In February 2020, safety and legal decrees forced many businesses to shut down their offices as part of a greater effort to minimize and contain the spread of COVID-19. Now, nearly a year later, we are left to wonder: in our response, have we effectively utilized our security frameworks?
The changes that you’ve made over the past several months may introduce security risks alongside new technology and expanded capabilities. We’ll discuss some of the more publicized events that have occurred because of rapid changes and address some of the likely risks to your operations that may remain unchecked. A roadmap for remediating uncovered vulnerabilities can be found in two of today’s most common cybersecurity frameworks. The National Institute of Standards and Technology publish and maintain two complementary pieces of guidance: The Cyber Security Framework (“CSF”) and the Risk Management Framework (“RMF”).
The CSF is a 5-stage recurrent process that starts with the Identification of Assets phase (inclusive of ongoing inventory control), in which we detail compliance requirements and any risks to the business and its assets. Security planning is a critical piece of this first phase. Once the identification phase is complete, we then move on to protecting those assets. This involves hardening configurations, running antivirus programs, using multifactor authentication and related efforts. With these measures in place, emergent issues can be detected through ongoing monitoring so when an issue occurs, we are prepared to respond accordingly. With the event contained, mitigated or eliminated, we return to a pre-incident state and can address the underlying causes of the incident. That will improve our ability to protect against future threats. You can read more about the CSF on the NIST website: https://www.nist.gov/cyberframework/
Risk Assessments are central to the Identify phase of the CSF, so it is important to quickly review the lifecycle of the RMF. The RMF is built around a 6-stage process of its own – some of which overlaps with the CSF. Its first stage is Categorize, which is similar to the CSF’s Identify stage. This stage requires labeling systems - and data - according to its role and importance in the grand scheme of the business. Then you decide the appropriate security controls to minimize risk to an acceptable level, implementing the selected controls and testing them over stages 3 and 4. Stage 5 is Authorization of the system(s), assuming they pass the prior assessment stages. Much like the measures undertaken in CSF’s Detect phase, RMF includes monitoring controls. Read more about the RMF on the NIST website: https://csrc.nist.gov/Projects/Risk-Management/
With security best-practices in mind, we will reflect on the changes introduced by the pandemic, the effects of planning in easing adaption, and the pandemic’s effects on access controls, network controls, communication and vendor management. In conclusion, we will review the cybersecurity framework lifecycle and lessons learned.
More than 9 months since enforced shutdowns started in New York and elsewhere we have seen a huge spike in telework and working from home. This brought about mass purchasing of laptops, heavy use of VPN, increased use of VOIP and the introduction of home networks (and associated risks) to our corporate risk environment. We should not forget the well-publicized issues surrounding Zoom and other web conferencing services.
The mass shortage of laptops and related equipment has impacted capital costs and downtime caused by delivery and configuration delays. In an article on The Verge, Monica Chin provides several examples of shipping delays affecting Apple and HP, noting deliveries scheduled a month after purchase, as opposed to typical timelines of a week or less. Delays of an even longer duration have not been uncommon.
In August 2020, Sara Morison reported on Recode that schools continue to have difficulty meeting demands for technology – for everything from hotspots to Chrome Books – and the cost of these tools have increased greatly over the last few months. Schools, especially those in low-income areas, have been hard pressed to provide the technology required to enable their students to attend remote classes.
In too many cases our plans to accommodate alternatives to in-person schooling or work were not efficient or scalable. The challenges encountered illustrate why the CSF and RMF both emphasize the importance of thorough work in the planning stages of security frameworks.
With all of these recent changes, it may be beneficial to use an outside agency to assess your new security posture with fresh eyes. Many internal teams either do not possess the necessary expertise to review security measures in the context of the current threat environment or will already be devoting their time to keeping your business running.
Like a hurry up offense in American Football, a capable cybersecurity program requires planning, practice and the coordination of special teams – in this context, units dedicated to disaster recovery and incident response. With even enterprise corporations caught off-guard by the pandemic, small and medium sized businesses with fewer resources or limited expertise were understandably vulnerable.
