Covid-19 notes for CISOs

Are your “coronavirus infosec strategy” Google searches not really returning useful results for you? Worried that any day now you’ll be put on the spot to explain how the infosec team will assure the BCP decisions being made across your organisation as it prepares to respond to multiple complex scenarios around extended remote access requirements, new cloud services and capacity planning?

These are crazy times and it’s unlikely that your BCP contains a runsheet for “global pandemic”. I figured I’d jot down a few notes that may be of use to CISO/CIO/Head of Infosec types to help identify potential risks that are emerging through rapid changes to infrastructure, networking, remote services and other business continuity actions that are likely to pop up in response to Covid-19.

Please feel free to comment and add to this very basic list.

The obvious one

As has already been reported, phishing campaigns using Covid-19 pretexts are going to be doing the rounds. This is pretty predictable, as threat actors are keenly aware that topical content has a higher chance of evoking a link click or payload execution on victim endpoints. There’s nothing as big as Covid-19 right now, so attacks with this pretext across email, SMS, instant messaging, voicemail and social media are going to be a popular vector across multiple actor groups.

Sending out company-wide comms to remind users of this threat vector is a good idea.

Rapid enablement of cloud services

A lot of businesses are likely reaching out to Microsoft, Amazon and others to bolster their BCP by complementing remote access services with cloud-based options so that, if a third-party supplier is unable to continue to provide the required service, core operations around messaging, file transfer and transactions can continue. If you’re responsible for infosec and you aren’t connected into the plans, designs and decisions around new or extended cloud services, you could quickly find yourself in a situation where:

  • authentication services that were protected are now exposed (e.g. multifactor authentication that is invoked on your gateway was not activated for your temporary cloud service)
  • non-secure services are spun up to complement or replace current secured services (e.g. FTP vs SFTP)
  • permission profiles for roles, departments or functions haven’t been mapped or applied to replacement services
  • …and so on…

Understanding and communicating risk positioning is critical at this point, particularly when the longevity of these solutions is unknown. We really don’t know how long Covid-19 will hang around, and if the plan is to replace on-prem solutions with cloud offerings it is crucial to ensure core security requirements are implemented from the get-go.

Get yourself connected with your company incident management and ICT teams as soon as possible to ensure minimum security requirements are being met on any new apps or services that are being provisioned for continuity.


Loads of businesses rely on endpoints being connected to the core in order to stream critical telemetry like EDR/AV/syslog to collection services or SIEMs, or to feed correlation or alerting systems that detect malicious activity. If your whole org was suddenly required to work remotely, how would that affect this telemetry? Do your endpoint agents still deliver logs on the same schedule? Do all endpoint agents deliver telemetry the same way?

Understand how your endpoints transmit critical infosec telemetry and determine whether changes are needed to maintain appropriate visibility.

What about updates? Is your patching cycle performed monthly? Can patches be provisioned to a massively increased set of remote users? Should you drop all but the most critical patches from the regular schedule?

Workshop options for maintaining basic ICT hygiene under outbreak/pandemic conditions in partnership with infrastructure teams to ensure solutions are achievable and allow the business to continue without significant interruption.

Incident response

This is an important one. You might be in a position where the assurance of endpoints via corporate security controls is degraded due to differences in the security profile for users working from home. It may not have been an issue in the past, when only a small proportion of staff fell into this bucket, but that is no longer the case. Are you able to remotely contain infected systems in this scenario? Can you quickly isolate hosts via VPN? Do your DLP services still operate effectively? What about your other infosec controls? How does a Covid-19 remote operation scenario affect your ability to respond to incidents?

Is additional risk introduced in this scenario? What changes are required to mitigate these risks?

Partners and managed services

Have you talked to your account and ops counterparts? What is their plan for continuity? Can they continue to deliver the same service if they have multiple staff quarantined? How does the risk position change and what are the ramifications for in-flight projects and BAU services? How are they positioned for their other clients? Remember, this is a tough time for everyone, so kick off the conversation as soon as possible to get an understanding of how 3rd party capability and response could affect your operations.

Get in touch with key partners and providers to get a brief on their preparations and plans for dealing with the many challenges that Covid-19 presents.

Key functions

If half your infosec ops team was offline due to illness, do you know what core functions remaining team members should concentrate on? Can you lean on infra and other support teams for assistance should such a situation eventuate? If you had to drop back to half the services you normally operate, how would that impact your risk position? What is the minimum level of service you and your team can provide that does not adversely impact your risk position?

Look at your service stack and identify key activities that your team deliver to maintain assurance against your current risk appetite. Identify the minimum threshold and create an action plan to enact if that threshold is breached.

Not an exhaustive list, just a few thoughts for infosec leaders during what is a somewhat unprecedented and unexpected scenario for most of us.

Comments and additions are most welcome.
