The remote workforce has become a long-term reality, extending well into 2021 and possibly beyond. While most cyber experts were predicting that a near 99% virtual workforce might be possible in four to five years, it came to fruition in a matter of two months, right when the COVID-19 pandemic started.
Many businesses across Corporate America were not prepared for the scale of this change, and new cybersecurity issues have emerged as a result, especially where home networks now connect directly into corporate networks. This has exposed confidential information and data to theft by malicious third parties.
Other data security issues have also surfaced recently; they are the focus of this review, along with the forensic impact of each area.
Focus 1. The use of Virtual Private Networks (VPNs):
The VPN has long been one of the most relied-upon tools for transmitting confidential information and data across an untrusted network connection. Most corporate deployments, however, were sized for a workforce that works remotely perhaps 20-30% of the time, and they have struggled to keep up with the load that became necessary beginning in March of 2020. Because of this, the number of brute force attacks against VPN logins has escalated to levels never seen before; these kinds of breaches now make up at least 45% of the cases that Incident Response teams must respond to (SOURCE: 1). The attack is carried out much as it would be against any other exposed login service: the Cyberattacker targets a specific VPN portal and overwhelms it with hundreds of authentication requests, drawing on a list of previously stolen credentials (most likely purchased on the Dark Web). Strictly speaking this is credential stuffing or password spraying rather than a blind brute force, which is why it succeeds wherever employees reuse passwords and the VPN lacks multi-factor authentication. Once a valid username/password combination has been found, the Cyberattacker has a quick and covert foothold on the internal network from which proprietary information and data can be accessed. Worse yet, that foothold can be leveraged for lateral movement into other corporate systems, in an attempt to reach the Personally Identifiable Information of employees and customers for further exploitation.
While many are familiar with how a VPN works, most were not ready to deploy and use one at home. Work use and general household use of the same device and network became muddled in the transition, and that mixing puts the data being transferred at risk. A VPN encrypts traffic between the endpoint and the corporate gateway and hides the endpoint's IP address from the local network, which is real protection on an untrusted network, but it does nothing to stop malware, phishing, scams, or other attacks against the endpoint itself. A VPN is not an antivirus product or a firewall, so those controls still need to be present and properly configured alongside the VPN for the best protection.
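The spraying pattern described above leaves a distinctive trace in the VPN gateway's authentication log: many failures against many different accounts from one source address in a short window, sometimes followed by a success. The detector below is an added example, not part of the original article or of any vendor's product; the log format, hostname, IP addresses, user names and thresholds are all constructed for illustration and the regular expression must be adjusted to a real gateway's log format.

```python
"""Spot credential stuffing / password spraying against a VPN portal in its auth log.

Added example, not from the article or any VPN vendor: the log format, hostname,
addresses, user names and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user src success")
Finding = namedtuple("Finding", "src distinct_users first_fail last_fail compromised_users")

# Constructed sample: one source cycles a stolen credential list through the portal
# and lands a hit; another is a legitimate user who mistyped once; a third is clean.
SAMPLE_LOG = """\
2020-09-14T02:10:01Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=FAIL
2020-09-14T02:10:03Z vpn-gw01 auth user=mjones src=203.0.113.45 result=FAIL
2020-09-14T02:10:04Z vpn-gw01 auth user=alee src=203.0.113.45 result=FAIL
2020-09-14T02:10:06Z vpn-gw01 auth user=bpatel src=203.0.113.45 result=FAIL
2020-09-14T02:10:08Z vpn-gw01 auth user=cwong src=203.0.113.45 result=FAIL
2020-09-14T02:10:09Z vpn-gw01 auth user=dkim src=203.0.113.45 result=SUCCESS
2020-09-14T02:11:00Z vpn-gw01 auth user=rgarcia src=198.51.100.7 result=FAIL
2020-09-14T02:11:30Z vpn-gw01 auth user=rgarcia src=198.51.100.7 result=SUCCESS
2020-09-14T09:00:00Z vpn-gw01 auth user=tnguyen src=192.0.2.10 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw lines into Event tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["user"], m["src"], m["result"] == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_distinct_users=5):
    """One Finding per source IP that failed against >= min_distinct_users different
    accounts inside `window`. Brute force against one account trips lockout policy;
    spraying spreads one or two guesses across many accounts, so the tell is the
    number of *distinct* users per source, not failures per user."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.success]
        start = 0
        for end, ev in enumerate(fails):
            # slide the window so that fails[start:end+1] all lie within `window`
            while ev.ts - fails[start].ts > window:
                start += 1
            targeted = {e.user for e in fails[start:end + 1]}
            if len(targeted) >= min_distinct_users:
                # any success from the same source after the spray began is a probable
                # valid credential: reset it and investigate what the session did next
                hits = sorted({e.user for e in evs
                               if e.success and e.ts >= fails[start].ts})
                findings.append(Finding(src, len(targeted), fails[start].ts, ev.ts, hits))
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"{f.src}: {f.distinct_users} accounts tried between {f.first_fail:%H:%M:%S} "
              f"and {f.last_fail:%H:%M:%S}; successful logins after spray began: "
              f"{', '.join(f.compromised_users) or 'none'}")
```

Because a spray makes only one or two guesses per account, per-account lockout never fires; the signal is the count of distinct accounts per source. A success from the same source after the spray began identifies the account to reset first, and the source address becomes the pivot for reconstructing what that session touched on the internal network.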
Focus 2. Lack of company-issued equipment:
In the rush to get employees working remotely as quickly as possible, many organizations were under a severe time crunch to issue equipment with all the necessary security controls installed. As a result, many devices were not set up properly, or remote employees were not given anything at all. In the interim, people have been using their own personal computers and smartphones to carry out their daily job tasks. This has been a huge security risk because of the lack of security controls on those devices, and it risks exposing confidential information and data to a degree that is totally unacceptable.
Many organizations never considered the spread of data that was going to occur; they only knew that they needed to get people working. The spread of digital evidence onto non-corporate-owned devices has grown exponentially with the remote workforce, and the questions of data collection and ownership now come into view. With no legal precedent for this type of situation, many organizations are left scratching their heads over the next step and how to follow up with a proper digital forensic collection response.
Focus 3. The use of the Cloud:
Over the course of this year, many businesses have also realized the strategic benefits of a Cloud-based platform (such as Amazon Web Services or Microsoft Azure) onto which they can move their entire On-Premises infrastructure. While these providers offer an extensive suite of tools that a company can use to protect its hosted data stores, the problem now becomes one of proper configuration. Too often the default settings are left in place, and those defaults are not aligned with the security requirements of the organization, opening a new avenue for the Cyberattacker to reach confidential information and data.
As data has spread to cloud storage, many forensic responses have lacked the capability to perform this style of collection. Tools are being updated to account for cloud capture, as was done in the Paraben E3 Forensic Platform version 2.6, but the need for training and procedure remains. Many teams have not put a structured plan or process in place for cloud data collection, and as a result it gets missed in the digital evidence process.
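What a configuration review of cloud storage is actually looking for can be made concrete. The audit below is an added example, not from the article or from any provider's SDK: the two policy documents are constructed, and the evaluator follows the IAM policy grammar (Effect, Principal, Action, Resource, Condition) in simplified form rather than replacing the provider's own access analyzer. It shows the weak grant beside the hardened one and why the provider-supplied "block public access" switch matters.

```python
"""Audit a bucket policy for anonymous access instead of trusting platform defaults.

Added example, not from the article or from any cloud provider's SDK: both policy
documents are constructed, and the evaluator is a simplified reading of the IAM
policy grammar, not a substitute for the provider's own access analyzer.
"""
import json

# Constructed: a policy that opens every object to anonymous readers.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-backups/*",
    }],
})

# Constructed: the hardened form, limited to one role reached from one VPC.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleFromCorpVpc",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupWriter"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-corp-backups/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0abc1234"}},
    }],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """Both "*" and {"AWS": "*"} mean anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json):
    """Map Sid -> 'public' or 'public-with-condition' for each Allow statement whose
    principal is anonymous. A Condition may genuinely narrow the grant (source VPC,
    source IP) or may not (aws:SecureTransport only forces HTTPS), so conditional
    grants are flagged for review rather than silently accepted."""
    doc = json.loads(policy_json)
    flagged = {}
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        flagged[sid] = "public-with-condition" if stmt.get("Condition") else "public"
    return flagged


def bucket_is_exposed(policy_json, public_access_block):
    """True when the policy grants unconditional anonymous access AND the bucket's
    block-public-access settings do not neutralise it. The dict mirrors the S3 setting
    names; RestrictPublicBuckets is the switch that defuses an already-public policy."""
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return any(v == "public" for v in find_public_statements(policy_json).values())


if __name__ == "__main__":
    for name, pol in (("PUBLIC_READ_POLICY", PUBLIC_READ_POLICY),
                      ("RESTRICTED_POLICY", RESTRICTED_POLICY)):
        print(name, find_public_statements(pol),
              "exposed" if bucket_is_exposed(pol, {}) else "not exposed")
```

The review question is never "did the provider give us a tool" but "is the tool switched on for this bucket": the same public policy is harmless with RestrictPublicBuckets set and a breach waiting to happen without it.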
Focus 4. The use of insecure networks:
When restrictions were eased over the summer, many remote employees started to work from public places such as Starbucks or Panera Bread. While these venues do offer internet connectivity, their Wi-Fi is very often open, with no encryption at the network layer. Rather than first connecting to the corporate VPN, the tendency was to use these public connections directly to carry out work-related duties. As a result, anything transmitted without TLS or a VPN traveled in clear text and was visible to anyone else on the same network. Worse yet, these venues are also ideal places for a Cyberattacker to leverage a Social Engineering attack: posing as a patron, the attacker can easily strike up a conversation with a remote employee, or simply watch a screen over a shoulder. Even if an encrypted connection was established, a packet sniffer hidden in a clothing pocket can capture the traffic for later analysis; strong encryption keeps the contents protected, but any unencrypted sessions, and the metadata of who connected to what, are exposed for exfiltration at a subsequent point in time.
Although it would be rare for a forensic collection to happen over an insecure network, the temptation of readily available bandwidth is out there. Many teams that used to do forensic processing on a closed connection, but are now doing so from home, have been forced to review their bandwidth. The hope is always that collections did not happen on public networks, but with home bandwidth caps and the pressures of working from home, the risk was there.
Focus 5. The lack of proper patching:
Before the COVID-19 pandemic hit, companies (for the most part) maintained a fairly regular schedule of applying the needed software patches and upgrades to their servers, databases, and employee devices. But with many remote employees now reaching shared resources from their own home networks, it has become far harder for IT Security teams to deploy these patches. Corporate-owned devices can still be patched through management tooling that reaches them over the internet, but you cannot force a remote employee to install anything on a personal device or home router if they don't want to. Many organizations are still trying to find a fix for this grave issue, and in the meantime the Cyberattacker has yet another easy way into your most critical information and data: many remote employees still have not hardened their home networks and rely on a single shared Wi-Fi password to protect them.
Overall, we have examined some of the key areas in which your mission-critical information and data can be covertly hijacked without your knowing about it until it is too late. Once a breach occurs, understanding how those same risks apply to the forensic data being collected is critical to a holistic view of the issues at hand. As with any potential security breach, you owe it to your key stakeholders to conduct a thorough examination of what happened and to ensure it can be mitigated in the future. When selecting a response team, or preparing your own, always step back and consider the forensic impact of working conditions that the COVID-19 pandemic has changed for good.