The Difficulties of Remaining Compliant in the New COVID Landscape

If there is one thing that everyone can agree on in these interesting times, it is that COVID-19 has upset the apple cart in lots of different ways. Everything from school to work to social gatherings has been disrupted and changed over the last eight months, and some of these changes are likely to be permanent. However, one thing that is still required is adherence to the rules and regulations that govern good IT security. You might have to adhere to the Payment Card Industry Data Security Standard (PCI DSS) to be able to accept credit cards. You might deal with medical information that puts you in the line of fire for the Health Insurance Portability and Accountability Act (HIPAA). And most, if not all companies have to be concerned at this point with some level of privacy protection, whether it is the European General Data Protection Regulation (GDPR) or one of the US state laws such as MA 201 CMR 17 or the California Consumer Privacy Act (CCPA). Although we are doing things differently now, the requirements to secure systems, processes, and people to remain compliant have not changed. This creates some unique difficulties.

Companies that once passed annual compliance assessments easily have started to see issues. What we have found is that this disruption of the way we do business has uncovered gaps that businesses did not need to deal with before now. As a result, some companies are starting to scramble to re-secure and re-comply with regulations and standards just like they scrambled to set up remote workers and Zoom meetings back in the spring.

As time has progressed and Compass IT Compliance has had the chance to review many companies and system setups during the pandemic, a pattern of gaps started to emerge across the different environments that we thought would be worth sharing. Below are some of the key controls that companies started to notice gaps in over the last two quarters:

Patching, scanning, and updating of systems – No one likes patching, and there is not a silver bullet to make it easy, no matter how much you spend. However, one thing we have seen is that with the huge push to remote work, patching has become even more difficult. Automated patching systems that relied on timed patching of environments missed many systems that were now connected by VPN and performing vulnerability scans had the same issue. With systems operating outside of the usual corporate network, having an unpatched system not behind corporate firewalls and monitoring is a significant risk.

• What we recommend – Many anti-malware, vulnerability scanners, and even patching tools now come with agents that can be installed and managed from the cloud. This provides a company with the ability to manage and monitor the health of remote systems even when not connected to the corporate network. In most cases the cost is quite reasonable, although there will be some lifting to get it installed and set up. In the event your company is not ready to do this, consider turning on automatic updates for both OS and third-party updates so that remote machines at least get any security updates automatically.

VPN access – In the scramble to make sure everyone had access to the corporate network remotely, many staff were added without checking access levels to the network, in some cases giving them access to more than they had while in the office. In addition, there are still companies who only require a username and password to access the corporate network. Because of the huge spike in remote users, this creates an easy point of entry that hackers can use by compromising a password.

• What we recommend – If you have not enabled multi-factor authentication (MFA) for all users working remotely, do so immediately! Many companies that didn’t have much of a remote presence had to scale quickly, but now that the dust has settled, make sure users have tokens or that access is restricted to corporate owned machines through certificates with a Terminal Access Controller Access Control System (TACACS) server. There are multiple ways to add extra security, just make sure that access is not only username and password. Also, review the security settings for all users. Make sure that users are in a VPN group, and that they only have rights to systems and data they need for their jobs. Finally, make sure you are monitoring for suspicious behavior, just like you would internally. You should be looking for multiple login attempts that could be suspicious, access from outside the US (provided you are a US only shop), or logins at odd hours when there is no reason to access the environment.

External scans and penetration tests – Because of the new environments, many companies had to make significant changes to firewall and router rules to allow remote access. In some cases, they added lines, added IP addresses, and changed routing paths. This means that the scans and tests that were run in the past may no longer apply. Holes could have been opened inadvertently, and new vulnerabilities might be introduced into systems that were not used in the past.

• What we recommend – Many of the security frameworks and compliance regulations require regular testing of the environment. With all the added traffic and external network changes, if you have not performed a thorough vulnerability scan and penetration test, now is the time! Make sure any new opened IP addresses and ports are scanned and reviewed for vulnerabilities. Ensure that the firewalls and routers are locked down, and that any changes cause alerts to be issued.

Compliance has not significantly changed since COVID-19 hit earlier this year. Many of the requirements are still the same. However, the way we do business and how our systems are configured have undergone substantial changes this year. Any significant system change can expose new vulnerabilities and opportunities for attack. These are just three areas that we see where companies have had to expose themselves to new attack vectors to continue doing business. Making sure that these and other compliance controls are reviewed in the new environments is critical to maintaining both compliance and good security.