POSTED: March 13, 2020
Everywhere you look there is evidence of the growing concern over the novel coronavirus, COVID-19. Things like toilet paper being stockpiled, hand sanitizer and disinfectant being stationed around your workplace, and coworkers getting alarmed when you cough are a few examples. For those of us in Cyber Risk, it’s impossible to ignore the potential impacts of this global event. How will COVID-19 impact your business, and are there any factors that can be or need to be controlled? Last Friday the Collaboratory sat down with industry IT and Cybersecurity professionals from around the Columbus area to explore this topic.
COVID-19 is the abbreviation for Coronavirus Disease 2019 which is a respiratory disease first detected in China that has now been detected in more than 100 locations internationally. A report out of China states that the disease only presents severe conditions in 16% of patients, generally the old or patients with otherwise compromised immune systems. While the health risks to people remain relatively low, the impacts to businesses may still cause major disruptions. Those disruptions may then result in increased threats and vulnerabilities on the technical side.
Everyone should be on the lookout by now for scams and fraud using a natural disaster to cash in on both the charity and fear of the public. But what does a pandemic event mean to your business in terms of your security posture? To get to the answer to that question it is necessary to analyze both how security controls are affected, and also how risk tolerances change during and after the pandemic event. The following are some things to consider during this process.
A mature security program requires remote access to be tightly controlled. For most, remote access isn’t something broadly available across the company and when it is, it is probably not meant as the standard means of access to corporate networks for the entire workforce. If it is, you’re probably working at a small and very agile business or you’re living in the future. For everyone else, the COVID-19 outbreak will signify changes to remote access operations and how it is controlled from a security perspective.
Depending on your organization’s capability maturity, there are quite a few things happening right now. Remote access is being scaled to incorporate a broader remote workforce, stress testing is being conducted to ensure broad access is both achievable and sustainable, and risk tolerances are being evaluated to consider remote access for those roles previously restricted due to associated risks.
Regardless of where you are in responding to the outbreak, a balance needs to be struck between quickly scaling, maintaining reliable and sustainable remote access, and ensuring that security can and is maintained. Here are a few examples of remote access security controls that may need to be re-evaluated during this type of event:
- Role-Based Remote Access
If your organization limits remote access based on role, more than likely you’ll be re-evaluating those risk tolerances to allow for an expanded remote workforce. The possibility of restricted access to facilities creates a shift in risk where the negative impact is greater to not consider allowing remote access, as opposed to potentially no access at all. For administrative roles, network and security operation roles, and roles with access to sensitive data, remote access that previously may have been restricted might be less of a risk than dealing with the potential consequences.
- Split Tunneling
Disabling split tunneling ensures that remote hosts are sending all traffic through your data center, which reduces your attack surface by leveraging network bases security appliances. Network-based Firewalls, IDS/IPS, Web-Content Filtering, and DLP are all in line and effective, greatly reducing things like C2 traffic beaconing home directly from a remote host to the internet. The downside is that all of this traffic is now going through your datacenter, rather than directly to the internet. With the likely exponential increases in remote access, disabling split tunneling may no longer be effective.
- Host-Based Security
Mature remote access security should include hardened operating systems, digital certificates, full disk encryption, and routinely updated security software. If your organization is doing this effectively for a small subset of your workforce, are you able to provision new hosts with these controls in place quickly enough to meet the demand caused by this outbreak?
For those not familiar, pretexting is a social engineering activity where the threat actor uses a highly plausible pretext to engage with a target in order to increase the likelihood that the target divulges information or performs an activity that will enable further malicious activities. The coronavirus and similar events create some excellent pretext opportunities.
- Business Email Compromise (BEC)/Phishing
Security Awareness activities should include alerting employees to not only personal scams but also those that may compromise your organization. Emails titled “[Company] Confirmed COVID-19 Cases” as well as emails pertaining to alternate work locations/schedules and those that request that the employee check in to verify their health status could all be used to steal sensitive data including credentials and PII or compromise those accounts/systems.
