Cyber Security Risk Breaches

Common Causes for the Recent Major Spike in Security Incidents

With the rapid shift of internal office employees to teleworking, companies scrambled to make remote access available to every staff member. In many environments the VPN solution was never sized to carry the entire organization at once. Impressively, many of HALOCK's clients made the changeover smoothly. However, once the initial wave of help desk tickets and service requests had been worked through, HALOCK began receiving a significant increase in calls to our emergency help line. Attackers were taking advantage of these newly distributed workforces and hastily reconfigured network environments.

While HALOCK's response and forensics engineers were handling the spike in incidents, our consultants reached out to current clients to understand how the COVID-19 Stay-at-Home order had affected their compliance requirements and information security programs. Our breach response teams and security consultants were finding the same thing: many organizations have significantly reduced their ability to manage corporate endpoints and have made multiple ad-hoc changes to their infrastructure to accommodate employees transitioning to work-from-home environments. Those changes were creating new and easy opportunities for attackers.

As a result of these trends, HALOCK is urging all of our clients to review their remote access systems and teleworker practices to ensure they are providing their user base a secure and compliant solution, both in the near term and going forward. Here are the insecure practices and threats HALOCK has identified most often:


End user devices are susceptible to malware and other malicious activity because the security controls the on-premises enterprise security stack applied while the device sat inside the office no longer reach it at home.
    • The organization does not enforce the use of company-owned devices and/or lacks centralized management of corporate assets.
    • Endpoints lack web filtering services to block unapproved personal email and file transfer services (Gmail, Dropbox, Box, Google Drive, etc.).
    • Data Loss Prevention (DLP) solutions have not been implemented to restrict the transfer of sensitive information from the corporate network or email to the local workstation.
    • Scheduled endpoint patching has not been validated to confirm that remote systems are actually receiving updates that protect against the latest known vulnerabilities.
    • Logging of system and security events, including Host Intrusion Detection alerts, is not being forwarded from the remote endpoint to the enterprise SIEM.
    • Employees are storing business-critical information and sensitive data on their local workstations, where it is neither encrypted at rest nor regularly sent to the enterprise backup solution in case recovery is needed.
    • Lastly, to reduce support calls, employees have been given local administrator rights on their devices so they can make changes as needed.


Multiple security weaknesses have been found in the configuration of VPN infrastructures that may allow an attacker to pivot from a compromised remote endpoint into the corporate network.
    • Weak authentication has been configured to give remote workers quick access to corporate resources: no multi-factor authentication, weak encryption, no password complexity requirements, and no VPN-specific credentials separate from the user's Active Directory account, so a single phished domain password is enough to connect.
    • Companies are using insecure architectural designs that lack proper segmentation and monitoring, so when a remote system is compromised security personnel are not alerted and the incident is not contained to limit its impact.
    • Endpoint devices are not themselves authenticated before connecting to the corporate network (for example, with a device certificate), and there is no posture check confirming that an approved, up-to-date anti-virus solution is running on the asset.
    • Firewall and VPN configurations have been modified through ad-hoc changes made to reduce the impact on business processes or the inconvenience to employees.
    • The VPN infrastructure has not been in scope for external vulnerability scans or a formal penetration test.


HALOCK found similar results at companies that have moved, or are in the process of moving, critical services to the cloud. Organizations appear to have relaxed access control best practices and compliance standards within these hosted solutions.
    • Weak authentication has been configured to give remote workers quick access to SaaS solutions: no multi-factor authentication (MFA), weak encryption, no password complexity requirements, no IP whitelisting, and in some cases authentication is established with only a certificate and no username and password challenge.
    • Hosting environments have not been built with Virtual Private Cloud (VPC) segments or micro-segmentation standards and lack sufficient monitoring to ensure that security personnel are alerted and that any incident is contained to the compromised virtual asset.
    • Cloud environments were not in scope for vulnerability management, including annual penetration testing.
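The VPN and cloud findings above share a monitoring gap: nothing flags a password-only login, a connection from a device that presented no certificate, or one account active from several source addresses in a short window. The following script, an added example and not HALOCK's tooling, shows how those three checks can be run over remote-access authentication events. The log line format and the sample events are constructed assumptions; in practice the fields would be mapped from the VPN concentrator's or SaaS provider's own audit log before forwarding alerts to the SIEM.

```python
"""Triage remote-access authentication events for the weaknesses listed above.

Added example with a constructed log format; not code from the original
article. Flags: password-only logins (no MFA), connections to managed
services from devices without a client certificate, and one account seen from
more than one source IP inside a short window.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not from any real system):
# timestamp service user src_ip mfa=yes|no cert=yes|no result=ok|fail
SAMPLE_LOG = """\
2020-04-06T08:01:12Z vpn jdoe 203.0.113.10 mfa=yes cert=yes result=ok
2020-04-06T08:03:40Z vpn asmith 198.51.100.7 mfa=no cert=no result=ok
2020-04-06T08:05:02Z saas asmith 198.51.100.7 mfa=no cert=no result=ok
2020-04-06T08:09:55Z vpn asmith 192.0.2.44 mfa=no cert=no result=ok
2020-04-06T08:20:17Z vpn bjones 203.0.113.55 mfa=yes cert=no result=ok
2020-04-06T08:21:00Z saas bjones 203.0.113.55 mfa=yes cert=yes result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<user>\S+) (?P<ip>\S+) "
    r"mfa=(?P<mfa>yes|no) cert=(?P<cert>yes|no) result=(?P<result>ok|fail)$"
)


def parse_events(text):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_findings(events, window=timedelta(minutes=15), managed_services=("vpn",)):
    """Return (kind, user, service, detail) tuples for successful logins only.

    managed_services lists services that must only accept certificate-bearing
    corporate devices (the VPN here); SaaS logins get the MFA check only.
    """
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["result"] != "ok":
            continue  # failed logins are noise for these three checks
        if e["mfa"] == "no":
            findings.append(("password-only", e["user"], e["service"], e["ip"]))
        if e["service"] in managed_services and e["cert"] == "no":
            findings.append(("unmanaged-device", e["user"], e["service"], e["ip"]))
        by_user[e["user"]].append(e)

    # One account from several source addresses within the window: either the
    # credential is shared or it has been phished and replayed from elsewhere.
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            ips = {first["ip"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                ips.add(later["ip"])
            if len(ips) > 1:
                findings.append(("multi-source", user, "*", ",".join(sorted(ips))))
                break  # one finding per account is enough for the analyst queue
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a daily report to the security team."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = find_findings(parse_events(SAMPLE_LOG))
    for kind, user, service, detail in results:
        print(f"{kind:16} {user:8} {service:5} {detail}")
    print(summarize(results))
```

On the sample events the script reports three password-only logins (all for asmith), three VPN connections without a device certificate, and one multi-source finding for asmith, who appears from two addresses six minutes apart. The window and the set of services that require a device certificate are the two knobs an analyst would tune against real traffic.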

Partnering with our clients, HALOCK has seen an increase in work effort both to harden these controls and to recover from adversaries that have exploited these known weaknesses. As we help clients move into the next phase of this pandemic, HALOCK wants to ensure that other organizations continue to meet compliance requirements and protect their user base from the common security weaknesses we have identified.

Identify current business continuity gaps and encourage management to adopt modern security best practices as we proactively prepare for phase 2 of this pandemic, and other emergencies.

Keep safe and stay secure.