
COVID-19: Is it business as usual for cyber security?

Heightened cyber security awareness is crucial as we all transition to remote modes of working. However, cyber security teams must remain cognisant that it’s business as usual for hackers, so it’s business as usual for us too. While it’s easy to become distracted during a time when our health, safety and economic stability are at risk, not all hackers and cybercriminals are focusing on coronavirus phishing scams.

Don’t lose sight of the real cyber security threats – it’s not just phishing scams

On Monday, 23 March 2020, Microsoft published details of two new vulnerabilities discovered in the Adobe Type Manager Library, a particularly dangerous pair of bugs for Windows 7 users. As remote code execution vulnerabilities, there are several ways attackers can exploit them, such as convincing users to open specially crafted documents via spearphishing, or simply having them view such a document in the Windows Preview pane.

Making matters worse, there is currently no patch. Microsoft says Windows 10 users are protected, but if you are not running Windows 10 then you’ll need to follow one of these action plans:

  1. Disable the Preview and Details Panes in Windows Explorer.
  2. Disable the WebClient service.
  3. Rename ATMFD.DLL or disable the file from the registry.
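The following audit script is an added example, not part of this article or of Kinetic IT's guidance. It checks, on the local host, whether action plans 2 and 3 are in place and, with `-DisableWebClient`, applies plan 2. It assumes an elevated PowerShell 5.1 session on Windows 7, 8.1 or 10. The `DisableATMFD` registry value is the one I recall from Microsoft's advisory for these bugs, so treat that check as an assumption and confirm it against the advisory text before relying on it; the Preview and Details pane setting (plan 1) is a per-user Explorer option with no single registry flag I would vouch for, so the script only reminds you to verify it.

```powershell
# Added example (not from the article): audit the ATMFD workarounds on this host.
# Assumptions: elevated PowerShell 5.1 on Windows 7/8.1/10; the DisableATMFD
# registry value is recalled from Microsoft's advisory and should be verified.
[CmdletBinding()]
param(
    # Also stop and disable the WebClient (WebDAV) service, i.e. apply action plan 2.
    [switch]$DisableWebClient
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)
if ($os.Caption -match 'Windows 10') {
    Write-Host "Windows 10 reported: Microsoft states these hosts are protected; results below are informational."
}

# Action plan 1: per-user Explorer setting, so just prompt the operator.
Write-Host "Plan 1 (Preview/Details panes): verify Explorer > Organize > Layout for each user profile."

# Action plan 2: WebClient service state (Win32_Service works on every supported version).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
if ($null -eq $svc) {
    $webClientOk = $true
    Write-Host "Plan 2 (WebClient): service not present."
} else {
    Write-Host ("Plan 2 (WebClient): state={0}, startmode={1}" -f $svc.State, $svc.StartMode)
    if ($DisableWebClient -and $svc.StartMode -ne 'Disabled') {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        Write-Host "  -> WebClient stopped and set to Disabled."
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    }
    $webClientOk = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
}

# Action plan 3: ATMFD.DLL renamed (check both native and WOW64 locations) or
# disabled through the registry value recalled from the advisory (assumption).
$dllPaths = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll")
$dllPresent = @($dllPaths | Where-Object { Test-Path -Path $_ })
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$disableValue = (Get-ItemProperty -Path $regPath -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
$atmfdOk = ($dllPresent.Count -eq 0) -or ($disableValue -eq 1)
Write-Host ("Plan 3 (ATMFD.DLL): present at [{0}]; DisableATMFD={1}" -f ($dllPresent -join ', '), $disableValue)
if (-not $atmfdOk) {
    Write-Host "  -> ATMFD.DLL still active; rename it per the vendor advisory (takeown/icacls, then rename)."
}

# Summary object for collection by a fleet-wide job (e.g. Invoke-Command over many hosts).
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    WebClientSafe  = [bool]$webClientOk
    AtmfdSafe      = [bool]$atmfdOk
}
```

Run it once per host, or wrap it in `Invoke-Command` against a list of Windows 7 machines so the summary objects can be compared with the risk assessment described below: hosts that are still exposed on both checks and sit with frontline users are the ones to deal with first.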


Patching is a top priority

What this shows is that while the world is distracted by the coronavirus emergency, the activities of cyber security teams must continue regardless. Patching is and always will be a top priority, since many of the attacks delivered through phishing campaigns need to exploit an operating system vulnerability or application weakness to be effective. In most cases, apart from a few like this recent Microsoft zero-day, vendors will already have patches available, and deploying and managing them should remain a key priority for IT teams.

Vulnerability risk assessments

A vulnerability risk assessment is crucial in your patching process since the context of your organisation – the systems, applications, controls and enterprise architecture – dictates how you prioritise patching over other activities. For example, if you have a couple of machines on an extranet running Windows 7, where the Adobe Type Manager Library vulnerabilities may be exploited, you might focus on protecting your core network, patching these systems when the next standard patch cycle comes around.

On the other hand, if your fleet of frontline medical staff uses Windows 7 laptops, then this should be today’s top priority. Risk assessments help cyber security teams make better decisions. While there is no hard and fast rule as to how you scale threats, likelihoods and impacts (it’s different for each organisation), common sense will quickly tell you what’s important.

Protective monitoring, vulnerability management, endpoint detection and incident response continue as key priorities that should remain front of mind for cyber security teams.


Protective monitoring

Your cyber security operations team should continue scrutinising your systems, networks and applications for access violations, behavioural anomalies and indicators of compromise. Fast detection, incident triage and notification to the appropriate incident management teams are essential to ensure attacks are quickly shut down before they cause harm.

Vulnerability management

Scouring your enterprise for vulnerabilities and configuration weaknesses is a critical aspect of managing your cyber security posture. With risk-based vulnerability scoring you can quickly decide what to fix immediately and what can wait for normal maintenance windows. Vulnerability management, as opposed to individual vulnerability assessments, is the process of managing the detection of, and response to, findings across the entire enterprise. It’s an ongoing process, designed to flag new vulnerabilities across your fleet as they are detected. Any system you select should update its database of known issues in real time, and detections should be as near real time as possible.


Endpoint detection and incident response

Endpoints are where most attacks gain a foothold in your business, which is why endpoint detection and response (EDR) platforms are usurping traditional antivirus platforms as the endpoint control of choice. EDR combines anti-malware, fileless attack prevention, behavioural anomaly detection and process whitelisting, with log collection and analysis to offer situational awareness across the entire enterprise endpoint fleet.

For further advice or guidance on your organisation’s security, get in touch with Kinetic IT’s cyber security experts, PROTECT+.