September 13, 2020
Navigating Security in the Remote Paradigm
by Jarrod Lynn
While companies having been improving during the work-from-home phase, bad guys have been busy, too--and deep fakes are getting scary.
The current remote work situation has brought to light a three-part problem around security. First, it has created challenges in defending against traditional threats – both physical and information security. Second, emerging technologies promise new threats that will be all the more difficult to counter in remote settings. Third, the body of regulations mandating security measures vis-à-vis personal data is growing. Liability for breaches does not abate due to the current circumstances. The inherent vulnerabilities of the remote situation paired with likely advances in adversary tactics and threats from emerging technologies will challenge organizations to meet their regulatory security obligations. In this article, I will give an overview of these problems in isolation and discuss how they might combine. Finally, I will suggest some measures to take to begin to deal with this predicament.
At its core, a security program’s goals are the protection of life and the maintenance of the confidentiality, integrity and availability of information.
The recent widespread shift to off-premises work has two primary distinguishing features from a security perspective: It expands or eliminates the organization’s physical perimeter and necessitates remote access to corporate networks as well as a far higher degree of dependence on information systems for communication between employees. These factors upend an entity’s normal process of security assessments and controls and create fertile ground for both traditional and emerging threats. With unsupervised personnel and data dispersed to uncontrolled locations, using various means to access organizational networks, numerous varieties of threats abound.
Categories of vulnerabilities and threats for which there were standard controls and processes in the traditional setting require rethinking in this new reality. Likewise, emerging technologies pose novel threats. We can expect adversaries to continue to adapt to changing conditions of work by capitalizing on physical vulnerabilities and developing increasingly sophisticated and clever implementations of both existing and new technologies.
At the same time, targeted organizations and individuals continue to bear the costs and liabilities of adversary actions. Victim entities may suffer direct losses from attacks. In addition, cybersecurity requirements related to privacy and penalties for failure to comply grow with each new law without regard to the remote work situation. This creates a difficult bind for defenders and all types of enterprises and individuals who control the data of others.
There are, however, steps that can be taken to address these concerns. Now, more than ever, defenders will see the advantage of relying on skilled security personnel and cross-disciplinary leaders and teams as well as adopting an approach to security that recognizes that cyber and physical security are intertwined.
While the long-term status of the recent shift to work-from-home remains unclear, inherent vulnerabilities of the remote paradigm combined with threats based on new technologies present an opportunity for reflection on the status of future contingency plans and demand the attention of executives, counsel, security professionals and insurance providers now.
How the Remote Paradigm Interacts With Security for Traditional Threats
Effective security programs apply technical, physical and administrative controls or countermeasures to assessed vulnerabilities, threats and risks. While not always uniformly or well-applied, and noting that threats are continually evolving, standards are generally well-developed in the context of traditional workplaces and often in the case of small groups of workers who require remote access, such as members of sales teams and business travelers.
The remote paradigm expands or eliminates the physical perimeter and forces remote access and communication, with serious significant consequences for security controls.
In very general terms, an expanded perimeter leads to:
- Less physical control over information systems and data
- Technical/physical vulnerabilities (e.g., potential adversary access to residential Wi-Fi)
- Less physical security over personnel (e.g., threats to their physical safety)
- Less supervision over staff
- complicating application of administrative controls such as job rotation
- greater potential for problems from insider threats – both witting and unwitting
In equally general terms, remote access and communication means:
- Inherent technical vulnerabilities to data – both at rest and in transit
- Proliferation of endpoints and lack of control over these
- Reliance on communication between remote users and the need for out-of-band communication
- Communications involving proprietary data (e.g., trade secrets) and sensitive activities (e.g., engineers working on live systems) that normally occur in controlled settings and may now be conducted remotely
- Increased reliance on, and accelerated migration to, the cloud
Organizations have established processes for addressing traditional threats in the context of the status quo. The remote paradigm entails significant changes to the security process. Categories of vulnerabilities, threats and risks that are relatively well-managed in an on-site setting must be reconsidered when the whole enterprise is operating remotely. Adversaries are left to their imagination in ways to overcome whatever security measures may (or may not) be in place in the many home offices from which employees operate.
Beyond considerations around configuration management, security professionals must be aware of the potential presence of Internet of Things devices such as smart appliances and smart speakers that may have implications from both a technical and physical security perspective.
