It feels like we have been in lockdown forever. Well…we have.
It is now time to look at life post COVID-19. I have already pointed out in previous posts that the status quo will be changed forever and that remote business will increase in the coming months.
What can we look forward to in a post COVID-19 world?
Zero impact cyber security.
I recently read an article that points out that, as countries around the world struggle to contain the spread of COVID-19, cybercriminals are wasting no time trying to exploit potential vulnerabilities resulting from the lockdown that has confined most people to working remotely, with relatively less secure devices.
Cybersecurity company Kaspersky Lab reported a huge spike in network attacks in SA between March 15 and 21, with hackers attacking up to 310,000 devices during that one-week period — an alarming increase over the normal weekly average of between 20,000 and 30,000.
The article adds that, in a digital world, with billions of people and even more devices connected to the internet via private, public and corporate networks, cybersecurity has become a priority. T-Systems estimates that the world will see 50-billion connected internet of things (IoT) devices by this year.
In addition, to flatten the pandemic curve, governments globally continue to implement lockdown and social distancing, forcing larger percentages of the workforce to connect remotely. Lockdown will leave a lasting impact on how we work, and requires a complete revision of how corporations view and address cyber risks.
Transformative phase
The article points out that, before the outbreak, SA was on the brink of a huge transformative phase in cybersecurity. The imminent introduction of the Protection of Personal Information Act (Popia) and cybercrime legislation, as well as a continued digitisation drive from business and the availability of cognitive technologies, are paving the way for corporations to emerge victorious from the chrysalis. There will be greater focus on effective detection and response, while maintaining sophisticated protection in their cybersecurity DNA.
However, the outbreak greatly accelerated the digital workplace and the lockdown forced companies to enable employees to work remotely. The risk is that many organisations may be left behind in a caterpillar-like approach, while others may remain in the pupal state, overwhelmed by the complexity of this challenge.
The article adds that those who emerge from the chrysalis and are able to adapt and leverage next-generation technology underpinning advanced cyber defences, will be better prepared to grow sustainably in a digital post-pandemic world.
Keep in mind that technology and the security controls it enables do not inherently offer protection; cyber resilience requires a holistic and proactive approach, owned at the highest levels of an organisation.
With data classified and risks assessed relative to the specific business, T-Systems can advise on the appropriate controls and supporting technology to be deployed.
Lead from the top
The article points out that:
- for security to be effective, the leadership team must support and sponsor all initiatives, demonstrating to the organisation the importance of strong cybersecurity practices;
- a board member should be accountable for ensuring the security of the organisation — this could be a chief information risk officer or chief information security officer; and
- employee cyber education is imperative, and should be entrenched in standard operating policies and training throughout the year.
Understand the risks
The article adds that, fundamentally, we need to know what we are trying to protect — our corporate IP (for example, for an oil company this would be geological data, refinement processes, etc).
Thereafter, the risk to this IP can be determined, whether from external attack or insider threat, in all its guises. This helps to determine a defensive value, or the consequence of a loss of this IP — and the size of the security budget can be determined.
Assess the present defences
The article points out that we need to ask:
- what is the maturity of our current cybersecurity defence? Do the pieces interact without issue, or do we have a number of different vendor solutions operating in isolation?;
- what is the perceived effectiveness of current defences: unless you regularly test the defences, this is probably an unknown. If you are operating discrete vendor solutions, chances are the effectiveness is low; and
- this analysis shows a clear picture of the current security defence landscape, and where the gaps are.
Devise a holistic strategy
The article points out that, with the current landscape understood, a risk assessment can be built to determine where investment is needed. This allows the construction of a holistic and cohesive security strategy with all elements interacting to provide true threat intelligence and response. This all starts with a simple journey to understand whether the current organisational defences are effective.
Cyber resilience is much more than a defensive strategy and requires earlier detection and rapid response in the event of a breach. In a data-driven digital economy, with cyberthreats increasing both in frequency and sophistication, SA is no exception and definitely not immune.
The article adds that the lockdown resulted in more employees working remotely using less secure devices and networks, worsening the already significant threat. This is likely to become the new normal and while the initial focus was on access and productivity, we now have to address long-term sustainability and security aspects.
Next-generation technology such as security orchestration automation and response, artificial intelligence (AI) and advanced threat-hunting can greatly assist, but less than 15% of corporations in SA has this deployed.
The article points out that the centre forms part of its managed cyber defence services that consists of:
- SOC/SIEM, testing and vulnerability scanning services;
- network security;
- application and cloud security;
- endpoint security, identity and access management; and
- IoT and industrial control systems security.
