Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Network Security Perspective on Coronavirus Preparedness SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Network Security Perspective on Coronavirus Preparedness

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.

There are two cybersecurity-related aspects of an emergency like this:

  • Fraud and other ways of how criminals try to take advantage of situations like this.
  • Business continuity preparedness.

In past disasters, we have seen different ways of how criminals try to take advantage of a situation like this:

  1. Fake Donations

Various entitles have already started to register domain names around the name "coronavirus." In past events, we have seen some of these domains being used for fake donation web sites. They may also be used for other less legitimate business purposes like selling overpriced supplies. At this point, all the domains I have seen are parked or not yet active with content, so it is hard to tell what will happen.

  1. Malware

Malware authors are always looking for new ruses to get people to open their attachment. In the past, we have seen malicious videos and other attachments being used to spread malware.

  1. Fake News

Fake news is not only used to influence elections. Sometimes it is done to attract more eyeballs to a YouTube channel. Be careful who you trust, and don't let sensational news cause you to panic. Panic is not the right state to make sensible decisions.

Please let us know if you see any of this.

From a business continuity perspective, I like the CDC checklist (https://www.cdc.gov/flu/pandemic-resources/pdf/businesschecklist.pdf ). I only highlight some items from it. Another excellent resource is the response plan published by Public Health England: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/344695/PI_Response_Plan_13_Aug.pdf

I only highlight some items from it.

First of all: Unless your business is supporting critical infrastructure or healthcare, employee safety has to come before business continuity. Sometimes it is just best to shut down and go home until the crisis is over.

  1. Remote Access

Even during a relatively mild outbreak, people may not be willing or able to come to work. Even for the common flu, it is much preferred for someone to stay at home and maybe do a little bit of work vs. coming to work and infecting others (remember the flu is estimated to kill 8,200-20,000 people this season in the US alone). You must have functional and secure remote access set up. There are several different VPN and similar solutions. Voice and video conferencing solutions should be part of this. It should be easy for people to stay at home for a few days. You may also want to consider loaner laptops. It is much simpler and more secure to have employees working from home use corporate computers with a known secure configuration vs. using a random home computer. Test remote access while you still have people in the office to fix issues. This is in particular important if you need remote access for administrative purposes like rebooting systems. Many organizations have migrated systems to the cloud and should be used to manage them remotely (but if you did it right, you may have whitelisted specific IPs for remote management access)

In a pandemic situation, the remote access solution may be the resource that is constrained. Considerations should be put into investigating shorter timeout value and determine who are the critical users to be put in a special group for more extended and continuous access. Regular users can have a different profile to consume less load on the VPN equipment.

  1. Biometric Identification

Many biometric identification systems are problematic. Fingerprint scanners often do not work with gloves or can be a conduit for infection. Facial recognition does not work while someone is wearing a mask. Devise some alternative means to authenticate for emergency access. At the very least, have some sanitizer ready to clean surfaces people need to touch to authenticate.

  1. When and How to Shut Down

In some cases, it may be best to just shut down for a while If your business is not part of the health care or critical infrastructure. Business continuity plans should not endanger anybody's life. Have a plan for when and how to shut down. Which systems are shut down first? How can we reduce the load on system administrators and security analysts, so fewer of them have to come to work? If you decide to shut down all the way: How do you ensure some physical security of your space (boarding up, a company monitoring the space?).

  1. Supply Chain Continuity

It appears to be already apparent that the Chinese economy will, at least in the short term, be significantly affected. Some of the effects are delayed due to scheduled shutdowns during the lunar new year. Of course, similar travel restrictions could also affect other countries. How many critical supplies do you have on-site? Most modern businesses try very hard to minimize the amount of inventory, which in turn makes them very vulnerable to supply disruptions. The availability of supplies could also affect your decision to shut down. Do not overlook your “internal supply chain”. Which locations/individuals are critical to your operations?

  1. Emergency communication plan

Now is an excellent time to make sure your phone lists are up to date. Make sure critical people can be reached. If possible, there should be diverse methods to reach each other (really hard to do with "everything over IP"). Another part of this is how the organization will communicate its plan to employees, suppliers, and customers. There should be multiple means, and they need to be communicated ahead of time. (Website, Twitter, phone number to call). Miscreants may exploit any weakness in your communication plan to spread rumors about your organization or to impersonate your company. Your escalation plan should be included in the review of your communication plan.

  1. How can you help others?

During a crisis, first responders will likely soon get worn out and need support. There may also be assets (space, materials…) that your company does not need right now that you can use to help. Typically, this can only happen if you made necessary connections ahead of time.

And of course: Please let me know what else should be noted (or point out any mistakes I made above)

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS Rocky Mountain Summer 2020

Johannes

3877 Posts
ISC Handler
Jan 27th 2020
Report of fake Chinese news:
https://nationalfile.com/photo-of-coronavirus-hospital-posted-by-chinese-state-newspaper-is-actually-alibaba-stock-photo/
Anonymous

Sign Up for Free or Log In to start participating in the conversation!