12:00 PM
Alan Brill

Are You One COVID-19 Test Away From a Cybersecurity Disaster?

One cybersecurity failure can result in a successful ransomware attack or data breach that could cause tremendous damage. There's no need to panic, but neither is there time to ignore the issue.

The president of the United States testing positive for COVID-19 reminds us that there is no guarantee any individual will remain virus-free. That's true in Washington, and it's equally true for those managing and running the cybersecurity of our organizations.

Fortunately, the possibility that the president could become ill was understood. The Presidential Suite at Walter Reed National Military Medical Center is no spur-of-the-moment facility. It was set up for such a need. Aside from the full medical staff and facilities of Walter Reed, it has communication facilities provided by the White House Communications Agency and security vetted by the Secret Service. In short, the government recognized the need, created a plan, and took the necessary steps to provide the infrastructure that would be needed to execute that plan.

The news about the president's medical condition is a reminder that we need to consider not only what we do to protect our systems in these disruptive times but also whether we've sufficiently planned for resilience in our cybersecurity operations and teams.

Given the history of cyberattacks, ranging from large-scale data thefts and insider problems to the current rash of ransomware attacks and business email compromises, corporate and government managers understand that continuous cybersecurity — 24 hours a day, seven days a week — is vital. But going from that understanding to having actual operational resilience requires planning and work to make it effective. While companies have increasingly turned to using automated monitoring systems to help them surveil their networks and systems, the results and alerts generated by those systems must be reviewed by qualified security specialists and turned into actionable intelligence and decisions.

Most companies run very lean when it comes to cybersecurity staffing, and experienced network monitoring specialists are in short supply in both the public and private sectors. As threats evolve, those monitoring our networks must continuously update their knowledge to be prepared for both current threats and whatever is coming next. Add to this the stresses related to changes required by the coronavirus pandemic (such as remote working and increased reliance on cloud services) and the cyber-risks have grown — sometimes faster than the ability of the company to adjust cybersecurity to match the new challenges.

Another problem that all companies face is that while we frequently read about cybersecurity incidents involving large breaches, successful significant attacks against any particular organization are actually infrequent. As a result, organizations typically have little practical experience to go on. They're at the bottom of the learning curve when they need to be at the top. After they recognize an event, companies — often with the assistance of their cyber-insurance carriers — bring in specialized legal expertise and cyber-forensic investigators with significant experience. That's great, but it's after the fact.

The real issue is how we manage our cybersecurity to prevent serious incidents. With COVID-19, it doesn't matter how you get infected, but once you have the virus, you can get very sick very quickly and become unable to do your job. If that job is monitoring the cybersecurity health of your company, are there qualified replacements trained and ready to step in?

Every organization should take the news from Washington as an opportunity to ask the "what-if" question and to carry out a cybersecurity resiliency risk assessment. We have to recognize that cybercriminals are taking advantage of security weaknesses, and we must do our best to avoid disruptions.

Start by understanding who in your organization is available and qualified to monitor your networks (and network monitoring systems) around the clock. Determine if there are additional experienced personnel available to step in if needed, and if they're ready to do so. Based on the risk assessment, management should give serious consideration to working with an outside analysis and response organization as their primary or backup source of network monitoring and incident response.

Do You Need Help?
Many companies have chosen to outsource or augment their network and systems monitoring with organizations that bring a team of qualified analysts who can triage security alerts, hunt for threats, and respond as needed on behalf of (or alongside) internal teams. Because they work across many companies, these organizations have substantial experience in dealing with the range of current and emerging threats and bring analytic and intelligence capabilities that only the largest companies could afford. These outside organizations provide best-of-class monitoring and analytics that provide a combination of automated analysis and human oversight, and they can provide service if and when an in-house information security team becomes disabled or needs to quarantine or isolate.

There's no need to panic, but neither is there time to ignore the issue. A single cybersecurity failure can result in a successful ransomware attack or data breach that could be enormously expensive and cause tremendous reputational damage. Taking some simple steps to avoid these problems by assessing the resiliency of your cybersecurity program is well worth it.

Alan Brill is a Senior Managing Director in the Cyber Risk practice of Kroll, a Division of Duff & Phelps, and is a Fellow of the Duff & Phelps Institute. He is also an Adjunct Professor at Texas A&M University School of Law. Alan has worked on numerous high-profile ...

Alan Brill (Author), 10/22/2020 1:02:43 PM
Some additional thoughts...
While in the op-ed I focused on issues relating to the more limited in-house technology resources that may be available during the pandemic, please don't think the issue is limited to the technology team. Others can be problematic as well.

If decision-making managers have limited availability or are harder to reach, getting decisions made that may be very time-sensitive may be difficult. Deciding whether to treat a ransomware case as a breach -- which is often the truth of the incident, as data theft now can precede the encryption -- and which implicates the need to notify those affected as well as government agencies, could be delayed if, for example, legal counsel was harder to reach or to brief. Having the ability to get contracts in place with vendors (of forensics, investigations or notification) may be critical, and some may have requirements relating to issues like establishing attorney-client privilege.

The idea I wanted to get across is that during the pandemic, the changes in how we work can affect the ability to carry out an incident response plan. People working from home, people working with more limited resources, and the inability to just "run in and talk to" whoever can affect how an organization responds to a challenge.

As a result, I'd recommend that you re-visit your incident response plan to ensure that it still works as intended in the face of the Covid pandemic. If it does, fine, but if not, you should be considering either temporary or longer-term changes to make sure the plan will be effective when it is needed.
Alex White (Author), 10/27/2020 12:06:22 PM
Many Great Points
This article brings up some really good points that all companies and CTOs must consider. In the middle of a pandemic, we must of course expect that our employees may get sick -- and we must be prepared in the event that they do, so that no gaps occur in their absence while they focus (rightly) on getting well again.