The Pandemic Heightens the Need for Cybersecurity
Experts share their observations of the cybersecurity landscape in such an unusual time.
While the world was facing the rapid and deadly spread of SARS-CoV-2, the virus that causes COVID-19, malicious cyber attackers were also at work: increasing the number of attacks, switching methods, taking advantage of the surge in Internet, network and email use, and playing on fears during an uncertain time, cybersecurity experts say. Companies struggling to maintain operations are still leaving gaps in digital security, they warn.
With employees suddenly working at home and connected to the web during the day as well as in the evenings, the digital marauders increasingly targeted home users, either as a gateway into corporate networks, to harvest information from the growing number of browser users, or to hit home-based Internet of Things (IoT) devices with botnet attacks, say leading cybersecurity specialists, including: Mark Ostrowski, head of engineering, East, Check Point Software Technologies Ltd.; Jim Richberg, field chief information security officer (CISO), Fortinet; and Steven Stone, director, Advanced Practices, FireEye, Inc.
All of the experts point out that the malicious cyber actors wasted no time in taking advantage of the sudden expanded attack surface.
Ostrowski, who has spent nearly 20 years at Check Point, most recently in the Office of the Chief Technology Officer, is leading a team engineering solutions to some of the hardest cyber problems at the company, as well as for clients in the Eastern United States. “From a cyber perspective, it literally was like a light switch,” he notes. “The amount of attacks that were being created weekly got to as high as 120,000 to 130,000 attacks per week—an amazing, amazing amount of activity.”
Home user networks tend to be less protected because they usually sit behind consumer-grade firewalls rather than enterprise-grade ones, Richberg says, adding that homes can be full of IoT devices and vulnerabilities that have not really been addressed from a cybersecurity standpoint.
Richberg, who has more than 30 years of cybersecurity, threat intelligence, cyber strategy and policy experience with the U.S. government and international partners, also spent 20 years at the Central Intelligence Agency. Before joining Fortinet, he was the national intelligence manager for cyber at the Office of the Director of National Intelligence, the most senior federal executive focused on cyber intelligence within the U.S. intelligence community (IC), creating and implementing cyber strategy for the 17 departments and agencies of the IC.
“We saw everyone from cyber criminals to persistent threat actors move towards targeting that environment,” he states. “They’ve been adaptive. They’ve been leveraging a highly uncontrolled computing environment.”
The experts also are seeing more targeted attacks on web browsers, alongside a steady continuation of phishing and email-based breach campaigns.
“We’re seeing an increase in web-application compromises,” Richberg states. “Since the pandemic, we have actually seen more computers get compromised through the browser than we have through email attachments. In an office, there usually is a corporate web application filter that is looking for malicious content on the Internet end and possibly at even the destination itself. You typically don’t have those at home.”
And while the pandemic has changed some aspects of everyday life—such as the need to work from home—what has not changed is the makeup of cyber threat actors. “[They] are still largely the same,” Stone says. “The bad guys we were concerned about before COVID are the bad guys we are concerned about now during COVID. That didn’t fundamentally change.”
Stone started his career in the U.S. Air Force as a special agent in the Office of Special Investigations, focusing on counterterrorism and felony crimes, and then led a cyber threat intelligence team in the U.S. intelligence community. He provided threat intelligence at IBM and, as a government civilian, at the U.S. Transportation Command before coming to FireEye.
FireEye is still seeing the nation-state programs as the most challenging adversaries, he says. “We track over 20 different countries with active nation-state programs,” Stone relays. “China remains very active and dangerous for our clients, and Russia, North Korea, Iran. It is kind of the usual threats that we’ve known about.”
Stone adds that the cyber-crime threats from those nations “are very real and can really run the whole spectrum of very advanced operations to very low level.” He notes that most people make the mistake of assuming that low-level attacks are not going to be successful. “We see it over and over in the industry that in many cases that is not true,” Stone states. “They just have to be a little bit better than whoever they are compromising.”
And these active cyber marauders—whether they are nation-state actors or lower-level criminals—have proven to be very nimble in taking advantage of the latest narrative, theme or event happening in the world, and that is nothing new, the experts say.
“Threat groups will try to leverage COVID, whether it’s through email lures or finding this increased surface area to do intrusions,” Stone says. “But targeting, that’s not new. It’s no different from every major geopolitical event. It’s actually really expected, very predictable.”
Ostrowski adds, “The other thing that still holds true today is that the attacks were obviously very much focused on COVID, and not only were they focused on COVID, but they were also focused on whatever the narrative or whatever the theme was during that particular week or maybe a couple of weeks,” he says. “If you remember the cruise ship that was docked off the coast of Japan, there was a specific cyber threat around that, where folks in that region were receiving phishing emails about the cruise ship. And that approach in general has followed since then.”
And harnessing changing themes on which to base attacks is an effective method for cyber marauders, Richberg notes, especially as people may be more anxious or interested because of COVID-19. “People have gotten wise, by and large, to the financial scams,” he observes. “But if you get something, for instance, that purports to come from your local public health department, saying contact tracing suspects you have been exposed to COVID-19, you are much more likely to open that email.”
With the rush to create a COVID-19 vaccine, cyber attackers have also developed specific malware and targeted phishing campaigns, hoping to harvest personal data from people who click on emails or links promising information about vaccine availability, Ostrowski states.
And while cyber attacks based on themes or geopolitical events are not new, the attacks are on a much bigger scale, he says. “The amount of attacks has been extraordinary,” Ostrowski exclaims. “And the sophistication of the attacks following those themes as they changed through the past several months, that was the biggest change that we saw here at Check Point. The scale was just off the charts.”
Naturally, with people working from home and relying on communication tools to hold meetings, cyber attackers targeted that activity. “And it wasn’t just limited to Zoom,” Ostrowski continues. “People were affected on WebEx, Microsoft Teams or Google Meet. That was another narrative and theme, and the attackers adapted very quickly to those.”
Stone offers that the scramble of businesses and organizations to find third-party technology has created less visibility into the now-extended networks. “In the U.S. government, there are a lot of people that are having to use personal laptops now, and they’re trying to figure out a mix of the devices and networks, and there is less visibility,” he confirms. “That’s what happens when you rapidly adopt a third-party tool, and now you can’t see what your users are doing inside that. This is not a new thing, but the scale of the problem is greater.”
In that rush to continue business operations, cybersecurity was less of an initial priority than ensuring corporate continuity, the experts note.
“Early on in the pandemic, the first thing was all about just getting access to sustain business continuity as best as possible,” Ostrowski says. “And some industries that were very much on-premise and not really remote struggled to move to 100 percent remote. Once the continuity was reestablished, what ended up happening was a gap from a security perspective, because continuity was about getting access and building new processes, but security was not necessarily the forefront of that.”
In addition, Richberg points out that bandwidth is usually the first issue companies address—instead of cybersecurity—to see whether they can support a certain number of connections without dropping people off the network. “You have to look at whether you actually have architected the infrastructure of the headquarters properly,” he offers. Risks remain even when a company’s cybersecurity professionals have put a virtual private network (VPN) in place and have deployed secure sockets layer (SSL) inspection to decrypt and examine traffic on the network: they may not be examining all of that traffic, or the inspection devices may have been turned off to improve network performance.
“You’re probably using a VPN,” he explains. “You’re probably encrypting the data going between the remote environment and the corporate or government end. That is just the best practice. And if the traffic is coming back encrypted from the VPN, are you actually looking at all of that content to make sure something’s not riding into the corporate network that way? There also is a difference between saying you can read [the traffic] and you can read it without dragging the performance [of the network] to its knees. So, what I have been telling organizations is that the security people will say, ‘Yes, we’ve checked the box. We can do SSL inspection.’ But talk to the network guys [and see]—did they actually turn it off because the bandwidth wasn’t there to support it with the kind of performance we needed? It is ‘trust but verify.’”
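The “trust but verify” check Richberg describes can be run from any managed endpoint rather than taken on faith. When an inspecting proxy is active, the certificate a client sees for an external site is re-issued by the organization’s own inspection CA instead of a public CA; if the network team has switched inspection off, the public issuer comes through untouched. The script below, an added example that is not from the article or from Fortinet or Check Point, compares the issuer of the certificate presented for an external host against an assumed inspection-CA name (`INSPECTION_CA_CN`, a placeholder to replace with your own). The two sample certificate dictionaries are constructed to match the shape Python’s `ssl` module returns and are not real captures.

```python
"""Verify that outbound HTTPS traffic is really being TLS-inspected.

Added example: probes external hosts from an endpoint and classifies the
issuer of the certificate it receives. If the issuer is the organisation's
inspection CA, inspection is on; if a public CA's certificate arrives
unchanged, inspection is off for that path (or this endpoint is bypassed).
"""
import socket
import ssl

# Assumed placeholder: the common name of your organisation's inspection CA.
INSPECTION_CA_CN = "Example Corp TLS Inspection CA"

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output; not real captures.
SAMPLE_INSPECTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", INSPECTION_CA_CN),),
    ),
}
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Some Public CA Inc"),),
        (("commonName", "Some Public CA TLS Issuing CA"),),
    ),
}


def issuer_common_name(cert: dict) -> str:
    """Return the issuer CN from a getpeercert()-style dict, or '' if absent."""
    for rdn in cert.get("issuer", ()):
        for attr_name, value in rdn:
            if attr_name == "commonName":
                return value
    return ""


def classify(cert: dict, inspection_ca_cn: str = INSPECTION_CA_CN) -> str:
    """Classify a peer certificate as 'inspected', 'not-inspected' or 'unknown'."""
    cn = issuer_common_name(cert)
    if not cn:
        return "unknown"
    return "inspected" if cn == inspection_ca_cn else "not-inspected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection to host and return the peer certificate dict.

    The default trust store is used deliberately: if the inspection CA is not
    trusted on this endpoint, the handshake raises SSLCertVerificationError,
    which is itself a finding worth recording.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(results: dict) -> str:
    """Reduce per-host verdicts to one line: inspection is on only if every probe agrees."""
    verdicts = set(results.values())
    if verdicts == {"inspected"}:
        return "inspection active on all probed paths"
    if "inspected" in verdicts:
        return "inspection partial: some paths bypass the proxy"
    return "inspection NOT active"


if __name__ == "__main__":
    # Probe hosts are assumptions; pick external sites your policy says must be inspected.
    results = {}
    for host in ("www.example.com", "www.example.org"):
        try:
            results[host] = classify(probe(host))
        except (ssl.SSLError, OSError) as exc:
            results[host] = f"handshake failed ({exc.__class__.__name__})"
        print(f"{host}: {results[host]}")
    print(summarize(results))
```

Run it from a handful of endpoints in different offices and VPN profiles, not just one; a split-tunnel VPN or a proxy bypass rule can leave inspection on for headquarters while remote users go straight to the Internet.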
Ostrowski also observed a push for quicker cloud adoption during the pandemic, with much more activity than previous months or quarters. “If a customer was not adopting cloud or adopting cloud slowly, that changed overnight,” he emphasizes. That rush to the cloud, however, could also leave organizations with gaps in security. “So, going back to your new cloud environments or new cloud applications and making sure they are also secure is [really important].”
Stone reasons that the present situation presents a lot of opportunities for companies or government organizations to change their cybersecurity posture. “And a lot of that can be really good if organizations take that seriously,” he says. “Some organizations are realizing that it is not enough that somebody is using a corporate laptop. If you have intellectual property sitting on someone’s hard drive, that’s a huge risk. So, we are seeing more and more organizations getting better at securing intellectual property and operations at a systemic level.”
At the heart of that effort, companies or organizations should spend the time figuring out what their essential operations are so that they can digitally protect the important aspects of their business.
“We are here to help clients make smart, informed decisions to deal with the threats affecting their operations,” Stone explains. “This means that we have spent a lot of time over the years helping clients understand ‘what exactly is your operation.’ And ‘let’s talk about your network’ for sure, but let’s also talk about what it is you are doing. Why does your company exist? Why does your organization exist? What makes you, you? And that has proven to be really valuable to our clients now because that is what they are really struggling with. Our clients are struggling with how do they still do what makes them, them, in this new, challenging environment where workers aren’t coming into buildings anymore.”