As businesses continue to grapple with and progress through the challenges presented by the COVID-19 crisis, it is not too early to focus beyond the horizon on what the privacy and cybersecurity landscape might look like when the crisis finally passes. Crowell & Moring’s Privacy and Cybersecurity Group seeks to identify likely issues and new norms arising from this crisis in a series of client alerts. We begin by attempting to level-set and understand what the crisis has already wrought in this space and identify issues that will need to be addressed as we slowly inch towards a new reality.
Adjust your security stance for an emphasis on endpoints
Privacy is also going to be a major watchpoint in the recovery from COVID-19.
The article points out that security practices for most companies and industries focus first on protecting the company’s perimeter (e.g., with firewalls) and closely monitoring systems within that perimeter for unauthorized access (e.g., network traffic analysis, ingesting log data into SIEM tools, etc.), with endpoint protection a secondary focus because of the security offered by network-level protections, especially with respect to employees who rarely or never work outside of company facilities.
Increased teleworking, however, has meant that employees – and their laptops, mobile devices and other endpoints – are now connected outside of those secured company systems and networks. Accordingly, companies need to reevaluate and adjust their current posture to account for endpoint security needs in light of the changed use cases for their employees now and going forward.
Manage your regulatory environment
The article adds that many regulators initially took relatively lenient enforcement stances regarding security and compliance issues related to telework during the early days of COVID-19 response when companies were scrambling to deal with the sudden need for telework.
The article points out that companies should not assume that regulators will remain lenient; regulators will expect mature security programs to adapt to new circumstances and to revise controls and practices that were implemented during COVID-19 leniency and necessity in order to comply post-COVID-19.
Companies will need to meet their compliance requirements for any new systems or tools that were adopted in response to COVID-19 circumstances, especially those in heavily regulated industries such as banking, healthcare and defense.
Adjust to the new threat environment
The article points out that threat actors have been quick to adapt and take advantage of changing habits in response to the COVID-19 pandemic. Tailored spear phishing campaigns that incorporate COVID-19 information are being aggressively conducted, but attackers are also pursuing other vectors. For example, social media scams are targeting employees operating outside of company networks as well as targeting those who may be searching for other employment (e.g., by masking malicious URLs as links to job applications).
The article adds that ransomware attacks seek to take advantage of changed operations (e.g., less attention to network monitoring as skeleton IT staffs are stretched thin; dispersed staffs leading to slower detection and reaction to malware spread). There are many other examples, with more certain to arise. Companies need to remain diligent in their security practices, but also be prepared to adapt to a rapidly evolving threat environment. Companies should be prepared to implement their Incident Response Plans in a variety of adverse circumstances.
Plan around new infrastructure
The article points out that, in response to the sudden operational changes during the COVID-19 crisis, many companies rapidly adopted new infrastructure, such as remote access technology, SaaS tools, collaboration and messaging platforms, new video teleconferencing providers, and greater numbers of laptops and mobile devices issued to employees.
The article adds that when operations inevitably begin transitioning back toward prior norms, companies will need to plan for this new infrastructure and for any changes in information governance and records management practices that the new infrastructure might require. Some of the new infrastructure will be incorporated into standard operations, while elsewhere the interim use of COVID-19- specific infrastructure and adaptations will need to be discontinued.
Plan for a return to the office
The article points out that, while timelines are still uncertain, at some point employees will return to the office, and companies need to start planning for that now.
For example, if employees have been using personal devices or third party platforms, how will they be transitioned back to using company systems (and returning to standard operating norms)? How will the company ensure that all company information returns to systems that it controls (and does data need to be deleted from external systems, including mobile devices, printers, and cloud-based collaborative tools)? Can the company ensure that all systems and data that are re-integrated with company systems are free from malware or other malicious elements? Does the company have plans to document and track compliance around these needs?
In addition, data collected during the crisis may impact who returns to the work environment and when. For example, data concerning an employee’s health vulnerabilities or potential contact with other infected individuals may influence the employer’s decisions regarding that employee’s return to the physical work environment.
Plan for the future of COVID-19 data
The article adds that most companies have at least some sensitive data related to COVID-19 (e.g., employee diagnoses), and some have gathered more advanced data through steps taken in response to the pandemic, through administrative processes and use of technology.
For example, employers may be collecting data related to employee health (e.g., temperature scans) or employee behavior (e.g., location tracking, tracing employee interactions, and information about the health of family members) both on-site and outside of company facilities.
