The three stages of security risk reprioritization
What began as a two-week remote-working arrangement prompted by COVID-19 has now stretched past the nine-month mark for many. The impact of telework is felt across departments, including IT and security, which had to drive an almost overnight digital transformation.
While organizations across sectors faced the challenge of maximizing their telework posture, those in government services carried the extra burden of supporting employees who needed remote access to classified information.
The technology investments spurred by the pandemic also exposed organizations to new and growing threats, with KPMG reporting that “more than four in ten (41 percent) of organizations have experienced increased [cybersecurity] incidents mainly from spear phishing and malware attacks.”
So, while organizations have always been encouraged to evaluate their security posture, patch their VPNs, and prioritize Zero Trust architectures, the pandemic forced them to accelerate the adoption of these measures and to take that evaluation more seriously. In fact, KPMG also found that most CIOs believe the pandemic has permanently accelerated digital transformation and the adoption of emerging technologies.
From observation, this digital transformation and security transition has unfolded in three stages, beginning when the pandemic first hit in March 2020, continuing through the rest of the year, and extending into 2021.
Stage 1 – Acclimating employees to their new remote workspace
Many organizations had to work out how to increase capacity for critical technologies like VPN. Large consulting firms and IT services companies generally had the technology and procedures in place to make the transition, but government and financial institutions were much further behind. Both sectors had operated in environments not conducive to telework before the pandemic, so IT leaders had to onboard large numbers of employees onto the VPN, in some cases going from 10,000 VPN users to 150,000.
Updating technology at that scale is no easy feat, and other hurdles, such as supply chain delays on hardware sourced from countries that were already in lockdown, presented unexpected obstacles. The lessons: have a disaster recovery and incident response plan, and recognize that solving these kinds of problems can take more time than planned.
Stage 2 – Investing in new tech
Once companies could better support their remote workforce, they needed to understand which additional controls were required to keep that remote infrastructure secure in the long term. In response, usage of tools like multi-factor authentication spiked (by as much as 80% according to Okta) as organizations rethought how employees should access networks.
DNS-based filtering has also joined the roster of “easy to implement” security technology for a distributed workforce: a protective DNS resolver blocks lookups of known malicious domains regardless of which network the endpoint is on.
Stage 3 – Developing a permanent remote IT infrastructure
As organizations plan and allocate budget for 2021, they are looking to invest in more permanent solutions, and IT teams are working out which investments will best ensure a strong security posture.
There is also a growing recognition of the need for complete visibility into the endpoint, even when devices operate on remote networks. Policies are being written about how much work should actually be done over the VPN, and by default organizations are creating more forward-looking, permanent policies and technology solutions.
But the new security and operations tools that teams adopt to keep the business running also create new attack surface. COVID-19 has given the IT community an opportunity to evaluate what can and cannot be trusted, even under a Zero Trust architecture. Some technologies, VPN among them, can undermine the very thing they were designed to provide: an internet-facing appliance that terminates all remote access is also a single, high-value target.
At the beginning of the pandemic, CISA issued a warning about the continued exploitation of specific VPN vulnerabilities. CISA had conducted multiple incident response engagements at U.S. government and commercial entities where malicious cyber threat actors exploited CVE-2019-11510, an arbitrary file read vulnerability in Pulse Secure VPN appliances, to gain access to victim networks.
Although the vendor released patches for CVE-2019-11510 in April 2019, CISA observed incidents where Active Directory credentials stolen through the vulnerability were used months after the victim organization had patched its VPN appliance. The lesson is that patching closes the hole but does not undo what was taken through it: credentials and sessions exposed while the appliance was vulnerable must be rotated and revoked as part of the remediation.
This exploitation was a textbook example of cybercriminals adapting their methods to the increased use and scale of remote-work technologies. The concentrated adversarial effort forced security teams to re-evaluate the tools they had put in place and the scale at which they had deployed them. The four areas on which security teams are now focusing are:
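The first question an incident responder asks after a vulnerability like this is whether the appliance's own access logs show the file read happening, and whether it succeeded. The script below is an added example, not CISA's or any vendor's tooling: it scans Common Log Format lines for path-traversal requests, undoes layered percent-encoding, checks whether the path climbs above the web root or resolves to a sensitive file, and treats a 2xx response to such a request as a confirmed disclosure rather than a mere attempt. The log lines, the "/portal/" path prefix and the sensitive-file list are all constructed for the example; the traversal heuristic is generic and is not a signature for any specific exploit.

```python
"""Heuristic detection of arbitrary-file-read (path traversal) requests in
web-appliance access logs. Added example with constructed log lines; the
"/portal/" paths and the sensitive-file list are illustrative assumptions."""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Files whose disclosure from an appliance is a strong signal of an arbitrary
# file read. Illustrative list, not a vendor indicator set.
SENSITIVE_SUFFIXES = ("/etc/passwd", "/etc/shadow", ".mdb", ".db", ".pem", ".key")

# Constructed sample: one benign page load, one successful traversal (HTTP 200),
# one double-encoded traversal that was blocked (HTTP 403), and one benign
# request that only has ".." inside its query string.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2020:10:01:12 +0000] "GET /portal/auth/welcome.cgi HTTP/1.1" 200 5120
198.51.100.9 - - [14/Apr/2020:10:02:44 +0000] "GET /portal/../../../../etc/passwd?/portal/ HTTP/1.1" 200 1833
198.51.100.9 - - [14/Apr/2020:10:02:51 +0000] "GET /portal/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 199
192.0.2.4 - - [14/Apr/2020:10:03:02 +0000] "GET /portal/search?q=..%2F..%2Fetc HTTP/1.1" 200 811
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_path(raw_target: str):
    """Return (reasons, resolved_path) for one request target; empty reasons = benign."""
    path = fully_decode(raw_target.split("?", 1)[0])  # query string cannot traverse
    path = path.replace("\\", "/")  # some servers normalize backslashes too
    reasons = []
    segments = path.split("/")
    if ".." in segments:
        reasons.append("dot-dot segment")
    # Walk the segments and track depth; going below zero means the request
    # asks for something above the web root.
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                reasons.append("escapes web root")
                break
        elif seg not in ("", "."):
            depth += 1
    resolved = posixpath.normpath(path)
    if resolved.endswith(SENSITIVE_SUFFIXES):
        reasons.append(f"sensitive target {resolved}")
    return reasons, resolved


def scan_log(text: str):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        reasons, resolved = analyze_path(m["target"])
        if not reasons:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "target": m["target"],
            "resolved": resolved, "status": status, "reasons": reasons,
            # A 2xx on a traversal request means the read most likely succeeded.
            "severity": "confirmed-read" if 200 <= status < 300 else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:14} {f['ip']:14} {f['status']} {f['resolved']}  ({', '.join(f['reasons'])})")
```

A "confirmed-read" finding dated before the appliance was patched is exactly the case the CISA observation describes: the patch stops further reads, but every credential, session token or key that was readable on the box at that time should be treated as compromised and rotated, and the Active Directory accounts involved should be checked for logins from unexpected sources in the months that followed.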
- The best process for reducing remote access to sensitive data
- The identification gap between commercial and classified data
- The security of collaboration tools across an organization
- Visibility of endpoints, even when they are not on the corporate network
At the end of the day, security is a journey, not a destination: what worked before the pandemic may no longer suit the evolving threat environment. And having a security solution in place does not mean it cannot become the next point of compromise. It is imperative for security teams to continuously advise their organizations on the changing threat landscape, always looking to stay one step ahead of the attacker.
As organizations work through stage three of addressing their security posture, they must get inside the mindset of today’s cybercriminals, who are working around the clock to exploit the new technologies and workflows that companies have only just put in place.