Adjusting to the new normal

According to alert AA20-133A from US-CERT:

"The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:

• Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
• An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
• An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
  
  
• March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.
  
  
• Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020."

Well whadyaknow?

• The US government blames "sophisticated foreign cyber actors" - the usual xenophobic, somewhat paranoid and conspiratorial stance towards those filthy rotten foreigners, desperately attacking little old US of A (today's version of reds under beds I guess);
  
  
• "Unpatched" VPNs and insecurely configured Office 365 services are being targeted, implicitly blaming customers for failing to patch and configure the software correctly, blithely ignoring the fact that it was US-based software vendors behind the systems that required patching and configuring to address exploitable vulnerabilities;
  
  
• And finally, uneducated users (the great unwashed) receive a further gratuitous poke, along with the lack of planning on system recovery and contingency ... which is whose fault, exactly? Hmmm, I'll pick up that point another day.

Accountability and QA issues aside, the sudden en masse adoption of Working From Home has undoubtedly changed corporate information risks for all organizations - even those of us who were already routinely WFH, since we depend on ISPs, CSPs, telecomms companies, electricity suppliers, professional services companies and other third parties who are, now, WFH. COVID is another obvious, dramatic change with further implications for information and other risks (e.g. mental and physical health; fragile self-sufficiency; global economic shock; political fallout ...), and it's far from over yet.

WFH is now A Thing (not in the IoT sense!) for some of us anyway, although it's not possible or suitable for everyone. As COVID gradually fades from the headlines, some WFH workers will drift back to regular office work, others may continue WFH and a good proportion will do a bit of both (hybrid working as it's now known) according to circumstances and workloads. If COVID returns with a vengeance, or when the next pandemic turns up, we'll presumably be WFH en masse once more. So, have you reviewed and updated your corporate risk profile lately? Have the incident management, business continuity, IT, HR, business relationship management and other controls, processes and arrangements coped brilliantly with the present situation, or are adjustments called for? Do you even know how things are going out there, the workforce now scattered, hunkered down in their caves?