.%20(%3CA%20href%3D%22https%3A%2F%2Fmy.nps.edu%2Fdocuments%2F103449465%2F112525310%2FDD_Form_2977_Deliberate_Risk_Assessment.pdf%2F1f408904-25fb-4e7b-bc6d-53cedb8e4551%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EExample%20Risk%20Assessment%20from%20Army%3C%2FA%3E)%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMFA%20all%20the%20things%20%E2%80%93%3C%2FSTRONG%3E%20If%20you%20are%20allowing%20any%20type%20of%20remote%20access%20to%20data%20or%20services%2C%20it%20needs%20to%20be%20protected%20with%20Multi-Factor%20Authentication.%26nbsp%3B%20Unfortunately%2C%20the%20world%20contains%20a%20lot%20of%20bad%20actors%20who%20will%20take%20advantage%20of%20this%20situation%20to%20steal%20information%20or%20deploy%20ransomware.%26nbsp%3B%20Many%20of%20these%20attacks%20will%20attempt%20to%20take%20advantage%20of%20a%20vulnerable%20identity%20perimeter%2C%20a%20properly%20implemented%20MFA%20solution%20will%20protect%20against%20most%20(~99%25)%20of%20these%20attacks.%26nbsp%3B%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-mfasettings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ELINK%3C%2FA%3E)%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EBlock%20Legacy%20Authentication%20%E2%80%93%3C%2FSTRONG%3E%20If%20you%20are%20leveraging%20Office%20365%2C%20Azure%2C%20Azure%20AD%2C%20etc.%26nbsp%3B%20you%20should%20try%20to%20remove%20any%20legacy%20authentication%20from%20your%20environment.%26nbsp%3B%20This%2C%20along%20with%2C%20MFA%20are%20the%20most%20effective%20ways%20to%20protect%20your%20Microsoft%20Cloud%20environment.%26nbsp%3B%20If%20you%20can%E2%80%99t%20remove%20all%20requirements%20for%20legacy%20authentication%3A%20identify%20where%20it%20is%20used%2C%20put%20a%20sensor%20on%20it%20and%20monitor%20it%20closely.%26nbsp%3B%20There%20are%20also%20technologies%20such%20as%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Funtrusted-networks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Active%20Directory%20Conditional%20Access%3C%2FA%3E%20that%20can%20be%20tremendously%20helpful%20at%20controlling%20access%20as%20well.%20(LINK)%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EBe%20aware%20of%20Illicit%20Consent%20Grant%20Attacks-%3C%2FSTRONG%3E%20In%20Office%20365%2C%20an%20illicit%20consent%20grant%20attack%20is%20where%20a%20bad%20actor%20gets%20a%20user%20to%20register%20an%20application%20in%20Azure%20AD%20with%20permissions%20to%20their%20data.%26nbsp%3B%20Once%20the%20user%20has%20done%20this%2C%20the%20application%20no%20longer%20needs%20an%20organizational%20account%20to%20access%20data.%26nbsp%3B%20I%20have%20seen%20an%20increase%20in%20these%20types%20of%20attacks%20recently%20as%20organizations%20implement%20MFA%20which%20blocks%20traditional%20attacks.%26nbsp%3B%20Be%20aware%20of%20the%20steps%20to%20detect%20and%20respond%20to%20these%20attacks.%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fdetect-and-remediate-illicit-consent-grants%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ELINK%3C%2FA%3E)%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EProtect%20the%20data-%3C%2FSTRONG%3E%20I%20work%20with%20healthcare%20organizations%20who%20are%20on%20the%20frontline%20during%20this%20crisis.%26nbsp%3B%20Suddenly%20many%20of%20these%20organizations%20who%20had%20very%20limited%20remote%20work%20scenarios%20previously%20are%20now%20rolling%20out%20work%20from%20home%20(WFH)%20for%20their%20employees.%26nbsp%3B%20As%20this%20happens%2C%20we%20need%20to%20think%20about%20how%20we%20control%20that%20sensitive%20data%20when%20folks%20are%20accessing%20that%20data%20from%20their%20home%20PC.%26nbsp%3B%20This%20is%20where%20tools%20such%20as%20Cloud%20Access%20Security%20Brokers%20(CASBs)%20and%20information%20protection%20solutions%20can%20help.%26nbsp%3B%20Organizations%20should%20be%20implementing%20these%20protections%20prior%20to%20or%20in%20parallel%20with%20any%20remote%20work%20platforms%20such%20as%20real%20time%20collaboration%20tools.%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ELINK%3C%2FA%3E)%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EHeightened%20vigilance-%3C%2FSTRONG%3E%20Bad%20actors%20have%20already%20started%20using%20COVID-19%20as%20part%20of%20their%20phishing%20campaigns%2C%20this%20will%20only%20get%20worse.%26nbsp%3B%20And%20with%20everyone%20being%20focused%20on%20meeting%20critical%20mission%20requirements%2C%20the%20potential%20for%20users%20%E2%80%9Cclicking%E2%80%9D%20on%20that%20link%20or%20transferring%20funds%20is%20higher.