Making the transition to a work from home arrangement has been a heavy lift for a lot of organizations.
However, due to various risk factors and regulations, making the sudden shift to working from home has been more complicated for some sectors than others.
Industries such as the financial and healthcare sectors, as well as those working for the government, face tighter restrictions on how they are allowed to work remotely. This is because the risks to these sectors are deemed to be higher due to privacy and security considerations.
In many cases, it is against the rules for certain jobs to be performed remotely out of concern for security. Under normal circumstances, it would make perfect sense to forbid the employees of large financial institutions from making sensitive transactions over insecure home networks. But in the time of Covid-19, many of these regulations have been weakened, if temporarily, in order to allow work to continue on while keeping workers safely at home.
At the same time that regulators and organizations are attempting to find workarounds to accommodate the need to work away from the office, the security threats are mounting as hackers look to take advantage of the situation.
In hopes of helping organizations in these more sensitive sectors better understand their risks, we examined each one’s threat models and provided a couple of suggestions on how to mitigate them.
Defining Security Concepts — The CIA Triad
When we talk about cybersecurity, it is worth taking a moment to define our terms. More than just a buzzword that gets bandied about (like AI or XaaS), cybersecurity describes the effort to protect information. Yes, there are examples of cyber crossing into kinetic, like we saw in Stuxnet, the attacks on power stations in Ukraine, and the many machines that became expensive paperweights after the NotPetya attacks.
But for most organizations, the target is the data that they have on their systems that is either itself valuable or can be used to access something of value. In practice, this can be personally identifiable information for use in fraud like a social security number, a company’s intellectual property, sensitive government information, voting information, credit card numbers, and even the ability to access the data itself.
Thinking about the examples laid out above, we can break information security into three categories: confidentiality, integrity, and availability.
The CIA triad, as it is most commonly known, asks us whether the information in our systems is still secret, trustworthy, and, well, available if we need to access it. If any of these three conditions has been compromised, then we may be in trouble. Let’s look first at the example of healthcare to understand how the CIA concept affects our sensitive organization types in practice.
Confidentiality is extremely important when it comes to the healthcare sector. Whether it is communications with your doctor, records, or other information that nobody else has a right to know about, people rightly take the privacy of their medical information seriously.
Beyond the fact that people want their health records to remain private, they contain a lot of personal information that can be used for identity theft and fraud. They have addresses, birth dates, family details, and plenty of other tidbits that can be sold to fraudsters looking to apply for credit cards or loans under someone else’s name.
Recognizing the need to secure these kinds of data and to protect doctor/patient confidentiality, the government has issued regulations that lay down guidelines for healthcare providers and services. These include the well-known Health Insurance Portability and Accountability Act (HIPAA) and the more recent Health Information Technology for Economic and Clinical Health Act (HITECH).
Looking at HIPAA, its Security Rule lays out the standards for dealing with electronic protected health information (e-PHI). It states that covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
On a good day, many organizations have trouble staying compliant with HIPAA. The regulations require that they take reasonable measures to keep their systems secure and employees in line with best practices. This is easier said than done on outdated systems with IT teams that are stretched thin, and a workforce that is often far from hardened to attacks by hackers.
Keeping data secure during the Covid-19 outbreak has only become a bigger challenge as more medical services have moved from in-person appointments to digital channels. Telehealth services, in which a patient communicates with their doctor (generally over a video chat app on their phone) or transmits data to them from a device, have been crucial in helping the public continue to access important care.
While there are a number of platforms that are already certified as HIPAA-compliant, the Department of Health and Human Services (HHS) has temporarily allowed for the use of additional services such as Apple’s FaceTime, Zoom, and even Facebook Messenger’s video chat app. This is good news for patients who need to speak with their doctor without taking additional risks of being infected. However, there are risks if healthcare providers fail to take the necessary security precautions.
The first concern is that not all applications use end-to-end (e2e) encryption. In very basic terms, this is where the data being sent from one device to another can only be read by the person it is being sent to, since only they hold the keys to decrypt the messages; the service relaying the traffic cannot read it either. This prevents the data from being read by a “man in the middle”. Zoom took a lot of heat for initially claiming that it was using e2e before admitting that it was not. Features like its call-in numbers for those not using the app mean that those calls cannot be end-to-end encrypted.
The second issue stems from the security of endpoint devices like mobile phones and computers. Implementing updates as they become available is crucial for preventing the exploitation of software vulnerabilities. Misconfigurations on communication apps like Zoom can open the door to eavesdropping and put patient privacy at risk.
While working remotely is not the cause of these security concerns, it puts a lot of stress on a system that already struggles to get things right from day to day. Ensuring that everyone’s devices are up to date is not easy. Many healthcare providers will choose the telehealth option that is most usable for their staff and patients, not necessarily the one that is most secure.
These are significant challenges to overcome. Unfortunately, this is not the only sector to face significant issues from the remote work situation.
There’s an old joke about why bank robbers rob banks. Because it’s where the money is.
Whereas an old-fashioned stickup is less of an issue for these financial organizations where most of their transactions are performed digitally, there are plenty of risks that they must mitigate. Organizations that handle financial information and transactions have long been aware of the need for security. Unlike the case of healthcare providers, security is generally well funded.
Financial institutions face very real risks to all three elements of the CIA triad. Our trust in these institutions depends on their ability to keep our accounts and transactions private (confidentiality), accurate (integrity), and of course accessible (availability). If any of these factors is threatened, the system could find itself in serious trouble.
Now in the current work from home moment, the financial industry faces challenges in maintaining security and sticking as close as possible to regulations aimed at guarding against abuse from insider threats as well as external attackers. However, faced with the balancing act of keeping services running for customers vs security controls, the Financial Industry Regulatory Authority (FINRA) has issued special guidance for the pandemic. The regulator has already made noises about relaxing rules for how Wall Street firms are required to supervise their employees involved in trading from remote locations.
One significant change that they are allowing for the time being is that documents which would normally have to be transferred by hard copy are now permitted to be sent by email. This is good news for limiting employees’ risk of exposure. At the same time, it adds to the challenge of securing devices and communications.
When they are working in the office, employees at these financial institutions are able to use their employer-provided IT network and computers. But what happens when employees have to continue working from home on their unsecured home networks? Is their VPN properly configured? Are they using devices supplied by their employer or is it their personal computer that has not seen a system update in years?
Then there are the more human challenges. Hackers are taking advantage of the remote work situation to launch phishing campaigns aimed at tricking workers into handing over credentials. One concern is that hackers might pretend to be from the support team and ask an employee for access to their account. Under normal circumstances it would be easy enough to walk down to double check on a questionable request in person. However in the remote experience, this becomes a harder nut to crack.
Last but not least on our list is the government. Local, state, or federal, all levels of government must contend with risks that are further strained by our work from home arrangement.
While every department has its own specific requirements, the National Institute of Standards and Technology (NIST) has issued a cybersecurity framework that forms the core of government compliance. The Department of Homeland Security has a say when it comes to data security, and the Federal Information Security Management Act of 2002 (FISMA) provides another foundational layer of cyber protocol to be followed.
Like healthcare providers, government agencies are public-facing and often under-resourced, so they often start at a significant cybersecurity disadvantage. While certain departments may have higher standards given their assumed risk level (the NSA frowns on taking your work home with you), others like the Office of Personnel Management have been the target of high-profile attacks because of their lax security.
One of the more significant challenges for government departments is that even though a significant number of employees have been working remotely for years using VPNs and employee monitoring software, they have never had so many workers go remote all at once. The potential pitfalls are many. Everything from insecure internet connections and a lack of vetted, updated devices to phishing attempts could threaten all aspects of their security.
Adding to their troubles is that as the number of workers who will have to be secured rises, with IT and Security teams pulling together solutions with a mixture of popsicle sticks and chewing gum, adversaries see this time of reshuffling policies as an opportunity for hacking.
Government organizations are targeted for many reasons. On one end of the spectrum, state actors like China’s many APT crews are launching massive intrusions into researchers working on Covid-19 or to identify intelligence assets. On the other, cities and states are facing an uptick in the number of ransomware attacks from what we can assume are criminal groups out to make a quick and dirty buck.
Given the range of threats facing government workers, as well as those facing the healthcare and financial sectors during the mass transition to remote work, how can their organizations improve their chances of making it through with minimal cyber scrapes and bruises?
3 Tips and Tricks for Cyber Threat Mitigation
There is no shortage of excellent advice available online for those looking to make their organization a little bit safer when it comes to cybersecurity. I always recommend looking at the resources provided by the Electronic Frontier Foundation (EFF) for becoming better educated about how to protect yourself.
But before you go on a deep dive into cybersecurity wisdom, here are a few tips to help you and your team avoid the most pressing threats out there today.
Think Again Before You Click
Ransomware is one of the biggest concerns for organizations across all sectors today. These attacks can lock users out of their systems, leaving them at the mercy of hackers to let them back in at a price.
Along with the cities noted above, hospitals have found themselves to be particularly vulnerable to these attacks, since being locked out of their systems can put lives at risk. Considering the stakes, many have been quick to pay out hundreds of thousands of dollars to regain access.
As organizations have become smarter about backing up their files, hackers have also evolved. Now many have a double threat of not only locking the organization out of their machines or network, but threatening to publicly dump data if they are not paid, thus compromising not only accessibility but confidentiality as well.
In most cases, the attackers begin with a phishing email, enticing an employee to open a booby-trapped document or click on a link. Once they gain a foothold on a device, they are able to deliver their malware payload and infect their target.
As many organizations are public facing, avoiding clicking on links is easier said than done. Sure you can look out for telltale signs like poor spelling or other mistakes, but many hackers have gotten better at their craft or simply buy high quality phishing emails off of black markets.
Educating your team to spot suspicious emails is the first line of defense. If an email looks suspicious, then avoid opening it or any docs/links. It is always better to send something to security for inspection than risk harming the organization.
As a backup, though, we recommend that your system admins disable PowerShell and macros in Office products. These are two of the most common ways that malware is able to infect a system. They are also features that the vast majority of users do not really need, so it is far better to simply avoid leaving them open as avenues of attack.
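As an added example (not from the original post), here is how an administrator can check and enforce the two settings above on a Windows endpoint: the Office policy keys that disable macros and block macros in files downloaded from the Internet, plus a report on how exposed PowerShell is for the current user. It assumes Office 2016/2019/365 (policy path version `16.0`) and a 30-day window is not involved; in a managed fleet the same keys would be pushed by Group Policy.

```powershell
# Added example, not the post's own code. Enforce "disable all macros without
# notification" and "block macros in files from the Internet" for Word, Excel
# and PowerPoint via the Office policy registry keys, and report the PowerShell
# language mode. Assumption: Office 2016/2019/365 (version key "16.0").

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param([switch]$Enforce)   # without -Enforce the function only reports
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($Enforce) {
            New-Item -Path $key -Force | Out-Null
            # VBAWarnings 4 = disable all macros without notification
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
            # Block macros in documents carrying the Mark-of-the-Web (downloaded files)
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
        $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $current.VBAWarnings          # $null = not set, user decides
            BlockInternet = $current.blockcontentexecutionfrominternet
            Compliant     = ($current.VBAWarnings -eq 4 -and
                             $current.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Get-PowerShellExposure {
    # FullLanguage means the user can run arbitrary scripts and .NET calls.
    # ConstrainedLanguage (set by AppLocker/WDAC, or by the machine-wide
    # __PSLockdownPolicy=4 variable) is the usual middle ground when admins
    # still need PowerShell. Execution policy is a safety net, not a boundary.
    [pscustomobject]@{
        LanguageMode     = $ExecutionContext.SessionState.LanguageMode
        ExecutionPolicy  = Get-ExecutionPolicy
        LockdownVariable = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    }
}

Set-OfficeMacroPolicy | Format-Table -AutoSize      # audit only
# Set-OfficeMacroPolicy -Enforce | Format-Table     # apply the hardened policy
Get-PowerShellExposure
```

Run the audit first; `Compliant` is false for any app whose policy keys are absent or weaker than the two values above.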
Verify with a Second Channel
Sticking with phishing, one of the most common threats facing organizations is business email compromise (BEC). While there are many forms of this attack, one is when a hacker uses social engineering to trick an employee into sending them money. Most often they pretend to be either an executive at the company or a vendor sending an invoice. In other cases, the hacker may try to convince a worker to hand over credentials that will give them access to the organization’s network, letting them work their way up until they find something valuable enough to steal.
Defending against these kinds of tricks can feel like a cat and mouse game. We advise always checking to see that the email or communication really comes from the right address, and not someone creating a fraudulent address.
However, if you are ever in doubt, the best thing to do is ask. Having everyone being remote makes it harder since there are many more opportunities for hackers to pose as someone from your organization. But even if you cannot just pop down the hall to the CFO’s office, you can pick up the phone to ask about that Slack or email. Never ask for confirmation on the same channel that you suspect might be compromised.
Update, Patch, Repeat
One of the most important steps that an organization can take to better its chances of success against attackers is to stay up to date with software updates.
This is understandably an annoying activity for IT teams as well as workers. It can be time consuming and there is always the possibility that a patch or new version may impact the functioning of essential software.
But we know how important updating is because it is the way that software vendors fix vulnerabilities that can later be used to exploit your systems. In recent years, some of the most notorious hacks have been carried out not with 0-day exploits but with known vulnerabilities on unpatched systems. Think WannaCry and its use of the EternalBlue exploit that the NSA had found and developed. Microsoft had issued patches well before the attack was launched, but many organizations, like the UK’s National Health Service (NHS), were still running old versions of Windows that were not protected.
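As an added example (not from the original post), this is the kind of quick patch-hygiene check an administrator can run on a Windows endpoint: it reports the OS build, how stale the newest installed update is, and whether SMBv1, the protocol EternalBlue abused and that Microsoft fixed in MS17-010, is still enabled. The 30-day threshold is an assumed policy value, and the script needs an elevated session.

```powershell
# Added example, not the post's own code. Patch-hygiene report for one Windows
# host plus a helper to turn off SMBv1. Assumptions: elevated session,
# Windows 8/Server 2012 or later (for Get-SmbServerConfiguration), and a
# 30-day "patch is stale" threshold chosen here for illustration.

$MaxPatchAgeDays = 30

function Get-PatchHygiene {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-HotFix lists installed updates; InstalledOn is empty for some
    # entries, so drop those before picking the newest one.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    $stale   = ($null -eq $ageDays) -or ($ageDays -gt $MaxPatchAgeDays)

    # Server-side SMBv1 switch; $true means the host still speaks the protocol
    # that WannaCry spread over.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    [pscustomobject]@{
        OS             = $os.Caption
        Build          = $os.Version
        LatestPatch    = if ($latest) { $latest.HotFixID } else { 'none found' }
        PatchAgeDays   = $ageDays
        PatchStale     = $stale
        SMB1Enabled    = $smb1
        NeedsAttention = $stale -or $smb1
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server and remove the optional feature; a reboot
    # completes the removal. Old printers or NAS boxes that only speak SMBv1
    # will stop working, so inventory those first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$report = Get-PatchHygiene
$report | Format-List
if ($report.SMB1Enabled) { Write-Warning 'SMBv1 is still enabled; run Disable-Smb1 and reboot.' }
```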
Staying Secure in Uncertain Times
Even as some states have begun to plot their course towards a post-pandemic future, we are likely to see many aspects of how we work remain in flux. The only certainty is that change will continue as we learn more and adjust to the new normal.
Whether your organization returns to full-time work at the office or moves to a hybrid with more work from home, our advice is to stick to best practices for staying secure. The advice above, together with guidance from regulators and bodies like NIST, offers the best way forward.
While many complex threats will remain out there, organizations like yours can take a significant step in fending off the attacker by covering the basics and not being afraid to ask questions if your gut tells you to.