The Trump administration has ordered hundreds of thousands of federal employees to be prepared to work from home full time and use VPNs to connect to government systems.
Government offices across the country have had to follow the lead of the private sector and help employees work from home as more efforts are made to stem the spread of COVID-19. On Thursday, Acting Director of the Office of Management and Budget Russell Vought sent out a memorandum saying all “federal executive branch departments and agencies are encouraged to maximize telework flexibilities to eligible workers” in parts of the country that have been hit hardest by the coronavirus pandemic.
“Departments and agencies are further encouraged to approve leave for safety reasons to employees who are at higher risk as identified by the CDC and not telework-eligible. In determining their telework and leave decisions, agencies should consider the mission-critical nature of their work,” Vought added.
Senator Mark Warner, vice chairman of the Senate Intelligence Committee, criticized the federal government for not making cybersecurity more of a priority as officials encouraged most departments to embrace telecommuting, telling the Washington Post on Friday that the move was “expanding opportunities for malicious actors to attack and potentially disrupt vital government services.”
Cybersecurity experts spoke with TechRepublic about what the federal government can do to protect workers, which devices are most at risk, and what the threat landscape looks like.
“Now that many companies have gone to telework and retail is closing for a few weeks, the government is thinking about how they can do the same for their employees. My guess is that like everything, there will be a few snafus but they’ll make it work,” said US national cybersecurity expert Mark Testoni, CEO of SAP National Security Services.
“The government is trying to respond to this. The two major challenges will be capacity, do they have enough capacity to have lots of people going in on VPN if they need to and is that infrastructure updated and secure enough and patched. But these are things they have always had to worry about regardless of situation. This is unique because of the time frame—it may be another four to eight weeks—and the size of the workforce that is working remotely. It’s not that the government hasn’t done telework, it’s the length of time and the size of it.”
Protection measures being taken
Shapira said government organizations had to communicate the increased fraud risk to employees with online security training that focuses primarily on work-from-home risk like phishing.
Agencies should also develop verification procedures for financial transactions, account access reset, credentials and the sharing of personal information. Passwords need to be strengthened and everyone needs two-factor authentication.
“If it’s the intelligence community, they should use burner devices that can be erased and installed again, monitor connections from devices to other networks and other parts of the organization, run drills and incident handling on a massive scale to verify everything is working, and refresh employee awareness using dedicated materials. It’s important to assess what is required, and when relevant, what can be limited or not used,” Shapira said.
Government organizations also have to teach employees how to spot and report threats they encounter, especially when it comes to email phishing attacks.
Kron added that employees need a clear way to easily contact their management or leadership, and the government needs to prepare for a surge in support requests as users begin to telework for the first time and have questions, especially about how they should secure sensitive information and what information can be processed on non-government machines. All antivirus software needs to be updated before any government data can be accessed.
Patching is key to providing employees with a baseline level of security.
Bohls said that government agencies should select and deploy an enterprise mobility management platform such as MobileIron UEM or Microsoft Intune so that agencies can manage their employees’ mobile business apps and company content without intruding into the employee’s private files.
“The next clear step is to select productivity apps for secure content capture, such as a managed camera app,” Bohls said.
“A major hedge fund just took those two steps to support employees working from home due to COVID-19, and they’re getting both their network and their users’ devices ready–while, like the rest of us, hoping this situation resolves soon.”
VPNs, devices and systems most at risk
Almost all government workers rely on VPNs and these will become ever more important as thousands more people work remotely. In response to the growing dependency on telework, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert regarding VPN security best practices for remote workers.
But many security analysts said these VPNs are designed for a small percentage of employees and not the thousands who will now need to access them repeatedly throughout the work day.
Salah Nassar, vice president at CipherCloud, said around 10% of employees typically use VPNs while teleworking and the new influx of users may have adverse effects on the speed of systems.
“This creates a major security threat as most employees will opt out of VPN access because it will be slow at best, or refuse the connection altogether, leaving many employees using collaboration apps to continue on their day-to-day activities: personal email, cloud-hosted email, cloud apps: Slack, Box, etc. When employees are working remotely, the biggest threat is the user identity. Bad actors are targeting government employees with sophisticated phishing attacks to steal credentials,” Nassar said.
Marcus Fowler, director of strategic threat at Darktrace, said VPNs are very important for federal government teleworking but have become a legacy method for the private sector. For those relying on VPNs, licensing and capacity usually become chokepoints in times like this, especially if organizations haven’t practiced their business continuity plans, he noted, adding that the federal government is further behind in offering more advanced remote access to key resources.
While some government workers may be familiar with more modern SaaS cloud solutions for communication and collaboration, many will need training on how to use these tools, opening them up to a variety of targeted attacks.
“It could also mean last-minute software installations, which may stress older equipment or low-bandwidth connections. Single sign-on and identity management is important in a SaaS world, as is multi-factor authentication. If an organization isn’t already comfortable doing this, they will need to quickly establish these behaviors,” Fowler said. “Endpoints will also be storing more data, even if just temporarily. This will make endpoint protections more important, whether that is through the use of technology or policy.”
Government workers typically use specific technology procured and protected by government-certified security products, meaning most employees will not be allowed to use their own devices.
In a memo seen by The Washington Post, the House Administration Committee explained in detail to all lawmakers how their offices can create temporary telework plans for their staff members. They also told them to visit the chamber’s office supply store where they can purchase already secure laptops and other useful tools.
Jason Kent from Cequence Security said remote connections to sensitive systems are going to be a target high on the list of attackers because cybercriminals will not have to negotiate the government’s firewalls and countermeasures. Phishing attempts will become far more common against unpatched devices, he added.
