Warren Buffet once said, “Only when the tide goes out do you discover who’s been swimming naked.” You can cover over a host of sins when times are good, but bad or unsafe practices will be exposed when times are rough.
Time and experience have borne out how accurate this witticism has been in the financial arena — and we’re now seeing how it can be true when it comes to the intersection of information security and COVID-19.
From an information security standpoint, current events have brought about a “new normal” in what we do and how we do it. The pandemic has impacted almost every aspect of security in some way — from security operations to security management to security planning and beyond.
Some organizations, particularly those that have embraced operational agility and resilient modes of service delivery, have found the transition relatively painless. Some even have derived unexpected competitive advantages. Others, like those that have rigid operational processes or rely on less resilient strategies, have found it less so.
Ultimately, when we finally reach a “post-COVID” state, there will be plenty of time to analyze what surely will be many lessons learned from the decisions we’re making today (and the legacy of the decisions that we made in the months and years leading up to today.)
However, it’s likely that many weeks or months will pass before we can get to that systematic and analytical retrospective. Yet even though the data will be slow in coming, we can draw out some trends — though still anecdotal — based on what we see in the world around us.
There are lessons we can learn to inform how we plan for the remainder of this crisis, and they may inform the questions we ask when the time for retrospective analysis does come.
The Threat Landscape
The first area for productive exploration involves changes to the threat landscape. Now, it bears saying that it’s early in the cycle, and there’s limited data about the direct impacts associated with the operational changes that we’ve made to accommodate “work from home” orders and increased “externalization” of technology services.
Because of this, it’s important that we be ready to adapt or gainsay what we observe anecdotally in light of hard data that is sure to be coming. Caveat aside, we have seen some concerning trends emerge that are observable (though perhaps not yet directly quantifiable) as it pertains to the threat landscape.
We’ve seen an increase in attacks against the healthcare sector. These run the gamut from ransomware and phishing to more sophisticated attacks.
While this is obviously horrifying, given that these are the same institutions that are responsible for treating the onslaught of COVID patients, it is informative in that it gives us some insight into how attackers operate.
We’ve also seen an emergence of attacks against videoconferencing applications: for example, uninvited external participants in conferences (i.e., “Zoom crashing”) along with a steady stream of security vulnerabilities in popular videoconferencing platforms.
These facts tell us two things about attacker activity that might be tougher to see in normal times, providing a different frame of reference to observe how attackers have pivoted in response to new business conditions.
First, attackers continue to use contextual events as fodder for attack campaigns. This is perhaps not that surprising in itself, but it is valuable when combined with the observation that they are tending to concentrate attacks against exactly those industries that have their hands full already in the midst of the crisis. Attackers go after the vulnerable — and they leverage context to do so.
Second, many long have held that the size of the target increases the prevalence of attacks. For example, when a large population of users employ a given tool, the size of the target increases. Again, this might be something that seems obvious at first blush, but watching it happen — for example watching attacks against videoconferencing applications go from “all but unheard of” to “commonplace” in proportion to increased usage — is noteworthy.
Noticing these patterns isn’t exactly rocket science because they’ve long been expected, but watching the pivot happen in front of our eyes makes it that much more clear.
BYOD and Cloud
It is interesting to observe how organizations have adapted to BYOD and externalization (e.g. cloud). Even organizations that historically have been reluctant to embrace cloud services and allow use of employee-owned devices for business purposes in many cases have had to allow some lessening of restrictions in order to maintain worker productivity. Some have said that the changes translate to the final death knell for the traditional network perimeter.
It is unlikely we will we see a complete elimination of the perimeter as a result of the adaptations we’ve made in response to current conditions. However, the pandemic could lead to a faster erosion of it. Some organizations on the other side of COVID (whatever that might look like) might find it difficult to re-introduce restrictions on BYOD after users have acquired the habit and developed a taste for using their own phones, laptops,and Internet access to support their work.
Likewise, organizations that historically have been loath to migrate critical services or applications to the cloud — and are doing so now out of necessity — may find that inertia works in favor of leaving those services external rather than bringing them back inside the traditional perimeter.
The reason it pays to think through these things is that now can be a good time to gather information. If you’ve been worried about the economic or customer impacts of cloud and you’ve made an emergency short-term transition now, collect what information you can about the economic performance.
In situations where workers previously were not able to use their own devices but can do so now, for the short term, collect whatever information you can about their usage. Take advantage of the opportunity to learn something that potentially can help you decide what kind of organization you want to be on the other side of this terrible situation.