21st Century Mont and Bailey
Employees pinging away on their computers at their assigned duties in remote locations cloistered away from their normal temple of toil is the sudden hallmark of employment continuity and necessity in Q1-2 of the 2020 Covid-19 era. Time will tell if this large emergency translocation will retain some portion of permanency. The difference with being posted outside the Royal Company castle on the mont is that the defenses are not as strong in the bailey and there are fewer safeguards against bandits and predators.
Although the media cacophony of the travail of remote work has raised the immediate effort to heroic status, the fact is that remote work via an electronic pipeline is not novel. It has been the norm for several decades in many technical and service industries, such as computer science, finance, manufacturing and insurance, to name a few.
Ever Since the Telegraph …
In fact, the ubiquitous acceptance of the telegraph in the mid-19th century initiated a constant ‘speed-of-light’ flow of knowledge between parties at great distances (transatlantic telegraphy, Civil War rapid logistics, Transcontinental Railroad construction, Wall Street trading via ‘ticker tape’, etc.) permitting decision-making in real time. Fast-forward to the 21st century, and you can add in fiber optic and satellite transmission speeds. Now, an individual cannot get away from the information flow almost anywhere on the planet – even the top of Mount Everest! This immediacy of action permitted by modern technology dovetails perfectly with the human need for quick action and resolution. In short, it is here to stay.
Even in the last quarter of the 20th century, companies were forcing their employees en masse to work remotely to save on transportation, building maintenance and real estate costs. However, this evolutionary change in location for a significant part of the work force was generally not performed on the spur of the moment, nor without due consideration for an infrastructure with well-developed data privacy and security. Companies planned, and quickly learned that the safest pipeline to remote workers was the deployment to the worker of a portable company computer configured by the company’s own IT staff. Basically, an in-house machine on a long leash. No “Shadow IT.”
Use of such a machine was akin to providing the employee, wherever they were, with a key that unlocked the necessary resources inside the Royal Company castle at a distance. Typically, the protected data container was only accessed via a private proprietary software pathway or a vetted VPN (virtual private network). Thus, the company could restrict outside access to specific data to only that employee using only that machine. Any attempt by the employee (or an imposter) to access the castle resources without that machine, or by using that (stolen) machine without the correct employee credentials, would keep the castle drawbridge in the raised position and deny entry. Hence, several layers of carefully crafted and maintained physical and software security for remote work security and success.
Shadow IT
Enter the Covid-19 pandemic of Q1 2020 and companies were at a distinct disadvantage with a stampede of workers out of the castle gates and into the untamed wildlands beyond the picket fence to the horizon. Nothing orderly, just a mad rush with employees grabbing their Royal Company office desk computers (Shadow IT) and lugging them home in a baggage train to plug into their peasant consumer router – of dubious commercial pedigree.
In their wake galloped the hordes of adept cyber-bandits who pounced on the opportunity to purloin and plunder any poorly protected particulars as prize and profit for their pockets. (bet you cannot say that real fast 3x!) Instant headache for the well-planned Sheriff CISO and posse. Too many horses escaped the corral all at once.
However, the aura of security should already be part of the cybersecurity team’s initiation and instruction. They should be well trained to be cautious and adept at spotting dangers. For the IT staff, coping with Shadow IT may require ad hoc solutions, since it is a non-centralized infrastructure suddenly deployed with little or no training time. But everyone on the team should already be trained to work together, be extra vigilant about emails (disguised malware), and report any unknown issues to a supervisor or company IT staff ASAP.
But all is not lost, since these attacks have been seen before, and the CIO, CISO and IT staff are trained to be resourceful and to quickly muster additional defenses. Several accepted best practices are detailed below:
1 – Identify the Threat Model and the Bad Actors
The worldwide Covid-19 pandemic has presented an unprecedented opportunity for bad actors to ramp up their cyber attacks to create disorder in the west and to continue stealing data and technology. As described by the NY Times, China and Russia are major actors in this renewed global disinformation campaign against the United States. Covid-19 mayhem is their cover and theme.
Wolf Packs Model
Although security teams have by now become accustomed to being attacked continuously by state actors, the volume of attacks since the virus outbreak appears unprecedented. The bad actors know that, due to the outbreak, major portions of the modern work force have suddenly been forced to work outside of their security fences. Plus, the cyber thieves are intensely searching for the Holy Grail, the technology that will give them exclusive rights to a global vaccine. The wolf packs are well funded and organized.
Thus cyber security practitioners know that the threats are real and the risks are more significant now than ever before. But by now all organizations should have reviewed their programs and procedures and formalized the technical and administrative controls for device and information access.
Dark Web Sales
Dark web vendors currently have for sale Corona/Covid-19 kits containing malicious software that anyone can purchase to launch a campaign on the internet. New strains of ransomware have been detected. Bad actors are targeting health care providers and research institutions with malware.
Disinformation campaigns are rampant and professionally manipulated. These disinformation campaigns can be effective against a portion of any population that thrives on conspiracy theories. Populations in general are scared since they are worried about how long this epidemic disruption is going to last, their source of income, children at home, whether they will unknowingly get infected, and then adversaries inject disinformation to produce stress that is designed to create greater public discord.
2 – Attack Surface Reduction
Robust cybersecurity programs have already compartmentalized their data and migrated it to the cloud or a similar repository. Employees and third parties should only have access to those containers needed for their defined duties, with specific credentials to access each container. Use of cloud-based apps is preferred, but their security features should be verified first.
To further the defenses, all drives should be encrypted and email should be encrypted. Access to the company data should only be permitted through approved software defined networking and virtual private networks (VPNs) to expose the least amount of private network traffic.
Even though the device may have left the premises as Shadow IT, by default it should already have had 3 to 5 security tools running in the background. This software redundancy or complementarity presents an additional deterrent and barrier to the attacker. For mobile devices, be sure to have mobile threat detection solution(s) running to monitor and identify threats in real time and report incidents back to the company IT staff.
When the threat is over, or the company IT catches up, make certain the Shadow IT is dismantled, or roll it into a more centralized established IT system. Bring it back into the castle defenses.
3 – Physical Security of Remote Devices
Only permit company work on vetted company computers to connect to company resources – never permit unprotected private computers or mobile devices to connect. There should be a bright line policy set in stone against BYOD. Plus, no personal internet use should be permitted on company devices. They should be configured to set off an alarm to the shop IT if they are used beyond their authorization. Companies should restrict the ability of the employees to connect printers to their off-site work computers, and/or they could provide disposal cabinets or shredders. Restrict the number of applications necessary and restrict download capability.
4 – Home WiFi Solutions
Since the home network router and WiFi transmitter are well-known weak links, the company (or a third party) should have the capacity to scan the router periodically for security issues. At a minimum it should be capable of WPA2 encryption to secure the infrastructure and have the latest firmware. Home workers should also be cautioned to use an approved VPN and NOT to use the ‘guest’ WiFi sign-on feature, as that channel is usually more vulnerable to perimeter scanners.
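The router criteria above (WPA2 at minimum, current firmware, guest WiFi off) can be turned into a posture check that a help desk runs over a router’s exported settings. This is an added example, not code from the original article; the export format, the model name and the firmware baseline are constructed for illustration, since real routers each export settings differently.

```python
# Added example: home-router posture check against the article's criteria
# (WPA2 or better, current firmware, guest WiFi disabled).
# The settings export format and the model/firmware baseline are assumed.
import json

# Firmware the company considers current, keyed by approved model (assumed).
CURRENT_FIRMWARE = {"HomeRouter-X1": (3, 2, 1)}
ACCEPTABLE_SECURITY = {"WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE"}


def parse_version(text):
    """Turn '3.1.0' into (3, 1, 0) so versions compare in order."""
    return tuple(int(part) for part in text.split("."))


def check_router(settings):
    """Return a list of findings; an empty list means the router passes."""
    findings = []
    wifi = settings["wifi"]
    if wifi["security"] not in ACCEPTABLE_SECURITY:
        findings.append(f"weak WiFi security: {wifi['security']} "
                        "(WPA2 or better required)")
    if wifi.get("guest_enabled"):
        findings.append("guest WiFi is enabled; disable it for work use")
    model = settings["model"]
    want = CURRENT_FIRMWARE.get(model)
    if want is None:
        findings.append(f"model {model} is not on the approved list")
    elif parse_version(settings["firmware"]) < want:
        findings.append(f"firmware {settings['firmware']} is behind "
                        + ".".join(map(str, want)))
    return findings


def check_export(text):
    """Check a JSON settings export (constructed format) end to end."""
    return check_router(json.loads(text))


# Constructed sample export: WEP, guest network on, stale firmware.
SAMPLE_EXPORT = json.dumps({
    "model": "HomeRouter-X1",
    "firmware": "3.1.0",
    "wifi": {"security": "WEP", "guest_enabled": True},
})

if __name__ == "__main__":
    for finding in check_export(SAMPLE_EXPORT):
        print("FAIL:", finding)
```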
5 – Traveling away from home or office network
When outside the company defenses, the employee should lock their doors to prevent unauthorized access or theft of devices. They should never leave a device unattended in a car, hotel room, airport, coffee shop, restaurant or other public place. If they must access the internet in a public place, they should use the hotspot on their mobile device, but only if certain that it is not visible to other devices. They should connect through a data blocker if they must charge a device in a public place. Encrypt devices, use encrypted email, and use randomly generated passwords.
6 – Teleconferences in public
General guidance on the use of teleconferencing software includes: requiring passwords to connect (periodically updated with a random generator), do not share meeting links with non-authorized persons, lock the meeting once all have joined or a certain time limit has passed, do not post photos of the conference to your social media, and do not participate in a public place where someone behind you could look over your shoulder.
Preventive measures are necessary since the security risks of teleconferences are significant and could include: stolen credentials, uninvited users, connections to malicious domains, lack of encryption and links to malware.
7 – Continuous Work Force Cyber-education
After seeing the carnage of his siblings, only the hard working piggy with the brick house survived the attacks of the big-bad wolf. You may think this nursery rhyme comparison is silly, but common sense fairy tales by your elders had a purpose. When trying to educate non-technical staff, do not underestimate the value of even early childhood lessons to evoke an automatic positive response in an adult. “Lock the door before you go to bed.” Use long-established basic tenets to your advantage for safety vigilance. Keep it simple. Memorization of a safety dissertation and battle plan may be interesting to the board and officers of the IT staff commanding from the rear, but will fail with the privates in the trenches.
Popular forms of attack include (1) phishing emails, like the one that spoofed Microsoft Teams alerts, and (2) the bundling of malware with popular downloadable apps, such as Zoom.
Continuing education on threats and security protocols should include:
- never reuse the same credential on another app,
- change credentials frequently,
- use a passcode generator if required,
- make certain the remote site is physically secure and the infrastructure is protected by redundant security apps,
- keep the virtual desktop clean so it does not contain any proprietary data,
- use multi-factor authentication if available,
- have the correct remote work policies in place, with remote training modules,
- periodically audit the adaptation with testing and timelines; ‘check the box’ is no longer sufficient,
- provide a vetted employee handbook with best practices vs ‘big-bad wolf’ scenarios,
- continue education with updated protocols and mandatory meetings (remote if necessary),
- have a white list of approved home WiFi routers, or at least data on proper configuration, updating and encryption, and
- use a VPN.
Insist on no public WiFi use, unless necessary, like in airports. Instead use the personal hot-spot on a mobile device and make certain no one else is connected (block the mobile device’s public broadcast of connection availability), and block all sight lines to your screen. Do not connect any unknown or unvetted device like a stray USB flash drive or storage device, etc. Report any problems to company IT staff immediately.
Popular Types of Cyber-attacks:
- Phishing emails are the most popular – see the article on look-alike spoofs of Microsoft Teams alerts.
- Downloading software from the internet – don’t permit it!! See the article on malware bundled with an old version of Zoom (suddenly a very popular remote work conferencing application).
8 – ‘New Normal’ Back to Work Strategies
Organizations throughout the world are resuming their on-site operations so they must adapt to the ‘New Normal’. But, what about those workers who are afraid to return? The company will have to make the work place as safe as possible for them.
How are these policies to be configured and communicated? The ‘New Normal’ is a work in progress for each organization and should be drafted with the needs of the organization and the staff in mind – both are in transition.
New on-site measures or back-to-work strategies may include:
- new work configurations with a minimum of 6 feet or 1.5 meters between workers;
- use of personal protective equipment;
- routine use of hand sanitizers;
- one way corridors; and
- less open plan space.
Easier said than done, though. A further unknown is what to do about outside vendors and contractors performing on-site services. The structure set up for employees may raise a compliance or contract issue if it interferes with a contractor’s job performance.
One possible innovation is to make as many surfaces touch-free as possible, such as:
- touch-free door openers, vending and fountains (may use app on phone to operate),
- 3D printing,
- Customer counting, and
- Facial recognition.
The challenge to the population and world prosperity is great. Cybersecurity is a team effort and all must work together to defeat this criminal spectre.
Readers – Provide a comment on how you or your organization (no identifying info) have recently experienced a cyber attack, or adapted best practices to protect from the same.