Cybersecurity Impacts of Remote Work During Coronavirus 2019 (COVID-19)


The Coronavirus 2019 (COVID-19) pandemic has forced businesses, organizations, and government agencies to change their operating model immediately, resulting in furloughs and in workers being sent home to telework. Employers are struggling to ensure their employees are safe, healthy, productive, and equipped during this time. Many organizations that were never designed to support work from home (WFH) are finding they lack the IT infrastructure and digital capabilities to support this model. The lack of a properly architected remote work capability is creating new cybersecurity vulnerabilities that expose people and organizations to new risks.

CYBERCRIMINALS ARE EXPLOITING THE CORONAVIRUS

We are already seeing a dramatic increase in cyberattacks exploiting people's fears and concerns. For example:

[Graph of COVID-19 related domain name registrations]

SOCIAL ENGINEERING REMAINS THE HIGHEST THREAT

Social engineering attacks, primarily conducted through phishing emails, have historically been the most common way attackers compromise systems and networks. An already successful attack vector is even more powerful in a situation such as a pandemic, because clever attackers exploit people's fears to get them to click a link or open an attachment.

Here are some examples that we are seeing in phishing attacks related to COVID-19:

  • Phishing emails offering free COVID-19 tests or vaccines
  • Malware embedded in COVID-19 tracking maps and mobile apps
  • Emails asking for donations or assistance to help fight the Coronavirus outbreak
  • Legitimate-looking emails that purport to come from a government organization with important COVID-19 information, carrying malicious attachments or a link to a malicious URL

NEW VULNERABILITIES FACING ORGANIZATIONS

Organizations that did not have policies, procedures, and technology solutions addressing remote work before the pandemic are finding themselves at increased risk in a number of areas. Some of these risks include:

  • There are no remote access capabilities, such as a Virtual Private Network (VPN), to allow workers to securely access company or agency assets. Or, where VPN capabilities exist, infrastructure and/or licensing limits prevent the entire workforce from functioning
  • Organizations lack a collaboration tool such as WebEx, Zoom, Teams, Skype, or Slack, so employees are either using anything they can find online, or organizations are quickly procuring something without taking the privacy and security concerns into account. Zoom, for instance, has been highly criticized over its privacy policy (which was recently changed) and its lack of complete encryption
  • System alerts that would normally go to a Security Operations Center (SOC), Managed Security Services Provider (MSSP), or some other monitoring dashboard may not be seen
  • Security monitoring staff may be unable to keep up with the increased remote traffic, and tools such as Network Intrusion Detection and Prevention Systems (IDPS), full packet capture, and Network Traffic Analysis (NTA) may not be able to handle the throughput, leaving the organization blind to malicious activity
  • Security staff may not be able to work from home, outsourced security staff may be getting sick, and other distractions may reduce the effectiveness of either in-house or outsourced security incident responders

Additional Security Risks

Organizations should consider these additional security risks:

  • Commercial Cloud Service Providers (CSPs) are under unprecedented demand for services, which in some cases has resulted in a diminished experience, including the timeliness of notifications such as security events. Security tools hosted in the cloud, such as a vulnerability management tool or a Security Information and Event Management (SIEM) tool, may have degraded performance
  • Organizations must consider temporarily turning off or significantly throttling vulnerability scans against systems that are now dispersed at private residences. Network bandwidth to the vulnerability management scanner and on home networks may not be able to handle the traffic. Scanners may need to look for only the most severe vulnerabilities to limit traffic
  • Less vulnerability information will be available, and it will not be possible to scan systems for compliance changes (such as against DISA STIGs or other hardening benchmarks) with a SCAP tool
  • Systems and peripheral devices that were never intended to leave an office are being taken home. Such systems may not be secured properly, for example with full disk encryption (FDE), and the data on them is susceptible to unauthorized disclosure in the event of a theft or home burglary
  • Users may take it upon themselves to "get the job done" and bypass security controls, for instance by using personal email or cloud storage, which may expose the organization to risk or to regulatory compliance violations

NEW PRIVACY CONCERNS

Since many organizations lack policies for telework and most employees were not set up with a home office before the pandemic, the door is open to increased privacy risk. As employees begin using technologies they are not familiar with (such as video conferencing), work outside a secured home office, and rely on home technologies that introduce new challenges, employers must provide guidance to employees on protecting the privacy of clients, patients, customers, and other employees.

Here are some privacy considerations that organizational leadership should consider:

  • If a policy doesn't already exist about WFH, make sure to draft one and communicate it to the workforce
  • Ensure employees understand how to keep computers and mobile devices secure, and that family members and others in the home should not use work-related devices
  • Consider a policy that requires the removal of smart home devices like Amazon Alexa or Google Home from any room where work-related discussions take place. It's widely known that these devices record and store conversations that they overhear
  • Make sure employees are only using organizationally approved devices and applications to conduct work. Don't rush to procure something without first vetting it for both cybersecurity risk and privacy risk

ADMINISTRATIVE RECOMMENDATIONS

Enact these administrative recommendations within your organization:

  • Begin an immediate education campaign with employees, highlighting the increased risk that organizations now face and reinforcing that security policies are still in place. Consider using the SANS Securely Working From Home Deployment Kit (see Additional Resources)
  • Ensure everyone knows how to reach the IT security team. Consider adding real-time access to the incident response (IR) team / SOC with tools like Yammer, Teams, Skype, or Slack
  • Educate users on how to secure their home networks
  • Determine a solution for dealing with derived credential expirations and other Identity and Access Management (IAM) challenges with an entirely remote workforce
  • Ask your employees to watch the quick video from SANS on securing their home

TECHNICAL RECOMMENDATIONS

Enact these technical recommendations within your organization:

  • Block endpoints from navigating to unknown or never-before-seen domains
  • Where possible, have endpoints fetch endpoint security definitions directly from the vendor instead of through the corporate network
  • Consider pushing GPO changes so that systems reach out directly to Microsoft or Apple for system patches and updates instead of pulling centrally managed (e.g., SCCM) patches through the VPN, to reduce bandwidth needs and delays in patching
  • Consider minimizing monitoring and control activities to focus only on those of the highest risk, to reduce alert fatigue among SOC analysts and to ensure capacity for the alerts you truly need to care about
  • Test your incident response capabilities by placing something like the EICAR test file on remote systems, to confirm that alerts are being sent and to measure how long a delay IR teams should expect
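The recommendation to block never-before-seen domains, together with the surge in COVID-themed domain registrations noted earlier, suggests a simple defender-side triage over DNS query logs. The following is an added example, not code from the original post; the log format, the baseline of previously resolved domains and the lure keyword list are constructed assumptions.

```python
# Added example (not from the original post): triage DNS query logs for
# never-before-seen and pandemic-lure domains. Log format, baseline and
# keyword list are constructed assumptions, not any vendor's format.
import re

# Constructed sample log: "<timestamp> <client> <queried domain>" per line.
SAMPLE_DNS_LOG = """\
2020-03-20T09:01:12Z 10.8.0.14 login.microsoftonline.com
2020-03-20T09:02:40Z 10.8.0.14 covid19-relief-payments.example
2020-03-20T09:03:05Z 10.8.0.22 corona-tracker-map.example
2020-03-20T09:03:51Z 10.8.0.22 update.microsoft.com
2020-03-20T09:05:17Z 10.8.0.31 Secure-Vaccine-Offer.EXAMPLE.
malformed entry
"""

# Constructed baseline: domains the organization has resolved before.
BASELINE_SEEN = {"login.microsoftonline.com", "update.microsoft.com"}

# Lure keywords drawn from the phishing themes described in the post.
LURE_KEYWORDS = ("covid", "corona", "vaccine", "pandemic", "ncov")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(domain):
    """Lower-case and drop the trailing dot so FQDN variants compare equal."""
    return domain.lower().rstrip(".")


def triage(log_text, seen):
    """Return (timestamp, client, domain, reasons) for each suspicious query.
    reasons holds "first-seen" (not in baseline) and/or "lure-keyword"."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts, client, raw = m.groups()
        domain = normalize(raw)
        reasons = []
        if domain not in seen:
            reasons.append("first-seen")
        if any(k in domain for k in LURE_KEYWORDS):
            reasons.append("lure-keyword")
        if reasons:
            findings.append((ts, client, domain, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for ts, client, domain, reasons in triage(SAMPLE_DNS_LOG, BASELINE_SEEN):
        print(ts, client, domain, ", ".join(reasons))
```

In production the baseline would be fed from the resolver's history and the findings forwarded to the SOC queue; a "first-seen" hit alone warrants a block or a sandbox check, while a "lure-keyword" hit also merits a look at who was phished.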

ADDITIONAL RESOURCES

  • SANS: For Individuals – Securely Working From Home Factsheet (PDF, DOC)
  • SANS: For Organizations – Securely Working From Home Deployment Kit
  • World Economic Forum: https://www.weforum.org/agenda/2020/03/coronavirus-pandemic-cybersecurity/
  • C-M Alliance: Remote Working Cybersecurity Checklist for all organizations: http://bit.ly/RWChecklist
  • NIST: Preventing Eavesdropping and Protecting Privacy on Virtual Meetings (blog)
  • NIST: NIST SP 800-46r2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

At Natsar, we are continuously improving our products and services. Please let us know how we did and whether this information and these resources were helpful to you.