Businesses typically have plans for all sorts of natural disasters like fires, floods, storms or earthquakes. But, outside of the medical and healthcare industry, few would have predicted a pandemic bringing operations to a halt like we’ve seen so far. In Security Magazine, author Diane Ritchey reports Healthcare was one sector that didn’t have many issues with their cyber and IT planning. By contrast, technology firm GoDaddy admitted that it saw an increase in risk exposure due to the sudden decentralization of their internal operations teams and the adoption of a work from home model. Ritchey’s report focuses on many successful stories of adaptation – all of which share two common threads: effective planning and early engagement with crisis management teams. Prepared businesses also agree that even following their positive results, Business Continuity Plans need to be reviewed.
Based on our experience, the economic shutdowns have been a major source of pain for small business clients that have not embraced the cloud or mobile computing platforms. Plans for the SMB space focus on closures stemming from natural disasters or even terrorist attacks, where a closure might be measured in days or weeks. In the wake of a planning failure, conduct a thorough review of how your company has managed and schedule a planning review for the future. Outside assistance will prove useful in helping all businesses minimize risk and develop specific plans for what the future of business may look like. Cybersecurity risks need to be part of these business plans, so be sure to include your IT and security teams in these planning conversations. The inclusion of IT and security is especially important if these teams are outsourced through service providers.
In IT and Cybersecurity, Access Control is too often boiled down to limiting access, but the three pillars of cybersecurity are confidentiality, integrity, and availability. Confidentiality is keeping access limited to those who need it. Integrity is assuring that nothing changes unintentionally. Availability is the effort to ensure that parts of your system are accessible by those who need it, when they need it.
Prior to the pandemic, most employees did not need access to the company files when they were away from the office. This means most people didn’t need VPN access, even if they had a company laptop for their use. There was also much less of a need for teleconference solutions because everyone was at the office where conference rooms are available. Similarly, gigabit networks at the office meant download speed was rarely a concern. You certainly didn’t have to worry about phone access, with one on every desk. After the pandemic, all this has changed.
Most people are now working at least part time from home, using cloud services and accessing the company network with VPN technology. The rapid shift to the cloud may have only accelerated plans for some, but for others this was an improvised change. For many, the sudden transition has introduced mistakes and revealed oversights in implementation.
From phones to file servers, the cloud is a great tool that can give your people access to the information or services they need whenever, from anywhere. However, things can go wrong and rapid migration to the cloud can create weaknesses from the access control perspective. With the cloud, anyone with access – typically via a username and password – can infiltrate a network. Out of the box, protections like multifactor authentication or geo-location verification are not enabled. A poorly configured firewall could let a home security system talk to your cloud instance through the company laptop that is connected to an uncontrolled network. An aggressive push to enable efficiency within a work-from-home model can introduce issues requiring mitigation.
As previously mentioned, availability is an essential part of any cybersecurity plan. Moving to the cloud is one way to improve the availability, to be sure, but many companies have opted to stick with their on-premises infrastructure. This has led to an availability problem – even if VPN was properly deployed. The problem? Bandwidth for the network. At the office, most workplaces have gigabit networking – that’s 1000 Megabits per second. Data can transfer from your computer to the server and the server back to you extremely quickly in an office environment. With VPN, however, you are limited by the upload/download speeds at home, as well as the same speeds at the office. Furthermore, that’s shared bandwidth with everyone else who is using the VPN. Suddenly a 5 GB AutoCAD file takes 5-20 times longer to download. Some of the reports about the work-from-home effect indicate this was an unforeseen issue. Jonathan Grieg reported as much in Tech Republic in March 2020, stating “bandwidth is also an often-forgotten limiting factor because most people are not used to dealing with it in office situations.” Some of those Grieg quoted suggest that the issue is data routing and many users streaming videos across the VPN.
The CSF and RMF include testing of changes. Given the rapid escalation of access requirements, it is easy to have skipped this step to favor a speedy deployment. Now is a good time to have experts come assess and test your current cybersecurity posture. That professional insight will help you better plan for the future and address any risks recent changes may have introduced. Additionally, it is likely your access controls are likely overdue for testing and verification, just like the network controls.
