Mental Health

It’s high time we started taking our mental health more seriously, especially in this time of uncertainty. There is no health without mental health. Christmas comes to bless the earth. As we approach Christmas, may our hearts be filled with joy and hope for a better tomorrow. CJP.

2020: In the year of the pandemic, digital infections also stretch resources

Reviewing IT security incidents in 2020, Patrick O’Connor MBCS CISSP CEH finds that while society may have slowed to a crawl in the face of COVID-19, the cyber security world was more active than ever.

We all know that 2020 will be remembered for just one thing. While stuck at home, an increased reliance was placed on our various connected devices both for welcome social interaction and an ability to work remotely.

An explosive growth in the use of video conferencing software quickly brought to light security weaknesses in some products. For instance, Zoom (whose value increased more than 400%) found it was not long before some meetings and family gatherings were interrupted by hackers – with everything from political comment to pornography.

Lured by promises of the latest news of the virus, many were duped into visiting websites or opening emailed ‘reports’ containing graphs and charts showing current virus information, but which also installed malware. Researchers at security firm Check Point found that in the first month of the outbreak, more than 120 malicious and 200 ‘highly suspicious’ domains related to ‘coronavirus’ were registered.

According to US sources, breaches at healthcare related companies have doubled over the same period last year with Ryuk ransomware still the tool of choice for attackers. Nation state actors have also been attempting to breach medical companies and universities to steal COVID-19 research data.

Not so happy new year

Even before 2020 had begun, things took a turn for the worse for Travelex. The currency exchange was attacked on New Year’s Eve 2019 and its website had to be taken down for three weeks. The attackers were the cybercriminal group behind the Sodinokibi ransomware, also known as REvil. This downtime adversely affected several major banks in the UK, including Barclays, Lloyds and Royal Bank of Scotland, as they all use Travelex to provide foreign exchange and travel money services.

Storm clouds

Cloud computing is proving an exciting new target for hackers. While offering a staggering range of services, the cloud providers’ environments can prove challenging to secure properly. Early in the year, a poorly configured Amazon Simple Storage Service (S3) bucket was found to have exposed almost half a million financial records. The data was linked to a financial app called MCA Wizard, launched in 2018 but no longer in circulation.

A security intelligence company called BinaryEdge found 35,516 unsecured databases online worldwide. Of these, most were in China and the United States, with the majority in the cloud.

Many companies are now considering the cloud, especially with staff needing to work remotely during lockdown. The built-in accessibility the cloud provides would make future outbreaks less disruptive to a workforce. However, the problems of securing a complex cloud environment are significant.

No reward for loyalty

In March this year, Marriott announced they had been breached and that records for more than 5.2 million users of their Loyalty app were compromised.

The intruder used the credentials of two employees from a Marriott franchise property, to access customer information on the loyalty app’s backend systems. Details leaked included name, email, postal address, phone numbers, birth dates, gender and various details of employment and travel preferences.

This is the second notifiable breach of Marriott in the last 16 months. In November 2019 Marriott confirmed that hackers had gained access to the Starwood Hotels reservation system. Through this they accessed the details of more than 383 million customers.

easyJet, easy target

It was revealed in May this year that Chinese hackers managed to access records of approximately nine million easyJet customers. The actual breach occurred in January and the UK Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) were notified at that time, but customers were not informed until four months later.

As a result, the airline is facing an £18 billion class-action lawsuit filed in the High Court in London on behalf of customers impacted by the disclosures. The lawsuit refers to aspects of the General Data Protection Regulation (GDPR), which gives consumers the right to claim compensation when their information is compromised in security incidents. There could also be heavy fines for easyJet under GDPR.

Losing control

The most sophisticated publicised instance of hacking thus far remains Stuxnet. This complex attack on an Iranian nuclear facility exploited supervisory control and data acquisition (SCADA) systems. It was the first to demonstrate the extreme vulnerability of networked industrial control systems. Since the Stuxnet code became public, there have been numerous similar exploits, often reusing parts of it.

In June this year, Honda’s corporate network was breached. According to the security firm SentinelOne, the attackers used Ekans (also known as Snake) ransomware, which is designed to attack industrial control systems. The fact that Honda halted production in the UK, US, Turkey, Italy and Japan implies some success.

Honda insisted that no data had been lost, suggesting they were able to restore from backups. This may have caught the problem early enough to minimise damage. There is no evidence yet of how the attackers gained initial access, but it is likely to have been part of a COVID-19 related phishing campaign.

Celebrity scam

Twitter was again the subject of a headline-grabbing breach in early July, which saw high profile accounts like those of Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple taken over by hackers. Subsequent tweets promised their legions of followers ‘double their money’ if they deposited bitcoins to a particular account. Despite the unlikely sounding offer, more than $100,000 was actually deposited in the rogue bitcoin account.

Such was the relatively amateur nature of this attack that authorities were able to identify and arrest the perpetrators within days. The 17-year-old ‘mastermind’ was also prepared to discuss details of the hack with journalists online. The attack was achieved by social engineering a number of Twitter employees over the phone.

Navigating a hostile network

In late July, users of Garmin satellite navigation devices and services found they were suddenly unable to use them. The company’s website was down, its call centre offline and, for a time, there was no way to contact them at all. They had been attacked with WastedLocker, ransomware developed by the notorious Russia-based Evil Corp group. Such was the disruption caused by the attack that production was halted at Garmin’s factories in Taiwan for five days.

Chinese warning

Companies operating in China were placed on alert late in the summer, after hidden backdoors were discovered in mandatory tax-related software. China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme. This could indicate that the malware, labelled GoldenSpy, has either direct sponsorship from the government or is being deployed with its blessing.

More malware, dubbed GoldenHelper, which pre-dates GoldenSpy, has been found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies. GoldenHelper, while functionally different from GoldenSpy, has a similar delivery mechanism, according to security company Trustwave.

Based on this, the FBI sent out an official warning to all US companies in China. It believed companies in the healthcare, chemical and finance sectors were in particular danger, based on China’s historical interest in these sectors.

The new normal

As we come to terms with how the world may be changed as a result of COVID-19, there are indications the cybersecurity landscape is also changing.

From this brief selection of some of 2020’s security incidents, it should be clear that they naturally fall into categories. There are tabloid-friendly hacks, like the one at Twitter – newsworthy only because of the names of those involved.

Then, there are the inevitable and escalating attacks on financial institutions and medical facilities with the growing use of ransomware as an effective means to extort money.

There are also the huge number of database breaches resulting in the theft of personal data. This problem could be said to have reached epidemic proportions on its own, as websites which try to catalogue all cyber incidents show data leaks on an almost daily basis.

Cyber criminals are industrialising their projects and state actors are being discovered taking even greater interest in large companies, while the ever-present threat to individuals is only getting more sophisticated. There is already evidence emerging of renewed interference by Russia in the 2020 US Presidential election. In a year when a real virus monopolised our attention, those in the digital realm continued to develop and mutate.

While there is the possibility of a vaccine for one contagion, to eradicate the other may be considerably more difficult. (bcs.org)

How to avoid being hacked in the era of COVID-19

The advent of a global pandemic has not only changed the way we work, writes Paolo Passeri, Cyber Intelligence Principal for Netskope, but means we must change the way we think about and maintain security.

It’s no secret that since the beginning of the pandemic, to enable social distancing, remote working has increased exponentially. And, to maintain business as usual as much as possible under the current circumstances, many organisations have gone through (and are continuing to go through) a dramatic change in their processes and the way employees access corporate information. Over the last few months, remote access technologies, cloud applications and collaboration services have played a crucial role in this transformation.

Protecting a new workspace

Besides the social, economic and cultural implications, the main consequence from an infosec standpoint is that the corporate laptop is the new workplace and the perimeter of the organisation is no longer physical. Instead, it resides with the users themselves.

This new normal means that remote users must be able to access the corporate data from any location, and potentially any device. Traditional on-premises security technologies, such as firewalls, web and email security gateways are no longer suitable, or able, to cope with the level of security required.

Users are the new security perimeter and from an attacker’s perspective, the weak link of the system: they are outside of the physical boundaries of their organisation and even worse, emotionally distressed – due to the current circumstances – so even more vulnerable.

To complicate things further, for less established organisations, the shift to remote working has been driven by a contingency plan rather than a strategic approach. As a result, many of the remote workers haven’t been educated about the risks of the new workplace and aren’t protected by the right technologies.

If an endpoint is compromised, the attackers get the key to the kingdom. Arguably, it has always been this way, but the reality is that the COVID-19 crisis has dramatically increased the attack surface.

Email is the preferred attack vector

According to recent research, 13% of phishing attacks in Q1 2020 were related to COVID-19, with the total number of attacks increasing by 22.5% in comparison to Q4 of 2019.

Email continues to be the cyber criminals’ preferred attack vector and the current situation has made things worse. Thanks to the pandemic, attackers have many more factors to exploit to make their attacks successful.

For example, the mass adoption of collaboration tools such as Zoom, Microsoft Teams, or Cisco Webex, as well as cloud services in general, is fuelling multiple variants of phishing campaigns that use rogue notifications to steal the victims’ corporate credentials. This is done through malicious pages mimicking the target applications.

Even more concerning is that during the pandemic these rogue communications typically impersonate the HR department or use other emotive themes that make the victim – concerned about the future and emotionally vulnerable – click on the malicious link without verifying whether the message is legitimate.

But, rogue HR notifications are not the only way to exploit the COVID-19 crisis for phishing purposes. Other common tactics leveraged by the cyber criminals include the stimulus packages promoted by several governments (links to fake pages applying for funding), or even communications sent by institutions involved in the fight against COVID-19, such as the World Health Organisation (links to fake pages for accessing important information regarding the pandemic).

And COVID-19-themed emails are also used to deliver malware, for example, disguised as fake installers of collaboration tools or fake documents sent by institutions involved in the COVID-19 fight, such as the World Health Organization.

To protect corporate accounts, organisations have adopted multiple layers of defences (such as anti-spam, anti-malware, and email tagging to quickly identify messages sent from outside the corporate perimeter). However, these countermeasures are not always 100% effective for the following reasons:

  • Malicious emails are becoming more and more evasive. For example, a typical evasion trick consists of delivering the phishing page or the malicious payload through a cloud service such as Microsoft Office 365 OneDrive or Google Drive, which is implicitly trusted by the email security gateway – hence the ability to bypass it.
  • Although it is becoming more common, email labelling is still not universally adopted and is too often ignored by users.
  • As mentioned previously, the user is the new perimeter. Remote employees can use the same device to access personal applications and corporate services simultaneously, which implicitly opens a hole in the security posture of the entire organisation. Phishing pages or malware can be delivered through personal email, turning the endpoint into a gateway to access the organisation.
  • If the user is the new perimeter, relying on legacy security technologies that force backhauling the corporate traffic to a central location (contradicting the connectivity mode of cloud applications) and aren’t able to inspect SSL traffic, simply doesn’t work.

An ounce of prevention is worth a pound of cure

Does this mean that remote users are inevitably exposed to the risks and destined to be hacked? Of course not. Technology plays an important part, but at the end of the day, the human being is the first line of defence. Every single action counts and there are some simple steps that can be taken to mitigate the risk of being hacked via email, with the right level of healthy suspicion being the first layer of security.

  • In tough times like these, it’s better to assume that every incoming email could potentially be a threat, so don’t take anything for granted. Carefully inspect every email, for misplaced details in both the form and the content. Once upon a time, the presence of grammatical errors was a simple but important indicator of malicious origin. Unfortunately, this is not completely true today, since attackers are getting smarter and able to craft very realistic messages in terms of form and content. Nonetheless (especially in case of foreign attackers) there’s always the chance that identifying mistakes can reveal the malicious origin.
  • If your company applies tags to external messages, pay special attention to those received from outside of your organisation.
  • Carefully inspect every link in the mail. Hover the mouse over it and check that the target URL matches the destination and the context. The attackers might use simple tricks like HTML tags or shorteners, or even more sophisticated techniques like homograph attacks to hide the real destination. Even if the domain looks legitimate, check every single character. Ask yourself: ‘can I really spot the difference between a capital I and a lower case l?’
  • Cloud services are increasingly used to serve phishing pages or to deliver malware, so always check the destination URL and ask yourself ‘why does this OneDrive document come from Dropbox (or Google Drive)?’ Additionally, if the phishing page comes from a cloud service like Microsoft Forms or Google Drive, the page always contains a disclaimer to never submit passwords via the form, so pay attention to every single detail.
  • The typical phishing message uses emotional bait to entice the victim to click on the link or open the attachment. Typical baits include:
    • a payment (often with fake invoices);
    • the request to reset an account after some suspicious activity;
    • the need to confirm some personal information;
    • notification of a salary increase or related bonuses;
    • offers of giveaways, coupons or free ‘stuff’;
    • things related to personal activities or hobbies, especially in the case of spear-phishing (or targeted phishing).

And, as previously mentioned, during COVID-19, malicious actors are leveraging emotional baits specifically related to the crisis, such as:

  • requests of meetings from HR;
  • missed notifications from collaboration apps, such as Microsoft Teams and Zoom;
  • requests to reset the password for a cloud service in use by the organisation such as Microsoft Office 365;
  • documents from institutions such as the World Health Organization containing guidelines to face the pandemic;
  • eligibility to apply for a fund related to the economic stimulus packages.

In all these cases, whether they are generic or related to the pandemic, it’s extremely important, before taking action, to ask yourself if you have an account with the potentially impersonated service. If the answer is ‘no’, inspect the message carefully. If the answer is ‘yes’, contact the sender organisation (via the website or a contact number) and confirm that the message has been really sent by them.

  • The most common email applications allow an inspection of the original message (for example, the ‘view source’ option in Microsoft Outlook, or the ‘show original’ option in the Gmail web interface). More skilled users can use this feature to check the headers and identify whether the message was sent by the real organisation, or whether the sender was spoofed.
  • Whenever possible, protect every account with multi-factor authentication (MFA), consisting of something you have (like an authenticator app) and something you are (for example, mobile authenticator apps allow the use of a fingerprint to unlock the app itself) or something you know (such as a PIN). Similar policies are usually enforced by the organisation to access the corporate services; however, it’s necessary to adopt MFA even for personal accounts if this feature is available. Motivated attackers will look for every entry point, including personal services.
  • If possible, avoid using SMS-based or call-based authentication since SIM-swapping attacks are increasingly common. Maybe you are not a primary target (or you don’t believe you are), but a little bit of additional precaution won’t hurt.
  • Always consider the corporate device as an extension of the office workplace. Working from home and spending more time with the family doesn’t necessarily mean that you can share your corporate laptop or phone with others for their personal stuff. If they are compromised, your organisation is potentially compromised as well. In the same way your organisation would never let someone external enter your office and sit at your desk beside you, you shouldn’t let anyone else use your corporate device for their business.
  • Applying these simple steps will reduce the risk of being compromised. The mantra is ‘better safe than sorry’, so if you spot an anomaly in a message, or simply have the feeling that something is not right, do not hesitate to pick up the phone and call your IT department (in general, make sure you acquaint yourself with the security incident procedure – every organisation should have one). This is the first thing to do if you think you clicked on a malicious link or downloaded malware – and don’t forget to delete the message once it has been verified as malicious. (bcs.org)
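As an added example (not from the bcs.org article), the Python helper below applies three of the checks listed above to a constructed sample message: header consistency (From versus Return-Path and Reply-To, the spoofing check made via ‘view source’ or ‘show original’), visible link text versus the real target, links hosted on file-sharing services, and internationalised domains that may hide a homograph. The sample message, the list of cloud hosts and the heuristics are assumptions for illustration; it produces warnings for a human to review, not verdicts.

```python
"""Triage helper for a suspicious email, following the checklist above.

Constructed example: every header and body line below is made up for
illustration. The heuristics are deliberately simple and conservative.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# File-sharing / form hosts commonly used to host phishing pages (assumed list)
CLOUD_HOSTS = ("1drv.ms", "onedrive.live.com", "drive.google.com",
               "docs.google.com", "dropbox.com", "forms.office.com")

# Constructed sample: a fake "missed Teams notification" with mismatched
# headers, a link whose text and target differ, and a punycode host.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.net>
From: Microsoft Teams <noreply@microsoft.com>
Reply-To: support@teams-login-example.net
Subject: You have 2 missed messages
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign in to read your messages:</p>
<a href="https://docs.google.com/forms/d/example123">https://teams.microsoft.com/login</a>
<p>Or use the mobile link: <a href="http://xn--micrsoft-y2a.com/t">Microsoft</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    return email.utils.parseaddr(str(addr))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return a list of warning strings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # 1. Header consistency: Return-Path / Reply-To should match the From domain
    from_dom = domain_of(msg["From"] or "")
    for hdr in ("Return-Path", "Reply-To"):
        if msg[hdr] and domain_of(msg[hdr]) != from_dom:
            warnings.append(f"{hdr} domain {domain_of(msg[hdr])} "
                            f"differs from From domain {from_dom}")

    # 2. Link inspection: shown URL vs real target, cloud hosting, homographs
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if text.startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                warnings.append(f"link text shows {shown} but points to {host}")
        if any(host == c or host.endswith("." + c) for c in CLOUD_HOSTS):
            warnings.append(f"link hosted on file-sharing service {host}")
        # Punycode labels or non-ASCII characters deserve a character-by-character look
        if host.startswith("xn--") or ".xn--" in host or not host.isascii():
            warnings.append(f"internationalised (possible homograph) host {host}")
    return warnings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("WARNING:", line)
```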

COVID-19 STRESS

“It’s extremely important that we recognise that anxiety is contagious, but so is compassion. And there are ways in which we can bring our communities together, even if virtually. We can take advantage of the technologies that are now at our fingertips. We can encourage positive community outcomes such as altruistic behaviour, social cohesion, volunteerism, reaching out to those who are living alone or who are seniors.” — Roxane Cohen Silver

What has IT learned from the coronavirus pandemic?

As many companies throw away business plans for 2020 and contemplate the fight for survival, Tony Adams, Senior Director and Max Burrage, Senior Manager of Business Transformation at the Hackett Group, look at what you need to do now – in both the short and long-term future. (bcs.org)

The global public health and economic crisis triggered by the outbreak of the COVID-19 pandemic has created an unforeseen and unprecedented set of challenges for organisations. IT organisations responded to the unfolding situation by activating business continuity plans, but most of those are designed to cope with the short-term, localised disruption of business activity. Additional actions are necessary to address the gaps and position companies to operate in an open-ended, rapidly changing scenario. 

What IT got right in its response 

Fortunately, the IT sector was relatively well-equipped to handle this crisis. IT has taken a number of approaches and actions to minimise disruption and sustain operations effectively. For example, investments in digital, agile infrastructure – modernised platforms and applications – have kept companies functioning and minimised disruption. Similarly, zero-trust architecture and multifactor authentication have kept companies safe, despite the vulnerabilities of working from home (WFH) environments and a massive spike in malicious attempts to gain access to systems.

Continuity plans for epidemics and ‘practice’ WFH days have minimised worker frustration and unpleasant surprises and most third-party providers have demonstrated that they can deliver services during extended WFH periods. Prescient stockpiling of user devices and advance warnings to drop-ship suppliers provided the right tools at the right time to support widespread remote working. Relatedly, scalable service desk capacity managed the spike in calls from employees unfamiliar with remote access processes and tools.

As we all know, deployment and training for collaboration tools like Teams and Zoom have enabled teamwork to continue and group discussions to flourish. Ultimately, IT leaders’ standing team meetings have kept employees informed, helped manage their anxiety and brought a regular cadence to their days. Meanwhile, virtual team ‘happy hours’ have sustained a sense of family.

Response leadership

IT leaders correctly focused initially on people’s health, safety, equipment and tools to enable them to work from home. As this condition continues, leaders are starting to broaden their focus to employee engagement, sense of mission and camaraderie. The associated challenges of hiring and onboarding staff have also risen. 

Although IT offers little comfort at this time, IT leaders are also seeing new or heightened stakeholder appreciation for IT’s capability and importance. This can be leveraged to advance IT’s agenda, but it will require care and circumspection. On the bright side, the digital IQ of the entire organisation has risen many times over, and this will reduce resistance to – and most likely accelerate – digital transformation initiatives that improve agility, scalability, security and productivity.

  • In the immediate future: businesses must continue to keep employees informed through virtual town halls and similar activities while striving to avoid distracting, unfocused overcommunication. Wherever possible, be transparent over continuity plans, actions and timelines and crowdsource solutions for ongoing WFH support. This will require collapsing the leadership hierarchy to accelerate information sharing and adding cadence and opportunity for reprioritising via short, regular team meetings. Businesses should continue to promote healthy behaviours, camaraderie and engagement with workers’ home lives, be that children, pets, or anything else and offer flexibility regarding work schedules. It also helps to reinforce how IT employees’ work advances the company mission in this crisis to offer a sense of purpose.
  • In the near-term: businesses will need to assess their IT and business digital transformation plans and commit to accelerating areas that will improve remote working, agility, responsiveness and efficiency. They must also work with HR to set up remote recruiting and onboarding processes and leverage positive stakeholder perception of IT’s role and performance, to push for funding and timing of highly relevant initiatives previously resisted. It is also important to anticipate post-mortems and collect data and opinions that will be needed.
  • In the long-term: this crisis has emphasised the importance of prioritising digital deployments, particularly around key post-virus capabilities such as cloud for agility and security; AI / analytics for performance, liquidity and supply-chain visibility; and zero-trust cybersecurity to support more remote access. Businesses must also work with peer leaders and experts to plan how employees will return to offices and how operations may be permanently modified for post-virus reality.

Business continuity 

Working from home is now a sustained reality for most IT staff and office workers. The good news is that IT’s business continuity plans largely succeeded, leaving IT leaders feeling relieved and proud that so much went right despite the unprecedented scale of impact, which no plan anticipated.

Now, it’s time for IT to look at strengthening plans to work even better during a similar catastrophe. Leaders must also look to technologies that will reduce the impact of a similar catastrophe, allow increased capacity and look again at the use of manual workers, offshore and outsourced providers. 

  • In the immediate future: IT must accelerate equipment purchases because of supply scarcity, shipping delays and an anticipated rise in prices. For obvious reasons, IT must also adopt touchless hardware deployment and ensure all company employees have necessary licenses and access to collaboration tools. Businesses need to develop and regularly review critical IT staffing requirements for continuity and test with scenarios that include losses due to illness. Similarly, businesses which haven’t already done so should develop methods that limit the need to be on-site for technology deployments – for instance, using local providers and video or even VR training tools. Just as in the office, it remains important to assess staff productivity and any issues around meeting deadlines. 
  • In the near-term: IT must adapt performance metrics to ensure that they are relevant to work-from-home factors such as access and processing times and service desk performance. IT must also improve neglected or shaky foundational applications and platforms to ensure stability.
  • In the long-term: IT needs to incorporate lessons learned into a corrective action program to revise business continuity and business resiliency plans. Businesses must increase and accelerate the automation of manual processes to increase resilience and capacity, reduce reliance on individual workers and exposure to potential continuity risks associated with services delivered predominantly by people.

Risk management 

The coronavirus presents substantial workforce risk from direct illness or the need to care for sick family members. IT leaders should be prepared to fulfil essential duties with the loss of up to half of global staff. Security protocols must encompass an environment where the majority of workers connect from home full time for an indefinite period.

There must be reviews and education sessions on rules for accessing and using company systems and IP remotely. IT must also be prepared for the possibility of bad actors taking advantage of the crisis. The balance of 2020 will be one of financial risk for the enterprise and austerity for IT.

Even as they freeze budgets and hiring and slash costs, IT must plan to meet the inevitable demand for new, accelerated automation, security and remote access investment and new skills to help position the enterprise to rebound from a position of strength.

  • In the immediate future: IT must ensure that all company employees have licenses and access to collaboration tools, regardless of role or group. The department must also develop and review critical staffing requirements for continuity and test scenarios that include losses due to illness. As a preventative measure, IT should develop methods that limit IT needs for travel and need to be on-site for technology deployments, again potentially turning to local providers and video or VR training tools. IT must educate employees on evolving virus-related phishing and hacking threats and home environment vulnerabilities. Decision-makers should reassess technology project pipelines and determine which to accelerate, delay or stop, given the current circumstances. 
  • In the near-term: businesses should accelerate investments in infrastructure resilience against future pandemics and cross-train IT staff for better resiliency in a crisis. Unfortunately, businesses should also update their IT contingency plans for the potential of a deep, extended recession.
  • In the long-term: IT should identify opportunities to update security policies and practices. They may also need to amend contracts for variability in the scope and demand of services and their charging model. Financially, it will be important to re-evaluate contracts and defer costs that are not essential to operations in the balance of 2020 and develop or revise IT cost control or reduction plans for 2020-21. 

Managing IT in uncertain times

Uncertainty about the development of the coronavirus globally, infection rates, government responses and the duration of the pandemic is high. IT leaders must consider that short-term fixes are liable to become longer-term solutions. After the immediate response, which involves invoking business continuity plans (BCPs) and the necessary improvised responses, a longer-term plan must be developed that anticipates the possibility of future pandemics and drastic measures to contain them.

IT must also look ahead to how the business will endure a recession, recover and thrive in whatever the new normal will be for global enterprise. This IT-led, technology-enabled transformation may involve automation, company interdependencies, the role of a broadening service-provider ecosystem, the ability to work remotely and securely, as well as enterprise agility.

Keep an eye on your mental health

We are living through a world crisis the likes of which hasn’t been seen in 100 years. The enormous scale of the crisis and the impact it is having are naturally causing a lot of fear, uncertainty and anxiety across the globe. Add social isolation, disrupted work and family routines, and economic instability, and it is understandable that our mental health is suffering.

During these challenging times, we need to keep an eye on our mental health and look out for those closest to us. There is no doubt that this is a tough situation, and it’s understandable that you might be feeling low or missing your loved ones. Reaching out and supporting each other is the best way for us to get through this. Remind yourself that this situation will not last forever, and that although you may feel lonely, you are not alone. We are all in this together. Be Kind, Stay Positive, Stay Alert and Keep Safe.