Risk scenarios and recommendations
History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting to track the coronavirus’s spread across the globe. These opportunistic attacks were an expected variation on well-known themes that use fear to engineer an individual’s behavior. But unlike the typical crisis – a natural disaster or terrorist attack contained in time and space – the pandemic’s effects are global and protracted and stoke paranoia in ways that terrorist organizations only dream of.
While there are many ways to exploit a global pandemic, cyberattacks are an obvious and particularly combustible option. Cyberattacks can be deployed quickly, globally and with virtually no risk to the attacker. They can support any motive, from financial gain to espionage, sabotage and terrorism. And they can exploit new fractures in our already weak cyber defenses, fractures fueled by global distraction and fear and by an unprecedented level of remote work. Likewise, a distracted workforce coping with working in unfamiliar places is more likely to make mistakes when handling sensitive data.
This post outlines risk scenarios organizations are likely to experience during the pandemic and recommendations to mitigate them. As organizations rightly focus on protecting life and safety, some of this risk is unavoidable and must be accepted. But with proper communications and planning, organizations can reduce some risk now while preparing to address other concerns as circumstances normalize.
Likely Risk Scenarios
A significant event like COVID-19 generates vulnerabilities that expose organizations to threats ranging from nation-state actors to distracted employees. Understanding the range of potential risk scenarios is the first step to mitigating them.
Strained security staff leads to fragile defenses
Technology and security staff may be stretched thin by increased workloads and concern for personal safety. Staff reductions and distractions may affect monitoring and response times, leaving organizations more susceptible to destructive or debilitating attacks. On the evening of March 15, for example, an adversarial actor targeted the Department of Health and Human Services with a denial-of-service attack to disrupt its external communications. The attack appears to have been coordinated with disinformation that the U.S. was implementing a complete national quarantine. Government, critical infrastructure and medical institutions should assume attackers will look for opportunities to disrupt response efforts with the goal of causing mass panic or manipulating markets.
Strained staff may also fall behind on critical patching and maintenance, leaving networks exposed to intrusion. Just five days ago, researchers disclosed details of an unpatched remote-code execution vulnerability in newer Microsoft operating systems (CVE-2020-0796). Microsoft released steps to mitigate the vulnerability, but organizations may be slow to respond to this and other maintenance during the pandemic. Attackers may exploit this delay to find and penetrate vulnerable networks.
Remote work expands the attack surface
Organizations rushing to support workers who are practicing social distancing and in self-quarantine may inadvertently expose themselves to significant risk of attack. Some may deploy insecure solutions such as remote desktop (RDP) servers with only basic authentication or unpatched software. Others may allow corporate virtual private network (VPN) connections from employees’ personally owned systems, exposing the network to these less-protected systems. Or they may fail to secure remote VPN access with strong multifactor authentication (MFA). The latter two may be acceptable temporary risks to keep work going; the former probably is not. An insecure and publicly exposed RDP server is almost certain to be discovered and exploited through attackers’ routine sweeps of the entire internet, allowing an opportunistic criminal or terrorist attacker to bring an already fragile organization to its knees with a ransomware attack or other extortionate demand. It does no good to facilitate work from home if the net result is the network’s complete destruction two weeks later.
It’s not just about the adversaries
Malicious actors are not the only threats likely to affect organizations in this crisis. Distracted and anxious employees working in unfamiliar environments are more likely to make mistakes that inadvertently expose data. They are also more likely to fall for the COVID-19–themed attacks launched by criminal and nation-state actors – anxiety and stress are powerful forces that counter the best awareness training. And remote work may lead to unmanageable data sprawl as employees transfer data through unauthorized physical devices and cloud services. These unauthorized services fall outside the organization’s auditing, data loss prevention and data destruction controls and increase the risk of data theft or loss.
Current risk – delayed impact
Organizations may not immediately experience the impact from many of the risk scenarios described above. Certainly, opportunistic actors looking to capitalize on the crisis right now will strike while the iron is hot. Actors using phishing emails and banking trojans to collect financial details will drain accounts now. Ransomware and other extortion-based actors will launch attacks now to hit organizations while they’re most fragile. And nation-state, terrorist and financially motivated criminal actors with specific agendas will act now to disrupt response efforts, stir up panic and manipulate markets.
But the effects of many risk scenarios will not materialize for months to come. The data sprawl caused by workers’ remote activity may lie dormant for many months, until the data is exposed by a security researcher or other unexpected disclosure. Emergency and undocumented infrastructure changes, cloud deployments and other workarounds to accommodate an unprecedented level of remote work are creating technical debt today that may plague organizations for months or years to come. We can imagine the breach explanations we’ll hear in a year’s time that begin with this preamble: “Remember when we had to send all our workers home during the COVID-19 outbreak? Well, here’s what we had to do to make it work … .”
And perhaps most troubling is the likelihood that the most sophisticated actors will exploit the crisis to secure a foothold now for future attacks. Nation-state actors are well-practiced in playing the long game, deliberately taking small, incremental steps to avoid detection, collect information and set the stage for a potential future attack. We should expect these activities against government agencies, defense contractors, critical infrastructure, and healthcare organizations or other entities with large amounts of sensitive data with espionage value. Imagine also a nation-state actor that compromises state government systems before the 2020 election but delays activity until a more critical time closer to the election.
Unusual times require unorthodox actions to maintain life and safety, and to keep the national economy afloat through continued operations. This is not a time for dogmatic adherence to data protection laws and technical control frameworks. But with some planning and proper workforce communication, organizations can limit data sprawl and technical debt, reduce the risk of an immediate crippling attack, and prepare now for long-term recovery efforts.
Regulatory burdens must be lifted to promote life and safety
To reduce anxiety and promote a focus on immediate preservation of life and safety, regulators should use whatever powers they have to delay, suspend or modify noncritical regulations that may impede organizations’ response efforts. Where this is not a legal option, they should announce their intent to provide relief by exercising reasonable prosecutorial discretion. On March 17, the Department of Health and Human Services announced it will use its discretion to not penalize any healthcare entity that uses a noncompliant remote conferencing tool to provide telemedicine, lifting the anxiety of compliance burdens while organizations struggle to provide basic care without spreading infection. More regulators should follow. For example, the California Office of the Attorney General – which has not yet even finalized its regulations under the California Consumer Privacy Act (CCPA) – should take whatever action it can to delay the CCPA’s enforcement and implementation (note that although most healthcare organizations enjoy an exemption for HIPAA-covered data under the CCPA, that exemption does not apply to the private right of action for data breaches). Likewise, state attorneys general and international data protection authorities should speak with one voice to advise organizations they will take a measured and reasonable approach to technical rule violations while a state of emergency exists.
Limit risk from work-at-home solutions
Organizations that must support remote work with immediate changes can still limit their exposure to an immediate and catastrophic attack during the crisis. Smart choices now can also limit data sprawl and future problems. While it’s not reasonable to deploy every solution in a crisis, businesses should evaluate the biggest risks and options to eliminate them.
- Avoid exposure from the riskiest options, like RDP. Organizations should avoid supporting remote work through the riskiest options, such as RDP connections protected only with a username and password. If a risky solution is necessary, reduce the number of authorized users and ensure systems are patched and users have strong, unique passwords (consider deploying password managers, as well). More robust VPN options are a better choice, and certain providers are offering discounts and rapid deployment to support the need. VPN connections may also help protect employees who will use insecure network connections while working remotely.
- Use MFA, if you can. Where there is the option to deploy MFA, do it for every type of remote access to your network or sensitive data (that includes email, network access and access to SaaS/cloud applications housing sensitive data like HR, payroll and CRM). This is especially important when lifting other access controls like IP address whitelisting, which limits access to logins from internal company locations. Where you can’t place the entire workforce on MFA, do so for as many employees and applications as possible. Start with employees with administrative access, executives and those who handle the most sensitive data and processes (e.g., HR, payroll, patient data). Also focus on applications that contain the most sensitive data. Again, certain providers like Okta are offering free services during the crisis. (References to providers in this article are not endorsements but examples of services. Search for the solution you need plus “COVID-19” or “coronavirus” and you are likely to find many offers – but ensure you are visiting the authorized site and not an imposter location.)
- Provide sanctioned services so employees don’t find their own. Remote work requires access to file-sharing and collaboration tools. Obtain enterprise solutions, where possible, so employees don’t find their own, which contributes to data sprawl and insecure settings. Some providers like Cisco (for Webex) are offering free services to organizations to help them during the early stage of the crisis. If a need is not being met, encourage employees to ask for an enterprise solution before finding their own.
Communicate good guidance to the remote workforce
Now more than ever, employees need clear guidance on how to work at home safely. This is not just about phishing awareness. It should include information on softer skills like how to balance work and family and ensure the employees are not “always on” to reduce stress and anxiety. Less anxious employees will be less prone to mistakes. Consider the free resources from SANS and KnowBe4 for remote workforce communications and training. Also, consider these articles on the softer skills from Psychology Today and Forbes.
Focus your monitoring efforts
Remote work continues the trend of the past decade toward a decentralized network with no defined boundary to protect. With a limited and strained security force, focus logging and monitoring efforts on the areas that matter most right now: VPN or other remote access, access to critical SaaS applications and logging around your most critical data stores. Note that the change in baseline activity from on-premises to remote work may also unexpectedly expose anomalies or latent intrusions in place since before the crisis.
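The following is an added example of the focused monitoring described above, not code from the original post. It builds a per-user baseline from pre-crisis remote-access sign-ins and then triages sign-ins from the remote-work period for the conditions this post calls out: successful access without MFA, a user appearing from a country never seen in the baseline, an account active now that had no baseline activity at all, and a burst of failures against one account. The log format and every event are constructed for illustration; the parser would need adapting to what your VPN or identity provider actually emits.

```python
"""Added example: triage of remote-access (VPN) sign-in logs against a
pre-crisis baseline. The log format and all events are constructed for
illustration; adapt parse_logs() to your provider's real log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format (hypothetical): timestamp|user|source country|mfa|result
BASELINE_LOGS = """\
2020-02-10T09:02:11Z|alice|US|yes|success
2020-02-11T08:55:40Z|alice|US|yes|success
2020-02-11T13:10:02Z|bob|US|no|success
2020-02-12T09:30:00Z|carol|US|yes|success
2020-02-13T10:05:12Z|bob|US|no|success
"""

CRISIS_LOGS = """\
2020-03-16T09:12:33Z|alice|US|yes|success
2020-03-16T22:48:10Z|alice|RO|yes|success
2020-03-17T03:15:44Z|svc_backup|CN|no|success
2020-03-17T08:40:05Z|bob|US|no|success
2020-03-17T11:02:19Z|carol|US|yes|failure
2020-03-17T11:02:40Z|carol|US|yes|failure
2020-03-17T11:03:01Z|carol|US|yes|failure
2020-03-17T11:03:25Z|carol|US|yes|failure
2020-03-17T11:03:50Z|carol|US|yes|failure
2020-03-17T11:04:12Z|carol|US|yes|success
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    country: str
    mfa: bool
    success: bool


def parse_logs(text: str) -> list:
    """Parse the constructed pipe-delimited format into AuthEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, mfa, result = line.split("|")
        events.append(AuthEvent(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=user, country=country,
            mfa=(mfa == "yes"), success=(result == "success")))
    return events


def build_baseline(events: list) -> dict:
    """Per-user set of source countries seen in successful pre-crisis sign-ins."""
    seen = defaultdict(set)
    for e in events:
        if e.success:
            seen[e.user].add(e.country)
    return dict(seen)


def triage(baseline: dict, events: list, fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10)) -> list:
    """Return sorted (user, finding) pairs worth an analyst's attention."""
    findings = set()
    failures = defaultdict(list)          # user -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            # Sliding window of failures; a burst suggests password guessing.
            recent = [t for t in failures[e.user] if e.ts - t <= fail_window] + [e.ts]
            failures[e.user] = recent
            if len(recent) >= fail_threshold:
                findings.add((e.user, "failure_burst"))
            continue
        if not e.mfa:
            findings.add((e.user, "no_mfa"))          # post: MFA for every remote access
        if e.user not in baseline:
            findings.add((e.user, "unseen_account"))  # dormant or unknown account now active
        elif e.country not in baseline[e.user]:
            findings.add((e.user, "new_country"))     # source never seen for this user
    return sorted(findings)


def run() -> list:
    """Baseline on the pre-crisis sample, then triage the remote-work sample."""
    return triage(build_baseline(parse_logs(BASELINE_LOGS)), parse_logs(CRISIS_LOGS))


if __name__ == "__main__":
    for user, finding in run():
        print(f"{user:12s} {finding}")
```

Two design points: the baseline is built only from successful sign-ins so that attempts against accounts never actually used remotely do not poison it, and the "unseen_account" finding is what surfaces the latent-intrusion case the post mentions, since an account that was quiet before the crisis and is suddenly active from an unfamiliar place is exactly the shift in baseline that deserves a look.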
Document what you’re doing
You may not have time or resources to follow your usual change management practices, but be sure to document the changes you make to your environment and the new services you deploy. This will help you roll back the riskiest services when circumstances allow and mitigate the risk of unnecessary exposure well after the crisis ends. It will also help articulate when and why the organization took certain actions if necessary during a future inquiry.
When you can, prepare for the recovery
As we settle into the new normal, think about how the organization will recover from immediate changes. What changes and services must be modified or hardened? Where did we fall behind on patching and other fundamental controls, and what is the plan to get back on track? What gaps did the crisis expose that the organization must address going forward? And what steps will we take to ensure that exposed systems were not compromised during the crisis? Organizations in the highest risk categories should consider the need to examine their networks for latent threats once the crisis has subsided.