Making the transition to a work from home arrangement has been a heavy lift for a lot of organizations.
However, due to various risk factors and regulations, making the sudden shift to working from home has been more complicated for some sectors than others.
Industries like finance and healthcare, as well as those working for the government, face tighter restrictions on remote work. This is because the risks to these sectors are deemed to be higher due to privacy and security considerations.
In many cases, it is against the rules for certain jobs to be performed remotely out of concern for security. Under normal circumstances, it would make perfect sense to forbid the employees of large financial institutions from making sensitive transactions over insecure home networks. But in the time of COVID-19, many of these regulations have been weakened, if temporarily, in order to allow work to continue on while keeping workers safely at home.
At the same time that regulators and organizations are attempting to find workarounds to accommodate the need to work away from the office, security threats are mounting as hackers look to take advantage of the situation.
In hopes of helping organizations in sensitive sectors better understand their risks, we examined each one’s threat models and provided a couple of suggestions on how to mitigate them.
When we talk about cybersecurity, it's worth taking a moment to define our terms. More than just a buzzword, cybersecurity describes the effort to protect information. Yes, there are examples of cyber crossing into kinetic like we saw in Stuxnet, power stations in Ukraine, and a lot of machines that became expensive paperweights after the NotPetya attacks.
But for most organizations, the target is the data on their systems that is either itself valuable or can be used to access something of value. In practice, this can be personally identifiable information like a Social Security number for use in fraud, a company’s intellectual property, sensitive government information, voting information, credit card numbers, or even the ability to access the data itself.
Thinking about these examples laid out above, we can break information security into three categories: confidentiality, integrity, and availability.
The CIA triad, as it is often known, asks us whether the information in our systems is still secret, trustworthy and, well, available if we need to access it. If any of these three conditions have been compromised, then we may be in trouble. Let’s look first at the example of healthcare to understand how the CIA concept impacts our sensitive organization types in practice.
Confidentiality is extremely important when it comes to healthcare. Whether it is communications with a doctor, medical records, or other information nobody else has a right to know about, people rightly take the privacy of their medical information seriously.
Beyond the expectation that health records remain private, they contain a lot of personal information that can be used for identity theft and fraud. They have addresses, birth dates, family details, and plenty of other tidbits that can be sold to fraudsters looking to apply for credit cards or loans under someone else’s name.
Recognizing the need to secure these kinds of data and doctor/patient confidentiality, the government has issued regulations for healthcare providers and services. These include the well known Health Insurance Portability and Accountability Act (HIPAA) and the more recent Health Information Technology for Economic and Clinical Health Act (HITECH).
Looking at HIPAA, its Security Rule lays out the standards for dealing with electronic protected health information (e-PHI). It states that covered entities must:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and Ensure compliance by their workforce.
On a good day, many organizations have trouble staying compliant with HIPAA. The regulations require that they take reasonable measures to keep their systems secure and employees in line with best practices. This is easier said than done on outdated systems with IT teams that are stretched thin, and a workforce that is often far from hardened against attacks by hackers.
Keeping data secure during the COVID-19 outbreak has become a bigger challenge as more medical services moved from the in-person appointment to the digital. Telehealth services, where a patient communicates with their doctor electronically, usually over a video chat app on their phone or transmits data to them from a device, have been crucial in helping the public continue to access important care.
While there are a number of platforms certified as HIPAA-compliant, the Department of Health and Human Services (HHS) has temporarily allowed for the use of additional services such as FaceTime, Zoom, and even Facebook Messenger to conduct these visits. This is good for patients who need to speak with their doctor without taking additional risks, but there are also risks if healthcare providers fail to take the necessary security precautions.
The first concern is that not all applications use end-to-end (e2e) encryption. Essentially, this is where the data being sent from one device to another can only be read by the person it is being sent to, since only they hold the keys to decrypt the messages. This prevents the data from being read by a “man-in-the-middle” who intercepts it in transit. Zoom took a lot of heat for initially claiming that it was using e2e before admitting that it was not. Features like its call-in numbers for those not using the app mean that those calls cannot be end-to-end encrypted.
The second issue stems from the security of endpoints like mobile phones and computers. Implementing updates as they become available is crucial for preventing the exploitation of software vulnerabilities. Misconfigurations on communication apps like Zoom can open the door to eavesdropping and put patient privacy at risk.
While working remotely is not the cause of these security concerns, it puts a lot of stress on a system that already struggles to get it right day-to-day. Ensuring devices are up to date is not easy. Many healthcare providers will choose to go with the telehealth option that is most usable for their staff and patients, not necessarily the one that is most secure.
These are significant challenges to overcome. Unfortunately, this is not the only sector to face significant issues from the remote work situation.
There’s an old joke about why bank robbers rob banks. Because it’s where the money is.
Whereas an old-fashioned stickup is less of an issue for these financial organizations when most of their transactions are performed digitally, there are still plenty of risks they must mitigate. Organizations that handle financial information and transactions have long been aware of the need for security. Unlike the case of healthcare providers, security is generally well-funded.
But financial institutions still face very real risks to all three of our CIA triad criteria. Our trust in these institutions depends on their ability to keep our accounts and transactions private (confidential), accurate (integrity), and of course accessible (availability). Any threat to these factors and the system could find itself in serious trouble.
Now, in the current work-from-home moment, the financial industry faces challenges in maintaining security and adhering as closely as possible to regulations aimed at guarding against abuse from insider threats and external attackers. However, faced with the balancing act of keeping services running for customers versus enforcing security controls, the Financial Industry Regulatory Authority (FINRA) has issued special guidance for the pandemic. The regulator has already made noises about relaxing rules for how Wall Street firms are required to supervise their employees involved in trading from remote locations.
One significant change they are currently allowing is that documents that normally must be transferred in hard copy are now permitted to be sent by email. This is good news for limiting employees' risk of exposure. At the same time, it puts additional pressure on securing devices and communications.
When working in the office, employees at financial institutions use employer-provided IT networks and computers. But what happens when employees work from home on unsecured home networks? Is their VPN properly configured? Are they using devices supplied by their employer or a personal computer that hasn't been updated in years?
Then there are the more human challenges. Hackers are taking advantage of remote work to launch phishing campaigns aimed at tricking workers into handing over credentials. One concern is that hackers might pretend to be from the support team and ask an employee for access to their account. Under normal circumstances, it would be easy enough to walk down the hall to double-check a questionable request in person. However, when working remotely, this becomes a harder nut to crack.
The next concern is government work. Local, state, or federal, all levels of government are further strained by our current work from home arrangement.
While every department has its own specific requirements, the National Institute for Standards and Technology (NIST) has issued the cybersecurity framework standard for government compliance. The Department of Homeland Security also has a say when it comes to data security and the Federal Information Security Management Act of 2002 (FISMA) provides another foundational layer of cyber-protocol to be followed.
Similar to healthcare, public-facing and typically under-resourced, government agencies start at a significant cybersecurity disadvantage. While certain departments may have expectedly higher standards for data security given their assumed risk level (the NSA frowns on taking your work home with you), others like the Office of Personnel Management have been the target of high-profile attacks precisely because of their lax security.
One of the more significant challenges for government departments is that, even as a significant number have been working remotely for years using VPNs and employee monitoring software, there has never been this volume of workers transferring to remote work all at once. The potential pitfalls are many. Using unsecured internet connections, the lack of vetted/updated devices, and phishing attempts all threaten institutional cybersecurity.
Additionally, as the number of workers needing to be independently secured rises and IT teams pull together solutions with a mixture of popsicle sticks and chewing gum, adversaries rightly view this reshuffling of policies as an opportunity for hacking.
Government organizations are targeted for many reasons. On one hand, state actors like China are launching massive intrusions against researchers working on COVID-19 or in an effort to identify intelligence assets. On the other hand, cities and states are facing an uptick in the number of ransomware attacks from cybercriminals out to make a quick buck.
Given the range of threats facing the government, healthcare, and financial sectors during this mass migration to remote work, how can their organizations work to improve their chances of making it through with minimal cyber scrapes and bruises?
There is no shortage of excellent advice available online for those looking to make their organization a little bit safer during the COVID-19 outbreak. I always recommend looking at the resources provided by the Electronic Frontier Foundation (EFF) for becoming better educated about how to protect yourself.
But before you go on a deep dive of cybersecurity wisdom seeking, here are a few tips to help you and your team avoid the most pressing threats out there today.
1. Think Before You Click
Ransomware is one of the biggest concerns for organizations in all sectors today. These attacks lock users out of their systems, leaving them at the mercy of hackers to let them back in at a price.
Along with cities, hospitals have found themselves to be particularly vulnerable to these attacks, since being locked out of systems means lives are at risk. Considering the risk, many have been quick to pay out hundreds of thousands of dollars to regain access.
As organizations have become smarter about backing up their files, hackers have also evolved. Now many pose the double threat of not only locking organizations out of their machines or networks but also threatening to publicly dump data if not paid, compromising data security compliance as well.
In most cases, attackers start with a phishing email enticing an employee to open a booby-trapped document or click on a link. Once they gain a foothold on a device, they deliver a malware payload to infect their target.
Since many organizations are public-facing, avoiding clicking on links is easier said than done. Sure, you can look out for telltale signs like poor spelling or other mistakes, but many hackers have gotten better at their craft or simply buy high-quality phishing emails off black markets.
Educating your team to spot suspicious emails is the first line of defense. If an email looks suspicious, then avoid opening it or any docs or links contained within. It's always better to send a suspicious communication to security for inspection than risk harming the organization.
As a backup though, we recommend that your system admins disable PowerShell and macros in Office products. These are two of the most common ways malware infects systems. They are also features the majority of users do not need, so it is far better to simply avoid leaving them open as avenues of attack.
2. Verify with a Second Channel
Sticking with phishing, one of the most common threats facing organizations is business email compromise (BEC). While there are many forms of this attack, all involve using social engineering to trick an employee into sending the attacker money. Most often attackers pretend to be an executive at the target's company or a vendor sending an invoice. Typically, the goal is to fool an insider into making a deposit or purchase that will materially benefit the hacker.
Defending against these kinds of tricks, unfortunately, puts the onus on the user. It's advisable to always check that an email or communication really comes from the right address, and not someone creating a fraudulent address.
If there's ever any doubt, the best thing to do is ask. Remote workers make this more difficult since there are many more opportunities for hackers to pose as someone from within an organization. But even if you cannot just pop down the hall to the CFO’s office, you can at least pick up the phone. Never ask for confirmation on the same channel that you suspect might be compromised.
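To make the "check the address" advice concrete, here is an added example (not part of the original article) that flags the two header tricks this section describes: a look-alike sender domain and a Reply-To that quietly points somewhere else. The trusted-domain list and the sample headers are constructed for the illustration.

```python
from email.utils import parseaddr

# Assumption: the domains this organization really sends mail from.
TRUSTED_DOMAINS = {"example-bank.com"}


def _domain(header_value: str) -> str:
    """Lower-cased domain of the real address, ignoring the display name."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(headers: dict) -> list:
    """Return the reasons a message deserves confirmation over a second channel.

    `headers` maps header names (From, Reply-To, ...) to their values. An empty
    list means no red flag was found, not that the message is genuine.
    """
    reasons = []
    from_dom = _domain(headers.get("From", ""))
    reply_dom = _domain(headers.get("Reply-To", "")) or from_dom
    if from_dom not in TRUSTED_DOMAINS:
        # A domain one or two edits away from a trusted one is a classic look-alike.
        for trusted in TRUSTED_DOMAINS:
            if 0 < _edit_distance(from_dom, trusted) <= 2:
                reasons.append(f"look-alike sender domain {from_dom!r} (vs {trusted!r})")
        if not reasons:
            reasons.append(f"sender domain {from_dom!r} is not a trusted domain")
    if reply_dom != from_dom:
        # Replies would silently go somewhere other than the apparent sender.
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return reasons


# Constructed sample headers: a genuine CFO message and a BEC attempt.
GENUINE = {"From": "CFO <cfo@example-bank.com>", "Subject": "Q2 numbers"}
SPOOFED = {"From": "CFO <cfo@examp1e-bank.com>",
           "Reply-To": "cfo@mail-relay.example", "Subject": "Urgent wire"}
```

A non-empty result is the cue to pick up the phone rather than reply; an empty result only means these particular tricks were not seen.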
3. Update, Patch, Repeat
One of the most important steps for improving an organization's chance of success against attackers is to regularly update software.
This is understandably annoying for IT teams and workers. It can be time-consuming and impact the performance of essential software. But updates often explicitly call out the vulnerabilities they were released to address, which tells cybercriminals exactly where unpatched systems are weak.
In recent years, some of the most notorious hacks have been carried out not by using zero-day exploits, but by leveraging known vulnerabilities on unpatched systems. Think WannaCry and its use of the EternalBlue exploit that the NSA had found and developed. Microsoft had issued patches well before the attack was launched, but many organizations like the UK’s National Healthcare System (NHS) were still running old versions of Windows that were not protected.
Even as some states have begun to plot their course towards a post-pandemic future, many aspects of how we work are likely to remain in flux. The only certainty is uncertainty as we learn more and adjust to the new normal.
Whether your organization returns to work full-time or on a hybrid model, it's best to stick to proven practices for staying secure. While complex threats will continue to emerge, organizations can take a significant step in fending off attacks by covering the basics.
This article was originally published on IT Security Central and reprinted with permission.