2020 will go down in history as a year of surprises. The Covid-19 pandemic resulted in challenges to health, wealth, business, and cybersecurity. The early part of the year saw a rapid movement out of the office, introducing a sudden need to support home working. According to Gartner, 88% of companies sent their workforce home to work during the peak of the pandemic. This remote work environment is continuing for many organizations in 2021.
In 2020, businesses were forced to adapt fast. Rapid changes in communication and connectivity requirements meant increased use of cloud services and apps. The result of this massive upheaval in working conditions was that cybercriminals, ever the opportunists, exploited the vulnerabilities it created.
2020 was the year that Covid-19 harmed our societies, but it was also the year that cybercriminals harmed several businesses worldwide. As 2021 kicks off, what can be learned from the cybersecurity events of 2020 to help prioritize cybersecurity initiatives in 2021?
The year that was – a cybersecurity primer for 2021
2020 can be viewed as a template for the year to come. Cybercriminals are exploitative. They make the most of opportunities as they present themselves, but they also learn from their choices. To look forward, one has to look back. Here are some of the lowlights of 2020, where cybercriminals hurt businesses as Covid-19 hurt communities.
The big phish continued
Phishing was the technique threat actors exploited most in 2020, and it has long been a theme in researchers’ reports. The 2020 Data Breach Investigations Report (DBIR) identified the top three attack types as credential theft, phishing (and other social attacks), and errors (including misconfiguration), finding that phishing featured across several attack vectors and was the primary attack vector in 22% of all data breaches.
The report also linked the massive shift to remote working with the steep uptick in phishing attacks, citing a positive correlation. The DBIR noted that over 80% of breaches involved the use of lost or stolen passwords captured during phishing campaigns or used during brute force attacks.
There is a good reason for the fraudsters’ love of phishing. Cybercriminals are masters of behavioral manipulation, and phishing is social engineering at its best. In 2020, Covid-19 opened up new opportunities to allow phishers to create topical scams; phishing scams that contained a reference to the pandemic and impersonated government agencies were everywhere. The World Health Organization (WHO) was forced to put out a notice to the world, warning of Covid-19 related phishing campaigns. More recently, a surge in phishing related to the Covid-19 vaccine has been noted.
Within this mix, cloud apps have become a focus for phishing attacks, using well-known brands to trick users into complying with a link click or attachment download. For example, Microsoft 365 (formerly Office 365) has seen increased activity around the cloud app. In a post from Microsoft on phishing attacks, the company stated that:
“…threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets.”
Cloud apps were the rising targets
According to the 2020 DBIR, cloud applications were targeted in 43% of all breaches. One of the most notable issues of the last year has been the increase in misconfigurations of web apps, servers, and other components, which lead to vulnerabilities and exploits. A recent survey of cloud engineering and security teams found that 73% of participants experienced more than ten incidents a day, and at least 33% experienced more than a hundred incidents a day.
New malware strains surfaced
Malware continues to evolve as the tool of the cybercrime trade. New strains of trojans continually emerge to help cybercriminals evade detection and use new vulnerabilities.
A recent example is the TrickBot malware. TrickBot uses compromised MikroTik routers as command-and-control infrastructure to control and manage its infections. Ransomware is also a continuing menace for enterprises of all types and sizes. In 2020, Ryuk was the ransomware behind the attack on Universal Health Services (UHS), a major private healthcare service provider in the US. The attack is believed to be one of the biggest in US medical history. In Germany, the worst possible outcome of a ransomware attack happened when a female patient died because the hospital under attack was unable to take in patients.
Threats exploded with remote working
Remote working has created an alignment of planets that has afforded several cybersecurity attack opportunities. Attackers are targeting the new wave of remote workers with social engineering tactics to plant malware on their devices.
The difficulties in maintaining security hygiene in remote work environments only act to exacerbate the situation. Insecure working conditions, including vulnerabilities in home networks, access control management, and the use of personal devices (BYOD), have resulted in a lack of corporate control over resource access and security. A recent conclusion from a Gartner security summit stated that:
“With remote work spurred by COVID-19, the number of exposed remote desktop protocol (RDP) and virtual private network (VPN) services increased, and the widespread reliance on digital meeting solutions created new threat vectors.”
Five cybersecurity priorities for 2021
While 2020 may have created cybersecurity challenges beyond imagination, it has also given us a steep learning curve that we can make use of in 2021. Learning from the lessons of 2020, what should an enterprise prioritize in 2021 to make it a more secure new year?
Priority one: Watch even if from afar
When employees do not work onsite, it can be much harder to manage security hygiene and productivity expectations. Platforms and tools designed to manage users across disparate endpoints using a myriad of public cloud apps and services must be added to the enterprise security toolkit.
An area that has found maturity and new meaning in this remote working era is the use of employee monitoring and data analytics tools, also known as User and Entity Behavior Analytics (UEBA). UEBA uses machine learning to look for patterns of behavior as humans, devices, and networks interact. UEBA software uses these data to create a baseline of normalized behavior as a reference point.
Deviations from that baseline can then be used to alert on potential threats. UEBA tools were originally designed to surface hard-to-spot threats such as those from insiders, but the advent of mass teleworking has given UEBA an ideal application: making sure that those working from home are working securely.
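The baseline-then-anomaly idea described above, as an added illustration written for this article (it is not code from any vendor's UEBA product). The event fields, the per-user baseline of volume mean/standard deviation plus usual hours and hosts, and the scoring weights and thresholds are all assumptions; the events are constructed sample data:

```python
# Added example: a minimal UEBA-style baseline-and-anomaly scorer.
# Illustrative code written for this article, not any vendor's UEBA product.
# The event fields, weights and thresholds below are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "training window" of normal activity: user, hour of day,
# host the session came from, and bytes sent out during the session.
BASELINE_EVENTS = [
    {"user": "alice", "hour": 9,  "host": "laptop-01", "bytes_out": 12_000},
    {"user": "alice", "hour": 10, "host": "laptop-01", "bytes_out": 15_000},
    {"user": "alice", "hour": 11, "host": "laptop-01", "bytes_out": 13_000},
    {"user": "alice", "hour": 14, "host": "laptop-01", "bytes_out": 14_000},
    {"user": "alice", "hour": 16, "host": "laptop-01", "bytes_out": 11_000},
    {"user": "bob",   "hour": 8,  "host": "wks-07",    "bytes_out": 50_000},
    {"user": "bob",   "hour": 9,  "host": "wks-07",    "bytes_out": 55_000},
    {"user": "bob",   "hour": 10, "host": "wks-07",    "bytes_out": 45_000},
    {"user": "bob",   "hour": 17, "host": "wks-07",    "bytes_out": 60_000},
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    {"user": "alice", "hour": 10, "host": "laptop-01",  "bytes_out": 14_500},   # normal
    {"user": "alice", "hour": 3,  "host": "unknown-vm", "bytes_out": 900_000},  # off-hours, new host, huge volume
    {"user": "bob",   "hour": 9,  "host": "wks-07",     "bytes_out": 300_000},  # usual hour/host, volume spike
    {"user": "bob",   "hour": 23, "host": "wks-07",     "bytes_out": 50_000},   # off-hours only
    {"user": "carol", "hour": 12, "host": "laptop-09",  "bytes_out": 8_000},    # never seen before
]

# Weights: a volume spike or an unknown identity counts for more than a
# single off-hours login, so one weak signal alone does not page anyone.
W_VOLUME, W_HOUR, W_HOST, W_UNKNOWN_USER = 2, 1, 1, 2


def build_baseline(events):
    """Per-user profile: volume mean/stdev plus the hours and hosts seen."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        volumes = [e["bytes_out"] for e in evs]
        baseline[user] = {
            "mean": mean(volumes),
            "stdev": pstdev(volumes),
            "hours": {e["hour"] for e in evs},
            "hosts": {e["host"] for e in evs},
        }
    return baseline


def score_event(event, baseline, z_threshold=3.0):
    """Return (score, reasons) for one event; score 0 means it fits the baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return W_UNKNOWN_USER, ["no baseline for user"]
    reasons, score = [], 0
    # z-score of the outbound volume against this user's own history
    if profile["stdev"] > 0:
        z = (event["bytes_out"] - profile["mean"]) / profile["stdev"]
    else:
        z = 0.0
    if z > z_threshold:
        score += W_VOLUME
        reasons.append(f"volume z={z:.1f}")
    if event["hour"] not in profile["hours"]:
        score += W_HOUR
        reasons.append("unusual hour")
    if event["host"] not in profile["hosts"]:
        score += W_HOST
        reasons.append("new host")
    return score, reasons


def detect(events, baseline, min_score=2):
    """Return alert records for events whose score reaches min_score."""
    alerts = []
    for e in events:
        score, reasons = score_event(e, baseline)
        if score >= min_score:
            alerts.append({"user": e["user"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_EVENTS)
    for alert in detect(NEW_EVENTS, profiles):
        print(f"ALERT {alert['user']}: score={alert['score']} {', '.join(alert['reasons'])}")
```

Running it alerts on alice's off-hours transfer from a never-seen host, bob's volume spike, and the unknown user carol, while bob's single late login scores below the threshold. The weighting is the tuning knob a real deployment spends most of its time on: too low and analysts drown in off-hours logins, too high and a quiet exfiltration from a usual host slips through.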
Advanced endpoint protection is another area that requires focus in 2021. Gartner predicts that by 2023, over 50% of enterprises will have more advanced anti-virus capabilities, using combined endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions to augment prevention with detection and response capabilities.
Together, these tools provide the means to ensure employees work safely even when they work remotely.
Priority two: Take the intelligent route to cyber-attack prevention
Any new technology that enters the general landscape is open to abuse by cybercriminals. This is the case for AI-enabled technologies. There is likely to be an extra load on cybersecurity teams in 2021 because of the use of smart tactics using techniques like deep fakes.
A hint at what is to come was seen in the area of Business Email Compromise (BEC) back in 2019 when a CEO was tricked into sending over $240,000 to a scammer who used a deep faked voice scam. A blog post from Veriato in 2019 also highlighted some of the techniques used in AI-enabled cyber-attacks, including circumvention of CAPTCHA and super-sophisticated phishing campaigns. AI-enabled attacks are something that will need to be on the security policy radar in 2021. Mitigation measures should include:
- Security awareness training in the use of deep fakes in attacks such as BEC and phishing.
- General security policy enhancement to take AI-enabled attacks into account and enforcement of security hygiene and anti-malware protection.
- Other measures include general improvement in identity and access control, coupled with robust verification and authentication.
Priority three: Transition from blind trust to Zero Trust
Another area of cybersecurity that has come to the forefront in 2020 as remote working has taken hold is the principle of Zero Trust security. The movement to use a zero-trust architecture, especially for vastly expanded networks that incorporate remote workers, makes sense and is achievable. The concept of Zero Trust security is based on the idea that an enterprise, with regard to employees, devices, data, and networks, should “Never Trust, Always Verify.” In a Zero Trust architecture (ZTA), data is ‘zoned’ into ‘micro perimeters,’ and control is enforced between those zones, with every access being verified against the rules.
Monitoring, logging, and the use of advanced data analytics are crucial in spotting malicious activity across the micro perimeter ecosystem.
According to NIST’s Special Publication 800-207:
“…identity and access management, continuous monitoring, and best practices, a ZTA can protect against common threats and improve an organization’s security posture by using a managed risk approach.”
Remote enterprise subjects and assets cannot fully trust their local network connection. Remote subjects should assume that the local (i.e., non-enterprise-owned) network is hostile. Assets should assume that all traffic is being monitored and potentially modified.
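To make the “control is enforced between zones, with access verified against the rules” idea concrete, here is an added example written for this article (not code from NIST SP 800-207 or from any product). It puts a perimeter-style decision, where being on the corporate network is enough, beside a per-request Zero Trust decision that checks role, MFA and device posture for the requested zone and denies by default. The zone names, request attributes, rules and sample requests are assumptions:

```python
# Added example: a small policy decision point contrasting perimeter-style
# "blind trust" with per-request Zero Trust checks between zones.
# Written for this article; not code from NIST SP 800-207 or any product.
# Zone names, attribute names and the rules themselves are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset          # roles asserted by the identity provider
    mfa_verified: bool        # strong authentication completed for this session
    device_managed: bool      # enrolled in enterprise device management
    device_patched: bool      # posture check: current patch level
    source_network: str       # "corp" or "remote"; Zero Trust treats both as untrusted
    resource_zone: str        # micro perimeter being requested


# Per-zone rules. A zone absent from this table is denied (default deny).
ZONE_RULES = {
    "public-web": {"roles": None,                   "mfa": False, "managed_device": False},
    "hr-records": {"roles": frozenset({"hr"}),      "mfa": True,  "managed_device": True},
    "finance":    {"roles": frozenset({"finance"}), "mfa": True,  "managed_device": True},
}


def perimeter_decision(req):
    """The 'blind trust' model: anything already inside the network is allowed."""
    if req.source_network == "corp":
        return "allow", "inside the perimeter"
    return "deny", "outside the perimeter"


def zero_trust_decision(req):
    """Verify every request against the zone's rules; network location grants nothing."""
    rules = ZONE_RULES.get(req.resource_zone)
    if rules is None:
        return "deny", f"no policy for zone {req.resource_zone!r} (default deny)"
    if rules["roles"] is not None and not (req.roles & rules["roles"]):
        return "deny", "subject lacks a role authorized for this zone"
    if rules["mfa"] and not req.mfa_verified:
        return "deny", "MFA required for this zone"
    if rules["managed_device"] and not (req.device_managed and req.device_patched):
        return "deny", "device posture check failed"
    return "allow", f"policy satisfied for zone {req.resource_zone!r}"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # Office workstation, no MFA, wrong role: the perimeter model waves it through.
    AccessRequest("dave", frozenset({"sales"}), False, True, True, "corp", "finance"),
    # Remote HR user on a managed, patched laptop with MFA: legitimate remote work.
    AccessRequest("erin", frozenset({"hr"}), True, True, True, "remote", "hr-records"),
    # Same user on a personal (unmanaged) device.
    AccessRequest("erin", frozenset({"hr"}), True, False, True, "remote", "hr-records"),
    # Anyone may reach the public zone, from anywhere.
    AccessRequest("guest", frozenset(), False, False, False, "remote", "public-web"),
]


def compare(requests):
    """Return (subject, zone, perimeter verdict, zero-trust verdict) per request."""
    return [
        (r.subject, r.resource_zone, perimeter_decision(r)[0], zero_trust_decision(r)[0])
        for r in requests
    ]


if __name__ == "__main__":
    for subject, zone, perim, zt in compare(SAMPLE_REQUESTS):
        print(f"{subject:>6} -> {zone:<11} perimeter={perim:<5} zero-trust={zt}")
```

The first and second requests show the reversal the article describes: the on-premises user with the wrong role and no MFA is allowed by the perimeter and denied by Zero Trust, while the remote HR user with a healthy managed device is denied by the perimeter and allowed by Zero Trust. In a real deployment the role, MFA and posture attributes come from the identity provider and device management system rather than being asserted by the caller, and every decision, including denials, is logged for the monitoring discussed above.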
Priority four: Prepare for the year of the scam, the next installment
Fraudsters will continue to use employee behavior as an inroad into an enterprise network. Scams and phishing campaigns are highly likely to feature in 2021. Vaccine-based scams and cloud-app targets will offer avenues to manipulate remote and office-based employees alike. Therefore, security awareness training is still an important goal for enterprises of all sizes. This is especially the case where there are increased remote workers who are out of IT teams’ direct reach. Phishing simulation exercises and training on the tell-tale signs of sophisticated spear-phishing and cloud-app based phishing campaigns are vital in managing this prevalent form of cyber-attack.
However, it is important to note that security awareness alone is not enough. Other mitigation measures should include the use of employee monitoring, website scanning, and endpoint security tools.
Priority five: Keep up with the day-to-day of cybersecurity
The speed with which cybercriminals exploited the events of 2020 underscores the strategic need for enterprise security measures. The day-to-day of security policy enforcement has to continue along the well-worn path of traditional security measures: general security hygiene, a good patching protocol, ensuring that penetration tests are carried out on systems and services, and deploying best-of-breed solutions against malware, phishing, social engineering, and so on. Now that remote working has expanded our working environment into myriad satellite home offices, the upkeep of secure working conditions means using the extended reach of security tools such as UEBA and cloud-based employee monitoring.
But while we consider the remote nature of modern work, an enterprise must also ensure that security across the expanded third-party ecosystem is not forgotten. Pandemic or not, regulations too must be adhered to in 2021. A Gartner study found that 52% of legal and compliance leaders were concerned about the levels of third-party cybersecurity risk in the post-COVID world.
Conclusion: Making 2021 the year of secure remote (and office) working
After a year like no other, we can’t afford to lower our guard. 2020 has taught the industry three key lessons. The first is that cybercriminals will make the most of any opportunity, with remote working being one of the most fruitful to date. The second is that cybercriminals can and do use state-of-the-art tricks, tactics, and technologies to exploit enterprise networks. And finally, with the right level of mitigation, the enterprise can fight back and win.
An enterprise needs to think forward and prepare the battleground based on priorities. The world may have changed, but cybersecurity is still a major battleground, and with the right approach and systems in place, the enterprise can make 2021 a year of secure remote (and office) working.