%26nbsp%3B%20You%20can%20also%20expect%20our%20adversaries%20to%20look%20for%20ways%20to%20disrupt%20services%20and%20to%20deploy%20ransomware.%26nbsp%3B%20We%20must%20be%20extra%20vigilant%20and%20ready%20to%20%E2%80%9Cprotect%2C%20detect%20and%20respond%E2%80%9D%20to%20these%20attacks%20while%20continuing%20operations.%26nbsp%3B%20Tools%20such%20as%20Endpoint%20Detection%20and%20Response%2C%20Next%20Generation%20Firewalls%20and%20Intrusion%20Detection%20platforms%20can%20help%20protect%20our%20assets.%26nbsp%3B%20Add%20tools%20like%20CASB%E2%80%99s%20and%20Cloud%20Security%20Posture%20Management%20for%20detection%20and%20protection%20in%20cloud%20platforms.%26nbsp%3B%20%26nbsp%3BWe%20also%20need%20to%20ensure%20our%20Security%20Operations%20Center%20is%20ready%20for%20the%20increased%20activity.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EImplement%20a%20rest%20plan-%3C%2FSTRONG%3E%20You%E2%80%99re%20probably%20saying%E2%80%A6%E2%80%9DWhat%20does%20that%20have%20to%20do%20with%20Cyber%3F%E2%80%9D.%26nbsp%3B%20This%20situation%20is%20going%20to%20be%20with%20us%20for%20a%20while%20and%20we%20can%E2%80%99t%20afford%20to%20burn%20people%20out.%26nbsp%3B%20%E2%80%9CIt%E2%80%99s%20a%20marathon%2C%20not%20a%20sprint%E2%80%9D.%26nbsp%3B%20In%20scenarios%20like%20this%20we%20tend%20to%20go%20all%20hands-on%20deck%2C%20which%20is%20required%20initially%2C%20but%20can%E2%80%99t%20be%20sustained%20long%20term.%26nbsp%3B%2024%2F7%20operations%20will%20probably%20be%20required%20in%20many%20organizations%20that%20haven%E2%80%99t%20previously%20required%20them.%26nbsp%3B%20Leaders%20put%20together%20a%20work%2Frest%20plan%20and%20ENFORCE%20IT!%26nbsp%3B%20(That%20includes%20for%20you%20by%20the%20way)%20You%20will%20always%20have%20those%20folks%20that%20will%20say%20%E2%80%9CI%E2%80%99m%20good%2C%20I%20can%20hang%E2%80%9D%E2%80%A6.they%20will%20burn%20out.%26nbsp%3B%20Make%20them%20take%20a%20break.%26nbsp%3B%20Not%20only%20are%20exhausted%20people%20less%20functional%20for%20mentally%20challenging%20work%2C%20they%20will%20also%20be%20more%20susceptible%20to%20getting%20sick.%20(%3CA%20href%3D%22https%3A%2F%2Fcircadian.com%2Fblog%2Fitem%2F68-5-tips-for-managing-24%2F7-operations.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELINK%3C%2FA%3E)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EI%20have%20in%20no%20way%20covered%20all%20the%20items%20that%20need%20to%20be%20accounted%20for%20in%20this%20scenario%2C%20but%20hopefully%20this%20will%20help.%26nbsp%3B%20I%20encourage%20you%20to%20share%20any%20thoughts%20or%20ideas%20you%20have.%26nbsp%3B%20Working%20together%20we%20can%20get%20through%20this%20crisis!%26nbsp%3B%20Oh%2C%20and%20%3CSTRONG%3E%3CEM%3E%E2%80%9CWash%20your%20hands!!!%E2%80%9D%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EMore%20Reference%20Links%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fresponding-to-a-compromised-email-account%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EResponding%20to%20a%20Compromised%20Email%20Account%20in%20Office%20365%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Foffice-365-blog%2Fhow-to-quickly-optimize-office-365-traffic-for-remote-staff-amp%2Fba-p%2F1214571%22%20target%3D%22_blank%22%3EHow%20to%20quickly%20optimize%20Office%20365%20traffic%20for%20remote%20staff%20%26amp%3B%20reduce%20the%20load%20on%20your%20infrastructure%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1251983%22%20slang%3D%22en-US%22%3E%3CP%3E....%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-right%22%20image-alt%3D%22Clinicians.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F179357iD51D95DF76325DAB%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Clinicians.jpg%22%20alt%3D%22Clinicians.jpg%22%20%2F%3E%3C%2FSPAN%3Eas%20the%20COVID-19%20crisis%20continues%20and%20drives%20more%20organizations%20to%20enable%20remote%20work%20scenarios%2C%20cybersecurity%20professionals%20need%20to%20be%20tightly%20integrated%20into%20our%20organization%E2%80%99s%20contingency%20planning%20to%20ensure%20we%20continue%20to%20protect%20the%20business.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1251983%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ecybersecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehealthcare%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELife%20Sciences%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

