COVID-19 Attack Surface Implications

The COVID-19 pandemic has reshaped our organizations as we know them. Many have shifted from working on-site to primarily working from home. What was first thought to be a few weeks has now turned into a few months, and the impacts of this pandemic on your organization’s IT operations and procedures will likely last into the future. After all, the last 3 months have proven that we can work from home, so it is going to be hard to go back to everyone working from an office. With that in mind, it is time to focus on the COVID-19 attack surface implications and on understanding the threats associated with your new IT landscape.

As we have discussed previously, understanding your attack surface is one of the most important steps in securing your organization. Simply put, your attack surface is all of the avenues available to an attacker on the Internet when they are trying to find a weakness and gain unauthorized access to your company. This can include your VPN, email server, web servers, etc. Over the past few decades, organizations have spent a considerable amount of resources to reduce and secure this attack surface. The rise of VPNs and SSO portals has tremendously reduced the avenues available for attack. Additionally, in most cases organizations keep a close eye on all the services that are exposed to the Internet, with those systems patched, hardened, and monitored.

In a typical external penetration test, it is pretty rare for us to actually break into the internal network, all things considered. However, once access is gained and we shift to more of an internal penetration test, the vast majority of tests end with us gaining full control of the network. This is indicative of the emphasis organizations continue to place on perimeter security.

What COVID-19 attack surface implications are you facing? Have you taken the time to consider their impact? Now that we are three months in, we can no longer treat them as temporary necessities, and everyone should be considering how to secure these assets long term and how they fit into the overall compliance strategy. Here are some things to consider:

  • Is your VPN full-tunnel or split-tunnel? Remember, running split-tunnel may help with the overall bandwidth required, but your attack surface now includes every employee’s home network plus any public networks they connect to.
  • Have you stood up any new portals or services for employees to use? Have these gone through a hardening process? Has a security assessment been performed?
  • Do you allow your employees to use cloud services like Dropbox, Google Drive, OneDrive, or Trello? Has this been clearly communicated to employees? Are there checks performed on the data leaving your control?
  • Are employees connecting their own devices to the network via VPN? Is there a clearly communicated policy? Do you have ways to detect rogue devices that connect?
  • What IT projects have been put on hold? Do any of them have security implications? Are there any IT projects in progress that have exposed services or untested functionality?
  • Are any security assessments or ongoing maintenance delayed? Are you still sure about which services are exposed and the weaknesses they present?
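
To answer the first question above for a given endpoint, the routing table of a connected client shows which mode is actually in effect. The following is an added example, not part of the original article: it assumes Linux `ip -4 route show` output, a VPN interface named `tun0`, and a home interface named `wlan0`, and both routing tables are constructed samples.

```python
import ipaddress

def parse_routes(text):
    """Parse `ip -4 route show` style lines into (network, device, metric)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "dev" not in tok:  # blackhole/unreachable entries carry no device
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((ipaddress.ip_network(dest, strict=False),
                       tok[tok.index("dev") + 1], metric))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match, lowest metric on ties: which device carries addr?"""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

# Probe addresses are only looked up in the table; nothing is sent. One sits
# in each half of the IPv4 space, so a 0.0.0.0/1 + 128.0.0.0/1 override of
# the default route is still recognised as full tunnel.
PROBES = ("8.8.8.8", "203.0.113.10")

def classify(route_text, vpn_dev="tun0"):  # "tun0" is an assumed interface name
    routes = parse_routes(route_text)
    if not any(dev == vpn_dev for _, dev, _ in routes):
        return "vpn-down"
    via_vpn = [egress_dev(routes, p) == vpn_dev for p in PROBES]
    return "full-tunnel" if all(via_vpn) else "split-tunnel"

# Constructed sample: Internet traffic forced into the tunnel.
FULL = """0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
198.51.100.7 via 192.168.1.1 dev wlan0"""
# Constructed sample: only the corporate 10.0.0.0/8 range uses the tunnel.
SPLIT = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600"""

if __name__ == "__main__":
    for name, table in (("FULL", FULL), ("SPLIT", SPLIT)):
        print(name, classify(table), egress_dev(parse_routes(table), "192.168.1.20"))
```

In both sample tables the lookup for a home-LAN peer (`192.168.1.20`) resolves to `wlan0`, so a full-tunnel route set alone does not take the home network out of the endpoint's reach.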