In addition to the upheaval and emergency measures taken to combat the COVID-19 virus, organizations are increasingly vulnerable to cyber-attacks. A key driver of that vulnerability is an at-home workforce using older equipment that may not have been properly configured, operating over networks that are shared and inherently less secure. In cyber speak, we have increased the number of “attack surfaces.” This guidance will helpfully identify some steps your organization can take to reduce the chances of a security incident.
Ransomware on the Rise
We are seeing an increasing number of ransomware attacks. These are typically one- or two-pronged attacks where either everything is immediately encrypted, or some sort of surveillance malware is initially injected into the network and once enough intelligence is gathered, files are encrypted and a ransom demand is made. We have seen these attacks with both private organizations and municipalities.
Beyond these sorts of attacks, data is leaving each organization at an alarming rate. Even trusted and loyal employees, acting with the best of intentions, are exfiltrating data to their home computers so that they may benefit their employer and be productive. But this creates several problems. The obvious ones involve security, as many computer systems are both older and poorly configured and shared with family members. It can be difficult to control what is downloaded to computers in a home environment. Worse, these home computers are connected to the organization’s servers and could allow for the transmission of malware or surveillance. But beyond the loss of confidentiality, there are regulatory and compliance risks associated with sensitive data residing on home computers. Many organizations have contractual restrictions preventing this type of activity. The circumstances may clearly warrant the removal of the data to a less-secure environment, but it likely violates contractual terms and exposes the company to litigation even if no data is ever lost because the contract terms were broken. Finally, there is the challenge of identifying and reclaiming any information that was downloaded from the organization’s controlled systems. This is especially challenging should any of the work from home employees be laid-off in the weeks to come.
Contracts and Regulations
If your organization has contracts or customer privacy agreements in place mandating how it will handle sensitive data, these need to be addressed. It is perfectly reasonable to follow the old adage that desperate times require desperate measures, but the decision to take them when they are governed by a contract is a joint one and must be shared with the other party to the contract or agreement. Consent to process data differently than was set forth in the contract will also reduce exposure to the company should information be lost. It could still be subject to a negligence claim, but defending it as reasonable because it was consented to by the other party becomes much easier than trying to defend the claim when the organization has also breached the security terms it had in its agreement. At first blush this extra process seems like a lot of effort, but once the first contract rider is created the rest become mostly boiler plate.
In our experience, most organizations will agree to waive certain requirements to allow organizations to have their employees work from home as this may be a better alternative than not have any work performed at all. If they don’t, they had the opportunity to make their position understood and your organization avoided a potentially costly misstep. So either way, it is a success.
Regulators are also suspending enforcement of certain security and privacy regulations. We are seeing this with the Department of Health and Human Services now allowing certain types of telemedicine and the New York State Department of Finance addressing that many financial services must now be provided from home computers. To protect against potential regulatory action, it is important to document any changes to the way protected information is processed and engage in a “risk assessment” to demonstrate that the organization appreciated the risks associated with the new processing behavior and took steps to mitigate those risks.
In general, regulators are becoming more involved in understanding the root cause of cyber-incidents and any impact it may have on data subjects and industry they protect. Each regulator is responding differently so constant surveillance of the regulator’s website is essential, or consult with your attorney as they are likely addressing this on behalf of many clients and will be able to contextualize some of the changing requirements. Seeking forgiveness after the fact is not a winning strategy and there is little benefit in further straining organizational resources defending against regulators or civil litigants in contract disputes when it is fairly straightforward to obtain approval beforehand. Beyond that, it is an opportunity to reach out and cement relationships during these troubling times.
Beyond the contractual and regulatory issues, there are a number of steps every organization should take for both their internal systems and the home workforce. Because criminals know organizations are scrambling, the number of attacks appear to be rising. Even though there are competing priorities, there are a number of basic activities each organization can take to reduce their attack surface.
1. Backup your data
Backup critical data at least nightly. This has two immediate benefits. First, if ransomware is installed, it will allow you to restore back to a point prior to when the encryption occurred. If you keep older backups as well, this will help a forensics team determine when the system first became breached and assess how likely it is that unauthorized individuals accessed or acquired protected information. Without these backups, it can be much harder to assess the extent of the breach.
Logging is important because it both allows for the detection of unauthorized access and allows forensic teams to reconstruct the activities of the criminals. It will also allow the organization to identify any authorized exfiltration of information to help with its recovery after the impact of COVID-19 has passed. Where possible centralize the view of these logs so they can be monitored easily and archive them so they are available for later review. Ideally log as many activities as possible, but at a minimum log the firewall activities, spend the extra money for enhanced logging for Microsoft email and authentication activities to the network and critical systems. Many systems only allow logs for a few days or weeks. If possible dump these to an archive file and keeps these for half a year or more since sometimes the criminals surveil systems for that long and this will help confirm or deny their presence.
3. Two-Factor Authentication
It is time to implement this technology. Many of the banking trojans are designed to crack the passwords of system accounts and if two-factor is not enabled, this will allow them unfettered access to the network. Two-factor, while not a complete cure, reduces the risk considerably and it is now relatively inexpensive to implement. It can also be deployed in a very short amount of time. The laws of some state practically require an organization to justify why they are not using the technology, so if possible, implement multifactor authentication.