- Help Desk/IT Administrators
These personnel will be inundated with legitimate requests for assistance, asking for help with remote access as well as requests for access to applications, software, systems, and networks. This is a huge opportunity for an attacker to submit their own requests. Help Desk personnel should be on the lookout for the angry executive calling in stating that they can’t gain access and they have an important meeting, why not just disable MFA for now? Awareness is vital especially because a pandemic outbreak may mean that staffing may be degraded, and new or temporary staff may be used to handle the increased volume and unavailability of regular staff.
- Physical and Environmental
While the likelihood of a physical action being a factor in a breach of security remains low, that risk may be elevated during a pandemic outbreak. Consider controls that are degraded by someone in your organization wearing a mask. CCTV, photo ID badges, and personal recognition are prominent here. There is also the pretext of disguising oneself as an additional hire-on disease testing service and deep cleaning workers.
Global efforts are underway to lessen the spread and the impact of the virus. This includes the World Health Organization, the Center for Disease Control, and governments at every level. Direction may come down from any level stating that restrictions travel, attending events, going to school, and perhaps even going in to work. Additionally, employees may not be able to make it to the office due to needing to care for themselves while sick, for sick family, and for children that can no longer attend school or childcare. How does this affect your business and is your Business Continuity Plan (BCP) ready to handle it? Here are some relatively unique considerations that set a pandemic event apart from other various Business Continuity/Disaster Recovery events.
Pandemic Continuity Planning
A pandemic is an event that has unique considerations when it comes to how it affects an organization. While the primary concern for all disasters and events is always human health and safety, few others have such a considerable emphasis on this topic.
One thing that makes pandemic continuity planning unique is the possibility that the organization will need to operate in a limited or alternate capacity for an extended period of time. This is important when analyzing essential business functions and essential roles. Does your BCP account for events lasting longer than 30 days? 60 days? A year? When looking at essential business functions and roles your answer may change on who or what is essential based on the timeframe of the event. Perhaps your organization can get by simply ‘keeping the lights on’ for a week or two, and in the event of most other continuity/disaster events this response can get you through the event and back to normal operations. What happens when that event persists? Pandemic continuity plans will need to incorporate these extended time frames, so these decisions aren’t forced during a crisis.
- Workforce Impact
Another condition of a pandemic that is relatively unique is the increased likelihood of the event affecting multiple geographically dispersed facilities. Most organizations plan for a specific office or facility to be out of commission in the event of inclement weather, disaster, or outage by providing remote access to those affected personnel to work from home. Is your organization ready and capable of handling not just a single office but your entire workforce?Additionally, a pandemic event greatly increases the likelihood of essential personnel being temporarily, and unfortunately permanently unavailable. An important part of continuity planning is ensuring that essential roles have backups and alternates that can assume critical responsibilities for both planned and emergency leaves of absence and this is vitally important for pandemic planning.
- Supply Chain
While supply chain disruptions are not unique to a pandemic event, what is unique is the likelihood that multiple suppliers as well as your own organization experience a disruption simultaneously. Each of your critical third parties must be evaluated with the considerations for timeframe and workforce impact noted above. Highly unlikely scenarios like losing multiple suppliers simultaneously need to be considered and prepared for, where possible. As with all business continuity/disaster recovery events, communication is vital to resilience and recovery objectives. Your organization should be prepared to maintain open channels with all affected 3rd parties and customers as well.
For Business Continuity planning, a pandemic response is now more important than ever. Many organizations will be conducting continuity operations whether or not they’ve planned for it and this is a great time to create and update that plan based on how things go in the coming days, weeks, and months. For more guidance see the FEMA Pandemic Template and the DHS CISA Risk Management Insight Brochure for Novel Coronavirus.
If you have any questions about how to prepare your company for the challenges ahead, please contact us for guidance.