CAR - Cyber security in the age of pandemic.

Thanks to Dr. Rupak Kharel for the useful discussion leading to this article.


The past few months have been quite eventful for companies, governments and individuals alike. Unlike many events, this particular one is life-threatening. One that aims to, bluntly speaking, wipe humans off the face of the earth if not controlled. Yes, I'm talking about Coronavirus or Covid-19. There's now a race across various medical research institutions to produce a vaccine to combat this deadly virus, which postdates its predecessors - MERS, SARS, Ebola.

At least here in the UK, we've been on a lockdown since March 26 2020. Regardless of the decision-making models the government used, complaints state it took longer than expected. The self-isolation and social-distancing advisory aims to minimise the spread of the virus, allowing for control measures to be established to curb the mass infection. Additionally, it'll allow those infected without knowing it to see symptoms whilst the virus incubates. Those not infected benefit from the same advisory by not coming into contact with infected people or contaminated areas. I believe the science behind this is to minimise the impact on the health services; else the herd immunity would have stood its test of time per the government's initial approach in dealing with the outbreak. After all, reports suggest about half of the UK population may have already been infected; a record 33 million people.


So, what is CAR, you may be wondering? It is not a new self-driving autonomous vehicle, nor is it a remedy for fighting the epidemic. Apologies if I have disappointed you, whatever your stance may have been. Rather, the focus is on Cyber security and managing risk during an epidemic of this nature. This article aims to highlight some of the Cyber security risks pertaining to businesses that have reverted to or enabled full remote working for their employees. Individuals may find insights on how to work remotely in a secure way and protect their identity online. Now let's dig into what CAR is all about by first looking at the definition of the acronym:

  • Compliance - procedures that must be followed to ensure full compliance with the law.
  • Access (control) - the opportunity or right to use something or to see somebody/something.
  • Repudiation - the act of refusing to accept something.

C - Compliance

The last few years have seen a drastic change in privacy regulation, specifically around the protection of Personally Identifiable Information (PII). This is a strong indication that governments and other institutional bodies take data privacy seriously, and a stern warning to businesses of the consequences of breaching the applicable laws. As a result, we have seen a review and update to data protection laws globally, such as the UK DPA 2018 and General Data Protection Regulation (GDPR) alignment for businesses operating outside the geolocation of the European Union. What is at stake is how compliance extends into our homes, now that we're all working remotely. Numerous organisations have distributed smart devices to their customer-facing staff so they can continue working, either because they operate in the "key sector" domain or to maintain operational profit and minimise losses. Without adequate time to assess the impact and determine compliance risk, a crisis such as this may lead to inadvertent compliance breaches, depending on business sector. Would regulatory bodies relax the rules when human lives are at stake? This question requires deeper research, now or later. Personally, the rules must still apply, and businesses should have prepared for this scenario in their business continuity and disaster recovery plans (BCDR). But how many of us have reviewed them in the last 12 months? That is a question for all of us to ponder on and perhaps keep the answer under wraps. We shall review our plans in 2021, I guess.


A - Access

I witnessed the scramble to deploy remote access capabilities. I experienced network performance degradation on corporate network systems and in my personal internet speed. I read company notices not to utilise remote services such as Citrix during business hours when not important. Change approval boards flexed their muscles to keep stability, not approving any network-related changes unless business-critical. The immediate demand for remote working access would allow security control measures to be relaxed by a degree. The urgency to deploy remote working services or increase capacity would allow security gaps to be introduced, either intentionally (usability over security) or by mistake (misconfiguration). This creates a vector for attackers to poke around and exploit human factors through methods such as phishing. Could we have designed and planned for secure and resilient network services to minimise the risk of vulnerabilities being introduced? Yes, maybe. I fear the exploitation of vulnerabilities isn't going to be noticed now. Attackers will lie dormant, move laterally and escalate privilege whilst they siphon data out secretly, so far under the radar that even the most sophisticated security prevention and detection systems would not be triggered. If you haven't thought about reviewing audit trails, it's time for a full sweep of your architecture stack. Better late than never!


R - Repudiation

Repudiation is the act of refusing to accept something, according to the Oxford Learner's Dictionary. Times of crisis such as this call for careful screening of calls, requests, and access. However, the volume of demand may result in relaxed screening processes to ensure everyone has a fair experience. Fear causes panic, as we have seen in the earlier rush into shops to stockpile essentials without clear thought about what really is essential. The toilet tissues may still be shelved, but dry nuts may have been a better substitute for nutrition. Lest we learn! The point here is whether we are able to properly screen individuals' access before granting their requests and, most importantly, whether we know they are the right entity in the first place. As previously mentioned, usability may see a degree of uplift over security. Thus, spikes in outliers would be noted once the dust settles and detailed analysis is performed. Financial institutions would likely experience fraud cases where attribution of these possible financial crimes to their customers becomes difficult to solve. The dataset needed to narrow the activity to a small set of user(s) is too wide to compute, and cases may last months if not years. Non-repudiation is one of the most challenging security problems. Enhanced access control mechanisms to augment basic access - what you have, know, and/or are - may be insufficient to prove user actions. In 2017 alone, there were around 27.2 million households with an average of 2.4 people in every household in the UK. Although current security controls may be adequate in certain scenarios, proving that a user carried out an action when the majority of the population (~66m) are remote is an uphill battle for any fraud investigator. I expect to see wider adoption and application of technologies such as machine learning and artificial intelligence across many businesses to detect and prevent fraud.


The impact of this pandemic on Cyber security among businesses will be significant. We may never know the true monetary cost, as I suspect it to be an on-going matter. Cyber-attacks would increase as adversaries take advantage and blend in with the already chaotic noise of large legitimate ingress and egress network traffic datasets. The breaches may not be known until these data are examined thoroughly, an effort that will take many months if not years to accomplish. This article looked at how compliance extends into our homes and remote sites without proper due diligence of the risk. Access control surely would be relaxed in some cases for usability, and access control choices may not be granular enough to meet the urgent demand. Repudiation - who, when and how - of an entity's action would be crucial to security and fraud investigations. Arguably, many businesses were unprepared for such an outbreak, and unmanaged risk will further expose them to security breaches. Business continuity and recovery plans were perhaps out of date to support the demand of this unexpected way-of-working. Would we ever know the real impact on businesses? Maybe not, but we could all blame one victim - Coronavirus!