This is almost hackneyed at this point but we still see poor password hygiene in many of our cases. The author of the guidance recommending use of funny symbols and numbers in a password has since published his regret for this guidance. The best passwords are now considered to be phrases meaningful to the user. These are more likely to be remembered and since they are longer, they are much harder to crack. You also want to encourage your users to have a unique password for logging on to the organization’s system. That way if another organization is breached that services your employee, they can’t use their knowledge of that password to log in as the employee to your organization. These criminals are amazing users of LinkedIn and other social network applications and know to try these passwords on other sites. Indeed, one form of blackmail is to send an email to an individual with a known password and threaten to reveal all their secrets unless a ransom is paid. The attacker may not even know where the password works, but the fact that a secret password is known scares the user into paying the ransom.
Password Management Tools
We also recommend the use of password management tools. There are products like Dashlane that keep track of username and passwords and ensure that they are unique. This technology also exists at a browser level and your organization should undertake a risk assessment to determine which is the appropriate path to take. But without such technology, most users will use the same password across all their accounts and it is not possible to detect this behavior until it is too late.
Use different passwords for administrator accounts on each server. If the same password is used, it is much easier for the bad actors to overtake all the servers. If there are different passwords only part of the environment is compromised. While on the topic of administrator accounts, make sure each user with admin rights also has a regular account without such rights for their day-to-day use.
Finally, passwords should never be shared with other people. Each user should have their own account and own unique password. Even though their might be some additional licensing fees for more accounts, sharing an account among multiple users is dangerous and frustrates many of the logging activities.
5. Least Privilege
The concept of least privilege is easy to explain but hard to implement. Users should only have access to the systems and data they need to perform their work. As people change positions they often acquire more access but seldom are access rights withdrawn. This is political and sometimes convenience driven. But reducing the number of individuals authorized to access a system significantly reduces the attack surface and thus the risk.
Configure the system to lock users out after a few password failures. One or two failures could be a result of someone not realizing their caps lock is on. More than that suggests an attack. You can always unlock the account after so it is better safe than sorry.
It is also possible to prevent someone from even trying to enter a password if they are entering the system from a location outside of where your workforce operates. This is called Geo-blocking. It is not foolproof since the attacker could be using a proxy server located in the United States, but it reduces the attack surface.
7. Delete old data
Obsolete data that contains personally identifiable information is just taking up space and increases risk. Delete it or at least anonymize it if it no longer needs to be associated with a person.
8. Anti-virus software
Although the more sophisticated malware applications are new and may not be known to the anti-virus companies, this protection still protects against many of the common attacks, is inexpensive and should be used. It would be very hard to defend a company that did not use this technology.
9. Identify external email
Most email servers can identify email messages that come from outside of the organization. This helps users realize that an email that looks to have come from within the organization because of a very similar domain name actually did not and they should be suspicious of any attachments.
10. Disable macros
Many of the malware infections we see were initiated by macros embedded in Excel or Word. If macros are disabled, your users would need to permit them to run and while someone could make a mistake, most employees will elect not to authorize the running of the macro.
Your users are both your strongest defense and biggest weakness. Most attacks do not get past the firewall or other protections. They are invited in though a user opening an infected email message or navigating to an infected web page. Training both reduces the likelihood of these events happening and reminds users of what to do should they be tricked by an attacker.
12. Have a plan
A disaster plan limits the impact of bad events. There are a number of specialists who can help. If your attorney, insurance broker or remediation vendor are known, and their contact information documented, you are in a much better position to get help fast. It also helps to know under what circumstances the organization wants to involve authorities so that time lost to prevarication is eliminated.
If the attack is ransomware, know what you need to do: disconnect computers from the network; preserve the system and its logs for review; record as much information as possible about the virus, the email or document that delivered it and any information from the attackers. Sometimes it is better to leave the servers plugged in to see some of the temporary logs; sometimes it is better to power-off the servers and all workstations. Have an expert on speed dial and call your broker and lawyer.
These twelve strategies should be implemented both on existing equipment managed by the organization and on devices utilized by your workforce from their home environment. Now that the initial wave of home workers is deployed, consider having your Information Technology group work with remote workers to perform a checkup on their personal devices and implement technology that will enhance the monitoring and oversight of their configuration. If internal resources are maximized or uncertain about how to best accomplish this, there are a number of managed service providers who have become exceptionally efficient at this and they can often help.
What to Do if You are a Victim
Denial is a powerful force and works against any organization facing an attack. This is true for ransomware and for wire fraud. If you act immediately, there are a lot of things that can be done. Start with your disaster plan. Consult with your attorney and insurance broker. If you bring in an expert to help with the remediation, engage the expert through your attorney to ensure their work is protected by attorney-client privilege and the work product doctrine.
Harris Beach is committed to helping its clients through these changing circumstances and fulfilling its mission to deliver exceptional client service. If you would like help drafting amended data processing agreements to allow for a workforce operating from home or with finding solutions to enhance security in a changed network configuration, call Alan M. Winchester at 585.419.8713 or 212.313.5403 or email him at email@example.com. Otherwise reach out to the attorney you usually work with and they will introduce you to him.