There was a time, years ago, when I wasn’t just the highly capable security practitioner you see before you. I was also a Soldier. I wore a uniform for 22 years altogether, most of the time as an Infantryman in my state’s National Guard.
I always find it interesting how many concepts that I learned while preparing for combat (or in combat) translate directly to information security operations.
Today we’re going to talk about everyone’s posture in response to the COVID-19 threat and what some of our next steps should be. As a sort of interesting exercise, I’m going to draw some parallels from the Soldier’s Handbook 3-21.76—affectionately known as the Ranger Handbook. It’s the ultimate source for small unit Infantry operations and we’ll have some fun analyzing the similarities of at least one of the tasks to something you’re probably seeing in your network today.
Working from Home: Your New Patrol Base
Many of you have just completed or are in the process of completing a paradigm shift to support a primarily remote/work-from-home work force. You worked long, hard hours to protect the safety of your fellow employees, their families, and potentially your customers and their families as well. I hope everyone can feel some pride in the work they’ve already accomplished. To draw our connection to Ranger operations, you’ve just completed a difficult operation and have now established your organization in what is likely a temporary location—that is, supporting the bulk of your employees from their homes. You are now occupying a temporary position and conducting operations from there. Think of this as something like a Patrol Base.
A military unit will occupy a patrol base for many reasons, such as avoiding detection or reorganizing after completing a mission. Patrol bases are often used to establish a place from which to execute several consecutive or concurrent operations.
In the case of working from home, you’re establishing a base from which to execute your business operations. This is your network in its new configuration, supporting a large mobile work force.
Establishing Your Priorities
Now that you’re in your patrol base, the Ranger Handbook says you have the following priorities of work:
- Security
- A withdrawal plan
- A communications plan
- Mission preparation
- Weapons and equipment maintenance
- Water re-supply
- Mess plan
Most of these concepts can actually map to your ongoing tasks as a knowledge worker or information technology team, but we’re going to focus mainly on the first one: security.
We published an article a few weeks back on some of the important security considerations in your organization’s response to COVID-19, and hopefully you were able to apply some of the advice there. But whether you were or not, here are some of the next things you should be considering:
Securing your perimeter
In the Ranger Handbook, you’re advised to use all passive and active measures to cover 100% of the perimeter 100% of the time. Think about this in terms of your network’s perimeter… and how that may have recently changed. You’ve probably lost a lot of visibility with users now logging on from computers at their house.
Some things you want to consider are:
- How to control their traffic
- How to verify their endpoints remain safe
- How to keep tabs on those computers
You also want to observe and protect your base from being breached from the outside by tightly controlling access to your base using two factor authentication, encryption, and perhaps even things like MAC address control or checking connected devices for current patch levels and anti-virus software.
If you’re using cloud-based solutions for things like anti-virus, log analysis (SIEM), or endpoint detection & response (EDR), make sure there are no access controls which would prevent your distributed workforce from connecting to and using these solutions.
If you sent employees home with laptops owned by your organization, that’s going to put you several steps ahead in these aspects. You should be able to have your security software already installed and hopefully you have the ability to manage it during this time as well.
If your employees need to connect with their personally-owned devices, then you have some additional things to consider.
Using a web-only front end and a browser-based RDP client will mitigate some of the danger, as will using host checking solutions. Host checking is the practice of verifying that systems connecting to your VPN meet some kind of standard regarding anti-virus, host-based firewall, patching levels and/or the existence of other software on the system.
One main mistake you need to avoid is leaving port 3389/RDP open to the internet. This is a red flag attack vector and will get you breached almost every time. Also, assess the needs of your user base and consider using geographic IP policies in order to limit the availability of your VPN solution to only those geographical regions where you know your users are located.
Securing Your Communications
Now we’ve provided some additional security on systems which are entering the network, but there are plenty more things to consider and you’ll find parallels in the Ranger Handbook again.
Let’s talk about your communications plan.
The basic requirements of combat communications are to provide rapid, reliable, and secure interchange of information. How is your organization meeting those communication requirements while positioned as a remote workforce? Your first thought is probably email. But is your email platform providing you with rapid and reliable security to protect your communications in these circumstances?
If your platform is capable of advanced security features beyond secure message delivery—think spam blocking, file and link sandboxing, and more—it’s a good idea to enable those features now that your workforce will be relying on email as a primary communication method internally and externally.
If your workforce also utilizes a video conferencing platform, make sure it is being kept up-to-date and patched on all devices. Services like Zoom have already discovered security holes and released subsequent patches to resolve them. This will be the case for most software and platforms you utilize during this time so it’s important to keep this question at the top of your mind:
Is the method by which you’re communicating a secure one?
Maintaining Remote Security
And finally, don’t forget maintenance. In a military patrol base, this would be cleaning of weapons and other equipment, making sure you keep fresh batteries in radios/GPS handsets/flashlights, and so on. But for your information technology environment, maintenance could mean a lot of different things.
One to focus on here is patching and vulnerability management. The time to find out about a new zero-day threat to your operating systems couldn’t be worse than when your entire force is working from home. But with the right solutions in place, you can still manage patching, vulnerability scanning, and policy compliance from cloud-based solutions to keep both your remote devices and office-bound systems secure while you’re away.
You don’t need to stop your regular security awareness training either! In fact, you could potentially craft phishing tests focused on COVID-19. I promise you the bad guys already are. Make sure you’re communicating with your users often about newly discovered threats.
Improve Your Position!
So, phase 1 is complete. Now it’s time to improve your position and focus on some of the ideas we’ve discussed here.
Remember, the bad guys watch the news too.
They know many of us are now working from home—in fact, they may be working from home as well with extra time on their hands—and they’re crafting their attacks to take best advantage of this. Make your patrol base safe from enemy attack. With some planning, imagination, and a small amount of work, you can protect your employees and their families as well as your organization’s information assets.
Good luck, everyone, please stay safe, and remember: Rangers Lead the Way!
Written by Jeff Murphy, Security Engineer.