Cybersecurity threats are a reality for the enterprise, and they range from mild irritants to total catastrophes. But since the advent of COVID-19, security incidents have grown in number and changed in character. Enterprises are scrambling to patch systems and implement security protocols while dealing with a massive surge in customer or employee demand. At the same time, they’re having to deal with threats that are qualitatively different and quantitatively greater than before. How does the enterprise cope?
Abbas Kudrati, Chief Cybersecurity Advisor, Cybersecurity Solutions Group, Microsoft; Mark Johnston, APAC Head of Security, Google; and Dave Lewis, Global Advisory CISO, Cisco Systems give their advice in a two-part Q&A on the security realities during COVID-19 and what they anticipate the future to be like.
We have seen an uptick in malware and other attacks since the advent of COVID-19. What are some of the significant vulnerabilities that enterprises need to address immediately?
Dave Lewis (Cisco): The pandemic has served to bring items related to security debt into sharper focus. Security issues that may have been accepted risks, that have lingered for long periods of time and that may have compounded over time could potentially cause more difficulty with the passage of time. This, as well as a greater concentration on the core fundamental items such as multi-factor authentication, VPN and the ability to scale, is essential.
Mark Johnston (Google): Over the last few months, we’ve had numerous conversations with customers about how we can help them adapt to new ways of working, while keeping their data protected. As the number of remote workers increases drastically in a short period of time, one thing we’ve heard repeatedly is that organizations need an easier way to provide access to key internal applications. Workers need secure access to customer service systems, call center applications, software bug trackers, project management dashboards, employee portals, and many other web apps that they can normally get to through a browser when they’re on the corporate network in an office.
Public and private sector organizations alike also will need a strategy to roll out remote access today while enabling a more secure foundation for a modern, Zero Trust access model. To make this possible, we launched BeyondCorp Remote Access a few months ago. This cloud solution—based on the Zero Trust approach we’ve used internally for almost a decade—lets your employees and extended workforce access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN. Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access. This system also allows the easy application of multiple 2FA methods to systems to help protect from potential credential theft, which is important for all users, enterprise or government.
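The contrast drawn above between a remote-access VPN and a Zero Trust access model comes down to what a policy engine looks at before letting a request through. The following is an added illustration, not code from the original article and not Google's BeyondCorp implementation: a perimeter-style check that trusts anything arriving from the corporate network, next to a per-request Zero Trust check that ignores location and instead evaluates identity, 2FA strength and device posture against an application's sensitivity tier. The application catalogue, tier thresholds, the 10.0.0.0/8 corporate range and the sample requests are all constructed for the example.

```python
"""Added illustrative example: perimeter vs. Zero Trust access decisions.

Not BeyondCorp code. The app tiers, the corporate IP range and the request
samples are constructed for this example.
"""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network


class Tier(IntEnum):
    LOW = 1      # e.g. an employee portal
    MEDIUM = 2   # e.g. a software bug tracker
    HIGH = 3     # e.g. a customer service system holding customer data


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in the organisation's device management
    os_patched: bool      # OS at the required patch level
    disk_encrypted: bool  # full-disk encryption enabled


@dataclass(frozen=True)
class Request:
    user: str
    mfa: str          # "none", "otp" or "phishing_resistant" (e.g. FIDO2 key)
    device: Device
    app: str
    source_ip: str


# Hypothetical application catalogue (constructed): name -> sensitivity tier.
APPS = {"portal": Tier.LOW, "bugtracker": Tier.MEDIUM, "crm": Tier.HIGH}

# Constructed corporate network range used by the perimeter model only.
CORP_NET = ip_network("10.0.0.0/8")


def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat model: being on the corporate network (directly or via
    a VPN tunnel) is the only signal, so everything inside is trusted."""
    return ip_address(req.source_ip) in CORP_NET


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Per-request model: network location is not a signal. Identity, 2FA
    strength and device posture are evaluated on every request, with stricter
    requirements as the application's sensitivity tier rises."""
    tier = APPS.get(req.app)
    if tier is None:
        return False, "unknown application"
    if req.mfa == "none":
        return False, "MFA required for all internal apps"
    if tier >= Tier.MEDIUM and not req.device.managed:
        return False, "managed device required"
    if tier == Tier.HIGH:
        if req.mfa != "phishing_resistant":
            return False, "phishing-resistant MFA required for HIGH tier"
        if not (req.device.os_patched and req.device.disk_encrypted):
            return False, "device posture insufficient for HIGH tier"
    return True, "allowed"


# Constructed sample requests.
SAMPLES = {
    # Password-only session on an unmanaged laptop, but on the office LAN.
    "insider_no_mfa": Request("alice", "none", Device(False, False, False),
                              "crm", "10.1.2.3"),
    # Remote worker, hardware key, compliant managed laptop.
    "remote_strong": Request("bob", "phishing_resistant",
                             Device(True, True, True), "crm", "203.0.113.5"),
    # Remote worker, OTP app, managed device, medium-tier app.
    "remote_otp_medium": Request("carol", "otp", Device(True, True, True),
                                 "bugtracker", "198.51.100.7"),
    # Remote worker, OTP app only, asking for the high-tier app.
    "remote_otp_high": Request("dan", "otp", Device(True, True, True),
                               "crm", "198.51.100.8"),
}


def compare(name: str) -> tuple[bool, bool, str]:
    """Return (perimeter_allows, zero_trust_allows, reason) for a sample."""
    req = SAMPLES[name]
    allowed, reason = zero_trust_decision(req)
    return perimeter_decision(req), allowed, reason


if __name__ == "__main__":
    for name in SAMPLES:
        peri, zt, why = compare(name)
        print(f"{name:18} perimeter={peri!s:5} zero_trust={zt!s:5} ({why})")
```

The two decisions diverge in exactly the cases the interview is concerned with: the perimeter model waves through a password-only session on an unmanaged machine because it originates inside the network, while the Zero Trust model refuses it and instead admits a remote worker whose 2FA method and device posture meet the application's tier. In a real deployment the tier catalogue and posture signals would come from an inventory and a device-management service rather than constants.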
Abbas Kudrati (Microsoft): According to the Microsoft Threat Intelligence Team, the rise in COVID-19-themed attacks closely mirrored the unfolding of the worldwide pandemic, but what we noticed was that this surge of COVID-19-themed attacks was really a re-purposing by known attackers using existing infrastructure and malware with new lures.
It became clear that companies that relied on traditional security methods—things like firewalls—instead of newer cloud-based solutions found themselves most vulnerable.
Not only did they have trouble meeting the needs of a new remote workforce, but more importantly, they were also more susceptible to COVID-19-themed threats than those using more cloud-based architectures like Zero Trust.
For organizations both within the public and private sector, it would be essential to take immediate steps to improve security posture. Some key examples include setting up Multi-Factor Authentication for digital tools to reduce the risk of identity compromise, if it has not yet been done, while educating end users about spotting phishing and social engineering attacks, and practicing credential hygiene.
Will the post-COVID-19 world present a “new normal” for cybersecurity professionals, or will things go back to being as they were, say, in 2019?
Dave Lewis (Cisco): Remote workers are here to stay, and we need to adjust our way of thinking about where the perimeter is now as opposed to the old ideal of a castle wall and a moat protecting the kingdom.
It’s extremely unlikely that we will see a complete return to the way things used to be.
Mark Johnston (Google): As we entered the first few months of dealing with COVID, many organizations expected a slowdown in their digital strategy. Instead, we saw the opposite — most customers accelerated their use of cloud-based services. Organizations now need to manage a new normal which includes a distributed workforce and new digital strategies, ready or not. The goal of my team and me is to help make security operations easier for customers while they execute on new priorities, especially those that relate to today’s new operating environment.
Abbas Kudrati (Microsoft): These unprecedented times that we are living in have reminded us that security technology and the function of cybersecurity is about improving productivity and collaboration through inclusive user experiences.
With or without COVID-19, risks from cyberattacks remain prevalent and threat vectors evolve in line with global events and shifts to remote working. Over the next few years, I believe that digital empathy will grow to become an important priority in the field. This involves applying empathy to digital solutions and tools by ensuring that they can account for a diverse group of people’s ever-changing circumstances and can forgive human error. The nature of the industry and the security tools we create should evolve to focus on the user and empower their changing needs while maximizing their productivity. The onus to protect should be increasingly on the technology instead of the user.
As a technology vendor, what sort of cyberattacks have you experienced recently (since COVID-19 began), and are they different qualitatively and quantitatively from those that have come before? How have you dealt with them?
Mark Johnston (Google): Bad actors are using the anxieties people are facing around COVID-19 to access user data.
Over the past months we have also seen the emergence of regional hotspots and threats. These attacks and scams use regionally relevant lures, financial incentives, and fear to create urgency and entice users to respond. This includes attacks masquerading as established institutions or government agencies to get viewers to click on malicious links.
To counter these threats, we have put proactive monitoring in place for COVID-19-related malware and phishing across our systems and workflows. While we’ve put additional protections in place, our AI-based protections are also built to naturally adapt to an evolving threat landscape, picking up new trends and novel attacks automatically. For example, the deep-learning-based malware scanner we announced earlier this year continues to scan more than 300 billion documents every week, and boosts detection of malicious scripts by more than 10%. These protections, newly developed and already existing, have allowed us to react quickly and effectively to COVID-19-related threats, and will allow us to adapt quickly to new ones. Additionally, as we uncover threats, we assimilate them into our Safe Browsing infrastructure so that anyone using the Safe Browsing APIs can automatically stop them. Safe Browsing threat intelligence is used across Google Search, Chrome, Gmail, Android, as well as by other organizations across the globe.
In the past month on Gmail alone, we saw 18 million daily malware and phishing emails, and more than 240 million spam emails, specifically using COVID-19 as a lure.
Abbas Kudrati (Microsoft): In the past months, we have seen how cybercriminals have adapted their tactics to coincide with what was going on in the world. We observed, specifically, how COVID-19-themed attacks peaked in the first two weeks of March, as governments began to take action to reduce the spread of the virus and travel restrictions came into effect.
For example, in the Republic of Korea, one of the earliest countries hit by COVID-19, we saw how cybercriminals ramped up attacks during key events like identifying patients from the Shincheonji religious organization, military base lockdowns, and international travel restrictions within the country – as they had seen an opening to compromise more victims. Increased testing and transparency about the outbreak then mapped to a downward trajectory of attacks.
At the same time, as I mentioned before, these attacks were really a repurposing of existing attacks – with attackers using existing infrastructure and malware with new lures. After peaking in early March, COVID-19-themed attacks have settled into a “new normal” as cybercriminals adapt and look for the best and easiest ways to gain new victims.
As the situation evolves, cybercriminals continue to look for the best and easiest ways to attack new victims for the biggest risk versus reward payouts. While the industry focuses heavily on advanced attacks that exploit zero-day vulnerabilities, every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents.
The focus should be on ensuring that organizations increase the level of defense, because defenders drive up the cost of successful attacks. From Microsoft Threat Intelligence’s insights, we have seen how defenders have greatly increased phishing awareness and training for their enterprises since April, raising the cost and complexity barrier for cybercriminals targeting their employees. This needs to be the continued priority as we move forward into the next stage of recovery.