Seemingly overnight, as society shifted to lockdowns, social distancing, unemployment, hourly data on the health effects of COVID-19 and countless other challenges, the cybersecurity world’s priorities, strategies and tasks have been turned upside down, as well. And now, large corporations such as Twitter, which employs up to 5,000 people worldwide, have announced that it will allow some of its workforce to continue working from home indefinitely if they choose. The social media company is reportedly the first to signal a new normal for a major technology company that could extend beyond the COVID-19 public health crisis. Facebook’s Mark Zuckerberg and Google’s Sundar Pichai, as well, have urged employees work remotely if possible until 2021, according to news reports.
With this sudden shift to work-from-home (WFH) operations, businesses are now forced to deal with increased activity from both independent and nation-state cybercriminals, according to Andy Sauer, Director of Cybersecurity at Steel Root in Salem, Mass.
“Unfortunately, malicious actors will exploit any opportunity to access and steal your data, to include global pandemics forcing your workforce out of the office,” Sauer says. “With entire companies teleworking from home, the risk of a compromise is heightened; in response, companies need to be more vigilant and implement new processes and procedures to ensure that cybercriminals are not successful during this time of increased risk.”
According to Sauer, there are a number of reasons why the sudden move to a remote workforce can lead to cybersecurity breaches. These include:
- Behavioral changes: Working off site, employees tend to be more relaxed and more likely to let their guard down – perhaps even answering emails designed to provide data access to hackers. Also, with stress levels increased, staff might be more inclined to be reactive and less strategic in their actions. Malicious actors typically apply high pressure and quick turnaround.
- Situational changes: Working in disparate locations, security instructions and access rules can fall through the cracks. This can result in less stringent oversight of transactions and other key workflows.
- Technological changes: Suddenly companies are forced to extend their firewalls beyond the physical boundaries of their office. Company systems are being accessed from a wide range of devices, even personal devices. These changes can lead to compromise, data sprawl and other vulnerabilities.
Yet another challenge is the changing roles of cybersecurity professionals, including CISOs. An (ISC)² Cybersecurity Pulse Survey in April revealed that reassigning cybersecurity workers appears to be one of the ways companies were, at least initially, trying to cope with the increase of employees working from home. The move comes as threat actors seek to exploit organizations’ broader attack surfaces, as many shifted to WFH practices.
The study suggests that a large contingent of CISOs – 47 percent of respondents – are being shifted to non-security-related IT assignments. Such assignments include equipping members of the mobile workforce – an apparently logical development, considering that 96 percent of survey-takers said their organizations instituted WFH policies, with 47 percent saying the entire organizational workforce is operating remotely.
Specific issues CISOs said they are facing include a lack of hardware to support remote work, and helping end users comprehend and comply with security policies.
“The goal of the survey was to take the pulse of the cybersecurity community as many of their organizations began to shift their employee bases and operations to remote work setups in March and April,” says Wesley Simpson, COO of (ISC)². “While this was certainly not an in-depth study of the situation, it does provide a current snapshot of the issues and challenges our members may be facing during this unprecedented time.”
CISOs and Business Continuity
According to Joe Partlow, CTO of ReliaQuest, CISOs and security teams have an important role to play in strengthening physical and cybersecurity, in addition to business continuity, by ensuring that current and future telecommuting and WFH policies do not create tradeoffs between usability and security. There are three steps they can take to begin to accomplish those goals, he suggests.
1. Adjust Remote Access Baselines for “New Normal” Activity
Security teams must stay on top of remote access trends and usage patterns in order to understand what behavior is now anomalous and worthy of attention, versus what alerts may be false positives, Partlow says.
“Tracking the source IP address is a common way to authenticate users, but may not be an appropriate baseline during this time when employees aren’t restricted to a specific location,” he says. “Security teams will need to authenticate users from a variety of networks, like home Internet service providers, in multiple locations. As users move outside the office, there will likely be an increase in false-positive alerts for remote access anomalies.”
The increased network noise from all the new remote workers may give attackers an opportunity to carry out undercover attacks against remote authentication portals and Virtual Private Networks (VPN) using password guessing and spraying techniques. “That’s why it is important to continue to monitor for anomalies and quickly remediate any alerts,” he adds.
At the same time, Partlow notes, previous geographic norms linked to business travel have also changed. For example, remote access attempts from other countries that would not have raised eyebrows two months ago may now be genuine cause for concern because they are no longer linked to employee travel patterns.
2. Prioritize Visibility Across Networks and Endpoints
Remote connectivity makes it more difficult for security teams to log network and endpoint activity because employees are moving off corporate networks and using devices that do not log their activity. This can result in large visibility gaps, Partlow says.
