The risks of the coronavirus pandemic to IT security
Royal BAM Group CISO Ian Hill examines the many different IT security threats posed by the COVID-19 coronavirus outbreak
With infections of the coronavirus COVID-19, officially designated as SARS-CoV-2, increasing around the world, governments are imposing restrictions on movement, shutting down non-essential services and advising people to ‘self-isolate'.
In a climate of uncertainty, where global stock markets have also seen huge losses and instability, businesses are looking at how best to manage the situation from an operational and, by association, financial risk perspective.
Many organisations will be invoking well designed and tested pandemic- specific business continuity plans, probably created back in 2009 as a response to the H1N1 ‘swine flu' scare. Other businesses will be forced to implement hastily devised and reactive tactical measures and do what is in essence ‘BCP on-the-fly'.
As with all things information security, it's about people, processes and technology, in that order.
Many organisations will be invoking well designed and tested pandemic- specific business continuity plans
And in the current situation, people are potentially more distracted and in a heightened state of anxiety, making them more susceptible to cleverly crafted phishing attacks.
As always happens with major news events, threat actors see an opportunity to exploit the situation. Indeed, we have already seen examples of convincing phishing emails, often personalised as a result of previous data leaks, purporting to be from official sources, including the National Health Service.
They look persuasive. Some even suggest that the recipient may be infected with the coronavirus and insist that they urgently click on an embedded link to find out what to do next.
With many organisations keeping employees updated on the situation via email, threat actors, likewise, are sending phishing emails purporting to come from HR or other official corporate functions.
With so much press attention and extreme action taken by governments, people are naturally concerned and even frightened, making them more vulnerable to these sorts of scams. From a business perspective it is important to tackle this risk as part of its response to the situation, by increasing awareness, specifically about Coronavirus related scams. One option might be to include a sentence about the risk of phishing emails in official coronavirus-related emails or communications, possibly with links to a corporate intranet page with examples and information on how to spot a scam.
Of course, the priority is the health and well-being of employees, and for many office or location-based staff, working from home is an effective measure for maintaining some aspects of the operation, while reducing the risks to those involved.
Remote control
For many businesses, shifting employees to home-working, albeit temporary, is easier said than done, especially if not prepared for in advance. While attention is focused on the operational aspects of ‘keeping the lights on', information security can easily get overlooked or, at least, not have the level of due diligence it requires.
The increasing number of lockdowns and advice from governments to work from home is forcing businesses to allow for often unplanned remote working.
One risk here is a shortage of corporate devices and lack of infrastructure to facilitate home working.
People are naturally concerned and even frightened, making them more vulnerable to these sorts of scams
This very much depends on the nature of the organisation. While some business functions may already have a mobile workforce equipped for the task, there are often critical business functions, such as finance, HR, payroll and so on, that are typically office based, usually with desktop computers that are not set up for working remotely. The challenge here is not only to find them a device to work from home with, but also to create the ability for them to connect securely to the information assets they require to do their job.
There is, of course, the option to allow employees to take their desktop computer home; however, it's unlikely to be configured for remote access. This will involve re-configuring it, possibly rebuilding it to the same standard as, say, a corporate laptop, which will typically have extra security software and controls for a remote working environment.
It will also require the user's privileges to be modified to allow for remote connecting, and appropriate secure routing to the various applications and data that they need to access.
An easy option would be to install some remote-access software onto their desktop and send them home.
However, unless you've adopted a strong ‘zero trust' policy on all corporate devices, the significant security risks posed by the uncertainty of the environment they will be connecting from maybe akin to sending them to work from inside McDonalds.
Stock shortages
Major laptop manufacturers are already reporting shortages of stock, partly due to the current demand but also due to a shortage of the Intel processor chips that go into them.
As a result, businesses are being tempted to allow employees to work from home using their own personal home computing devices, which is fine if they already have an existing robust bring your own device (BYOD) and remote access capabilities that can easily be deployed on such devices.
