In the initial phase of remote working, the priority was to get users up and running and to establish foundational security: PC and mobile device protection, VPN, firewall, DNS and other network security measures. As businesses prepare to reopen, health and medical concerns will require organizations to continue remote working where possible. Meanwhile, as more data arrives on remote working infrastructure, traffic patterns, vulnerabilities and threats, IT departments can now quantify the risk and take measures that balance productivity with security. This article explores what comes next for prolonged remote working.
Responding to the immediate need of mobilization
As LAN traffic is routed over the WAN, new usage patterns and vulnerabilities are emerging. While mobilizing the remote workforce, most organizations deployed endpoint security management agents, which are now providing data on usage patterns and threat activity. Increased WAN traffic has stretched the bandwidth available for business work because of (a) limited home network bandwidth competing with increased streaming traffic, (b) more audio and video traffic from collaboration apps and (c) more non-business traffic passing through the VPN. Companies are responding by increasing VPN capacity, using WAN optimization software and applying load balancing.
Some companies are also implementing split tunnelling, and some are even paying to increase employees' bandwidth. Note that with split tunnelling, traffic to non-corporate destinations no longer passes through the corporate firewall and inspection, so endpoint controls have to carry more of the load. Security teams have also realized that an employee's home network may contain many IoT or outdated devices that are not safe, so some companies now offer network and endpoint security management for employees' home technology. Implementing these measures with speed, trust and confidentiality can be challenging, because employees may not feel comfortable with their employer monitoring their home network.
Understanding the vulnerabilities
Working remotely does not create security risk because people are careless about security at home. It is mostly due to a lack of infrastructure and limited understanding of the risks. Some of the common vulnerabilities are:
| Vulnerability | Why it matters |
|---|---|
| Most home networks have no firewall separating the internal LAN from the internet | Employees exchanging data and documents as they normally would may not realize that this traffic now crosses the public internet |
| Personal and business data mixed on the same device, because a personal device is used for work or vice versa | Business-confidential or customer-private data may end up on personal devices, creating both security and legal risk |
| Lack of enterprise-grade endpoint protection, monitoring and threat mitigation on personal devices | Consumer antivirus or anti-malware is not sufficient to protect business data, especially in regulated industries such as finance, legal or healthcare; these require endpoint agents for continuous monitoring, Advanced Threat Detection (ATD), SOC monitoring and SIEM services, depending on the industry |
| Unencrypted Wi-Fi or outdated encryption | Many home users do not know whether their router has WPA2 enabled, and some routers are too old to support it |
| Not using a VPN on public or unencrypted home Wi-Fi | Capturing data over the air on unencrypted Wi-Fi is easy, yet many home users do not use a VPN, exposing business data |
| Many home devices run Windows 7 (out of support since January 2020) or Windows 10 Home, which are not suitable for business-level security | Old, outdated or inadequate software versions expose the device to known exploits and cannot support disk encryption or group policy |
| Irregular patching and security updates | Patches and updates are not consistently tested or applied on personal devices, and cybercriminals exploit those gaps to compromise them |
| Disk encryption is rarely used on personal devices, and on many business computers | With the average cost of a corporate data breach around $3.8 million, data stored on unencrypted disks or media introduces significant security and legal risk, especially if the device is lost |
| Many routers still use the default admin login and password | An attacker who takes over the router can alter its DNS settings, intercept traffic, or enlist it in a botnet that spies on user activity and collects sensitive data |
| Most home users have no email encryption, although email is the most common channel for business data exchange | Unencrypted email can be intercepted or spoofed; 67% of organizations report increased spoofing, and ransomware activity is up 26% |
| Employees use their mobile devices to access work email, documents and apps without MDM protection | Mobile attacks and data breaches are rising, including business data leakage, SMS phishing, Wi-Fi interception and cryptojacking |
| Lack of data protection, backup and recovery; surveys suggest ~95% of PCs have no adequate backup | Consumer tiers of Google Drive or Dropbox lack the centrally managed encryption, access control, audit trail and disaster-recovery features of business tiers |
| Physical security is hard to ensure for remote workers | Physical security is not trivial: a keystroke-injection USB device that types pre-programmed sequences at 1,000 words per minute can compromise a PC in a few minutes if the machine is left unattended in a public place |
| Legal and regulatory compliance is hard to monitor or assure with a remote workforce | A breach of sensitive data or PII can mean non-compliance with PCI DSS, HIPAA, SSAE 16 SOC 2 and other state and federal regulations, which could be unsustainable for already struggling small businesses |
| Employment agreements and HR policies do not cover liability or responsibility for a breach that occurs during remote work | This exposes the employer to financial, legal or reputational damage, and the employee to liability if a breach results from an inadvertent action |
| Administrative enforcement and training are often lacking in SMBs that are already stretched | Without voluntary compliance through education, plus administrative enforcement using technology and people, policies and procedures exist only on paper and do not mitigate material risk |
Threat landscape: Vulnerability x Threat = Risk
A vulnerability does not turn into risk unless a threat actor tries to exploit it. Employees worked remotely before COVID-19 as well, and that did not always translate into risk, so why now? To answer that we need to understand the modern cybercrime enterprise: it consists of many criminal "experts", is well funded, and spends months researching vulnerabilities, designing and developing malicious software, and setting up complex infrastructure to launch attacks against high-payoff targets. It is no wonder that major enterprises like Equifax, Adobe, Facebook, Target and Marriott could not avoid such attacks. Home networks are no match for such criminal enterprises, but until now there was little ROI (3) in attacking them. With a large number of employees handling business data from home networks, those networks suddenly become a lucrative target, and one that is ironically easier to breach than the corporate network. Before the pandemic, cybercrime damages were expected to reach $5 trillion worldwide in 2020 (assuming people worked within the company network). With most employees working from home, it is not difficult to predict the direction this will trend post-COVID. Attackers do not know in advance which remote employees work for large corporations, so small businesses are caught in the middle and become the same level of target as major corporations.
Trends from post-COVID threat landscape
DHS, CISA and NCSC data show which threats are manifesting in this environment. These agencies are urging organizations to take measures against the increase in COVID-themed cybercrime, such as:
◙ Malware download links and apps posing as a real-time coronavirus tracker
◙ Attacks against newly deployed remote access and teleworking infrastructure
◙ Socially engineered HR emails asking employees to read an important notice or policy
◙ Phishing texts and emails posing as government unemployment or financial-support programs
◙ Phishing emails posing as health information from hospitals, government or health agencies, with an attached document that carries malicious macros
◙ Fake emails from the “Director of WHO” carrying the Agent Tesla keylogger
◙ Emails with malicious links offering masks, sanitizer and PPE
◙ Malware and ransomware attacks on hospitals already under pressure
◙ Phishing emails offering false hope, such as a coronavirus cure, containing malware or ransomware
◙ Exploiting known, already patchable vulnerabilities in VPN products from Pulse Secure, Fortinet and Palo Alto Networks to compromise teleworking infrastructure
◙ Piggybacking on collaboration platforms like Zoom and Microsoft Teams: phishing emails carry malicious executables with names like “zoom-us-zoom_###.exe” or “microsoft-teams_V#mu#D_###.exe”
◙ Increased attacks on exposed RDP services to gain unauthorized access to remote PCs, up 127% since the pandemic began
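Two of the indicators in the list above, the installer-lookalike attachments and the RDP brute-force attempts, can be flagged directly from logs. The Python script below is an added example, not code from the original article or from CISA/NCSC. It runs over constructed sample records: the key=value log layout, the IP addresses, user names, attachment names and the threshold/window values are all assumptions made for illustration, not a real Windows or mail-gateway export format.

```python
"""Added example (not from the original article): flag two of the indicators
listed above from constructed log records.

1. Mail attachments named to look like Zoom / Microsoft Teams installers.
2. RDP brute force: many failed logons (Windows Security event 4625) from
   one source address inside a short window.

The log layout (key=value), addresses, user names and thresholds are all
assumptions made for this illustration, not a real export format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Installer-lookalike names ending in .exe. Assumption: the business deploys
# Zoom and Teams through managed software distribution, so any such file
# arriving by mail is treated as a lure.
LURE_RE = re.compile(r"^(zoom|microsoft-teams|teams)[\w.#-]*\.exe$", re.IGNORECASE)

# Double extensions (invoice.pdf.exe) are a second common disguise.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|js|vbs)$", re.IGNORECASE)


def is_lure_attachment(filename: str) -> bool:
    """True if the attachment name matches a known lure pattern."""
    name = filename.strip()
    return bool(LURE_RE.match(name) or DOUBLE_EXT_RE.search(name))


def flag_lure_attachments(filenames: Iterable[str]) -> List[str]:
    """Return the attachment names that should be quarantined for review."""
    return [f for f in filenames if is_lure_attachment(f)]


# --- RDP brute-force detection ------------------------------------------

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Logon type 10 is RemoteInteractive (classic RDP). When Network Level
# Authentication is enabled, a failed RDP credential check is logged as a
# type 3 (Network) failure instead, so both types are counted.
RDP_LOGON_TYPES = {"3", "10"}


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed key=value record; None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": m["eid"],
            "lt": m["lt"], "user": m["user"], "ip": m["ip"]}


def detect_rdp_bruteforce(lines: Iterable[str], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)
                          ) -> List[Tuple[str, int]]:
    """Return (source_ip, peak_failures_in_window) for every address with at
    least `threshold` failed RDP logons inside any span of length `window`."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for e in events:
        if e["eid"] != "4625" or e["lt"] not in RDP_LOGON_TYPES:
            continue  # successes and local/console logons are not of interest
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[e["ip"]] = max(alerts.get(e["ip"], 0), len(q))
    return sorted(alerts.items())


# Constructed sample data for the example.
ATTACHMENTS = [
    "zoom-us-zoom_3695.exe",
    "microsoft-teams_V2mu7D_0412.exe",
    "Q2-forecast.xlsx",
    "invoice.pdf.exe",
    "zoom-invite.ics",
]

SECURITY_LOG = [
    "2020-04-06T09:00:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5",
    "2020-04-06T09:00:07 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5",
    "2020-04-06T09:00:15 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5",
    "2020-04-06T09:00:21 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=203.0.113.5",
    "2020-04-06T09:00:30 EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.5",
    "2020-04-06T09:00:44 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.5",
    "2020-04-06T09:03:10 EventID=4625 LogonType=10 TargetUser=mjones SourceIP=198.51.100.7",
    "2020-04-06T09:03:40 EventID=4624 LogonType=10 TargetUser=mjones SourceIP=198.51.100.7",
    "2020-04-06T09:05:02 EventID=4625 LogonType=2 TargetUser=mjones SourceIP=127.0.0.1",
]

if __name__ == "__main__":
    print("lure attachments:", flag_lure_attachments(ATTACHMENTS))
    print("rdp brute force:", detect_rdp_bruteforce(SECURITY_LOG))
```

In production the same logic would be fed real 4625 events exported from the Security log, and the threshold and window tuned to the organization's normal failure rate. Two caveats: with NLA enabled, the source address in a type 3 failure is the only link back to the attacker, so do not discard it; and detection is the fallback, not the fix. RDP should not be reachable from the internet at all but sit behind the VPN with NLA and multi-factor authentication in front of it.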
Cybersecurity industry response
Last month, malware operators' promise to refrain from attacking healthcare organizations during the crisis turned out to be a head fake. Within weeks, cybercriminals launched attacks against healthcare and other critical facilities with malware, phishing emails and ransomware, a 150% increase. Google alone is blocking over 18 million COVID-19 phishing emails per day.
In response, cybersecurity experts from Microsoft, DEF CON, Okta, ClearSky Cyber Security and others formed the COVID-19 Cyber Threat Intelligence League (CTI League) to defend healthcare infrastructure against cyber threats. Within weeks the number of volunteers grew to 1,500+ in 76 countries across 45 sectors; so far they have taken down 2,833 cybercriminal assets, including 17 impersonating government entities, the UN and WHO, and remediated 2,000 vulnerabilities in healthcare institutions in more than 80 countries. Serious vulnerabilities are escalated to the FBI or the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) for follow-up. CISA and the CTI League are collaborating with Health-ISAC (Health Information Sharing and Analysis Center) to collect and share threat intelligence and indicators so that vulnerabilities can be pinpointed faster.
Another group, the COVID-19 Cyber Threat Coalition, has several thousand expert volunteers who are tracking cybercrime and sharing vulnerabilities for mitigation. They match volunteers with healthcare providers, giving those providers access to a pool of cybersecurity experts.
What does it mean for small businesses?
While this unprecedented collaboration brings welcome relief to the overburdened healthcare sector, it is not a long-term solution. Just as with the biological virus, if we do not all do our part to stop the spread, the healthcare system alone cannot cure the pandemic. The technology and operational standards needed for adequate security already exist and are affordable; the main gap is a lack of education on how the weak security of individual organizations helps spread the digital infection. Small businesses often postpone adequate security until the business grows. However, as in healthcare, the risk factors and the need for critical security measures are no smaller for a small business than for a large company in the same industry (a small medical practice is not exempt from HIPAA, GDPR or CCPA).
Key questions to consider for security in the new environment
Owners and executives can use the following questions to establish better oversight and control of security risk and compliance in the remote working environment:
◙ What additional software, technology, personnel and other resources are required for safe and secure remote working?
◙ Have the changes made to technology and processes been secured?
◙ Have all security measures, such as encryption, data protection and monitoring agents for PCs, servers, videoconferencing tools and so on, been reviewed and tested?
◙ Are system updates and patching current, and are vulnerabilities mitigated where no patch is available?
◙ How has security monitoring changed given the increase in remote workers? Are changes to accounts with administrative privileges monitored more actively?
◙ What training has been conducted to educate employees about the additional risks and protocols arising from COVID-19-related cyberattacks?
◙ How would any impending budget cut or workforce resizing affect IT security? Are HR and IT security aligned so that all access is removed immediately when someone leaves?
◙ Have critical suppliers been contacted to determine whether they are taking additional steps to protect their networks?
◙ Are insider threats being evaluated, including a review of print-from-home capabilities?
◙ Is the IT team managing security risk effectively, and what are the contingency plans if key IT or security personnel need time off?
◙ What additional legal and compliance risk is the business exposed to, and how can it be mitigated?
Strategize and plan for growth post-COVID
Dealing with uncertainty is part of business. Historically, every crisis brought new challenges, but businesses that found new ways to adapt to the new environment came out as winners: Alibaba and JD.com after the SARS outbreak, and digital leaders like American Express, Amazon and Starbucks after the 2008 crisis. This crisis will be no exception. Carmaker GM, which went from discussion to production of ventilators in three weeks, closed a half-billion-dollar deal. Elsewhere, manufacturers are retooling to make PPE and healthcare equipment to help fight the pandemic.
At CMIT, we look at technology as an enabler of strategic goals, so we recommend technology spending only where it has sound strategic alignment. Small businesses in this environment can consider the following to determine their strategic response and align their technology accordingly:
◙ Get a realistic assessment of your target market and the range of possibilities for the next 12-18 months
◙ Look at your capabilities and constraints in operations, finance, marketing, sales, HR, legal and so on
◙ Project your pro forma financial and operational metrics for the next 1-2 years under various scenarios
◙ Understand the shift in the market and evaluate how best to respond with your capabilities
◙ Assess where your clients and prospects are, their new concerns and preferences, and the most effective ways to engage them
Once you understand the likely outcomes for your business, plan ahead for capabilities such as:
◙ What short-term and long-term financing do you need, and what options are available?
◙ What short- and long-term projects do you need to undertake for the best outcome, and what is the budget?
◙ What technology enablement do your business and team need to achieve your goals, and what is the appropriate spend?
◙ Do you have the technology for immediate needs and short-term goals? If not, how much can you spend on the critical needs?
◙ Is the new environment exposing your business to additional legal or compliance risk, and how can you mitigate it?
If you want more details with the next steps, email us at CMIT_Marketing@cmitsolutions.com.