APRIL 2020 NATIONAL CRITICAL INFORMATION INFRASTRUCTURE PROTECTION CENTRE BLOCK III, OLD JNU CAMPUS, NEW DELHI-110067, INDIA


BUILDING RESILIENCE AGAINST CYBER ATTACKS DURING COVID-19 CRISIS

APRIL 2020

PREPARED BY :

NATIONAL CRITICAL INFORMATION INFRASTRUCTURE PROTECTION CENTRE

ADDRESS :

BLOCK III, OLD JNU CAMPUS, NEW DELHI-110067, INDIA


NCIIPC PAGE 01

MISSION COVID-19

To identify Threat Actors active during COVID-19 outbreak all over the world. These include those who are targeting Critical Information Infrastructure of India.

Mission

Safe and Secure Cyber Space for Critical Information Infrastructure of India.

Vision

Information collection, analysis and dissemination from & to all Stakeholders in time-bound manner.

Values


COVID-19 THREAT LANDSCAPE

Social Engineering

• Links to live tracking map and Mobile Apps
• Email attachments with malicious docs
• Donations for COVID-19
• IT fraud for credential harvesting (VISHING)
• Business Email Compromise / impersonation

Remote Access

• RDP and VPN credentials brute force
• SOHO Devices
• Invitation to fake VC/RAT application urls


GUIDELINES During COVID-19 Crisis


GUIDANCE TO LEADERSHIP AND MANAGERS

Purpose: To support IT & IS teams in protection of the organisation's critical assets and to get productivity from their remotely working staff/employees and contractors.

• Identify all business critical functions of the organisation / critical e-governance and service delivery functions of the Govt, which have to be operational during the lock down. Choose only what is essential but everything that is essential.
• Assess how these critical functions can be delivered by on-site and remote workers. What are the controls in place and how do these controls protect the applications and data from large scale cyber attacks on confidentiality, integrity and availability.
• Carry out risk assessment – enable work vs cyber threats, business continuity and cyber crisis management plans. Focus on employee awareness training.
• Ensure IT & IS Teams are not overwhelmed by urgent but low priority IT support calls from employees. IT & IS Teams should focus on Critical aspects of business operations and business continuity.
• Organise remote working awareness training for employees, if not done already.


GUIDANCE FOR IT/ IS TEAM

Purpose: To protect the organisation's critical assets and enable employees and contractors to work remotely.

• Allow remote access to the organization's internal network strictly with MFA and through proxy servers.
• Apply application whitelisting, block unused ports, turn off unused services, monitor network traffic to prevent suspicious activities.
• Apply least privilege controls to applications.
• Security update/patches for all devices firmware/application.
• Closely monitor privileged users/administrators of critical accounts. Track all CRUD (Create-Read-Update-Delete) activities in Identity and Access Management (IdAM), AAA servers, NAC etc.
• Backup of all configurations, networks, systems, databases, user identity and access data etc. Specifically focus on resilience of backups against ransomware attacks.
• Check that all stakeholders are clear on Business Continuity and Cyber Crisis Management Plans and the actions they need to take if BCP or CCMP is activated.
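The guidance above asks IT/IS teams to track CRUD activity in IdAM systems and to closely monitor privileged accounts. The following script is an added illustration of what that tracking can look like in practice; it is not NCIIPC code and not tied to any particular IdAM product. It assumes a simple "timestamp key=value" audit line format (an assumption), uses constructed sample lines, and raises alerts for two conditions a defender would want to see: any create/update/delete on an admin-role account (escalated outside an assumed change window) and a burst of account creations by a single actor.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample IdAM audit lines in an assumed "timestamp key=value ..." format.
# The actors, targets and timestamps are invented for this example.
SAMPLE_AUDIT_LOG = """\
2020-04-10T09:02:11Z actor=alice action=READ target=user.bob role=user
2020-04-10T09:05:40Z actor=alice action=UPDATE target=user.carol role=user
2020-04-10T23:41:03Z actor=svc_hr action=UPDATE target=admin.root role=admin
2020-04-10T23:41:05Z actor=svc_hr action=CREATE target=user.tmp1 role=user
2020-04-10T23:41:06Z actor=svc_hr action=CREATE target=user.tmp2 role=user
2020-04-10T23:41:07Z actor=svc_hr action=CREATE target=user.tmp3 role=user
2020-04-10T23:41:08Z actor=svc_hr action=CREATE target=user.tmp4 role=user
2020-04-10T23:41:09Z actor=svc_hr action=CREATE target=user.tmp5 role=user
2020-04-10T10:15:00Z actor=dave action=DELETE target=user.old role=user
2020-04-10T10:16:00Z actor=dave action=UPDATE target=admin.ops role=admin
"""

WRITE_ACTIONS = {"CREATE", "UPDATE", "DELETE"}   # the C, U and D of CRUD
BULK_CREATE_THRESHOLD = 5                        # assumed tuning values; adjust per environment
BULK_WINDOW_SECONDS = 300
CHANGE_WINDOW_HOURS = range(8, 20)               # assumed approved change window, 08:00-19:59 UTC


def parse_line(line):
    """Parse one audit line into a dict; the first token is an ISO-8601 UTC timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def analyse(log_text):
    """Return (severity, message) alerts for privileged-account writes and bulk account creation."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    alerts = []
    recent_creates = defaultdict(list)   # actor -> CREATE timestamps inside the sliding window

    for e in events:
        # Rule 1: every write to an admin-role account is reviewed; outside the change
        # window it is escalated, because legitimate privileged changes are rare then.
        if e["action"] in WRITE_ACTIONS and e["role"] == "admin":
            severity = "medium" if e["time"].hour in CHANGE_WINDOW_HOURS else "high"
            alerts.append((severity,
                           f"{e['actor']} {e['action']} privileged account {e['target']} "
                           f"at {e['time'].isoformat()}"))

        # Rule 2: many CREATEs by one actor in a short window suggests scripted account
        # provisioning that should be confirmed with the owner; alert once at the threshold.
        if e["action"] == "CREATE":
            window = recent_creates[e["actor"]]
            window.append(e["time"])
            while (window[-1] - window[0]).total_seconds() > BULK_WINDOW_SECONDS:
                window.pop(0)
            if len(window) == BULK_CREATE_THRESHOLD:
                alerts.append(("high",
                               f"{e['actor']} created {len(window)} accounts within "
                               f"{BULK_WINDOW_SECONDS}s"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_AUDIT_LOG):
        print(f"[{severity}] {message}")
```

On the constructed sample this produces three alerts: a medium one for the in-hours update of an admin account, and two high ones for the late-night admin update and the five accounts created within seconds by the same service account. Events are sorted by time before evaluation so that out-of-order log delivery does not break the sliding window.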


MANAGE EMAIL PHISHING RISKS

• Enforce Multi-factor Authentication (MFA) to access business email.
• Configure Spoof Protection Controls: Ensure spoofing controls such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) are fully configured for mail-enabled domains with hard fail and reject policies, where applicable.
• Validate Email Security Gateway Implementation: Scan and sanitize all emails and attachments from malicious content and embedded URLs. Block certain file attachment types automatically (e.g., .scr, .exe, .chm, etc.) along with implementing automated email warning reminders for external email.
• Block Macros in Microsoft Office Documents.
• Validate Web Proxy or URL Filtering Configurations.
• Implement Strong Password Policies, ensure sufficient logging and alerting mechanism in place.
• Develop and operationalize Phishing Incident Response Playbook.
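The spoof-protection and gateway items above are checkable. The script below is an added example, not NCIIPC code, that shows what "hard fail and reject policies" mean concretely: it evaluates SPF and DMARC TXT records and reports anything softer than `-all` and `p=reject`, and it applies the attachment-type block list from the guidance on the final file suffix. The domain names and records are constructed placeholders (an actual deployment would fetch the TXT records over DNS, which is omitted so the example runs offline).

```python
# Constructed DNS TXT records for two placeholder domains; a real check would fetch
# these with a DNS lookup, omitted here so the example runs offline.
SAMPLE_TXT_RECORDS = {
    "weak.example": [
        "v=spf1 include:_spf.mail.example ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    ],
    "hardened.example": [
        "v=spf1 include:_spf.mail.example -all",
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example",
    ],
}

# Extensions named in the guidance; extend per organisational policy.
BLOCKED_ATTACHMENT_EXTENSIONS = {".scr", ".exe", ".chm"}


def spf_findings(record):
    """Report SPF weaknesses: missing record, missing 'all', or anything softer than '-all'."""
    if not record.startswith("v=spf1"):
        return ["no SPF record published"]
    all_mech = next((m for m in record.split()[1:] if m.lstrip("+-~?") == "all"), None)
    if all_mech is None:
        return ["SPF has no 'all' mechanism (unlisted senders are treated as neutral)"]
    if all_mech != "-all":
        return [f"SPF ends with '{all_mech}' instead of hard fail '-all'"]
    return []


def dmarc_findings(record):
    """Report DMARC weaknesses: missing record, policy other than reject, no reporting address."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is '{policy or 'missing'}' instead of 'reject'")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(f"DMARC subdomain policy is '{sub_policy or 'missing'}' instead of 'reject'")
    if "rua" not in tags:
        findings.append("DMARC has no aggregate report address (rua), so spoofing goes unreported")
    return findings


def assess_domain(txt_records):
    """Combine SPF and DMARC findings for one domain's TXT records; an empty list means compliant."""
    spf = next((r for r in txt_records if r.startswith("v=spf1")), "")
    dmarc = next((r for r in txt_records if r.startswith("v=DMARC1")), "")
    return spf_findings(spf) + dmarc_findings(dmarc)


def is_blocked_attachment(filename):
    """Gateway rule: decide on the final suffix only, so 'report.pdf.exe' is still blocked."""
    name = filename.lower().rstrip()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_ATTACHMENT_EXTENSIONS


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT_RECORDS.items():
        findings = assess_domain(records)
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    for name in ("invoice.pdf", "report.pdf.exe", "setup.SCR"):
        print(name, "blocked" if is_blocked_attachment(name) else "allowed")
```

The weak domain yields three findings (softfail SPF, `p=none`, and the subdomain policy inherited from it), while the hardened domain yields none. DKIM is not checked here because its selector records are per-sender and cannot be discovered from the domain alone.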


GUIDANCE TO EMPLOYEES

Purpose: Take responsibility to protect the organisation's assets.

• Identify and secure devices to be used for remote working with latest versions, patches and updates of Anti-virus/anti-malware, OS and other applications like MS Office/Libre Office suite, web browsers, Acrobat PDF Reader, web conferencing utilities like Skype/Webex/Zoom etc.
• Strong password protection, Firewall, Drive Encryption of the device to be enabled.
• Do not share devices with other family members, especially children, for the duration of remote working from home. If sharing is unavoidable, log off from your account and let them access through their own login account, which has no administrative privileges and cannot install applications.
• Ensure that web browser protection feature is enabled and active. This will flag unknown and risky websites.
• Secure the Home Router by changing the Admin and WiFi passwords and use strong wifi protocol.
• Actively participate in all employee awareness training programs and strictly follow the advisories and guidelines given by IT and IS teams.


TIME IS CRUCIAL

Situation is Ad-hoc but Learning is long term.

Challenge is to support scaled up 'work-from-home' employees and access to Critical Information in a Secure manner.

Online Training and Awareness program is crucial for Employees and Management.


Best Practices

This document is intended to be shared with all NCIIPC Stakeholders to make them aware of ongoing Cyber Threats and Organisation Best Practices related to COVID-19 pandemic. Feedback/Suggestions are welcome at [email protected]. Copyright NCIIPC, Government of India.

"It's our responsibility to protect Critical Information Infrastructure of India. We are prepared to defeat COVID-19 Cyber Threat together."
