Take a bow, ye in IT and infosec, for pulling off the biggest, baddest save-the-world action in the heat of a pandemic. Because of you, businesses keep running even when there isn't anyone in the building to keep the lights on and the machines patched.
"Most CISOs were focused on getting people remote as quickly as possible using a 'just-get-it-done' approach," says Andrew Turner, executive vice president at Booz Allen Hamilton.
Among the new duties of leaping tall and varied obstacles was the need for speed in shipping an unprecedented number of devices to just about as many homes. Thinking on your feet was the only way to get things done on the fly.
"Some were even chartering flights and shipping laptops to offshore locations around the world to support operations and critical call-center functions," Turner says.
He ticked off many such budget-squeezing, logistic jamming, and disease-defying feats, all of which ranked well above the normal call of duty. Yet, despite racking up a staggering and unprecedented number of wins in record time, "In the chaos, a lot of best practices likely fell through the cracks," he says.
Oh, yes. He makes a fair point. And now it’s all coming back to haunt us.
Pregnant Pauses and Scary Deliveries
Many new issues are arising from those cracks now to threaten companies. And how could they not? Those empty buildings remain abandoned a year-and-counting later. No telling what has occurred in there in all this time — or what new and awful challenges are brewing in there still.
"Companies that rely on 'air gaps' to protect sensitive networks or machinery should be particularly concerned because the surest way to jump the air gap is with physical access," says Michael Bahar, partner and co-lead of global cybersecurity and data privacy at global law firm Eversheds Sutherland.
"Also, insider threat is heightened by weakened physical access controls. Employees who have the right to be in an office building may find their ability to gain unauthorized access to equipment, systems, and information far easier with fewer other people around," Bahar adds.
An abandoned building could present almost infinite opportunities for an inside threat. Just finding an "unoccupied desk with an open Ethernet port can easily become the initial entry point into a company's network," warns Chris Hass, director of information security and Research at Automox, an endpoint management company.
Attackers and malevolent insiders could easily sweep the area for passwords on sticky notes on desktops, sensitive information left on printers and copiers, and other valuable oversights from a rushed exit. Heck, maintenance crews, lease holders, and security guards could conceivably do the same. Or they could just as easily become unwitting accomplices.
"In one of my previous employments, I once forgot my ID badge to access a very sensitive remote location storing servers, domain controllers, and databases," says Gavin Ashton, security strategist at Stealthbits, now part of Netwrix. "I managed to get in with nothing more than a nice smile, polite manners, and some techno-babble about what I was there to do, so I was escorted down into the server room and left alone."
Social engineering works, he adds, "and we cannot assume the space inside four walls to be secure anymore," Ashton added.
Attackers with access to workspaces and devices could plant some nasty surprises that won't kick in until much later.
"For example, an attacker can install hardware implants. Rather than stealing hardware, it can be modified by installing a hardware keyboard sniffer to capture credentials," explains Mario Santana, senior fellow, threat analytics at Appgate. "Likewise, an attacker can hack into cameras and microphones in boardrooms to capture sensitive conversations once people come back to the office."
Company workers are beginning the trek back into these ghost towns. Back to their seats in abandoned offices and workspaces. What security terrors will your company face once the doors are thrown open again?
Hauntings and Hardware Horrors
Plenty of security issues have risen from the speed and scale of the massive worker migrations to their homes.
"A year ago, changes had to be made and organizations had to make a choice between handling remote work 'right' or handling it 'right now,'" says Rick Vanover, senior director of product strategy at Veeam. "When solutions are hurried, mistakes are made."
The challenge now is to mitigate problems as the tide of workers flows back in the opposite direction. But in many ways, that may actually be trickier to pull off.
For example, even a mature cybersecurity operation could struggle with devices left online and untouched for long periods of time, Appgate's Santana says. Some of the examples he cites are:
- Desktop patches get "stuck" and require a manual reboot.
- Encryption certificates expire, and no one notices.
- Data shares that were meant to be temporary are left enabled.
"There are a million other minor human interactions that we don't normally notice but may be critical when it comes to cybersecurity," Santana warned.
And don't forget the stockpile of old devices previously scheduled for wipes and disposal.
"This is like 'Pompeii,' except instead of buildings and people preserved in ash, it is desktops, servers, and other computer devices that are running on old versions of software," says Nick Edwards, VP of product management at Menlo Security. "IT security professionals should assume the worst when the lights go back on."
Add to that an incoming tsunami of devices that may be loaded with security threats — some that need to be disposed of and some that will be connected directly to the office network, too.
According to a November 2020 Blancco report, 97% of 600 global enterprises surveyed purchased new IT equipment in the last year to equip an at-home workforce.
"Now there's a redundancy of devices looming — some may be reused and others may be recycled or disposed of otherwise. With so much tech equipment in flux, companies will have to hone their data hygiene practices, an issue that enterprises have not entirely tackled to date," says Fredrik Forslund, director of the International Data Sanitization Consortium (IDSC) and VP of cloud and data center erasure solutions at Blancco.
Security pros will have to race the workforce to these machines to ensure they aren’t turned on before they’re checked for problems.
"Companies should also have a plan to test and update systems that have not been touched during the pandemic. They should be isolated from the network before being turned on to run diagnostics, make updates, and patch any vulnerabilities," advises Camille Stewart, cybersecurity expert at Google.
Booby Traps and the Return of the Day Walkers
The usual lineup of security problems that existed pre-pandemic still persist now. Plus, as expected, the bad guys continue to be super-crazy creative and increase the level of sophistication in new attacks because that's just how they roll.
Buildings that were not properly secured and monitored over this past year present a ton of new opportunities and, as you know, "attacker" is just another word for "sneaky-pants opportunist" in the security world.
One example: "Recently, in one customer environment, hidden boxes stacked in an organization's warehouse were discovered to be housing a clandestine cryptocurrency farm in disguise, illegally running off the company's network power," says Justin Fier, director of cyber intelligence and analytics at cybersecurity firm Darktrace. "With Bitcoin at an all-time high, I can imagine malicious insiders or cybercriminals are increasingly using abandoned office buildings to place their mining rigs and steal corporate network power."
Yikes! But that's not the only thing going down in all these newly created ghost towns.
"Alternatively, attackers may indeed break into offices to drop in rogue dropboxes, which seem inconspicuous," Fier adds. "Particularly with empty offices, these kinds of devices are likely to get overlooked by security teams, and they represent easy entry points to use for later cyber intrusions."
In some cases, the bad guys will increase efficiencies in their existing playbooks.
"For instance, in the event of a ransomware attack, it's much easier to physically shut down a machine or pull a power plug than it is to do remotely from thousands of miles away — and in high-stakes environments, like highly secure data centers, security teams operating remotely face a real danger of not being able to act in time," Fier said.
That's just a few of the haunts and horrors that security teams are likely to find when employees return in a hybrid or full new normal workspace model.
Have you run across other interesting "pandemic specials" in your sweeps to make it safe for workers to return to their workspaces? Help the security community out and tell us about it in the Comments section, below. Have some great pandemic war stories to share? Send those to the author of this story, please — you may find your work highlighted in another feature story soon.