To CyFlare Partners & Clients
We know that our partners and clients depend on CyFlare for cyber security services. Due to the pandemic, and the havoc that is being experienced across the world, we wanted to offer up some preventive measures as a follow-up to ensure security compliance.
As IT organizations modify and change controls to enable business resumption for remote workers, changes to operations and Identity & Access Management changes, this can result in human error with mis-configurations, other un-controlled actions etc. IT groups are being tasked to get employees and other remote services setup and running with new configurations.
Below are some “use cases” identified for your awareness to potential exposures created due to emergency actions / reactions during this time. Please validate and address these areas to reduce potential exposures:
- Lock Down RDP – Triple check access control lists responsible for limiting access to machines allowing RDP connections from the public internet. This is one of the most common but critical mistakes a security team can make. If you must expose a machine, be sure your whitelists are very explicit. We also have simple to deploy solutions that take away any requirement for public exposure to RDP.
- Scrutinize VPN – Setting up VPN tunnels to access the entire network with trusting everything and everyone. Be sure your VPN ACL’s are heavily scrutinized and limit VPN users to just the specific items needed. Bad actors are extensively targeting VPN’s for obvious reasons.
- Scrutinize Firewall ACL’s – Mis-configuration of Firewall’s that may expose some specific group’s/users/machines to the Internet. This allows for scanning, brute force capability, exploit delivery and additional reconnaissance that must be avoided.
- Identify & Monitor Un-Managed Devices – Un-managed devices allowed to access corporate resources allows for irregular and dangerous situations. Allowing un-managed machines or devices to access corporate networks and resources unrestricted allows for countless possible catastrophic scenarios . Constant monitoring and paranoia for anomalous internal and external traffic must be investigated immediately, particularly if it is an un-managed machine.
- User Behavior Analysis – User behavior and login activity monitoring is now more complicated to interpret due to the remote workforce. Keenly check for any UBA related detections such as login location anomalies, application usage anomalies, payload anomalies, login time anomalies etc.. Machine learning is now essential to capture these changing behaviors. Static analysis will not be effective.
- Force Endpoint Protection All Devices – Not having a proper Endpoint Protection solution on un-managed devices may also cause possible bad download, misc alarms, anomalous processes that in turn causes data leakage, loss of confidential information, harvesting etc., but still visible in the network due to the traffic being captured by the sensor that may trigger alarms.
All of these lead to increase attack potential and can cause account take overs, privilege escalations due to accessibility / usability, suspicious IOC’s and many other use cases that may not have been thought through.
At CyFlare, our Analyst are aware that Clients are making various changes to their environment and want to ensure your IT organizations review all changes to avoid incidents. We look at these areas outlined as part of our initial steps of our triage process in incident response.
Thank you for being a CyFlare clients and entrusting us with your Cyber network threats and security needs. These are challenging times, but I want you to know that we stand ready to help however we can. We understand the critical role we play in the Cyber Security of our partners and client’s infrastructure and we are continually humbled by the trust you place in us. Together, we will get through this.
Please subscribe, if not already to the CyFlare Trust page to receive continued updates and instant notification should there be any disruption to service or related communications.
CyFlare, LLC ( www.CyFlare.com )