Other security officials said the use of mobile phones will be particularly problematic, especially if they are used to scan, capture and send documents and other content. Josh Bohls, CEO of Inkscreen, said mobile phones weren’t built for security and people often download workplace apps that are rife with malware and various insecurities. Bohls mentioned that CamScanner, a scanner app with malware, was downloaded more than 100 million times.
Despite the fear of attacks on smartphones or legacy devices, Elad Shapira, head of research at Panorays, said the real risk was with the people holding the devices.
“Someone who holds a senior position in the government or army is at risk of being targeted, regardless of coronavirus, and his or her devices are at risk of being attacked. That risk increases for people with public-facing positions. A politician with multiple social networks and activities and a known schedule is more at risk than someone who holds a key position in the intelligence community but is unknown in other countries,” Shapira said.
“In addition, people who work at help desks, IT, services and suppliers of organizations are especially prone to attack, as they might be a foot in the door to the government’s infrastructure and networks.”
The threat landscape for government agencies
Even though the entire world is being affected by the spread of COVID-19, that has done little to slow down hackers or state actors. On Sunday night, the U.S. Health and Human Services Department suffered a distributed denial-of-service (DDoS) attack targeting the HHS IT system’s bandwidth, according to CBS News. Although there is no hard proof at the moment, Bloomberg reported that officials at HHS “assume that it was a hostile foreign actor.”
Information about the hack is scarce, but government officials said hackers spent hours overloading HHS servers with millions of hits.
Fowler said there is going to be a spike in cyberattacks in general as attackers look to take advantage of the current fear and chaos to profit. For employees, this will likely mean increases in email-based attacks, he added, noting that as employees turn to SaaS applications for collaboration, the threats to SaaS applications will increase with attackers attempting to leverage compromised credentials or otherwise gain access.
Government agencies “will now have to depend on employees to upgrade their devices and ensure the latest patches have been installed. Unpatched devices are low hanging fruit for cybercriminals,” he said.
“When employees return to the office, they may be doing so with potentially compromised devices. This now puts the company’s central network in jeopardy. With the move to teleworking, employees are more vulnerable to email phishing or business email compromise. In addition to many more employees being at home, with the closure of schools their families will be there as well. It may become difficult to get work done at home and some employees may try and brave a local coffee shop or library to get work done. Public WiFi networks are significant threat vectors and should be avoided, especially without using a VPN.”
Matias Katz, CEO of Byos, said most government employees working from home don’t have the same firewalls, network-based intrusion detection systems and other defenses they have in the office, leaving organizations without any visibility into the network traffic that exists on a home Wi-Fi.
Unmanaged devices in the hands of children, teens and adults alike are the real problem because tablets, cellphones, home IoT devices and gaming consoles increase the attack surface and the risk. VPNs only encrypt data in transit and don’t isolate the device from the Wi-Fi. Devices are still exposed and vulnerable even when on a home Wi-Fi network. Once an attacker or malware gets into a device, they often go undetected.
They will seize or manipulate data with the ultimate goal of moving from a single remote device into the big prize: the organization’s network of servers. If the employee is using a VPN and becomes infected, the attacker can then pivot through the VPN, jumping into the datacenter, Katz said.
The increased reliance on email communication with telework will make it so that cybercriminals will be more successful with the kinds of email scams and ruses that have become wildly common since coronavirus first emerged in December and January. Hackers will send fake emails from the WHO, CDC or government agencies seeking login information for a variety of workplace tools.
If some government agencies have to relax access policies to make it easier for employees to get online quicker, stolen credentials can serve as an easy and subtle way for an actor to access data for purposes of extortion or espionage, Fowler said.
VPNs are effective in securing data movement but they don’t protect data on personal devices. Shapira said shadow IT systems will also be a problem as employees try to search for their own workplace collaboration tools outside of the government architecture. Shapira added that employees working from home are much more susceptible to attacks like phishing and malware, especially as they now probably receive an enormous amount of emails and online requests.
The entire supply chain of tools used by government workers has to be protected because cyberattackers often go after smaller suppliers without the necessary resources to provide adequate security.
Nassar said working remotely creates three basic risks, which include stolen or spoofed user identities, intercepted connections and compromised applications. Most government departments outside of major agencies with huge budgets rely on legacy systems despite the fact that many of these organizations have outgrown their security infrastructure.
With more people teleworking from home, there are dozens of new endpoints for cybercriminals to attack, including phones, printers, devices and more.
“The federal government is such a monster bureaucracy with so many moving parts that it is going to be—and has been—vulnerable wherever its people work. Different departments have different levels of security, but most federal employees are not used to working in a fast-changing, flexible environment. Getting a web meeting to work with a federal government department can be a frustrating experience, so I think they are going to have a lot of problems maintaining effective communications when most employees are working from home,” said Colin Bastable, CEO of security awareness training provider Lucy Security.
“Contractors are wired into the federal system, and they are also going to find that systems don’t work effectively when their home-based staff are dealing with a distributed federal workforce. This disruption adds many points of risk for data compromise, phishing attacks and targeted cyberattacks by foreign actors. Just because the Chinese and Iranians are crippled, don’t expect their or Russia’s cyberwarfare teams to take a vacation–and we should hope that our offense and defense teams stay focused.”
One other concerning aspect of telework noted by Erich Kron, security awareness advocate with KnowBe4, is that workers who do not have portable devices such as laptops will likely be doing remote work from their personal computers, which are less likely to be as properly managed as an organizational asset, meaning the risk of malware infections or other security incidents will be greater.
Workers who are not used to working from home are likely to have most of the files and data they need on their work computers and may take risky measures, such as copying files to USB drives, in order to get the data to their home where they can work on it. These will likely not be encrypted and run the risk of being lost or stolen.