As many countries enter their second full month of Covid-19 lockdown, its impact on the threat landscape and enterprise cybersecurity is starting to become clear. I spoke to several experts a few weeks back for an Infosecurity Magazine news feature on the topic.
Some of the key challenges facing organisations are in enabling secure remote working en masse without impacting productivity.
“The fact that employees are transitioning to working from home is the key risk. All these employees are now working in new environments using technology and processes they are not used to, something bad guys will take advantage of,” SANS Institute director of security awareness, Lance Spitzner told me.
“All of this change creates an environment where it is very simple for bad guys to take advantage of and trick people working from home for the first time. They don’t have all the security technology protecting them at home that they normally would at work.”
The SANS guide to secure home working advises users to: be suspicious of any emails trying to create a sense of urgency to click through or enter info; take steps to protect home Wi-Fi (change default passwords and restrict access); create strong passwords on any websites; ensure all devices are running the latest software; and don’t let family and friends use work devices.
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, agreed that users are at the frontline when it comes to tackling Covid-19 cyber-threats.
“We recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defences at the network edge, email gateway, in the cloud, and at the endpoint, along with strong user education,” he told me.
“Users should be encouraged to approach all unsolicited emails with caution, especially ones that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials.”
Restricting users according to least privilege policies is also a must-follow best practice, as hackers go after VPN logins to directly access data and applications, DeGrippo added. In fact, there have been widespread reports of cyber-criminals targeting remote access infrastructure, not only via phishing emails and brute-forcing but also by exploiting unpatched vulnerabilities. Microsoft has warned of APT-like behaviour from many well-known ransomware groups, which are targeting hospitals.
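The credential-guessing against remote access infrastructure mentioned above is easy to spot in authentication logs once the logs are actually being watched. The following is an added example, not code from the original article or from any vendor quoted in it; it parses constructed sample lines in a made-up `key=value` layout (an assumption, not any real VPN appliance's format) and flags sources that rack up failed logins in a short window, noting whether a success followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up "key=value" layout (an assumption,
# not any real VPN appliance's format). 203.0.113.10 tries many accounts in
# seconds and then gets one right; 198.51.100.7 is a user who mistyped once.
SAMPLE_LOG = """\
2020-04-20T08:00:01 vpn-auth user=alice src=203.0.113.10 result=FAIL
2020-04-20T08:00:03 vpn-auth user=bob src=203.0.113.10 result=FAIL
2020-04-20T08:00:04 vpn-auth user=carol src=203.0.113.10 result=FAIL
2020-04-20T08:00:06 vpn-auth user=dave src=203.0.113.10 result=FAIL
2020-04-20T08:00:09 vpn-auth user=erin src=203.0.113.10 result=FAIL
2020-04-20T08:00:12 vpn-auth user=frank src=203.0.113.10 result=OK
2020-04-20T08:15:00 vpn-auth user=alice src=198.51.100.7 result=FAIL
2020-04-20T08:15:30 vpn-auth user=alice src=198.51.100.7 result=OK
"""

LINE_RE = re.compile(r"^(\S+) vpn-auth user=(\S+) src=(\S+) result=(\S+)$")

def parse_log(text):
    """Return (timestamp, user, src, ok) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result == "OK"))
    return events

def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag each source with >= threshold failed logins inside any `window`,
    noting how many distinct accounts were tried and whether a success
    followed the burst (a guessed credential, the worst case to chase)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e[3]]
        for i in range(len(fails)):  # sliding window anchored at each failure
            run = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            if len(run) >= threshold:
                last_fail = run[-1][0]
                alerts[src] = {"failures": len(run),
                               "users": len({f[1] for f in run}),
                               "success_after": any(e[3] and e[0] > last_fail for e in evs)}
                break
    return alerts
```

A source that fails against many different accounts and then succeeds is the one to disable and investigate first; a single user's one mistake never trips the threshold.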
Time to automate?
However, aside from the uptick in Covid-themed phishing, which is delivering crypto-jacking malware, ransomware, info-stealers and more, the pandemic has forced IT security teams to work in different ways. Michael Armistead, co-founder and CEO of Respond Software, argued that SOCs and security departments are faced with both minor and meta challenges.
“Making sure practitioners can perform their jobs remotely with adequate bandwidth and communication platforms, and have the ability to act on security incidents will be a challenging undertaking for many firms,” he told me.
“I believe many of those tools and platforms are in place … but you just never know how well they will work in practice if an organisation is now distributed for the first time. Still, I’d count these very real and very practical issues as minor because they can be solved in relatively short order.”
In fact, emerging research suggests that security teams are struggling. A global poll by industry body ISACA found that only 59% of members feel their cybersecurity team has the right tools and resources at home to perform their job effectively. Tellingly, just 51% are highly confident that these teams are ready and able to detect and respond to rising volumes of threats. A separate study from (ISC)² revealed that nearly half (47%) of global security professionals have been taken off some or all of their typical tasks to support other IT-related jobs, like WFH. A third report, from Barracuda Networks, ominously suggested that 41% of firms have actually cut IT security budgets to save money during the crisis.
In fact, investments in specific technologies could be a smarter way of reducing costs and improving security outcomes during the crisis, according to Armistead.
“The situation screams out for automation to relieve the pressure on people to sift through mountains of data and to act quickly,” he said. “SOCs and IT security teams need to look at their processes and procedures in light of the distributed workforce. Do they make sense and how quickly can issues be resolved?”
The immediate future remains uncertain, but if remote working is to become more widespread as the pandemic recedes, IT and security leaders had better adapt to the new reality fast.
If there’s one cybersecurity story that dominated the headlines more than any other in 2019, it was the surge in high-profile ransomware attacks on the US public sector. Municipalities all over the country were caught out, leading to major disruption of local schools, emergency services, courts and other public services. It was a reminder, if any were needed, of the absolutely critical role IT systems now play in society.
But what can IT security chiefs learn from the travails of the past year to improve resilience as we head into a new decade? I spoke to several experts recently for an upcoming Infosecurity Magazine feature.
Drowning in ransomware
According to estimates from Emsisoft, 103 municipalities and 759 healthcare providers, along with 1,224 schools, may have been impacted by ransomware as of December 2019. These include major cities such as Baltimore and New Orleans, as well as countless other smaller local authorities like Pensacola and Riviera Beach.
Why are these organisations suffering in such great numbers? According to the experts I spoke to, it’s a combination of under-investment in cybersecurity and the propensity of some high-profile targets to pay up — encouraging copycat attacks.
“Public sector bodies have been very heavily targeted by ransomware lately. This trend has likely been helped by some public sector entities paying substantial sums to ransomware criminals,” said SANS Institute dean of research, Johannes Ullrich. “Access to information is also very important to public sector entities to conduct business, and under-investment in business recovery plans has led to a lack of backups or other fallback mechanisms.”
According to Scott Styles, data orchestration and resiliency lead at Raytheon Intelligence, Information and Services, current security systems are struggling to keep pace with evolving threat techniques.
“Ransomware is designed to avoid detection and exploit the social nature of the network by hiding in files or hyperlinks that businesses need for day-to-day operations. In addition, ransomware only has to be executed once to be successful and it must be detected as well as removed quickly before it can lock or overwrite files. This is unlike other malware that may need to remain in a system for a significant amount of time, or evade detection within a vulnerable system, allowing more time for detection and removal,” he told me.
“While the time-sensitive value of data and services within these organisations makes them prime targets, the main challenges are not much different than other sectors. Vulnerabilities are numerous, people make mistakes and the threat evolves quickly, creating a perfect storm.”
Weathering the storm
The good news is that a defence-in-depth approach utilising key best practice controls can make a big difference, he added. These include AV, up-to-date patching and configuration management, regular backups, and employee security awareness training.
“They should also consider a multi-dimensional approach that integrates hardware, software, network, and behavioural monitoring into a zero-trust resilient solution,” explained Styles. “These solutions typically have the ability to remain operational even if the threat has defeated perimeter defences or is an insider threat.”
For Kevin Lancaster, general manager of security solutions at Kaseya, one of the biggest threats to US public sector bodies is their use of legacy systems. This makes prompt patching more challenging, but also more important than ever.
“The US Department of Homeland Security (DHS) recently issued a new Binding Operational Directive (BOD 19-02) instructing government organisations to patch critical vulnerabilities within 15 days, and high severity vulnerabilities within 30 days,” he told me.
“Patching on time helps reduce the attack surface and ensures vulnerabilities are mitigated quickly. Automating patch management is moving a step ahead. With tight budgets and limited manpower, government agencies can make sure that patches are not missed across the entire network with an automated patch management solution.”
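The BOD 19-02 windows Lancaster quotes (15 days for critical, 30 for high) are simple to track, which is what makes missed patches visible before an attacker finds them. The following is an added example, not code from the original article or from Kaseya; it takes constructed scanner-style findings (hypothetical hosts, placeholder CVE ids) and classifies each against its deadline, listing the hosts that are most overdue first.

```python
from datetime import date, timedelta

# Remediation windows as quoted in the text (BOD 19-02): critical within
# 15 days and high within 30 days of detection. Other severities are not
# covered by the directive as quoted, so they get no deadline here.
BOD_19_02_DAYS = {"critical": 15, "high": 30}

# Constructed sample findings with hypothetical hosts and placeholder
# CVE ids (not real identifiers), in the shape a scanner export might give.
SAMPLE_FINDINGS = [
    {"host": "web-01", "vuln": "CVE-XXXX-0001", "severity": "critical",
     "detected": date(2020, 1, 2), "fixed": date(2020, 1, 10)},
    {"host": "db-02", "vuln": "CVE-XXXX-0002", "severity": "critical",
     "detected": date(2020, 1, 2), "fixed": None},
    {"host": "file-03", "vuln": "CVE-XXXX-0003", "severity": "high",
     "detected": date(2019, 12, 20), "fixed": None},
    {"host": "mail-04", "vuln": "CVE-XXXX-0004", "severity": "medium",
     "detected": date(2019, 12, 1), "fixed": None},
]
SAMPLE_TODAY = date(2020, 1, 20)  # constructed "as of" date for the sample

def deadline_for(finding):
    """Due date under BOD 19-02, or None when the severity is not covered."""
    days = BOD_19_02_DAYS.get(finding["severity"].lower())
    return None if days is None else finding["detected"] + timedelta(days=days)

def assess(findings, today):
    """Attach a due date and a status to each finding: fixed_on_time,
    fixed_late, overdue, open (still inside its window) or no_deadline."""
    report = []
    for f in findings:
        due = deadline_for(f)
        if due is None:
            status = "no_deadline"
        elif f["fixed"] is not None:
            status = "fixed_on_time" if f["fixed"] <= due else "fixed_late"
        else:
            status = "overdue" if today > due else "open"
        days_over = (today - due).days if status == "overdue" else 0
        report.append({**f, "due": due, "status": status, "days_over": days_over})
    return report

def overdue_hosts(findings, today):
    """Hosts to escalate first: overdue items, most-overdue first."""
    late = [r for r in assess(findings, today) if r["status"] == "overdue"]
    return [r["host"] for r in sorted(late, key=lambda r: -r["days_over"])]
```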
Local governments must get proactive, by developing and testing incident response and business continuity/disaster recovery plans — if necessary, in concert with third-party providers. However, city staff are also a vital asset in helping to mitigate the threat, Lancaster added.
“For government organisations to be fully prepared to tackle cyber threats, IT directors should have a long-term vision which includes up-skilling their employees in areas of cybersecurity,” he concluded. “With budget constraints always at the forefront of concerns, it might not be feasible to routinely train every member of the team. Instead, areas to focus can be prioritised and worked upon to implement effective up-skilling.”