How security testing could change after COVID-19
As companies look to bring employees back into the office, security teams must consider how to adapt security testing to account for the hastily deployed remote-work technologies and the shadow IT that accumulated during lockdown.
When state governments across the U.S. began issuing shelter-in-place orders over the past couple of months, businesses had to quickly learn how to enable a fully remote workforce for the first time. The rush to quickly acquire and deploy new technologies to enable this shift brought new cybersecurity challenges and necessitated a change in the way security teams test in their organizations' newly dispersed environments.
Now, as states move toward gradually lifting restrictions and allowing people to return to work, security teams must again be prepared to face a new set of challenges. Many aspects of business will not return to exactly the way they were before. Employees returning to work may potentially bring with them infected or misconfigured devices. Or they may have developed a habit of using cloud-based platforms and tools that haven't been properly vetted or approved by IT. Security teams must start preparing now for the ways security testing will need to be different when people start returning to the office and businesses ramp up.
Large-scale remote working has changed the threat landscape
A gradual shift to more remote working has been taking place in some sectors for quite a while. However, the COVID-19 pandemic dramatically accelerated it. Prior to the pandemic, only about 7% of the American workforce had the option to work from home on a regular basis, and many companies only allowed a select few employees to work remotely -- not the entire company. For many organizations, the idea of working remotely basically just meant that employees were able to respond to email from their phones.
Then, everything changed overnight. Many companies realized they were not as prepared for remote work as they had thought. Employees were not able to access the different systems they needed to do their jobs. IT teams rushed to order more laptops and rapidly ship them to staff; workers began adopting video conferencing tools that the IT department had not sanctioned and that turned out to be insecure (for example, Zoom). These rapid changes introduced new threats and vulnerabilities to organizations.
When quickly procuring large numbers of new laptops and shipping them to employees, for example, the risk of misconfigurations increases. Ensuring that each device has the proper baseline security configuration in place, that the VPN client has been installed, and that the device is properly patched and up to date becomes much more challenging. The opportunity for mistakes grows exponentially.
At the same time, cybercriminals realize that this is a golden opportunity and have increased their attacks. They recognize that people are strained under the stress of working from home under lockdown and thirsty for any new information on the pandemic, the economy and more. This combination makes the public more distracted and less discerning -- and therefore, more likely to click on unsafe links or fall victim to scams. Attackers have adjusted their tactics accordingly and are increasingly leveraging the COVID-19 topic in their phishing scams and malware campaigns.
Cybercriminals are also performing reconnaissance on organizations differently. Knowing that many organizations' workforces are now remote and dispersed for the first time, criminals are actively looking for changes in exposed ports and web traffic. Each network port is like a door providing access to your environment. As organizations adopt new technologies and web applications, start up new VPN connections, or otherwise make changes to web traffic, it changes which doors are open.
Hackers are watching for changes in network footprints and exploring how they can exploit security gaps. For example, if an attacker sees that a new VPN connection has been established, they might look to see if they can find credentials for that particular organization on the dark web that have previously been shared as the result of a data breach, and then try to use those credentials to access the connection. CISOs need to be aware that any change to their networks is being watched as it occurs.
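As an added defender-side example (not from the article): the same footprint comparison an attacker would run, applied to your own perimeter so that a newly exposed service such as a VPN gateway is reviewed before anyone else notices it. It assumes scan output in nmap's grepable (-oG) format; the two snapshots are constructed sample data using documentation addresses, not real hosts.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample scans in nmap -oG format (RFC 5737 documentation addresses).
BASELINE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///
"""
CURRENT_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///, 1194/open/udp//openvpn///
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///
Host: 192.0.2.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

# Remote-access services whose sudden exposure deserves immediate review.
REMOTE_ACCESS = {"openvpn", "ms-wbt-server", "ssh", "pptp", "l2tp", "isakmp"}

# One open-port entry in grepable output: port/state/proto//service/...
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")

Entry = Tuple[int, str, str]  # (port, proto, service)


def parse_grepable(text: str) -> Dict[str, Set[Entry]]:
    """Map each scanned host to its set of open (port, proto, service) entries."""
    hosts: Dict[str, Set[Entry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # status-only lines carry no port data
        ip = line.split()[1]
        hosts[ip] = {(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)}
    return hosts


def diff_footprint(baseline: str, current: str) -> Tuple[List[tuple], List[tuple]]:
    """Return (newly_exposed, closed) as lists of (ip, port, proto, service)."""
    old, new = parse_grepable(baseline), parse_grepable(current)
    opened = [(ip, *e) for ip in new for e in sorted(new[ip] - old.get(ip, set()))]
    closed = [(ip, *e) for ip in old for e in sorted(old[ip] - new.get(ip, set()))]
    return opened, closed


def review_queue(opened: List[tuple]) -> List[tuple]:
    """Order new exposures so remote-access services are checked first."""
    return sorted(opened, key=lambda e: (e[3] not in REMOTE_ACCESS, e[0], e[1]))
```

Run it against periodic external scans of your own address space; a VPN gateway that appears without a matching change ticket is exactly the signal the paragraph above warns attackers are watching for.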
How to secure your organization
Security professionals need to change their security testing practices to address both today's new threat landscape and the future challenges that will arise when employees begin returning to the office. Even after the pandemic subsides, remote work will be more commonplace than before. A recent IBM survey showed that 54% of Americans want to continue to work remotely on a regular basis, and a Gallup poll said that 52% of organizations would be in favor of allowing more remote work after the pandemic is over. As a result, CISOs should be making business continuity plans now that assume they will have a hybrid environment with a large number of fully or partially remote workers -- and include pertinent security strategies accordingly.
To address the new threat landscape today, CISOs should make sure their employees have proper security technologies and configurations on all their personal devices and home wireless networks, as well as on company-owned devices. They should be sure all employees have been issued clean laptops before setting up new VPNs or virtual desktops. Otherwise, if an employee installs a VPN client on a laptop that has already been compromised with malware, for example, then later returns to the office and plugs it into the corporate network, they could potentially spread malware throughout the entire network. CISOs must create clear policies and procedures that address not only what is allowed while working from home, but also what will be allowed when employees return to the office. The use of certain web applications, for example, may have been permissible during the pandemic but may not be allowed once employees return to the office.
As employees work from home during the pandemic, CISOs should also be looking at the type of traffic coming onto the corporate network -- both from trusted devices and whatever might be sneaking in alongside them. It's important to remember that when allowing an employee to work from home, an organization has essentially allowed access not just from the employee's computer, but also potentially from any internet-connected devices in the home, such as smart speakers and other IoT devices that could be used as attack vectors and access points to the company network.
Security awareness training will be essential now more than ever and must be conducted on an ongoing basis. Employees who work from home will need to be more conscious of how their personal security habits can lead to risk for the company, and they must understand that they cannot just rely on technology to keep them secure -- their actions matter. Education on the importance of password security, keeping work devices on separate channels from personal ones, not clicking on suspicious links and using unique credentials for different systems are all critically important. Train employees on how to identify common tactics used by phishers and scammers, and teach them that if in doubt, pick up the phone and call somebody directly rather than communicating through email. Make sure to deploy multi-factor authentication to provide that extra bit of security.
After the pandemic subsides, organizations that were previously primarily brick-and-mortar may decide that they want to keep the remote capabilities they've developed during this time (for example, Facebook and Twitter). There are benefits to having a remote workforce, including the ability to hire top talent anywhere in the world and greater agility. However, there are also increased risks. CISOs must be vigilant that they have put the correct infrastructure, technologies and policies in place to securely support a hybrid model, and they must be prepared to continually update. By doing so, they'll not only be able to keep their organization secure in the shifted threat landscape during the pandemic but also position their organization for ongoing success in the new normal.
About the author
Mark Whitehead is the global vice president of SpiderLabs Consulting Services at Trustwave. His responsibilities include setting the strategy and directing delivery for all of Trustwave's portfolio of testing services for Canada, the United States, and Latin and Central America. Mark possesses over 16 years of experience in the cybersecurity field, with 10 years of leadership and management experience.