Time to bolster your User Authentication and enforce the Mobile Device Policy
Core To Effective Business Continuity Management.
There is no doubt that the proportion of employees working remotely will be significantly higher once our way of life settles into a new normal than it was before the COVID-19 outbreak.
From a cyber security standpoint, the focus should therefore shift to better remote authentication (logical access control) and to mobile device policy enforcement, two areas whose known weaknesses attackers are now also likely to target and exploit.
Two-factor authentication – as a minimum for remote authentication.
Many organisations still only use username/password via the VPN as the means of authenticating into their corporate network.
Well-crafted, professionally deployed phishing and spear-phishing attacks are still used to obtain users’ login credentials. Once in possession of valid credentials, an attacker can connect to your VPN as a legitimate user, gain full access to your network, and steal information or cause other damage that may result in the network being shut down.
Remember the well-known Target attack of 2014? Although the report did not make clear what level of security was in place for remote authentication, it was generally agreed that a vendor’s login credentials, stolen by malware installed on the vendor’s systems, were used to gain access to the network.
Organisations still fall victim to phishing attacks, with financial losses as a result.
Therefore, to improve on authentication that relies solely on the VPN login, organisations must implement two-factor authentication as a minimum.
In addition to the VPN username and password, this requires a one-time code generated by a token the user possesses; the code must be entered in the logon dialogue before access is granted.
An attacker who knows the username and password still does not have the code.
Mobile Device policy
This is the organisation’s approach to securely managing laptops, mobile phones, tablets and PDAs.
These devices are easily carried in bags and pockets; they are ubiquitous and can be used anywhere, especially where Wi-Fi is available.
Therefore, a policy for handling these devices and applying security measures to them must be created and, where possible, enforced. Enforcement must not be left to employees. The measures should include:
- Disabling USB ports, to prevent malware or viruses being introduced onto the network
  - Enabling them only where there is a strong business case
- Blacklisting websites using a proxy server, or a firewall that offers URL filtering to block certain categories, to avoid malicious downloads
- Removing users’ administrative rights on laptops, so that only approved software can be installed
- MDM implementation for mobile devices, to enforce acceptable use and allow remote wiping if necessary
- Encryption of laptops with a minimum key length of 128 bits
- Automatic screen locks for laptops/desktops after at most 5 minutes of inactivity
In addition to the above, your incident response process, which must reference your business continuity plan, must be up to date, and employees must be reminded how to report the loss of a mobile device to the appropriate department.
Adhering to the measures above should give a high degree of confidence in reducing the many events that can lead to a major incident or crisis in an organisation. These measures complement, rather than replace, regular information security awareness training.
Josh Subair AFBCI, Lloyd’s Register
Lead Auditor (CISSP) - UK & Ireland, Business Assurance