Market researchers are reporting divided opinion on the pros and cons of remote working. While some research reports an overwhelming majority of employees as die-hard remote working fans who never want to drink miserable coffee in shared kitchens again, others can hardly wait to flock back to the office. However, no matter how workers and employers end up dealing with the situation in the aftermath of the coronavirus pandemic, remote working – where possible – is the safest alternative at the moment. Organizations will therefore still be dependent on remote working infrastructure for the coming weeks and months. With this in mind, there couldn’t be a better time to look closely at this infrastructure.
When employees were requested to stay at home and work remotely, the situation developed very quickly. Understandably, function was prioritized over following procedures in this unprecedented situation. Under these circumstances, some ad hoc VPN systems may not be as strictly compliant with internal policies as they should be. Now that the immediate demand for remote connectivity has been dealt with, it is time to review remote access concepts and make changes if necessary. If your company has policies on remote access – as should be the case in any company with an ISMS – the next goal is to implement all the specifications listed there. Has the VPN gateway been implemented and configured according to the internal policies? Are all rights granted to the administrators in accordance with the procedure and according to least privilege? Is the gateway connected to a central management system, and are all logs forwarded to the SIEM or at least to the event manager? Depending on the infrastructure, firewalls should also be implemented to protect gateways from automated attacks; in the rush, this step may have been omitted and the public IP of the gateway exposed directly to the outside. There are many security safeguards, most organizational or process-oriented in nature, which should be observed for VPN gateways.
It is very important to close vulnerabilities in the firmware before deploying gateways online. This has often been overlooked due to the urgency of the coronavirus pandemic. But this is exactly what many attackers rely on when they automatically scan for VPN accounts and test for known, unpatched vulnerabilities. Healthcare companies and government agencies have become even greater targets. Employees have also been thrown in at the deep end. Depending on the corporate culture, remote working procedures may be more established at some organizations than at others. While remote working has long been part of daily operations at IT companies with locations throughout Germany, it may have been a new and unfamiliar concept for SMEs and organizations outside the IT sector. And new systems often bring teething problems. Users may have had difficulties accessing the network, dealing with two-factor authentication or contacting support staff due to bottlenecks – the list goes on. And here, too, the attackers were well prepared to take advantage of the situation. Attack vectors have included calls from alleged hotline employees looking for credentials and phishing emails linking to malicious software with a backdoor or ransomware disguised as free VPN clients.
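The automated account scanning mentioned above is exactly what forwarding gateway logs to a SIEM is meant to catch. As an added example (not code from the original post), the following Python check encodes the kind of rule a SIEM would run: over constructed VPN gateway authentication lines in a hypothetical log format, it flags source addresses that accumulate many failures across many different accounts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical VPN gateway syslog format (not a real vendor format).
SAMPLE_LOG = """\
2020-04-02T08:00:01Z vpn-gw1 auth: result=FAIL user=alice src=203.0.113.10
2020-04-02T08:00:03Z vpn-gw1 auth: result=FAIL user=bob src=203.0.113.10
2020-04-02T08:00:05Z vpn-gw1 auth: result=FAIL user=carol src=203.0.113.10
2020-04-02T08:00:07Z vpn-gw1 auth: result=FAIL user=dave src=203.0.113.10
2020-04-02T08:00:09Z vpn-gw1 auth: result=FAIL user=erin src=203.0.113.10
2020-04-02T08:00:11Z vpn-gw1 auth: result=FAIL user=frank src=203.0.113.10
2020-04-02T08:01:00Z vpn-gw1 auth: result=FAIL user=alice src=198.51.100.7
2020-04-02T08:01:30Z vpn-gw1 auth: result=OK user=alice src=198.51.100.7
2020-04-02T09:00:00Z vpn-gw1 auth: result=FAIL user=bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_scanning_sources(events, window=timedelta(minutes=5), max_failures=5, min_users=3):
    """Return {src: (failures, distinct_users)} for sources whose failed logins in any
    sliding window of `window` length reach both thresholds (many failures, many accounts)."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward until it spans at most `window`
            chunk = fails[start:end + 1]
            users = {u for _, u in chunk}
            if len(chunk) >= max_failures and len(users) >= min_users:
                flagged[src] = max(flagged.get(src, (0, 0)), (len(chunk), len(users)))
    return flagged
```

A single user failing once and then succeeding from a second address is not flagged, while the address that tried six different accounts in ten seconds is.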
In many cases, companies have not protected their internal networks sufficiently, so malware on a client could move laterally into the network. This should not pose too much of a problem for prepared IT staff, as users usually work without local admin rights and an end-user laptop should not have access to server administration. Finally, companies should also consider the availability of the VPN service. Although a single gateway may have been sufficient to cover a handful of sales reps, the entire workforce now depends on the accessibility and functionality of remote access. Clustering and protection against DDoS attacks are therefore far more important than before the coronavirus pandemic and are also worth the additional costs involved. As always: companies that take information security seriously with a holistic approach have little to fear, even in the event of a crisis.