Just arbitrarily allowing home personal devices to connect to the corporate network, or even corporate cloud-based services, is asking for trouble, because you have no idea about the state of these devices or their home network environment, which could easily already be compromised.
Sending users to work from home may also affect other security measures and result in unintended consequences
Facilitating secure connectivity to a corporate network, needs careful planning and design not least of all from a mobile device management/mobile application management (MDM/MAM) perspective, and cannot easily be rushed.
Split tunnelling is an example of an unintentional security risk that can be caused when giving users VPN access to the corporate network, while still maintaining the ability to print to a local printer connected to the home WiFi.
There are, of course, solutions such as Citrix or other virtual desktop infrastructure (VDI) environments that can facilitate a certain amount of security to homeworking operations, but these need careful management.
The same can be said for businesses that have shifted some of their operations to cloud-based services.
While cloud solutions, such as the Office 365 suite of applications, have a level of protection through Microsoft Direct Access (MDA) and encrypted connections, they don't fully get around the risk posed by access from uncontrolled devices.
This issue is also not helped when, for tactical reasons, privileges are hastily changed to grant access in order to share information via SharePoint or Microsoft Teams.
For businesses that haven't adopted such solutions, there is a temptation to share files via the likes of personal Google Drive, Box or Dropbox accounts which, again, can create all manner of security risks - not least of all, exposing the business to a potential GDPR breach.
With larger enterprises, a group-wide IT structure can come under a lot of pressure under these circumstances, and this can result in frustrated business functions resorting to unilateral measures and implementing what is, in effect, ‘Shadow IT'.
One example being reported is the deployment of GoToMyPC or LogMeIn as a way of facilitating homeworking users' access to their desktop device. While both of these products are mature and reputable, you can't just deploy them without understanding the risks, and implementing appropriate compensating controls and monitoring. Anything that is done outside of a business's proper IT governance will almost certainly create a significant risk.
The whole issue of facilitating remote working for employees who do not normally work from home also brings other security challenges. It will inevitably involve making access privilege, network routing and firewall changes, all of which need to be subject to strict and robust change management. Business pressure to fast track or short cut this process can easily create significant information security risks.
Anything that is done outside of a business's proper IT governance will almost certainly create a significant risk
Sending users to work from home may also affect other security measures and result in unintended consequences. There are many security solutions now deployed to monitor user activity for evidence of a threat or compromise.
Azure Identity Protection (AIP), for example, part of Microsoft's cloud-based Azure Active Directory, learns and monitors user login and access activity. If it sees anything it deems abnormal behaviour it will alert or even block it.
So, when someone from payroll who usually logs in from within the corporate office network suddenly logs in from home, tools such as AIP will likely red flag them.
Best security practice dictates that all remote access must authenticate via some form of multi-factor authentication (MFA), which depends on the authenticating applications actually being compatible with it.
One classic problem area is email, such that devices newly seconded for home working may be running email clients, including older versions of Microsoft Outlook, that only support legacy protocols such as ActiveSync, IMAP or POP.
This may leave the choice of either upgrading clients to ones that support MFA, or allowing legacy protocols to connect remotely, which brings a high risk of threat actors with compromised credentials being able to bypass MFA in order to get access to business information assets.
Another risk is the ability to effectively monitor for and deal with serious security incidents in the event that there are not enough capable staff available should some of them be off sick or unable to work. Restrictions on movement also means that in the event of a major compromise where security professionals may need physical access to affected devices, they may not be able to get to the sites, such as data centres, in order to contain or mitigate the compromise.
In summary, not being prepared, making hasty tactical changes to the IT infrastructure, opening up access and potentially lessening security controls in order to mitigate the operational risk posed by the current pandemic can unintentionally increase security risk.
It's too easy to be distracted and to forget the importance of information security, when the organisation is screaming out for business continuity.
While we are all dealing with the day to day human and business impact of coronavirus, for threat actors from organised criminal gangs through to nation states, it's Christmas come early.
Ian Hill is global director of cyber security at Royal BAM Group, the Dutch construction and engineering giant. Prior to Royal BAM, Hill was information security manager at KCOM