It is an understatement to say that COVID-19 has forced significant changes in how most organizations operate today. Whether mandatory or voluntary, social distancing requirements have accelerated comprehensive technology changes such as the shift to mass remote workforces, use of cloud platforms and the expanded use of managed IT services to reduce costs. Organizations did what was required to keep business moving, which often entailed technology teams cobbling together whatever solutions were necessary to allow their now fully remote employee workforces to continue operations. These changes created various risk scenarios that manifested as a distinct set of short-term, moderate-term and now long-term problems.
The short-term risk factors hit organizations immediately, and sometimes with spectacular impact. An example includes organizations that deployed emergency remote access solutions that were misconfigured or unpatched, which allowed attackers to compromise their environments. Other examples include clients that were caught unprepared for a purely remote workforce, went to a big box store, bought all the laptops in stock and sent them out to employees with the stock enterprise laptop image. These platforms were built to operate within the safety of an enterprise network screened by firewalls, intrusion detection appliances and various security platforms, not within the wild west of personal home networks. Many of these devices became infected with malware, which quickly pivoted to the enterprise environment with payloads such as ransomware.
The moderate-term issues followed quickly after, and primarily entailed modifying existing attacks to exploit the circumstances of the pandemic and significantly increase their effectiveness. Common examples include simple changes to existing phishing attacks: lures disguised as communications from the chief executive officer (CEO) or a random vendor became fake notifications from health organizations such as the US Centers for Disease Control and Prevention (CDC) or fake announcements from human resources (HR) about “emergency changes to health benefits.” These tactics have had massively increased success rates, leading to significant damage via malware infections. Even more dangerous was when attackers realized the shift to a remote workforce had interrupted many processes that had once worked one way when employees were on-premises and now operate differently. As an example, approval of invoices in many organizations was highly automated and could be quickly sanity-checked by simply walking down the hall and asking someone if they were valid. Current circumstances have broken those simple processes, and it is now not unusual to receive an email stating something along the lines of “The payment app is not working through the virtual private network (VPN), and Barb from accounts payable is offline. Can you please approve this as soon as possible?” Previously, such a message would quickly have been identified as suspicious, but now even valid requests sound like this, which makes malicious attempts difficult to distinguish from legitimate ones.
Finally, some of the more obscure long-term risk scenarios are starting to be exposed, primarily around potential regulatory issues. For example, a specific client had extensive amounts of sensitive data properly segmented from the larger enterprise environment. Due to COVID-19, the organization made a variety of architecture changes such as unsegmenting the environment so that the data would be accessible by newly remote workers, and moving part of the related operations and data to hastily constructed cloud platforms. Months later, the organization realized that its new environment violated various regulatory requirements, just as it was scheduled to submit its annual self-attestation that it was adequately protecting the data. As one would guess, this situation will likely result in an array of negative repercussions that will impact the business.
With the pandemic forcing organizations to adopt new processes and policies, it is highly recommended that they properly assess the variety of technical and regulatory problems that may not be recognized until it is far too late.
Daimon Geopfert is the principal and national leader of security and privacy services at RSM US LLP. He specializes in penetration testing, vulnerability and risk management, security monitoring, incident response, digital forensics and investigations, and compliance frameworks within heavily regulated industries. Geopfert has over 20 years of experience in a wide array of information security disciplines. He serves as the firm’s national leader for the security and privacy practice, responsible for the development of the firm’s overall strategy related to security and privacy services, applicable methodologies, tool kits and engagement documentation.