In addition to the health and economic impacts of COVID-19, society had to grapple with a plethora of new and persistent cybersecurity threats. As the initial health impacts of the pandemic fade, we need to understand the aftermath as it pertains to attacks on information systems around the world. At the outset of COVID-19, we saw a perfect storm of failures in people, processes, and technologies that led to numerous attacks and cybersecurity incidents around the world. Many different reasons led to these episodes. While cybersecurity defenders did their best, various conditions created an environment conducive to bad actors, which they quickly took advantage of. CISOs must have a clear understanding of the technologies and processes in place and make the necessary adjustments after COVID-19 to prevent attackers from succeeding in perpetuity.
By Eric Jeffery, Senior Solutions Architect, IBM
How Did We Get Here?
Some of the weaknesses that arose in cybersecurity defense involved technical components while others dealt with human error. Human failures occurred for different reasons: some due to a lack of knowledge, others due to overwork, and yet more because information technology professionals were thrust into fields they were not familiar with. When I spoke with the IT leadership at a university in Utah and a government agency in New Mexico, it was clear that their organizations suffered in delivering IT services at the start of COVID-19. I was told that staff had to quickly shift from other tasks and engage with new technologies, which led to productivity impacts and security concerns. A healthcare system in the northeast diverted its security team from critical projects to align them with supporting COVID-19 requirements. This resource shift opened them up to the risk of attacks slipping by, as the security team was no longer working in their security operations center and was instead helping in other areas of IT.
Staff being overworked, stressed, and asked to handle technologies they were not skilled in created new weaknesses for hackers to exploit. I observed that many organizations were wholly unprepared to handle the information technology challenges that arose from COVID-19. For instance, a major entertainment firm on the east coast pulled back from deploying security infrastructure due to revenue loss tied to COVID-19. They also moved staff to other areas in their information technology organization. Removing front-line security resources led to increased risks for the organization as a direct result of COVID-19. As the famous cybersecurity professional Bruce Schneier states, “Security is not a product, but a process.” COVID-19 and its aftermath show organizations the need to always prepare and implement proper processes rather than wait to see how they respond in a crisis.
Some of the most prevalent errors that led to the increase in attacks and successful breaches involve the following areas:
1. Social Engineering: Social engineering in a time of fear and uncertainty makes people more vulnerable, desperate, and less vigilant. Canada’s National Observer reported in April that a security firm witnessed a 4,000% increase in ransomware emails. In early May, Datrium stated that nearly 70% of IT professionals from large firms had experienced ransomware attacks since COVID-19 began. SDX Central reported that ransomware attacks skyrocketed 148% in March. Europol reported, “Phishing and ransomware campaigns are being launched to exploit the current crisis and are expected to continue to increase in scope and scale.” The number of successful ransomware attacks during the COVID-19 work-from-home rush exemplifies how susceptible individuals and companies are to social engineering. According to VMware Carbon Black threat researchers, ransomware attacks skyrocketed 148% in March, compared to baseline levels in February, as corporations shifted to remote work because of the coronavirus pandemic.
2. Firewall Misconfiguration: When employees connect from a corporate location, managing and maintaining firewall rules is commonplace and simple. As staff migrate to remote locations, the combinations and permutations of rules become exponentially more difficult to manage. Organizations undoubtedly suffered from security weaknesses when they had to modify access control lists to support remote workers. One incorrect digit opens a plethora of attack vectors that hackers can take advantage of. Gartner states that 99% of all firewall breaches through 2023 will be due to firewall misconfigurations, not system flaws. We saw this exact issue with the Capital One AWS data breach. When network engineers are tasked with rapidly modifying firewall configurations, errors undoubtedly occur and new holes open, leaving organizations at risk.
3. Virtual Private Network (VPN) Configurations: When setting up virtual private networks, entities must decide whether they want all traffic to traverse the corporate network or whether they want remote workers to use their own internet service provider for everything except specific corporate resources. The technical term for the latter is split tunneling. When it is enabled, users bypass internal security mechanisms including proxy servers, data loss prevention systems, and intrusion detection and prevention devices. That is the drawback; the benefits are that corporate networks do not become overloaded and users do not have to traverse long distances to reach network resources.
During COVID-19, network security professionals began seeing increased connections to known botnets. In a Twitter post, MalwareTechBlog reported on April 18th that “Emotet is back and better (worse) than before. After months of inactivity, all botnets are showing signs of life and utilizing new evasion techniques.”
ZDNet also reported that Emotet, “today’s most dangerous botnet” comes back to life.
This occurred, in part, because infected systems that had been protected behind corporate networks and proxy servers were no longer prevented from reaching out to their command and control systems. Additionally, according to the official site of the state of New Jersey, “new cyber threats are revealed that exploit public concern over COVID-19… [including] software that, when downloaded, installed the BlackNET remote access trojan and added the compromised system to a botnet.”
Organizations need to improve endpoint protection, so systems do not become or stay infected. Proper endpoint hygiene reduces the need for proxy servers and limits the risks of enabling split tunneling.
4. Unsecured and Unprotected Endpoints: With millions of professionals shifting from working in an office to working remotely, companies struggled to find enough laptops for their staff to use. As The Wall Street Journal reported on May 8th, “Store Shelves Stripped of Laptops as Coronavirus Increases Working From Home.” This shortage of systems led individuals to use personal equipment to do even the most basic work, including email, file sharing, and instant messaging. Using personal systems on a corporate network adds risk, as internal IT teams have little to no control over what is on those systems. Bring Your Own Device (BYOD) has been an issue for IT professionals for years, and with COVID-19 that list of devices skyrocketed. Weaknesses in home networks and personal devices add a new level of threat to corporate environments.
5. Transmitting Data Improperly: Companies and agencies face numerous risks when staff use personal email for business. There are legal and privacy concerns as well as regulatory and technological risks associated with improper email transmissions. Prior to COVID-19, according to Avatier, an identity and access management firm, nearly 4 in 10 people used personal email accounts for work-related email. The increase in remote work will push this number higher because of the ease of access outside a corporate environment. When employees work in a corporate office with properly configured systems, IT can control how data gets transmitted. Removing employees from that static environment and allowing them to use either personal or company systems on personal networks potentially eliminates these safeguards.
Employees need to communicate, and most often they take the path of least resistance. If they cannot email a file through the company email account, they quickly default to an MSN, Gmail, or Mail.com account. This activity completely opens the organization to untraceable data loss. In addition to email, individuals may switch from Slack or MS Teams to text messaging or WhatsApp. While employees could do this from the office, it is easier for IT teams to identify these bypasses when the employee is on a corporate network. With so many individuals working at home, the threat of data loss due to COVID-19 changes in our way of working is incalculable.
This story first appeared in the July 2020 issue of CISO MAG.
About the Author
Eric Jeffery has over 20 years of experience in cybersecurity and currently works as a Senior Solutions Architect for IBM. He has published numerous articles and spoken at several conferences around the U.S. during his tenure in information technology. Jeffery recently started a podcast under the moniker Cyber Security Grey Beard™, where he helps students and early professionals begin and grow in the cybersecurity field.
The comments and statements in this article are my own and don’t necessarily represent IBM’s positions, strategies, or opinions.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.