Whichever path your company has taken – cloud, on premises or a hybrid – maintaining or improving controls for accessing and patching are more critical than ever. With an on-premises or hybrid approach, there are several things to consider concerning VPN configurations. Hybrid and cloud configurations have unique concerns and capabilities as well. And, all 3 share universal concerns that need to be addressed.
As discussed with respect to access controls, network controls require regular review. One of the problems with VPN is limited bandwidth and users streaming things like YouTube or Spotify. Enough people doing this will choke off a network. The network controls to consider here are split-tunneling or content filtering. Split-tunneling allows the VPN Software to route traffic directly from the home network to the internet for sites and services that are not at the office – bypassing the potential bottleneck of office internet service. Content filtering blocks all streaming services from the company network, thereby stopping the traffic from ever happening.
Any solution that leverages the cloud must include controls configured to address new risks. A detailed cybersecurity plan includes maps of where information resides and how it flows. With the cloud and decentralized data flows, enforcing a relative control on data is very important. Cloud data resides on someone else’s server – that could be Microsoft, Amazon or Google in most cases. While those companies protect their infrastructure – they don’t automatically do anything for your data on their systems or have any additional security for accessing your data (for example, login hours or geolocation restrictions).
Regardless of the methods used to enable the work from home environments, there’s now an increased threat for data loss and unknown factors like the security of home networks. This could be anything – from old/unpatched computers on the network, printers or the full spectrum of Internet of Things (“IoT”), some of which includes devices you can’t control. A smart speaker like a Google Nest or an Amazon Echo is always listening for their wake-up words and often activate without being directly called. What happens if Alexa records 10 seconds of a privileged conversation – which Amazon admits to keeping for Quality Assurance - did that just break a confidentiality agreement? Regardless of how your network has changed to enable work from home during this pandemic, one thing is certain, it warrants assessment from a compliance perspective.
Communication and Vendor Management
Communication platforms were one of the most significant pain points early on in 2020. For several weeks, Zoom was in the news and terms like “Zoom bombing” became commonplace. In addition, some disturbing vulnerabilities were exposed within weeks of mass shutdowns. Many services – including WebEx, Teams, Zoom, GoToMeeting, etc. – had issues handling the massive uptick in usage – making it impossible for some people to join meetings.
The speed with which these communication services were selected and deployed makes it hard to imagine that due diligence in vendor selection and management, configurations and deployment was adequate. We understand the rush to provide essential services and have witnessed the mad dash to adopt new technologies, provided guidance on mitigations and reported on security patching from the vendors.
Many companies also looked at additional communications services – from the Microsoft 365 Teams/Skype for Business platforms, to Slack or any VOIP platform that enables employees to use an office phone from their homes. Many of these products were not thoroughly vetted at the time, nor were they assessed after deployment to ensure the privacy and security was configured. Now that most companies have adopted the programs and tools they will continue to operate throughout the pandemic, it is time to perform security reviews. These reviews and assessments should analyze critical services and ensure that any regulatory responsibilities are adequately addressed as well.
Cybersecurity Framework Lifecycle and Lessons Learned
It is safe to say most companies had a few missteps due to rapid change and the many challenges presented by the coronavirus pandemic. That is not an issue. If anything, it makes the point that cybersecurity is an ever-evolving and ever-improving endeavor. A modern and mature cybersecurity program has a life cycle that can be in all stages of maturity at once, depending on your perspective, goals and environment. Right now, everyone should be spending some time reviewing the changes that have occurred over the last several months to ensure whatever steps they have taken have been secure – or at least mitigated properly after any cascading problems (like we saw with Zoom). Now is the time to catch up and prove that new formats are as secure as intended.
Once you know where you stand today, an ongoing dialog with your security team will be essential to avoiding repeats of the risks and exposures that happened this year. Continuing the discussion is critical as the next step is imminent: planning for the future of a post-pandemic world. Hiring a cybersecurity firm is the optimal way to ensure you have a thorough snapshot of your current security posture. CyZen, powered by Friedman LLP, is a full service Managed Security Service Provider. We offer the assessments, penetration testing and consulting services needed to address all of the concerns facing business IT security today and help position your company for tomorrow’s security needs. Contact us today to see how our services can benefit you.
Message Us 212.842.7005
Sign up for Our Blog!
* All fields are required