Cyber security in times of COVID-19 pandemic

John Shier | Senior Security Advisor | Sophos


Cyber threats have exponentially increased in light of the COVID-19 pandemic, and cyber attacks have evolved to become more sophisticated.

Higher volume and frequency

It might seem like things have heated up lately in the threat landscape but the reality is that it really is just business as usual.

What has changed is the lures that criminals have been using to scam users into falling for their dirty tricks.

Prior to the pandemic we were seeing the usual scams impersonating banks, telcos, and shipping companies but now a portion of them have switched to using the pandemic, the World Health Organisation, the American Centers for Disease Control and various international and local charitable organisations as bait.

To give some perspective on this, there are approximately 320 billion spam emails sent on any given day. When the pandemic hit, only about 3%, or approximately 10 billion emails, were coronavirus, COVID-19 or pandemic themed. The actual volume didn’t necessarily grow, but some of the criminals behind these scams switched their bait.

What’s also changed is that many people are paying a lot more attention to the news lately, and so it might seem like there’s more bad stuff out there when in reality many are just noticing it more.

Maturity and sophistication of attacks

Many of the attacks we’re seeing, whether pandemic related or not, often start out as an email. These emails are either links to credential phishing sites or contain attachments with some sort of malicious intent.

This type of threat, the opportunistic spray-and-pray threat, makes up the bulk of the attacks we see on a day-to-day basis. A little less prevalent but more destructive are the automated active attacks that we’ve seen many ransomware crews using recently. This threat starts out as an opportunistic threat but quickly changes into a more targeted one as human adversaries get involved.

For example, the attack may start when a criminal uses an automated tool to scan for vulnerable servers on the internet and uses another automated tool to gain initial access to the organisation.

Once inside, the humans get to work doing reconnaissance on your network, elevating privilege, disabling security products, deleting backups and using your own deployment tools to install ransomware on all of your servers. These types of attacks are not as prominent as the purely opportunistic ones, but they can be much more destructive.

Finally there are the rare nation-state attacks that specifically target individuals or organisations because of who they are. They are also much more complex and much more difficult to defend against.

Zero-day attacks

Unfortunately, the vast majority of the attacks we are seeing are not related to zero-days. In fact, these attacks very often rely on either attacking the human, as in phishing attacks, or attacking vulnerable systems.

Because we can’t patch humans, we really need to continue to steadily improve our collective security postures by not only using security awareness programs but creating security cultures. The real key to protecting against the human-centred attack is changing behaviour, and the way you do that is by baking security into the corporate culture.

We can, however, patch systems, and we need to get better at this, which means we need to get better at managing risk. There’s a big difference between perceived risk and actual risk.

As an example, we often say to people who are going on a trip, ‘Have a safe flight!’ when what we should actually be saying is, ‘Be careful on your way to the airport!’ The actual risk is on the drive to the airport, not up in the air.

The perceived risk is that APT-this or Fancy-that are coming after your business when the actual risk is an unpatched server or an exposed remote management service. Getting the security basics right is the foundation on which all other risk mitigations are built.

If we think back to the last big global worm, WannaCry, there wasn’t a zero-day involved. Instead, Microsoft had patched that vulnerability 3 months before the first host was infected with WannaCry. A simple patch could have saved a lot of trouble.

The scale of threat for enterprises

Opportunistic attacks are a problem for both individual users and enterprises. By their very nature they are untargeted and indiscriminate, so they’re just as likely to land in your personal inbox as they are in your work inbox.

The automated active attacks, however, are mostly aimed at businesses. This means that not only are businesses at risk of destructive ransomware attacks, but they also have to watch out for low-level opportunistic attacks and, depending on who they are, some nation-state attacks as well. The best defence is to be prepared to defend against any and all types of attacks.

Impact of threats on industrial applications and IoT infrastructure

Industrial control systems (ICS) and IoT devices have their own unique set of issues.

Thankfully, most cybercriminals are content with sticking to the usual phishing and ransomware attacks because:

  • they work
  • they’re profitable
  • they don’t generally require much technical ability to pull off.

That said, there are some criminals out there who will try to go after IoT devices, for example to turn them into botnets. These can then be used, depending on the processing power of the device, as part of the traditional attack infrastructure.

Those going after ICS infrastructure are usually much more capable attackers, mostly in the realm of nation-state operators. So while we do need to look out for all types of attacks, it really depends on what business you are in.

If your business does not operate any ICS infrastructure your best strategy is to focus on the threats that are relevant for your industry and protect against those.

The way forward

I’m not going to suggest how law enforcement and governments should deal with this problem, but I can urge businesses to help the authorities in shedding light on it.

Many countries already have computer crime laws in effect, but it’s the investigative side that needs our help. There are only so many qualified people in law enforcement available to investigate and gather evidence of digital crimes.

By reporting digital crimes we can show our governments and law enforcement agencies how much of it there is out there, and they can in turn prioritise budgets and gain political support for increasing the resources available to investigate these crimes.

We can also help the authorities, when asked, by providing expertise and guidance in areas where they may not have capabilities.

Only with the coordinated efforts of victims, security experts, law enforcement and the justice system can we hope to put these criminals out of business. But most important is to take away their victims. Many cybercriminals are like petty thieves. They’ll rattle our digital locks when we’re not looking, and if they can’t get in, they’ll simply move on to the next victim.

If we all take on the mindset that security is everyone’s business and make it a lifestyle rather than just a work thing, we can put most of these criminals out of business.