This article was originally published on my LinkedIn page on 16 March 2020.

 

(FYI:  As I was writing this post, the news reported that HHS had been hit with what appears to be a denial of service attack.)

 

In the cybersecurity community there is a saying “Cyber can impact physical and physical can impact Cyber”.  We normally think of this in terms of warfare, such as what happened with the Ukrainian power grid a few years back.  But as the COVID-19 crisis continues and drives more organizations to enable remote work scenarios, cybersecurity professionals need to be tightly integrated into our organization’s contingency planning to ensure we continue to protect the business.  What we don’t want to have happen is a data breach or other security incident to occur during or immediately following the crisis.  Having helped with contingency planning in the military for many years and from my experience helping customers with cloud security, here are a few tips:

  • Document, Document, Document!!! – During situations like this it is normal to want to execute quickly to meet mission requirements and while doing so not documenting the changes you are making.  I know, “say it isn’t so”.  When this is over that documentation will be critical for understanding what was done and more importantly backing out any changes that you no longer need.
  • Implement a running risk assessment- In the military we did a risk assessment for every event and updated it based on changing conditions.  I recommend that you get with the business, determine their mission requirements and start a continuous risk assessment process.  One key outcome of this process will be to identify where your data is vulnerable and then help you implement compensating controls. (Example Risk Assessment from Army)
  • MFA all the things – If you are allowing any type of remote access to data or services, it needs to be protected with Multi-Factor Authentication.  Unfortunately, the world contains a lot of bad actors who will take advantage of this situation to steal information or deploy ransomware.  Many of these attacks will attempt to take advantage of a vulnerable identity perimeter, a properly implemented MFA solution will protect against most (~99%) of these attacks.  (LINK)
  • Block Legacy Authentication – If you are leveraging Office 365, Azure, Azure AD, etc.  you should try to remove any legacy authentication from your environment.  This, along with, MFA are the most effective ways to protect your Microsoft Cloud environment.  If you can’t remove all requirements for legacy authentication: identify where it is used, put a sensor on it and monitor it closely.  There are also technologies such as Azure Active Directory Conditional Access that can be tremendously helpful at controlling access as well. (LINK)
  • Be aware of Illicit Consent Grant Attacks- In Office 365, an illicit consent grant attack is where a bad actor gets a user to register an application in Azure AD with permissions to their data.  Once the user has done this, the application no longer needs an organizational account to access data.  I have seen an increase in these types of attacks recently as organizations implement MFA which blocks traditional attacks.  Be aware of the steps to detect and respond to these attacks. (LINK)
  • Protect the data- I work with healthcare organizations who are on the frontline during this crisis.  Suddenly many of these organizations who had very limited remote work scenarios previously are now rolling out work from home (WFH) for their employees.  As this happens, we need to think about how we control that sensitive data when folks are accessing that data from their home PC.  This is where tools such as Cloud Access Security Brokers (CASBs) and information protection solutions can help.  Organizations should be implementing these protections prior to or in parallel with any remote work platforms such as real time collaboration tools. (LINK)
  • Heightened vigilance- Bad actors have already started using COVID-19 as part of their phishing campaigns, this will only get worse.  And with everyone being focused on meeting critical mission requirements, the potential for users “clicking” on that link or transferring funds is higher.  You can also expect our adversaries to look for ways to disrupt services and to deploy ransomware.  We must be extra vigilant and ready to “protect, detect and respond” to these attacks while continuing operations.  Tools such as Endpoint Detection and Response, Next Generation Firewalls and Intrusion Detection platforms can help protect our assets.  Add tools like CASB’s and Cloud Security Posture Management for detection and protection in cloud platforms.   We also need to ensure our Security Operations Center is ready for the increased activity.
  • Implement a rest plan- You’re probably saying…”What does that have to do with Cyber?”.  This situation is going to be with us for a while and we can’t afford to burn people out.  “It’s a marathon, not a sprint”.  In scenarios like this we tend to go all hands-on deck, which is required initially, but can’t be sustained long term.  24/7 operations will probably be required in many organizations that haven’t previously required them.  Leaders put together a work/rest plan and ENFORCE IT!  (That includes for you by the way) You will always have those folks that will say “I’m good, I can hang”….they will burn out.  Make them take a break.  Not only are exhausted people less functional for mentally challenging work, they will also be more susceptible to getting sick. (LINK)

I have in no way covered all the items that need to be accounted for in this scenario, but hopefully this will help.  I encourage you to share any thoughts or ideas you have.  Working together we can get through this crisis!  Oh, and “Wash your hands!!!”

More Reference Links: