As the coronavirus (Covid-19) threat continues to grow, cybersecurity leaders are forced to adapt to a rapidly changing environment with unique challenges. Two distinct issues are playing off one another in the current crisis. For one, cybersecurity threats take advantage of crises. In periods of widespread worry, attackers can leverage panic, confusion, and desperation to creatively transmit malware or carry out successful phishing attempts. The coronavirus pandemic is no different in this respect. The constraint that makes this crisis different is that employees are, for the most part, working from home. A distributed workforce poses many challenges from a security perspective, and enterprises will have different levels of preparedness in enabling a secure WFH environment. Security leaders are faced with questions on how to securely provide access to sensitive applications for users who may be connecting over public networks on their personal devices. At the same time, public-facing web applications are seeing enormous increases in traffic and are being forced to deliver new capabilities at a scale that could not have been anticipated.
We asked 11 prominent cybersecurity leaders (CEOs, CISOs, and execs) to respond to the following: What is the impact of the pandemic on the threat landscape and how is this changing corporate security postures and priorities?
Responses were wide-ranging, covering issues like WFH security, phishing attempts, problems caused by accelerated digitization, and even targeted attacks. All of them are published in their entirety below.
Security Strategy, Chronicle (a Google company)
I'd say the biggest change is due to the massive increase in WFH. For sure, there are also the "usual suspects" like COVID malicious domains and phishing lures, but to me WFH is the main change. A lot more access from a lot more places, a lot more BYOD, a lot more VPN, a whole lot of new permissions created and rules loosened.
From our perspective, we have seen three things:
Cybercriminals are using the Covid situation to create more cyber scams, lures, phishing emails, etc. For example, there are more emails with malicious attachments in PDF, MP4, DOCX, etc. that are associated with the Covid-19 situation. In crisis times like these, users who are eager to get the latest Covid-19 information may be more careless and prone to such scams or phishing emails.
Increased use of telecommuting technologies. We have seen an increase in customers requesting more security for their endpoints, better and more VPN services, and conferencing technologies, e.g. from Zoom. Telecommuting security technologies such as endpoint security, VPN, and web conferencing are hot topics now.
As a cloud and web security provider, we are also seeing many organizations eagerly setting up websites and web applications to handle the Covid news and to help manage funding or assistance programs. These could be from large corporations, non-profits or government agencies. These web applications, which typically take months to build with rigorous security checks, are now launched in 2-3 weeks. Many are scrambling to put the same security measures in place, but in the midst of the rush, the risks of missing something are very high. Again, these will lead to higher chances of threats like DDoS, defacements, and data breaches happening.
Covid has actually pushed many companies to bring forward or expand their digitalization plans. And very often, it is done in a rush. Cyber criminals are taking advantage of this, and cyber security defenders will have to work very hard to keep pace with the digitization efforts in the next few months. We see quick-to-deploy and affordable cyber security solutions (e.g. cloud-based, SaaS) as an advantage in the short to medium term, as they allow companies to ramp up very fast.
While everyone is focusing on the security implications of a remote workforce, I'm hearing less discussion around the workforce itself. Unfortunately, attackers don't have the strongest ethics or morals, and many are using the pandemic as a subject of social engineering campaigns. With many looking for ways to contribute during this global time of need, phishing emails requesting assistance are particularly effective. Additionally, some personnel aren't used to remote communications. Some topics that would have historically been addressed with a face-to-face conversation may now be left un-had. This can be a risk when talking about business email compromise. An attacker posing as the CFO or a third party may request a wire transfer from accounts payable. Where this would have historically been a quick conversation, the employee may see it as an inconvenience or redundant to question an electronic communication with another electronic communication.
COVID-19 has brought out the best in some people from helping neighbors, donating time and money and most importantly social distancing. The pandemic has also changed how we work, and the amount of time we are online has greatly increased. According to recent reports, corporations have seen a 400% increase in online visits to their websites, with mobile visits up a whopping 600% in March.
This increase has given cybercriminals an opportunity to prey on fear and the hope of help. The sad reality is that scams are rampant and deception is everywhere. The pandemic has changed how we work and how corporations need to implement security and protect their customers. We’ve seen a dramatic uptick in the number of COVID-19 scams, largely phishing campaigns and an onslaught of fake emails trying to trick people into clicking on links that send them to malicious sites to steal their credit card information, their credentials and their personal information. Fake sites that look like real sites, copied from well-known brand websites, are effective in herding unsuspecting victims. The economy and people have obviously taken a big hit. It is unconscionable that more users who are suffering economically with lost wages will have even bigger problems if they fall victim to successful phishing scams. The economic pain will be felt by them far longer.
The threat landscape has clearly changed, and corporations are starting to invest to actively protect their customers and employees from these scams by deploying active defenses and anti-phishing technologies to thwart successful phishing campaigns. It is very important that these scam sites are detected quickly and that response is almost immediate to limit the damage.
We’ve written more about this on our blog.
From my perspective, the threat landscape is forever changing. Sometimes the changes are minor and not recognized for a longer period of time. With these changes, companies have longer to react, but the ones that have made an effort to tune into these minor tremors are able to react faster. However, because of the lapse in time with minor adjustments, the business impact is not as catastrophic. Major changes, such as with Covid-19, are more like a natural disaster. The landscape is rapidly changed and oftentimes changed forever. But this doesn't mean that the hardy species don't continue to thrive. Companies must be agile enough and brave enough to adapt. Those who manage the risk best not only adapt, but thrive. In the words of Glynis M. Breakwell, "Risk surrounds and envelopes us. Without understanding it, we risk everything and without capitalizing on it, we gain nothing." So, although times are uncertain and clearly challenging, the global security risk to a company does not change. The risks - whether realized prior or not - have always been present. Those that pay attention and embrace them are the ones who will survive, as they are the most prepared and accepting of the reality. For everyone else, it is a hard lesson to learn. Unfortunately, some never do.
The COVID-19 pandemic has offered CISOs and their security teams two immediate challenges and two things that have made it to the priority list. The first challenge is getting secure connections for employees to arrange work-from-home at extraordinary scale. This entails the scale-up of multi-factor authentication to access business critical applications, and in some cases requires the patching of a critical system without breaking the application.
Since the lockdown prohibits employees from visiting the office, the second challenge is in maintaining CIA (Confidentiality, Integrity and Availability) of both operational data network infrastructure and user data network infrastructure. Safeguarding remote-work provisions and maintaining the CIA of these networks are critical to establish cyber-resiliency during this pandemic.
Stay safe, stay secure!!!
I think the most obvious impact of the pandemic for most organizations is managing a completely remote workforce. This is especially imposing on organizations not set up for remote work. Just a few thoughts from a data and asset security perspective, and from what we have been seeing at client organizations across industries –
a. A major threat is having a remote workforce not applying appropriate security at their remote work environment. We have been seeing organizations send out updated policies and procedures to ensure timely and appropriate communication of security controls and rules that users need to be aware of and apply accordingly to meet security requirements. Management priorities have adjusted accordingly to establish regular communication channels with employees and apprise them of updates in policies and procedures.
b. A major threat is not having technical controls on technology/equipment used to remotely access the work environment and organization’s resources in a secure manner. Organizations should have or are setting up a well-defined user end-point device monitoring and patching process. We have been seeing enterprise operations teams across the board having increased priorities regarding the security of a remote device used to access the environment. Having a good security posture in this scenario means well-defined configurations in place to manage whitelisting / blacklisting of applications on user devices, e-mail management rulesets, etc. We can see this gaining sustained traction, especially in companies that generally do not have a large remote workforce.
c. Arguably, the single biggest threat we focus on in our industry is the threat to information in transit and information accessed remotely, which has significantly increased due to the pandemic. Most companies offer some type of remote virtual private network (VPN) solution to enable their workforce to access the environment remotely. Traditionally, IT operations personnel priorities have focused on ensuring proper encryption (protocols and ciphers) technologies have been implemented to protect information in transit and to meet industry standards / compliance requirements. A change in priority that we can anticipate due to the pandemic situation is availability. The pandemic has led to the world seeing perhaps its largest remote workforce yet. Most companies’ VPN solutions are not designed for ‘peak capacity’ – or to automatically scale for a situation where nearly all employees are remote. As a result, local VPN servers get overloaded with the sheer amount of traffic and network connections required for supporting such a large workforce. This in turn can have a detrimental effect on employee productivity. We anticipate organizations changing their approach in designing systems and obtaining solutions to account for this and meet or increase their security posture.
As an ISO 27001 lead information security auditor, personally, the landscape I have seen change the most is the nature of an assessment. Onsite audit time requirements, physical and environmental security assessments, as well as data center risk reviews have required a fundamental rethink and have us applying temporary changes to the way we conduct assessments. This is in addition to obtaining exception forms from organizations justifying the reasons for a remote assessment while balancing the need to cover the security requirements and risk resulting from remote audits.
At this point, most companies are still in panic mode. They have moved from a more traditional model to a more collaborative model, and are doing whatever can be done to retain business and a business as usual approach. In most cases, this has meant moving from a centralized and office-based approach to a more distributed model of work. In doing so, companies are attempting to solve their business problems without performing a lot of the due diligence that would have been the norm in a non-pandemic scenario.
As we have seen with some of the issues with Zoom and other technologies that have been adopted to deal with decentralization, there are associated risks. For most companies, the attack surface has been greatly increased and the security posture has been neglected in favor of preserving as much of the status quo (both in work styles and business relationships) as possible. The risks of this posture and the long-term effects will take some time to play out, but the companies that are quicker to adopt a stronger security posture will be the ones who are least impacted by these changes.
CISO, City of Boulder, CO
Trends within cyber security are inextricably linked to quick monetization and human frailty.
Our people are stuck at home. They are making entertainment purchases so they are targeted by websites impersonating services like Netflix and Hulu. They are trying to be productive so they are bombarded by credential harvesting messages, and they are afraid so they are being exploited by social engineering, such as tech support scams and pushy emails impersonating senior leadership.
Our businesses are struggling to change their comfortable processes, so they are targeted with fake invoices and fraudulent requests to change vendor payment locations. They cannot maintain a physical office presence, so theft and vandalism have replaced active shooters as a significant physical risk. And finally, our business units are being forced to embrace digital transformations and are desperate for someone to watch their backs.
This is an extraordinary opportunity for cyber security programs to show how we make sure everyone wins rather than just making sure adversaries lose.
We are seeing a 20-30% increase in Magecart and XSS attacks across the board. Many are targeting eCommerce and particular retail sectors like online delivery, at-home health, nutrition and fitness. Additionally, the economic stimulus package has forced financial institutions, both large and small, to deploy new public-facing web applications within their websites to accommodate the application process. Anytime you impose short time windows from development to production, you increase security challenges and risks. Finally, many of our enterprise clients were forced to re-architect and expand critical infrastructure and resources to accommodate work-from-home requirements. The attack surface has only increased due to these changes, and the attackers are looking to capitalize as much as possible during this difficult time.
Many cybersecurity technologies incorporate AI/ML to create a baseline of "normal" behavior and then provide the ability for an organization to interrogate or challenge traffic that falls outside of this baseline based on their own risk tolerances. But what is “normal” now?
The challenge the pandemic poses is that so much has changed so fast, and there has been almost no time to prepare. A huge influx of new accounts for online shopping has been created, and people who traditionally made orders in the afternoons are now doing so at midnight. Requests that have always been made face-to-face are now happening electronically or over email. Additionally, many companies had to quickly ramp up remote access, and some have even been forced to accommodate BYODs, which not only exponentially increases their attack surface, but also the likelihood of an already compromised device gaining legitimate access to the network.
Businesses are operating in a way that they never have, and everything is far from “normal”. It is an environment that requires extra diligence from both enterprises and their employees and where security should take precedence over user experience.
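The "what is normal now?" problem above can be made concrete with a small behavioural baseline. The following is an added illustration, not code from the original roundup or from any respondent's product: it builds a per-hour "normal" from a constructed window of order timestamps, scores a later window against it, and distinguishes a handful of genuine outliers from wholesale baseline drift (most events flagged), which is the signal that the model, not the users, has become stale. All sample data and thresholds (`MIN_SHARE`, `DRIFT_RATE`) are assumptions chosen for the demonstration.

```python
from collections import Counter

# Constructed sample data: hour-of-day for orders in a pre-shift "training" window
# (clustered in the afternoon) and a later window where much activity moved to midnight.
BASELINE_HOURS = [13, 14, 15, 14, 13, 16, 15, 14, 12, 15,
                  14, 13, 16, 14, 15, 13, 14, 15, 12, 16]
SHIFTED_HOURS = [0, 1, 0, 23, 0, 14, 0, 1, 2, 15]

MIN_SHARE = 0.02   # an hour seen in <2% of baseline events is "outside normal" (assumed threshold)
DRIFT_RATE = 0.5   # if >=50% of a window is anomalous, suspect drift, not 50 separate incidents


def build_baseline(hours, bins=24):
    """Share of events falling in each hour of the day: a crude behavioural baseline."""
    counts = Counter(hours)
    total = len(hours)
    return {h: counts.get(h, 0) / total for h in range(bins)}


def is_anomalous(hour, baseline, min_share=MIN_SHARE):
    """An event is anomalous when its hour was (almost) never seen during training."""
    return baseline.get(hour, 0.0) < min_share


def anomaly_rate(events, baseline, min_share=MIN_SHARE):
    """Fraction of a window's events that fall outside the baseline."""
    flagged = [h for h in events if is_anomalous(h, baseline, min_share)]
    return len(flagged) / len(events)


def classify_window(events, baseline):
    """Triage a window: 'normal', a few 'anomalies' worth a look, or 'drift' (stale baseline)."""
    rate = anomaly_rate(events, baseline)
    if rate == 0:
        return "normal"
    if rate >= DRIFT_RATE:
        return "drift"
    return "anomalies"


def rebaseline(old_baseline, recent_hours, weight_recent=0.5):
    """Blend the old distribution with recent behaviour so the detector tracks the new normal.

    This deliberately requires a human decision (the caller chooses when to call it):
    rebaselining on every window would also teach the model to accept an attacker's pattern.
    """
    recent = build_baseline(recent_hours)
    return {h: (1 - weight_recent) * old_baseline[h] + weight_recent * recent[h]
            for h in old_baseline}


if __name__ == "__main__":
    base = build_baseline(BASELINE_HOURS)
    print("pre-shift window :", classify_window(BASELINE_HOURS, base))
    print("shifted window   :", classify_window(SHIFTED_HOURS, base),
          f"(anomaly rate {anomaly_rate(SHIFTED_HOURS, base):.0%})")
    # An analyst confirms the shift is benign (customers now ordering at midnight) and rebaselines.
    updated = rebaseline(base, SHIFTED_HOURS)
    print("after rebaseline :", classify_window(SHIFTED_HOURS, updated))
    # A lone 04:00 event in an otherwise ordinary afternoon window still stands out.
    print("single outlier   :", classify_window([13, 14, 4, 15], updated))
```

The design point is the `drift` outcome: when most of a window is flagged, paging on each event buries the team in alerts and trains them to ignore the tool, whereas reporting drift once prompts the review the respondent describes. Rebaselining is kept as an explicit, analyst-triggered step because a detector that silently adapts to whatever it sees will also normalise the behaviour of an already-compromised BYOD device that was granted legitimate access.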
That’s all folks. Have a pressing cybersecurity question or contribution? Get in touch with us!