The article points out that, while such activities have understandably occurred in rapid response to companies’ evolving needs in the midst of a crisis, there should be a practical plan in place regarding these data and practices once the crisis passes. Issues for consideration include aligning collection with (and limiting to) specific needs, determining where this COVID-19-specific data is stored (level of security; geographic location), determining who should have current and future access, and data retention plans (alignment with needs; whether different from standard policies; and whether personal data being retained can be aggregated or anonymized to reduce privacy-related risks).
The article adds that companies will additionally need to ensure that they are complying with applicable federal and state law in their collection, use and retention of this information. At some point, collection will become more limited or end completely, and companies will also need to have a plan in place to wind down their programs.
Begin planning for the “unknown new”
The article points out that most companies plan for the enhancement, growth, and overall evolution of their IT, data protection and security environments on multi-year cycles – for both technical and people/process needs.
The article adds that this means that now is the time for companies to look beyond the current crisis and start incorporating the lessons learned from their COVID-19 experiences in terms of planning for newly identified needs, reviewing and updating existing plans, and making informed projections about what is coming over the horizon, including areas such as increased telework, increased focus on endpoint security, changes in the collection of personal information like employee health information, and the increased need for resiliency as business continuity and disaster recovery plans are expanded to include future scenarios with stressors similar to COVID-19.
Many questions
There will be many questions that need answering post COVID-19. I recently read an amazing interview on silicon.co.uk with Gaidar Magdanurov, Chief Cyber Officer & Chief Operating Officer at Acronis on what to expect in the coming months. Below is an extract of two questions and responses.
Will cybersecurity, in general, have to change post-COVID-19?
The cybersecurity world is adapting to the new situation – multiple remote devices, employees working from remote locations not trained in cybersecurity, work, and entertainment devices in the same network. Thus, we can expect more corporate IT and managed service providers to deploy more cyber protection tools for workers, and design future corporate infrastructure with remote work and protection for remote workers’ devices, in mind.
With the widespread usage of corporate networks, the “forever day” vulnerabilities concept grows in relevance. Commonly used “zero-day vulnerability” is a vulnerability in the software that was recently discovered and can be used to attack a system or application because there is no patch protecting against that vulnerability is available.
But with multiple smart devices at home, there is a growing number of “forever day vulnerabilities” – vulnerabilities that will not be fixed by the vendor. There may be older devices, not supported anymore, or vendors not paying attention to the security of simple, smart home devices, while those devices are still can be used to get unauthorized access to the home network.
Now, with remote workers surrounded by devices that may run vulnerable software, for IT professionals setting up remote workspaces, the concept of “zero trust” network becomes crucial. Instead of trying to protect the network and trusting all devices on the network, “zero trust” requires strict authorization rules for all devices and users. Home networks will have to upgrade from a convenient mode of trust to less comfortable for users “zero trust” mode to protect remotely accessed business data and corporate systems.
Has the threat landscape changed because of COVID-19?
Based on the Acronis Cyber Protection Operations Center reports, there are two primary trends for the threat landscape related to the COVID-19 outbreak:
The first trend shows an increase in the overall frequency of attacks targeting users to open malicious links or install malicious software, using Coronavirus and COVID-19 related keywords. Attackers send emails on behalf of government agencies or healthcare providers, using the interest to the subject and forcing an emotional response from users to deploy malware known for a long time.
Attackers build websites using keywords related to the pandemic; they build fake dashboards with information about the infection statistics –to force users to download and install malicious software. For instance, we see attackers distributing well-known malware like Agent Tesla password-stealing tool, NetWare remote access trojan, or LokiBot trojan.
The second trend presents a growing number of attacks targeting remote workplaces and home network infrastructure. Starting from the attacks on unprotected and unpatched devices, exploiting existing vulnerabilities to install malicious software on users’ systems, to network traffic intercepts to steal users’ passwords and other sensitive information, and attacks on network domain name servers to redirect users’ requests to the legitimate website to phishing mirrors.
It is worth highlighting that attackers also go after tools for remote work gaining popularity. For instance, recently, there were lots of security issues reported in the popular videoconferencing software Zoom, as the userbase of the software grows. Users usually don’t expect that the tool they use for video calls may bring danger to their system. Still, those types of tools open a wide variety of attack opportunities –message injections, remote control hijacking, hijacking of conference sessions, intercepts of text chats and video streams, redirect of users to malicious web addresses.
It is also important to remember that getting access to a work device from the home network may be possible by attacking other devices and other users. Therefore, family members, and especially children, are getting into crosshair of the attackers, using social engineering to deliver malicious software to their home network.