In addition, two newly established threats can have significant potential ramifications in a remote environment. In “Zoom bombing,” someone who is not supposed to be involved in a meeting can disrupt it, eavesdrop or alter the message. In other words, the person can interfere with the confidentiality, integrity or availability of information. Secondly, a well-made deep fake can be very damaging to an organization if, for example, it falsely portrays an employee acting in a way that runs counter to the entity’s interests. These threats are particularly problematic in remote settings because communication and public messaging is complicated and potentially interfered-with.
At the same time as the remote paradigm complicates existing threats, new threats are on the horizon with emerging technologies. As with traditional threats, emerging threats will pose more of a problem in the remote environment. Here, we will consider some potential malevolent applications of quantum computing, artificial intelligence/machine learning (AI/ML) and real-time deep fakes.
Both quantum computing and AI/ML are broad new technologies with myriad potential beneficial implementations as well as malevolent uses by adversaries.
Practical applications of quantum computing are not yet reported to be in use outside of a laboratory setting. However, there is a quantum arms race underway due in large part to the fact that quantum computing will revolutionize cybersecurity. Quantum computing is predicted to make child’s play of current encryption. Remarkably, it may be possible to apply quantum decryption of current protocols retrospectively. That is, traffic might be recorded today and replayed through future quantum decryption tools to decrypt it later. This could have dramatic implications for organizations to the extent that they rely on current encryption to safeguard sensitive communications that will remain sensitive. The current predicted timeframe for widespread use of quantum technology varies; however, three recent developments suggest it may be accelerating. First, processor power has been improving exponentially. Second, the U.S. Department of Energy recently unveiled a blueprint report to develop a national quantum internet. Third, given the threat of quantum computing to current cryptography, the National Institute of Standards and Technology (NIST) aims to develop a post-quantum cryptography standard by 2022.
Moving to AI/ML, adversaries are already using the beneficial features of AI/ML in numerous malicious ways. For example, AI/ML can obfuscate an attacker’s location and identity and augment traditional attacks, providing additional power and scale. Malevolent uses will continue to evolve to enable far more sophisticated attacks. Recent developments involving photon-based chips have moved us closer to AI/ML that learns independently at the speed of light.
Judging anecdotally from the preponderance of articles and developments in both AI and quantum, we may be at a tipping point for both.
Although enabled by AI/ML, deep fakes are a sufficiently rare use case as to merit their own mention. Separate from the pre-recorded deep fakes discussed above, it is now possible to create a deep fake in real time. The primary concern with real-time deep fakes is that an adversary could appropriate the likeness of an employee, infiltrate an internal or external video teleconference, convince an audience of the veracity of the messages and influence outcomes. It is also possible to imagine that a real-time deep fake could falsely portray an individual engaging in some sort of behavior that is damaging to the organization.
Whether in a traditional setting or operating at a distance, these emerging threats are problematic. However, the remote environment continues to provide adversaries with more opportunity due to the expansion or elimination of the physical perimeter and the necessity of remote access and communication.
Having looked at the inherent problems of the remote paradigm and some of the emerging technologies, consider some edge cases. Each of these is presented in its starkest form and capitalizes on weaknesses in a generic remote model.
The first scenario stems from advanced persistent threats (APTs). APTs are insidious in that they tend to burrow into an information system and lie in wait or operate undetected, frequently exacting a heavy toll. They can benefit from emerging technologies of AI and ML as well as the security shortcomings and potential chaos around the current remote work situation.
The next general category of threats has to do with physical violence against employees operating away from corporate offices or in settings that are not within a security perimeter managed by the organization. This could range from a kidnapping to a home invasion and assault or murder. Likewise, as in a remote bank robbery, an employee could be forced to take actions against an organization’s interests under duress.
Next is the new category of real-time deep fakes. The real danger to organizations with this technology is the prospect of a real-time deep fake during an internal or external communication. At a minimum, this could interfere with the confidentiality, integrity and availability of information. At worst, such a tactic could be used as a ruse to outright direct the actions of employees or outside interlocutors.
