Homeland Security Guidance on Working from Home
Updated: Jun 2, 2020
As many businesses rushed to pivot to work from home (WFH) the Cybersecurity and Infrastructure Security Agency (part of DHS) posted best practices for WFH during Covid-19. Many of these recommendations are basic security best practices that they have been recommending for years but are even more critical now.
According to CISA, hackers are exploiting the pandemic to distribute ransomware and other malware. Attacks are often delivered via phishing methods, whether by email or SMS. These sneaky and clever techniques will try to present the attacker as being from a government agency and could be used to compromise credentials, facilitate fraudulent transactions, or to deliver malware.
Here is one example from our partners at Fortinet. This email is designed to cause users to open a document that delivers Lokibot which can steal credentials. This is because phishing emails are created using certain triggers as noted by the NCSC which include authority, emotion, and current events.
Given the current environment, these triggers make phishing emails powerful tools. In this case, the authority is represented as the WHO, the current event is Covid19, and the emotion targeted is a worry about the virus and having accurate information about it. It is only natural for us to want to be informed about Covid19 and users should not be punished for being tricked by phishing emails like this. It is the responsibility of the organization to implement proper security controls and awareness training.
Attackers are also targeting corporate networks because IT organizations have had to rush to provide remote access. These resources could be stood up with insecure configurations or on vulnerable infrastructure making them an easy target. This has led CISA to recommend that all companies implement MFA, patch their remote access systems, and implement system monitoring. Once users are setup to WFH we recommend that organizations review their security controls to ensure they are in place.
We recommend that all businesses review the CISA guidance published here, especially the Risk Management for Novel Coronavirus (Covid-19) document. In addition, we recommend that all organizations that use Microsoft365 and Office365 review CISA’s recommendations specific to them which is published here.
CISA’s recommendations include:
Enable multi-factor authentication for administrator accounts
Assign Administrator roles using Role-based Access Control (RBAC)
Enable Unified Audit Log (UAL)
Enable multi-factor authentication for all users:
Disable legacy protocol authentication when appropriate:
Enable alerts for suspicious activity
Incorporate Microsoft Secure Score
Integrate Logs with your existing SIEM tool
Watch the video below to learn how you can use Microsoft Secure Score to enhance the security posture of your Microsoft365 environment.
If you have any questions about any of these documents or threats, we would love to help, please reach out and schedule a time to meet here.