Dark Reading | Operations | Commentary

10/21/2020, 12:00 PM
Alan Brill
Are You One COVID-19 Test Away From a Cybersecurity Disaster?

One cybersecurity failure can result in a successful ransomware attack or data breach that could cause tremendous damage. There's no need to panic, but neither is there time to ignore the issue.

The president of the United States testing positive for COVID-19 reminds us that there is no guarantee any individual will remain virus-free. That's true in Washington, and it's equally true for those managing and running the cybersecurity of our organizations.

Fortunately, the possibility that the president could become ill was understood. The Presidential Suite at Walter Reed National Military Medical Center is no spur-of-the-moment facility. It was set up for such a need. Aside from the full medical staff and facilities of Walter Reed, it has communication facilities provided by the White House Communications Agency and security vetted by the Secret Service. In short, the government recognized the need, created a plan, and took the necessary steps to provide the infrastructure that would be needed to execute that plan.

The news about the president's medical condition is a reminder that we need to consider not only what we do to protect our systems in these disruptive times but also whether we've sufficiently planned for resilience in our cybersecurity operations and teams.

Given the history of cyberattacks, ranging from large-scale data thefts and insider problems to the current rash of ransomware attacks and business email compromises, corporate and government managers understand that continuous cybersecurity — 24 hours a day, seven days a week — is vital. But going from that understanding to having actual operational resilience requires planning and work to make it effective. While companies have increasingly turned to using automated monitoring systems to help them surveil their networks and systems, the results and alerts generated by those systems must be reviewed by qualified security specialists and turned into actionable intelligence and decisions.

Most companies run very lean when it comes to cybersecurity staffing, and experienced network monitoring specialists are in short supply in both the public and private sectors. As threats evolve, those monitoring our networks must continuously update their knowledge to be prepared for both current threats and whatever is coming next. Add to this the stresses related to changes required by the coronavirus pandemic (such as remote working and increased reliance on cloud services) and the cyber-risks have grown — sometimes faster than the ability of the company to adjust cybersecurity to match the new challenges.

Another problem that all companies face is that while we frequently read about cybersecurity incidents involving large breaches, successful significant attacks against any particular organization are actually infrequent. As a result, organizations typically have little practical experience to go on. They're at the bottom of the learning curve when they need to be at the top. After they recognize an event, companies — often with the assistance of their cyber-insurance carriers — bring in specialized legal expertise and cyber-forensic investigators with significant experience. That's great, but it's after the fact.

The real issue is how we manage our cybersecurity to prevent serious incidents. With COVID-19, it doesn't matter how you get infected, but once you have the virus, you can get very sick very quickly and become unable to do your job. If that job is monitoring the cybersecurity health of your company, are there qualified replacements trained and ready to step in?

Every organization should take the news from Washington as an opportunity to ask the "what-if" question and to carry out a cybersecurity resiliency risk assessment. We have to recognize that cybercriminals are taking advantage of security weaknesses, and we must do our best to avoid disruptions.

Start by understanding who in your organization is available and qualified to monitor your networks (and network monitoring systems) around the clock. Determine if there are additional experienced personnel available to step in if needed, and if they're ready to do so. Based on the risk assessment, management should give serious consideration to working with an outside analysis and response organization as their primary or backup source of network monitoring and incident response.

Do You Need Help?
Many companies have chosen to outsource or augment their network and systems monitoring with organizations that bring a team of qualified analysts who can triage security alerts, hunt for threats, and respond as needed on behalf of (or alongside) internal teams. Because they work across many companies, these organizations have substantial experience in dealing with the range of current and emerging threats and bring analytic and intelligence capabilities that only the largest companies could afford. These outside organizations provide best-of-class monitoring and analytics that provide a combination of automated analysis and human oversight, and they can provide service if and when an in-house information security team becomes disabled or needs to quarantine or isolate.

There's no need to panic, but neither is there time to ignore the issue. A single cybersecurity failure can result in a successful ransomware attack or data breach that could be enormously expensive and cause tremendous reputational damage. Taking some simple steps to avoid these problems by assessing the resiliency of your cybersecurity program is well worth it.

Alan Brill is a Senior Managing Director in the Cyber Risk practice of Kroll, a Division of Duff & Phelps, and is a Fellow of the Duff & Phelps Institute. He is also an Adjunct Professor at Texas A&M University School of Law. Alan has worked on numerous high-profile ...

Comments

Alex White (User Rank: Author), 10/27/2020 12:06:22 PM
Many Great Points
This article brings up some really good points that all companies and CTOs must consider. In the middle of a pandemic, we must of course expect that our employees may get sick -- and we must be prepared in the event that they do, so that no gaps occur in their absence while they focus (rightly) on getting well again.

Alan Brill (User Rank: Author), 10/22/2020 1:02:43 PM
Some additional thoughts...
While in the op-ed I focused on issues relating to the more limited in-house technology resources that may be available during the pandemic, please don't think the issue is limited to the technology team. Others can be problematic as well.

If decision-making managers have limited availability or are harder to reach, getting decisions made that may be very time-sensitive may be difficult. Deciding whether to treat a ransomware case as a breach -- which is often the truth of the incident, as data theft now can precede the encryption -- which implicates the need to notify those affected as well as government agencies, could be delayed if, for example, legal counsel was harder to reach or to brief. Having the ability to get contracts in place with vendors (of forensics, investigations or notification) may be critical, and some may have requirements relating to issues like establishing attorney-client privilege.

The idea I wanted to get across is that during the pandemic, the changes in how we work can affect the ability to carry out an incident response plan. People working from home, people working with more limited resources, and the inability to just "run in and talk to" whoever can affect how an organization responds to a challenge.

As a result, I'd recommend that you re-visit your incident response plan to ensure that it still works as intended in the face of the Covid pandemic. If it does, fine, but if not, you should be considering either temporary or longer-term changes to make sure the plan will be effective when it is needed.