If there is one thing that everyone can agree on in these interesting times, it is that COVID-19 has upset the apple cart in lots of different ways. Everything from school to work to social gatherings has been disrupted and changed over the last eight months, and some of these changes are likely to be permanent. However, one thing that is still required is adherence to the rules and regulations that govern good IT security. You might have to adhere to the Payment Card Industry Data Security Standard (PCI DSS) to be able to accept credit cards. You might deal with medical information that puts you in the line of fire for the Health Insurance Portability and Accountability Act (HIPAA). And most, if not all, companies have to be concerned at this point with some level of privacy protection, whether it is the European General Data Protection Regulation (GDPR) or one of the US state laws such as MA 201 CMR 17 or the California Consumer Privacy Act (CCPA). Although we are doing things differently now, the requirements to secure systems, processes, and people in order to remain compliant have not changed. This creates some unique difficulties.
Companies that once passed annual compliance assessments easily have started to see issues. What we have found is that this disruption of the way we do business has uncovered gaps that businesses did not need to deal with before now. As a result, some companies are starting to scramble to re-secure and re-comply with regulations and standards just like they scrambled to set up remote workers and Zoom meetings back in the spring.
As time has progressed and Compass IT Compliance has had the chance to review many companies and system setups during the pandemic, a pattern of gaps started to emerge across the different environments that we thought would be worth sharing. Below are some of the key controls that companies started to notice gaps in over the last two quarters:
Patching, scanning, and updating of systems – No one likes patching, and there is no silver bullet to make it easy, no matter how much you spend. However, one thing we have seen is that with the huge push to remote work, patching has become even more difficult. Automated patching systems that relied on timed patching of the environment missed many systems that were now only intermittently connected by VPN, and scheduled vulnerability scans had the same issue. With systems operating outside the usual corporate network, an unpatched system that is not behind corporate firewalls and monitoring is a significant risk.
VPN access – In the scramble to make sure everyone had access to the corporate network remotely, many staff were added without checking their access levels to the network, in some cases giving them access to more than they had while in the office. In addition, there are still companies that only require a username and password to access the corporate network. With the huge spike in remote users, this creates an easy point of entry that an attacker can use simply by compromising a password.
External scans and penetration tests – Because of the new environments, many companies had to make significant changes to firewall and router rules to allow remote access. In some cases, they added rule lines, added IP addresses, and changed routing paths. This means that the scans and tests that were run in the past may no longer apply. Holes could have been opened inadvertently, and new vulnerabilities might have been introduced on systems that were not exposed in the past.
Compliance has not significantly changed since COVID-19 hit earlier this year. Many of the requirements are still the same. However, the way we do business and how our systems are configured have undergone substantial changes this year. Any significant system change can expose new vulnerabilities and opportunities for attack. These are just three areas where we have seen companies expose themselves to new attack vectors in order to continue doing business. Making sure that these and other compliance controls are reviewed in the new environments is critical to maintaining both compliance and good security.