Covid-19 CyberSecurity Impact: Increased Risk of Insider Threats?
Friday, 24 April, 2020
Throughout history, humans have been attacked by epidemics. As with previous plagues, Covid-19 is inflicting harm on both our morale and our physical well-being and has resulted in significant economic and social upheavals. Despite this, our new business model has enabled us to rise and face the new challenge.
We live in an interconnected global economy and we rely heavily on technology. In past years, business has increased its use of collaborative tools via the internet and has embraced the smart working philosophy. For any who had not already done so, this worldwide crisis has required a quick shift from office-based to home-working: an inability to adapt means failure.
However, rushing into a solution without a proper security assessment and transition could be catastrophic. Confidentiality, integrity, and availability must be ensured through a security maturity model which is sufficiently equipped for the current cyber threat landscape. This can be easier said than done: since the beginning of the Covid-19 crisis, cybercriminals have increased their activity in recognition of greater possibilities for exploiting technical and behavioural weaknesses.
A few days ago Europol published a report which confirmed a significant increase in attacks through phishing and ransomware, and its analysis illustrates how hackers are profiting from this epidemic (Europol, 2020). This is just the beginning: the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have issued the following statement: “Both APT groups and cybercriminals are likely to continue to exploit the Covid-19 pandemic over the coming weeks and months” (CISA, 2020).
Some of the key questions for consideration are: How could we securely adapt our work habits and guarantee we meet the new business requirements? Does the current Covid-19 crisis increase the risk exposure of insider threat? In order to support organisations in keeping workers healthy and productive, information assurance practitioners are faced with new challenges and must deliver a further layer of security in order to prevent possible attacks or damage.
This includes protection from outside but also from inside the organisation. As asserted in previous literature, when we examine cybercrime, we often underrate the risks of the internal threat. “Insiders present a significant risk to organisations and, even if they were not the most common source of attacks in recent years, they were the most expensive and difficult to recover from” (Mazzarolo and Jurcut 2020).
A work-from-home environment pushes the defence line outside of the organisation. Setting up remote working services could pose a real security risk, particularly when combined with human-error-enabled security failures.
Threatscape: Observing the attack surface during Covid-19
Crises can expose both good and bad traits amongst a population. There has been an increase in hostile acts from criminal organisations, states and state-backed actors hunting for opportunities to exploit the public health crisis.
At the beginning of March, the main target may have been individuals, but in recent weeks sights have been set wider and include the healthcare sector, governments, and other industries. As examples of offensive and aggressive acts we could list: darknet marketplaces distributing illicit goods and services (Covid-19 related products), phishing, scams, ransomware, disinformation, DDoS, exploitation of collaboration tools, malicious domain registration (probably used for further criminal operations such as phishing), as well as direct attacks against hospitals or major agencies including the Department of Health and Human Services (HHS) and the World Health Organization (WHO).
On 4 April 2020, Interpol released a bulletin stating that they are monitoring the situation in partnership with industry to provide support to organisations that have been targeted by ransomware (Interpol, 2020). Additionally, the FBI declared in its latest public service announcement that cyber threat actors are exploiting virtual environments: “As of March 30 2020, the FBI's Internet Crime Complaint Centre (IC3) has received and reviewed more than 1,200 complaints related to Covid-19 scams” (FBI, 2020).
Working from home: A different challenge
If not correctly assessed and addressed, remote working could represent a real Achilles heel for all businesses. Not all agencies, organisations, governments, industries, or academic institutions are technologically ready to adapt their job model to embrace remote working. Executives under time pressure might not choose the most secure solutions and, regrettably, security is often put on the back burner when compared to productivity. Organisations should take into consideration the following challenges, to guarantee a secure and balanced remote working arrangement:
- Increased use of personal devices: When challenged with a lack of company IT devices, employees may be permitted to use their own home computers, laptops, tablets, or phones to access corporate networks and services. The drawback of this solution is that it jeopardises endpoint security, which then relies on the cybersecurity hygiene of each user. Additionally, in case of breach, there would be no centralised logs or audit trail available for investigation.
- Use of insecure infrastructure: Working from home or in public can expose users operating with unreliable Wi-Fi, misconfigured routers, or without additional security network devices such as firewalls or Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS). The result can be major exposure to exploitation. Working remotely can give employees a false sense of security, because they are comfortably nestled up at home. Confidentiality must still apply, but family members cannot be vetted with regard to hearing or seeing classified information.
- Data handling: Even if an agency handles classified information, it should expect that someone will try to print or transfer documents outside of the organisation. These incidents can be unintentional, in an attempt to make things easier during a time of crisis, or intentional, where the perpetrator is concerned with their own personal gain or deliberately bypassing security policies and directives.
- Allowing remote administrator access: To guarantee business continuity, users with system and network privileges must also be allowed to work from home. These accounts can be particularly dangerous if compromised. IT departments should assess requests on a case-by-case basis, hardening the end device and monitoring this specific group more closely.
- Behavioural warnings: This pandemic is expected to result in a significant negative economic impact. As a result, more people will lose their jobs or will have anxiety around losing their posts. In this scenario, personnel may be approached by competitors or other agents who may exploit fragility or encourage malicious action.
- Blending personal and work activities: Employees working from home may mix work with personal email, web browsing, social media or instant messaging applications to collaborate with their colleagues. This can also have dangerous consequences. An infamous case is the Sony Pictures data breach. It was caused by employees who used the same passwords for work as they did for their personal Apple accounts (Collen, 2015).
Remote Working Recommendations: A lower-risk approach to insider threats
To successfully secure remote businesses, security managers should be aware of new threats seeking to profit from this public health crisis. Different security firms have provided Covid-19 cyber security situational awareness materials. These permit organisations to gain a situational perspective of the risk landscape and to offer countermeasures against existing challenges. They particularly highlight protection of the most sensitive data and business applications, specifically referring organisations to:
- Policy: Setting up proper governance is paramount in creating a defensive baseline and responsiveness to cyber-attacks. Employees shifting from office to remote work locations need to be aware of what is expected of them. Policy intentions should reinforce the protection and safeguarding of classified information. Remote working policies should include minimum requirements for the physical environment, data protection management, removable device usage, remote access recommendations, security awareness, incident response, business continuity planning, and monitoring and auditing strategy.
- Technical: Appropriate security capabilities need to be made available, and it should be confirmed that these controls are deployed and running properly. This may include: establishing multifactor authentication, use of a reliable virtual private network (VPN), up-to-date patches for OS and applications, restrictive data loss prevention policies, implementing data-at-rest encryption, providing antivirus and antimalware protection with the latest signatures, endpoint firewalls, or application whitelists. Finally, it is highly recommended to have a tested back-up solution in place.
- Awareness: Education is essential at this time. It is important that messages on security come from the very top of an organisation and that good examples are set to be followed. Suspicion should be promoted around dubious links and attachments, particularly those with a Covid-19 subject. Home connections should use strong passwords, and it should be clear which applications and collaboration tools are allowed. Employees should be reminded of the policy regarding data handling, and attention should be paid to social engineering, especially exploitation through sources such as social media or phishing.
- Monitoring: At an organisational level, the security operations centre should monitor data exfiltration attempts (data transfers, email traffic and attachments, cloud storage, removable storage devices, printing activity, etc.). Inspect endpoint activities for suspicious applications and processes, analyse normal user activity and spot deviations from the baseline through behavioural analytics.
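As an added illustration of the monitoring recommendation above (example code written for this article, not from any product or the author's own tooling), the script below builds a per-user baseline from a learning window of transfer audit lines and flags a review day's events that deviate from it: a channel the user never used before, activity outside their usual hours, or a volume more than three standard deviations above their mean. The log format ("timestamp user channel bytes") and all sample lines are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not real data): "timestamp user channel bytes".
BASELINE_LOG = """\
2020-04-06T09:15 alice email 210000
2020-04-06T11:40 alice cloud 450000
2020-04-07T10:05 alice email 180000
2020-04-07T15:30 alice cloud 520000
2020-04-06T08:30 bob usb 1500000
2020-04-07T09:10 bob usb 1700000
"""
NEW_LOG = """\
2020-04-09T10:20 alice email 230000
2020-04-09T23:45 alice cloud 48000000
2020-04-09T09:05 bob cloud 1650000
2020-04-09T08:40 carol usb 900000
"""

def parse(log):
    """Yield (timestamp, user, channel, bytes) tuples from the log text."""
    for line in log.splitlines():
        ts, user, channel, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, channel, int(nbytes)

def build_baseline(log):
    """Per-user profile: channels used, working-hour range, byte mean/stdev."""
    sizes, channels, hours = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, user, channel, nbytes in parse(log):
        sizes[user].append(nbytes)
        channels[user].add(channel)
        hours[user].add(ts.hour)
    return {u: {"mean": statistics.mean(sizes[u]), "stdev": statistics.pstdev(sizes[u]),
                "channels": channels[u], "hours": (min(hours[u]), max(hours[u]))}
            for u in sizes}

def detect_anomalies(baseline, log, sigma=3.0):
    """Return (user, reason) pairs for transfers that deviate from the baseline."""
    findings = []
    for ts, user, channel, nbytes in parse(log):
        prof = baseline.get(user)
        if prof is None:                     # unknown account: always worth a look
            findings.append((user, "no baseline for user"))
            continue
        if channel not in prof["channels"]:  # e.g. first use of cloud or USB storage
            findings.append((user, f"new channel {channel}"))
        if not prof["hours"][0] <= ts.hour <= prof["hours"][1]:  # outside usual hours
            findings.append((user, f"outside usual hours ({ts.hour}h)"))
        if nbytes > prof["mean"] + sigma * prof["stdev"]:  # unusually large transfer
            findings.append((user, f"volume {nbytes} exceeds baseline"))
    return findings
```

Each finding is a lead for an analyst, not proof of wrongdoing; a real deployment would learn the baseline over weeks and tune `sigma` per channel.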
Covid-19 has imposed restrictions across many countries. Everybody has been required to adjust their way of life and to stay at home, limiting exposure to other people. The result is that more businesses are asking their employees to work from home. Overall, this has not changed our day-to-day tasks, but has required us to perform them from a different environment. Even though this solution has been viewed positively from the end user side, it has introduced a range of unique challenges for security.
The current crisis has increased the risk exposure of insider threats, and individuals are a potential weak factor in preserving security. This is why hackers develop increasingly complex methods in order to target workers, where even the most experienced employee may be tricked into releasing confidential data. To make matters worse, employees could raise incident rates through eagerness to prove their effectiveness when working from home, bypassing policy or operating under less restrictive parameters.
In order to adapt our organisations effectively, business leaders have a heightened responsibility to set clear expectations about how their corporations are managing security risk in new work environments, leveraging or re-adapting policies, technologies, awareness and monitoring restrictions. Taking a ‘glass half full’ perspective, Covid-19 has reinforced the human ability to adapt quickly to a new situation.
This crisis has, in fact, given us the opportunity to adjust our security posture in an unknown environment and balance business requirements with the preservation of confidentiality, integrity and availability.