“Anti-virus, Endpoint Detection and Response (EDR) tools and even the native operating system software will still send their logs back to a central server for collection and monitoring. Because most agents send their logs to an on-premise server, devices that are not on the internal network will need to send logs via a VPN. If remote users don’t consistently connect to the VPN, the logs will collect on their device and not be sent until they reconnect, which means detection and response will be delayed,” Partlow explains.
Network visibility is also impacted by remote devices that aren’t connected to the VPN and won’t route through on-premise logging devices such as firewalls and web proxies. Split-tunnel VPNs also don’t send Internet-bound traffic over the VPN connection where it would be logged. This means security teams could miss noticing threat activity, such as web-based malware, malicious downloads and data exfiltration, Partlow says.
“The shift to cloud infrastructure is a saving grace in this regard,” Partlow adds. “While on-premise endpoint and network technologies are subject to gaps in visibility, cloud products enable “always-on” monitoring and logs are stored directly in the cloud. Office 365 and other shared cloud services are able to log user activity since the interaction occurs on the server and not on the endpoint. In addition, solutions like Email Security Appliances provide visibility into threats such as the huge increase in COVID-19 phishing campaigns.”
3. Update or Eliminate BYOD Policies
The sudden shift to wide-scale remote work may force organizations to rapidly clarify or even phase out Bring Your Own Device (BYOD) policies that enable employees to use personal devices at home. Many enterprises avoid BYOD even during normal times, due to increased security risks, as personal computers, tablets and smartphones may not be subject to the same controls as corporate assets, and often lack logging agency and patches, Partlow says.
If employees need to access internal company resources, they’ll most often need to connect to the corporate network through a VPN or Virtual Desktop Infrastructures (VDI). But these methods can introduce new risks; for example, a machine that’s already infected can provide attackers with an opportunity to get into a network and move laterally, Partlow says.
“Based on the risk, some enterprises have quickly pivoted to equip employees with corporate devices or at least strengthen the protocols for BYOD use,” Partlow says.
Therefore, one action security teams can take is to create profiles through various BYOD solutions that enable security software to be pushed to remote devices. “This enables security teams to pull audit and security logs from the device,” he says. “It’s a good idea to enable features that pre-check devices for recent security updates and configurations, as well as perform anti-virus scans before they’re allowed to connect into the network.”
The CISO Role
How else has the CISO role changed with COVID-19? According to Jon Oltsik, senior principal analyst, fellow, and the founder of ESG’s cybersecurity service, these days, the CISO role is “all about securing remote users. This one is obvious, as stated earlier, but it’s also the reason why CISOs are busier than ever. The mandate from executives was to get employees up and running first and then address security afterward. CISOs have been fighting ‘bolt on’ security cycles like this for years, but the virus has forced security teams to work uphill to catch up. This means on-the-fly risk assessments, controls adjustments and lots of work in tandem with IT and network operations teams.”
Oltsik adds that CISOs are doing “an immediate search for ‘quick wins.’ CISOs are finding and patching holes as quickly as they can. In some cases, this means they are starting from scratch as they quickly ramp up product research, purchasing cycles, testing, piloting, and deployment. Despite this workflow, CISOs are looking for tools that can be easily installed and configured to mitigate new risks.”
“Budgets haven’t been cut yet and CISOs really don’t have time right now to deal with paper pushing,” Oltsik notes. “Rather, security teams are grabbing money as they can to address the new reality.”
Other parts of that new reality, Oltsik says, include the fact that CISOs are increasingly working with trusted partners to get things done quickly, are asking staff to do what they can to increase end-user monitoring and are increasingly working with HR teams on “crash course” security awareness training.
“CISOs are asking trusted vendors for help,” Oltsik adds. “In some cases, they are discovering security product capabilities and free features and services they were unaware of. Who knew?”
Burnout and Stress
One thing that is certain among many CISOs is burnout and stress.
Principal Analyst at Forrester Jinan Budge says, “Even before COVID-19, CISOs had a stressful job. They were already dealing with bureaucracy, internal politics, lack of organizational support and the constant feeling that they would be breach scapegoats.”
Cue COVID-19 and the stress and burnout intensifies. In the coming months, the psychological safety of security teams will be just as important as their physical safety, Budge argues. If executives want their organization to be protected, they will need to foster a healthier working environment where the issue of stress, mental health and well-being at work is addressed.
“Everyone in the organization,” argues Rick McElroy, Principal Security Strategist, VMware Carbon Black, “from the CEO to the season intern, should understand that security is everyone’s responsibility.”
In order for CISOs and their teams to be less stressed and to accomplish their jobs, all business units and employees within the enterprise should lend a helping hand, he says, by taking responsibility of their actions, increasing vigilance, engaging in regular cybersecurity training and asking, “How can we help?”