Finally, a very serious and dramatic threat is that an adversary could take advantage of the various attack vectors available combined with the weaknesses in the remote paradigm to completely divert the organization’s resources to his or her uses for a time. Far more damaging than ransomware, this could constitute a total takeover. This might involve a mix of physical force and real-time deep fakes as well as other technical weaknesses inherent in remote communications. Further, the attacker could rely on an entity’s lack of out-of-band communication or other successful means of authentication to ensure that he or she is able to carry out the plan. This is admittedly an extreme, worst-case scenario. A far more nuanced possibility would involve an attacker subtly manipulating corporate resources using scaled-down versions of the same tactics.
Considering these scenarios, readers might be tempted to ask who would do these things and why.
The potential cast of bad actors and motives is the same as always. It ranges from opportunistic “script kiddies” to activists to common thieves and organized criminals to nation-states. What is different here is that the how becomes easier. Further, bad actors may be emboldened by the lack of traditional security controls and barriers. Simply, someone not otherwise inclined to physically access a system or commit violence in the service of what could be a relatively white-collar crime might make a calculated decision that the risks involved are not prohibitive relative to the rewards. In a traditional environment, corporate security and access control measures would ordinarily discourage the mere consideration.
These threats can cause a variety of harms – physical harm to people, exposure of private data, financial loss to shareholders and damage to the organization through lost profits, regulatory trouble and reputational harm.
Regardless of other priorities, any entity’s first concern must be mitigating increased risk to remote employees stemming from their employment. Should harm come to pass, there could possibly be civil liability, but safety is the first priority.
The next area for concern is data privacy. Nearly all entities hold personally identifiable information (PII) of some sort, even if it is little more than the data of their own employees. If a breach exposes that data, liability to data holders (customers, employees, vendors) or shareholders may ensue. Likewise, chances are that a given entity is bound by at least one of the ever-growing number of industry- or regional-specific regulations addressing cyber security and privacy.
In the U.S. alone, there are multiple regulatory regimes and regulators that address PII and security – the California Consumer Privacy Act (CCPA), the Sarbannes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability Accountability Act (HIPAA) and the Payment Card Industry-Data Security Standard (PCI-DSS), as well as those falling under the jurisdiction of the New York State Division of Financial Services (NYSDFS), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) – and the list is growing. Meanwhile, the GDPR has major implications for organizations whose operations have a connection to Europe.
In some cases, the obligations are clear, while in others, what exactly a business is required to do vis-à-vis PII is opaque. For instance, both the FTC and CCPA refer to a requirement to implement “reasonable” data security, without providing much clarity on what constitutes “reasonable.” The sum and substance of these requirements is that even when, or precisely when, they are the victim of an attack, organizations remain obligated to provide a given measure of security over PII.
Although beyond the scope of this article, organizations might consider potential downstream effects should their systems be used as a launching point for attacks on third parties, as well as impacts on the performance of contracts.
Finally, the takeover or even meddling with a given entity’s operations is clearly likely to have severe direct consequences to the enterprise itself. For a business, this could include loss of revenue during down time, siphoning of productivity and damage to reputation, among other potential consequences.
What Organizations Can Do
I hope it is clear that there are some immediate problems that merit attention. In this situation, one of the worst things to do would be to deny the problem and do nothing.
Moving forward, organizations should start by asking whether the remote situation is temporary or permanent. For any entity that has plans to return to full on-site operations in the very near term, some of these considerations may be less pressing.
For all other entities, the first concern is how to improve security in the remote situation. The best thing any organization can do is to hire, fund and take the advice of a competent chief security officer, chief information security officer and counsel, who should work together on issues of physical security, information security and administrative controls. Preferably, the CSO and CISO will take a holistic view of security favoring a convergence approach, where appropriate. If an organization does not currently have the benefit of competent or sufficient in-house security personnel, a firm specializing in security may be a viable option in the short term.
Developing and adjusting security controls to the remote paradigm is a challenge, but it is not insurmountable. What follows is a non-comprehensive list of recommendations that can be taken related to certain key steps.
From an information and technology security perspective, this starts with knowing the enterprise’s network, what machines are connected to it and the identity and location of the organization’s crown jewels. Organizations must decide whether the risks of allowing certain business functions that may have only historically occurred in dedicated spaces and via hardline connections (such as discussions of trade secrets and access to live/production systems for engineers) should occur remotely. Likewise, organizations must make decisions related to approved devices, means of accessing corporate networks and standardized security procedures (e.g., securing Wi-Fi). Organizations should also decide on remote identity and access management, to include the use of two-factor authentication. Organizations should consider engaging outside security firms to assist with these assessments as necessary, to audit physical and cyber security through penetration testing and, potentially, to conduct employee training.
