Preparing for COVID-19: An Infosec Perspective


As we all consider the implications of COVID-19 for our organizations, a few thoughts for information security and business continuity practitioners to specifically think about:

  • Most nonstandard operations scenarios are not effective – or even possible – indefinitely. Mass work-from-home, supply chain disruptions, and event cancellations yield minimal disruption if they span only a few days; yield larger disruptions if they span weeks; and yield significant – potentially catastrophic – disruptions if they span months. When considering contingency planning and process resilience, seek to understand the breakpoints in your nonstandard operation planning by asking the question “what happens if we’re running like this for 10 days, 10 weeks, or 10 months? How do the process and the business needs change?”
  • Consider the security implications of nonstandard operations. In my 30-year security career, I have never seen a nonstandard operation that yields the same level of overall security as the standard operating procedure. Sometimes the nonstandard operation actually results in a higher overall level of security due to more manual human interaction, less volume, and increased scrutiny. Often, the nonstandard operation results in a lower overall level of security due to circumvented controls (intentionally and unintentionally), expedited processes, a “crisis mentality,” and other human factors.
  • The human factors of nonstandard operations are particularly interesting. For example, anticipating hassles around accessing systems remotely and saturated VPN links, employees expecting to work from home may prepare by taking copies of confidential information with them, emailing data to their Gmail account, or copying data to local storage/laptop/USB stick. Circumventing controls in this manner obviously results in a reduction in overall security.
  • Remote access procedures are usually designed to accommodate only a small proportion of the workforce at any one time. Expanding a system that typically accommodates 2% of the workforce to suddenly accommodate 90% or more requires planning and testing. Bandwidth considerations, VPN licenses, network hardware, IP address pools, etc., all need to be considered. During a remote work exercise a few years back conducted in preparation for the H1N1 flu, a company I worked with found that the Class C IP address pool they allocated to the VPN clients (256 addresses) was quickly exhausted when 4,000 clients attempted access. There will always be little gotchas; try to find as many as you can in advance via testing and exercises. Plan a work-from-home trial run where parts of the company work remotely on an assigned day. Make sure staff are trained on conferencing tools and that appropriate conferencing software clients are installed on the machines staff are taking home.
  • Local residential ISP links may become saturated if adults are working from home and children are home from school, collectively using bandwidth-hungry streaming online entertainment services, music, and online gaming. For business-critical staff, have contingency plans in place for alternate (non-residential) workplaces. Work with local authorities to ensure that these critical staff can access the alternate workplaces in the event of quarantine or other travel/access restrictions.
  • Adaptive authentication schemes and user behavior systems will react to the change in behavior that work-from-home scenarios create. Consider employee Jeff, who has logged in consistently from the company office building during normal business hours for the past 2 years; Jeff suddenly starts logging in from home irregularly, thus generating security alerts, additional authentication requests, and possibly account lockouts. On the flip side, helpdesks will be overwhelmed by employees who rarely (or never) use VPN and other remote technologies. Ensure that password and MFA reset procedures are compatible with mass work-from-home scenarios and do not increase risk. These procedures will be targeted.
  • Be aware of scammers taking advantage of COVID-19 and nonstandard operations as phishing pretext. Look out specifically for “You need to do something to continue accessing this system remotely,” “List of confirmed COVID-19 cases in [COMPANY],” and “Are You OK?” types of scams – very easy to get clicks. Attackers will exploit the “crisis mentality” by insisting tasks be done immediately. Train staff to be vigilant to these sorts of scams.
  • Be aware of physical security threats from individuals impersonating unfamiliar sanitization vendors, individuals wearing masks to avoid cameras, etc.
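The VPN address-pool gotcha described above (a 256-address pool meeting 4,000 clients) is easy to check for before a trial run. The following is an added planning example, not code from the original post: it assumes a constructed 4,000-person company with a hypothetical 10.8.0.0/24 client pool and two hypothetical internal subnets, sizes the pool for a given remote-work share, and tests whether widening the pool in place would collide with existing subnets.

```python
"""Size a VPN client address pool for a mass work-from-home scenario."""
import ipaddress
import math

# Addresses not handed to clients: network, broadcast and the VPN gateway itself.
RESERVED_ADDRESSES = 3

# Constructed sample data (hypothetical): a 4,000-person company with a /24
# client pool and two internal subnets that a widened pool must not overlap.
WORKFORCE = 4000
CURRENT_POOL = "10.8.0.0/24"
INTERNAL_SUBNETS = ["10.8.16.0/24", "10.20.0.0/16"]


def usable_addresses(pool: ipaddress.IPv4Network) -> int:
    """Client addresses the pool can actually lease."""
    return max(pool.num_addresses - RESERVED_ADDRESSES, 0)


def required_prefix(concurrent_clients: int, headroom: float = 0.25) -> int:
    """Smallest prefix length whose pool fits the clients plus a safety margin."""
    needed = math.ceil(concurrent_clients * (1 + headroom)) + RESERVED_ADDRESSES
    return 32 - math.ceil(math.log2(needed))


def assess_pool(pool: str, workforce: int, remote_fraction: float,
                internal_subnets: list, headroom: float = 0.25) -> dict:
    """Compare the pool with a remote-work scenario and test an in-place widening."""
    net = ipaddress.ip_network(pool, strict=False)
    clients = math.ceil(workforce * remote_fraction)
    capacity = usable_addresses(net)
    # Never propose a pool smaller than the one already deployed.
    prefix = min(required_prefix(clients, headroom), net.prefixlen)
    # Widening in place keeps the gateway address but may swallow other subnets.
    widened = net.supernet(new_prefix=prefix)
    conflicts = [s for s in internal_subnets
                 if widened.overlaps(ipaddress.ip_network(s, strict=False))]
    return {
        "clients": clients,
        "capacity": capacity,
        "shortfall": max(clients - capacity, 0),
        "proposed_pool": str(widened),
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    for share in (0.02, 0.90):  # the 2% normal case and a 90% mass-remote case
        print(f"{int(share * 100)}% remote:",
              assess_pool(CURRENT_POOL, WORKFORCE, share, INTERNAL_SUBNETS))
```

A non-empty `conflicts` list means the pool cannot simply be widened in place and a new range (with matching firewall and routing changes) has to be planned and tested ahead of the exercise.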