Administrative controls are more difficult. Given the variety of harms that can arise directly from human behavior, leaders need to find a way to encourage and maintain a culture of security despite the lack of physical proximity. Witting and unwitting insiders have much more room to cause damage away from supervision and peers. Organizations need to find ways to implement controls such as those related to access management and job rotation, among others. Education and training, particularly around topics such as spear phishing and authorized uses of corporate networks, should be designed with an emphasis on the remote setting. Employees should be given incentives to comply with security. Security managers need to stay abreast of trends in employee malfeasance around remote work as well as emerging best practices in this new area.
Physical security will also prove challenging. Organizations should consult with counsel to determine their obligations to employees and tailor programs to meet these needs. Just as enterprises assess the sensitivity of their data systems, they should also assess the exposure of their personnel. For certain high-risk employees, it may be wise to consider implementing off-premises physical security measures or, at the very least, training.
For all types of enterprises, whether they plan to return to on-site operations now or not, there are some common considerations. First, they should consider the possibility that clever and determined adversaries may have taken advantage of this period during which their guard has been down to some degree to access systems and plant malware or establish an unauthorized presence on the organization’s systems. With this in mind, organizations should carefully examine their networks for indicators of compromise. Likewise, they should consider that this has been a period in which insiders have had an opportunity to grow bolder. Security departments should step up their efforts to detect insider threats.
See also: Keeping an Eye on Consumer Privacy
In the longer term, all organizations can take certain additional measures. This period has proven fortuitous in a number of ways. First, it can be treated as a practical drill. All entities should conduct an after-action review. Leadership at all levels from individual teams to the C-suite and boards should sit down and discuss what went right and wrong. Where business continuity plans and other policies and procedures did not match with reality, they should be rewritten. We’ve been handed a real-world opportunity to improve upon our posture.
One specific action all sorts of entities should ensure is that they have reliable out-of-band communication and authentication. This is absolutely essential. In the event of a form of takeover such as the doomsday scenario proposed above, an organization needs a reliable and immediate way of verifying information, authenticating its source and enacting contingency plans should it become necessary.
The various regulatory obligations to provide measures of security over PII imply a responsibility to keep up to date on shifting threats and vulnerabilities that stem from changing environments and emerging technologies. Organizations are on notice that they must begin to find ways to ensure they are meeting their obligations to develop measures to provide security against these threats. In other words, organizations are on notice. The fact that NIST has a public target date for its first quantum security standard provides some saliency around this. Some companies have already taken action along these lines.
It does not appear as though exceptions will be made for shortcomings in security in the current situation, for example under NYSDFS rules and the CCPA. However, the rules of the road for the remote paradigm are being written as we speak. Organizations should use this opportunity to help write them. They should also develop relationships with law enforcement and regulators. They should join industry ISACs and other relevant security groups. Groups such as the IAPP and SANS also offer a wealth of information for professionals interested in working to improve their processes. In consultation with counsel and security professionals, all enterprises need to consider what constitutes acceptable security measures in the current situation and with awareness of emerging technologies.
Of course, organizations should consider which forms of insurance are best-suited to the purposes of the scenarios laid out above. Cyber insurance and kidnapping and ransom may apply.
We are facing three simultaneous game-changers – the remote paradigm, emerging technologies and increasingly prescriptive privacy regimes. At the same time, adversaries are taking advantage of this time to invest in research and development. Victim enterprises continue to bear many of the costs.
The current remote work situation may continue, we may return to normal or we may find itself somewhere in the middle. Regardless, this time presents an opportunity to look at our approach to remote situations. By extension, it should be a time to examine and adjust business continuity plans, many of which may have been found lacking in this experience. Moving away from the remote setting, this experience highlights many aspects of traditional security that can benefit from fresh work. Again, it calls for a recognition of the increasing interdependence of physical and information security. Further, overall, this period should demonstrate the need for competent security officers and cross-disciplinary teams dealing with security at the highest levels of the organization as well as the need to invest in comprehensive security and exercise plans meaningfully.
Disclaimer: This article is intended as general educational information, not as security guidance with respect to any specific situation or as legal advice. If the reader needs legal advice, the reader should consult with an attorney.