Lessons Learned from the COVID-19 Panic-Demic

Here are a few idle thoughts and personal takeaways about the impact of the COVID-19 pandemic and the ensuing panic among the public, in the financial markets, etc.:

  • Supply chains that are built around the concept of enabling sellers to provide products at the lowest possible price don’t weather pandemics very well. Depending so heavily on a single country for manufacturing is clearly susceptible to a Black Swan event like the one in which we’re currently embroiled. As investors are almost always advised to diversify their portfolios, manufacturers should diversify their supply chains to weather disruptive events more effectively.
  • Nation-state actors and cyber terrorists have been provided with an excellent example of how they might be able to severely disrupt life in developed countries, particularly the United States. While COVID-19 is certainly a serious issue that requires the appropriate level of response, the panic buying of toilet paper, flour, sugar, milk, eggs, cake mixes, baby formula, diapers, cat litter (yes, cat litter!), etc. is clearly an overreaction when food-related supply chains, at least in the United States and many other developed nations, are still largely intact.
  • To the point above, imagine if a nation-state actor or terrorist organization were successful in taking a handful of power plants off-line with the threatening message that more would be taken off-line in the near future. As demonstrated with the COVID-19 panic, there would be a huge run on not only basic necessities, but also on things like batteries, generators, flashlights, and hundreds of other items. It wouldn’t just be grocery stores and Costco stores with thousand-foot lines, but also Home Depot, Lowes and lots of hardware stores.
  • Our residential broadband infrastructure seems to be holding up quite well now that several million home-workers have suddenly been added to the traffic burden. While I’m sure there are instances of poor broadband service for residential workers because of the additional load, they seem to be few and far between.
  • One of the positives that may come out of this crisis is the realization by many decision-makers that lots of in-person meetings that incur significant travel costs can be easily replaced with on-line meetings. While not good for the already decimated travel and hospitality industries, we might experience a new wave of meeting efficiency that we hadn’t anticipated.
  • There is likely to be a major increase, at least temporarily, in the number of victims of cybercrime and data breaches. As employees use their home computers – with inadequate endpoint protection and networks that incorporate hackable routers – to access corporate email and data assets on the corporate network, the security defenses that normally defend sensitive data resources will be bypassed in many cases. Expect a major uptick in security problems until organizations adapt to the new, hopefully temporary, reality of most or all of their workforce working remotely.
  • Similarly, expect a major increase in social media-related cybercrime because people are hungry for information about COVID-19, and they’ll click on links that purport to offer information about it. As noted by Brian Krebs six days ago, a live Coronavirus map developed by Johns Hopkins University is being exploited as part of an infection kit that uses the tool as a component of a Java-based malware deployment plot.

In short, lots of problems to be expected in the near- to mid-term until a combination of decreasing infection rates and whatever new crisis is in the offing move our attention to some different topic.

Some Musings on the RSA Conference

A great RSA Conference in San Francisco concludes today. Attendance was down noticeably compared to last year, no doubt because of fears related to COVID-19 and the pullout of several key exhibitors, including AT&T Cybersecurity, IBM, Verizon, and six of the nine Chinese vendors. That said, there were 614 vendors exhibiting this year compared to 624 last year, so without the (possibly) overblown fear of the Coronavirus, there would have been a year-on-year increase in exhibitors.

Here are a few takeaways and comments:

Wendy Nather gave a very interesting keynote that discussed the need for democratizing security instead of continuing the current top-down, somewhat autocratic security model that is in place today. As noted in a Dark Reading article on the topic and reiterated in the keynote, Wendy said, “I’m going to argue that we should be teaching kids not to comply with somebody else’s security system, but to make good security decisions on their own from an early age — which means we have to get rid of parental controls. We should be teaching kids to make the right decisions with the devices that they are using.” She applied more or less the same thinking for corporate users.

While I am completely on board with teaching good cyber security practices to users, we need to keep in mind that security is not just about doing the right things. It’s also about defending against a sophisticated, well-funded, malicious, very intentional, and sometimes just plain mean adversary. This is not just about users making good security decisions, as important as that is, but it’s also about enabling security teams to have autocratic authority when it best serves the needs of the company footing the bill and taking the risks. IMO, the best security model lies somewhere between autocracy and the democracy that Wendy proposes.

One of the more interesting products discussed at RSA was Anomali’s Lens+, a web content parser that uses natural language processing to highlight cyber threat information. Lens+ is a browser plug-in that can be configured to highlight text in web pages based on various criteria. It enables threat researchers and others to view web-based threat bulletins, social media posts, articles and other web content with the information related to threat actors, attack techniques, malware families and other relevant items highlighted for them. Plus, it enables researchers to understand if their organization has instances of these threats already present in their network, and it supports the MITRE ATT&CK framework by showing the TTPs discussed in the content they’re viewing.

Lens+ has the potential to significantly reduce the amount of time that threat researchers spend reading threat bulletins and other content related to their work. Plus, I can see enormous applicability well beyond this space, such as enabling employees to gain additional information about the content they’re reading across a wide variety of subject areas.
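As an added illustration of the kind of annotation Lens+ is described as doing (example code written for this post, not Anomali’s product or code), the Python below marks up a constructed threat bulletin with ATT&CK technique IDs, malware families and actor names and summarizes the TTPs mentioned. It uses a small hand-built keyword table instead of NLP; the technique IDs are real MITRE ATT&CK identifiers, while the keyword patterns, malware and actor lists and the sample bulletin are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately small knowledge base. The ATT&CK technique IDs are
# real MITRE identifiers; the keyword patterns and the malware/actor lists are
# sample data for this example, not Anomali's.
TECHNIQUE_PATTERNS = {
    "T1566": ("Phishing", [r"\bspear[- ]?phish\w*", r"\bphish\w*"]),
    "T1486": ("Data Encrypted for Impact", [r"\bransomware\b"]),
    "T1078": ("Valid Accounts", [r"\bcompromised (?:account|credential)s?\b"]),
    "T1059.001": ("PowerShell", [r"\bpowershell\b"]),
}
MALWARE_FAMILIES = ["Emotet", "TrickBot", "Ryuk"]
THREAT_ACTORS = ["APT29", "FIN7"]
# Technique IDs written out explicitly in the text, e.g. "T1486" or "T1059.001".
EXPLICIT_TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


@dataclass(frozen=True)
class Annotation:
    start: int
    end: int
    text: str
    kind: str   # "technique", "malware" or "actor"
    label: str  # ATT&CK ID, malware family or actor name


def _find(text, pattern, kind, label):
    return [Annotation(m.start(), m.end(), m.group(0), kind, label)
            for m in re.finditer(pattern, text, re.IGNORECASE)]


def annotate(text):
    """Return non-overlapping annotations, in text order, for entities in `text`."""
    found = []
    for tid, (_name, patterns) in TECHNIQUE_PATTERNS.items():
        for pat in patterns:
            found += _find(text, pat, "technique", tid)
    for m in EXPLICIT_TECHNIQUE_ID.finditer(text):
        found.append(Annotation(m.start(), m.end(), m.group(0), "technique", m.group(0)))
    for fam in MALWARE_FAMILIES:
        found += _find(text, r"\b" + re.escape(fam) + r"\b", "malware", fam)
    for actor in THREAT_ACTORS:
        found += _find(text, r"\b" + re.escape(actor) + r"\b", "actor", actor)
    # Resolve overlaps: earliest start wins, then the longest span, so that
    # "spear-phishing" yields one T1566 hit rather than a hit plus a nested "phishing".
    kept = []
    for a in sorted(found, key=lambda a: (a.start, -(a.end - a.start))):
        if kept and a.start < kept[-1].end:
            continue
        kept.append(a)
    return kept


def ttp_summary(text):
    """Sorted list of the distinct ATT&CK technique IDs mentioned in `text`."""
    return sorted({a.label for a in annotate(text) if a.kind == "technique"})


def highlight(text):
    """Rewrite `text` with each entity wrapped as [text](kind:label) markers."""
    out = text
    # Work right to left so earlier offsets stay valid as the string grows.
    for a in sorted(annotate(text), key=lambda a: a.start, reverse=True):
        out = out[:a.start] + f"[{a.text}]({a.kind}:{a.label})" + out[a.end:]
    return out


# Constructed sample bulletin, not a real report.
SAMPLE_BULLETIN = ("APT29 sent spear-phishing emails that dropped Emotet. Operators then "
                   "used PowerShell to deploy Ryuk ransomware (ATT&CK T1486) from "
                   "compromised accounts.")

if __name__ == "__main__":
    print(highlight(SAMPLE_BULLETIN))
    print("TTPs:", ", ".join(ttp_summary(SAMPLE_BULLETIN)))
```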

There was a very interesting — and fairly contentious — keynote panel led by Craig Spiezle, founder of Agelight Advisory and Research Group entitled, “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei”. The panel members included Katie Arrington, CISO of Acquisitions for the Department of Defense (which can no longer legally purchase from Huawei); Andy Purdy, the CSO of Huawei; Bruce Schneier from the Harvard Kennedy School; and Kathryn Waldron, a Fellow at the R Street Institute.

Craig, who would have been well served in this session had his former career been that of boxing referee, did a good job at managing the group and keeping panel members more or less on topic. While the session shed more heat than light on supply chain management, with personal political preferences leaking through at times, it highlighted the importance of prioritizing where security dollars need to be spent, since there is no way to make everything secure. As Schneier noted, securing the supply chain is an “insurmountable” problem. Whether that’s true or not is certainly up for debate.

All in all, a great RSA and probably the most enjoyable since I started attending 16+ years ago.

Some Examples of Security Problems in Government

State and local governments, municipalities, city councils, local law enforcement agencies, federal government agencies, and other government entities – collectively the government sector – are under attack from cyber criminals and nation-states. Threats from ransomware, business email compromise, phishing and other security threats are relentless, and 2019 was a banner year for various types of attacks against government.

A few examples:

  • Ransomware
    Successful attacks hit four municipalities in Florida in April and June 2019, more than 20 local government organizations in Texas (August 2019), and two power utilities in India (August 2019). Two-thirds of more than 70 ransomware attacks in the United States during the first half of 2019 had local and state government organizations in the crosshairs. The ransomware attack on the City of Atlanta in March 2018 compromised approximately 150 applications, including mission critical services such as the court system and police. Atlanta’s City Attorney’s Office lost 71 of its 77 computers and a decade’s worth of documents in the attack.
  • Phishing
    The City of Naples, Florida was the victim of a spear-phishing attack in July 2019 that netted $700,000 for the cybercriminal(s); this occurred after Collier County suffered a similar attack in December 2018 that netted $184,000.
  • Business Email Compromise
    A public school in Portland, Oregon almost lost $3 million to a successful BEC attack, and a county in North Carolina was tricked into paying $2.5 million into the wrong bank account for a contractor working on a local project (some of which it was able to recover through quick action by the bank).
  • Data Breaches
    Mega-breaches include the US Office of Personnel Management in mid-2015 with 21.5 million sensitive data records breached, and the US Justice Department in 2016 with a data breach exposing contact details for more than 20,000 FBI and Homeland Security employees. A White House audit in 2015 discovered a cumulative 77,000 cyber incidents across government, with theft of data a common occurrence. In late October 2019, hackers breached the City of Johannesburg and claimed they had exfiltrated sensitive financial and personal data. The hackers said they would publish the data if a ransom payment was not made.

We have recently published a white paper focused on cyber security in government that discusses the problems in depth. It discusses a number of important best practices that government decision makers should seriously consider. You can download it here.

How Do You Decide on a Cybersecurity Vendor?

Kevin Simzer, Chief Operating Officer at Trend Micro, wrote an interesting blog post entitled My Takeaways from Black Hat ’19. Among the good points he makes is this one:

“With some ~3,000 vendors, the [cybersecurity] industry is making it so hard for decision makers to keep a clear view of the problem they are out to solve.”

That’s almost an understatement. At a show like Black Hat, RSA or InfoSec, for example, no more than about 20 percent of cybersecurity vendors exhibit, and so there are another 80 percent of the available solutions that just aren’t available for evaluation by attendees. And, at a show like RSA (which had 624 vendors exhibit in San Francisco earlier this year), spending just five minutes at each booth to learn what was on offer would mean you’d spend 52 hours on the show floor — and the expo isn’t open anywhere near that long.

So, as a security professional, what do you do? You can learn as much about security solutions as you can through conferences, vendor briefings, webinars, analyst reports and the like. But even then, you’ll just be scratching the surface of what’s available. Another response is to consolidate on a much smaller number of vendors to avoid the problems associated with evaluating large numbers of solutions and figuring out how to integrate and manage them. For example, at one of the briefings I had at Black Hat, a leading vendor told me that one of their clients is attempting to consolidate their current crop of 40 security vendors down to just two. That carries with it its own set of difficulties, since a consolidation project like this — and finding just the right two vendors — could be tougher than having too many.

Compounding the problem is that many security vendors offer somewhat contradictory messages based on different philosophical approaches to security.

So, as a security professional, what do you do? I’d like to hear how you approach the problem for your organization. Please email me at michael@ostermanresearch.com, or text or call me at +1 206 683 5683.

Are You Paying Attention to SOT and HOT?

Everyone in the cybersecurity space is very familiar with Information Technology (IT), but far fewer are as familiar with Operational Technology (OT) – software and hardware that focuses on control and management of physical devices like process controllers, lighting, access control systems, HVAC systems and the like.

However, cybersecurity professionals should familiarize themselves with OT because it is having an increasingly serious impact on their IT solutions and on their corporate data. Here are two of the several aspects of OT to consider:

Shadow OT (SOT)

Most of us are familiar with “Shadow IT” – individual users or departments employing their own mobile devices, mobile applications, cloud apps, laptops and other personally managed solutions to access corporate resources like email and databases. This phenomenon/scourge/blessing/reality has been with us for more than a decade and is generally well accepted by the IT community. But relatively new on the scene is “Shadow OT” – the use of Internet of Things (IoT) solutions in the workplace. For example, some businesses will employ consumer-grade solutions like routers, security cameras and lights in a work environment, introducing a number of vulnerabilities that are more common in consumer-focused IoT solutions than they are in industrial-grade solutions. Because consumer-grade IoT products are developed by manufacturers who are under enormous price pressure and will sometimes employ temporarily contracted teams to create these devices, the consideration of security in the design process, not to mention the ability to upgrade and patch these devices, is not common.

Because consumer-focused IoT solutions often will have vulnerabilities, they can create enormous security holes when used in the workplace. For example, as discussed at Trend Micro’s Directions ’19 conference earlier this week in a session hosted by Bill Malik (@WilliamMalikTM), a New Jersey hospital installed Bluetooth-enabled monitoring pads in its 2,000 beds to detect patient movement and dampness that would signal a patient needing a nurse’s attention. Doing so makes sense – using technology like this frees nurses from the task of going room-to-room to check on patients who need no help, allowing nurses to spend more time on other, more critical tasks. And, the hospital was able to implement the solution for about $120,000 instead of the $16 million that would have been required to use FDA-approved beds that offered the same functionality. But these consumer-oriented devices very likely have major security vulnerabilities that could allow an attacker to access critical medical systems like insulin pumps and patient monitors, not to mention the hospital’s patient records that are valuable to bad actors.

Home OT (HOT)

Another important issue to consider is the use of OT in the home. Many employees work from home either occasionally or full time and they often do so in an environment populated by Internet-connected thermostats, baby monitors, game systems, voice-enabled home automation systems, security cameras, lights, alarm systems, wearables, refrigerators and the like. Here again, these often insecure solutions typically have numerous security vulnerabilities and access the home Wi-Fi network – the same one the employees use to connect their laptop and desktop computers to enterprise email and other corporate data sources. And, because all of these devices in the home connect through the same gateway, a bad actor’s access to one device exposes everything else on the network – including corporate devices – to unauthorized access and control.

The solutions to these issues won’t be easy. It’s tough to convince decision makers, as in the case of the hospital noted above, to spend 100+ times more on secure technology when they barely have the budget for what they can afford now. And it’s virtually impossible to require employees to disconnect the IoT devices in their homes while they’re working there. However, there are some things that can be done, such as using firewalls, monitoring solutions, VPNs and the like to make things more secure in the short term. Longer term security will require a change in design focus, as well as user education focused on being careful about using an ever-expanding array of OT devices, among other things.

Cybersecurity Predictions for 2019

Around this time of year, it seems as though everyone publishes their predictions about what they think will happen during the next 12 months. Being one in that “everyone”, I decided to follow suit:

Boards of directors will be a focus for security education
Boards of directors’ knowledge about business issues is generally quite good, but knowledge about security issues is typically not their strong suit. As a result, CISOs, security managers and others charged with providing security for their organizations often feel overstressed and under supported. However, we believe that 2019 will be a turning point during which boards will get serious about security. This enlightenment will be driven by high profile data breaches (the Marriott data breach of 500 million records figuring prominently in this awakening) and will take the form of making more CISOs board members, discussing security issues at most or all board meetings, and accelerating funding for security in most organizations.

Ransomware will make a comeback, but with low ransom demands
The ransomware problem was terrible in 2016, got worse in 2017, softened a bit in 2018, but will make a comeback in 2019. However, we believe that the focus of ransomware authors in 2019 will be low level ransom demands, perhaps on the order of $20 to $40. The goal of cybercriminals will be to make ransom demands low enough to make paying the ransom an easy decision akin to an impulse buy at a supermarket check stand. Moreover, these ransom demands will come with full instructions about how to pay the ransom using Bitcoin or other cryptocurrencies.

Cryptocurrency mining will become a much more serious threat
Osterman Research believes that the price of Bitcoin will recover substantially from the steep drop it has experienced during 2018. This will motivate more external cybercriminals to infiltrate corporate systems for the purpose of installing cryptocurrency mining malware on various corporate servers, and it will motivate some insiders to do likewise.

Home routers will become a greater focus of corporate security managers
The large number of employees who work some or all of the time from home, coupled with the fact that 83 percent of routers in the US have unpatched vulnerabilities, leads us to believe that a rapidly growing threat focus will be employees working from home. The relatively low use of VPNs, which ranges from 18 percent to 30 percent worldwide, will contribute significantly to this threat and will motivate corporate security managers to address the security of their employees’ home-based security infrastructure in a much more serious way.

Malware will be used to damage the reputations of celebrities and high level government officials
A tool commonly used to tarnish the reputations of celebrities, nominees to high level government positions and others is to reveal information they have posted to social media in the past, sometimes many years past. Osterman Research believes that in a few cases during 2019, some will go one step further and use malware to install compromising content on the computers, social media accounts or cloud accounts of celebrities and others. For example, while malware has been used in the past to install child abuse images on the computers of victims, such as in a 2009 case involving an employee for the Commonwealth of Massachusetts, we believe this approach will be used to discredit a few high-profile individuals in 2019.

The market for security awareness training will grow significantly
Employees are the last line of defense in any security infrastructure. Because technology-based solutions cannot block 100 percent of malicious content 100 percent of the time, employees need to be trained to deal with the phishing, spearphishing and other threats that will inevitably reach them. While the market for security awareness training has been growing at a healthy pace over the past several years, the fairly recent spate of acquisitions in this space by mainstream security solution providers will accelerate the trend at an even faster pace.

The market for web isolation technology will explode
A significant share of malware and other threats enters the corporate network through web browsing, webmail access and the like. To combat this, organizations of all sizes will increase their use of web isolation technology to prevent this avenue of attack from being effective. While these technologies have been available for several years, we believe that 2019 will be the breakout year for them.

Security Defenses are Not Adequate

We have just completed an extensive survey of security and compliance professionals in mid-sized and large organizations, asking about the current state of their cyber security defenses. We will soon be publishing a white paper discussing the results. Here’s a bit of what we found:

  • Fifty-five to 58 percent of organizations admitted that they are not fully protected against security threats like payment scams, spear phishing attacks and email spoofing.
  • Four of the top five concerns that security and compliance professionals have in the context of their organizations’ cyber security are focused on email-related threats.
  • Sixty-five percent of security and compliance professionals admitted that their organization has suffered a successful attack and/or data breach during the past 12 months, with the most common being a phishing attack successfully infecting systems on their network with malware (28 percent), and a targeted email attack launched from a compromised account successfully infecting an endpoint with malware (25 percent).
  • Corporate executives represent 16 percent of the attack surface in the typical mid-sized and large organization, despite the fact that they account for only two percent of the total number of employees.
  • Forty-two percent of those surveyed told us that their anti-ransomware defenses are either not improving the catch rate for ransomware attempts over time or the catch rate is actually going down.
  • Only 28 percent of those surveyed believe that their end-user training regimen focused on web surfing best practices is “very good” or “excellent”; only 39 percent believe that their user training for detecting and addressing phishing and other unwanted emails is this good.
  • The average cyber security budget will increase by 7.4 percent in 2018 compared to last year; 67 percent of organizations are increasing their budget and only two percent are decreasing it.

Please let us know if you’d like an advance copy of the white paper.

Here are some upcoming security conferences that should be on your radar:

Best Practices for Dealing With Phishing and Ransomware

We have just published a white paper on phishing and ransomware that we welcome you to download and review. Here are some of the key takeaways from the paper:

  • Both phishing and crypto ransomware are increasing at the rate of several hundred percent per quarter, a trend that Osterman Research believes will continue for at least the next 18 to 24 months.
  • The vast majority of organizations have been victimized by phishing, ransomware and a variety of security-related attacks during the past 12 months. In fact, phishing and ransomware are among the four leading concerns expressed by security-focused decision makers as discovered by Osterman Research in the survey conducted for this white paper.
  • Security spending will increase significantly in 2017 as organizations realize they need to protect against phishing, ransomware and the growing variety of other threats they face.
  • Most organizations are not seeing improvements in the security solutions they have deployed and in the security practices they follow. While many of these solutions are effective, most are not improving over time, in many cases because internal staff may not have the expertise to improve the performance of these solutions over time. On balance, only two in five of these solutions and practices are considered “excellent”.
  • Security awareness training is a key area for improvement in protecting organizations against phishing and ransomware, since our research found that organizations with well-trained employees are less likely to be infected.
  • There are a variety of best practices that organizations should follow in order to minimize their potential for becoming victims of phishing and ransomware. Among these best practices are implementing security awareness training, deploying systems that can detect and eliminate phishing and ransomware attempts, searching for and remediating security vulnerabilities in corporate systems, maintaining good backups, and using good threat intelligence.

You can download the paper here.

As an aside, I will be attending the Virus Bulletin International Conference next week in Denver and encourage you to do likewise if you’re at all focused on security. I have been to this event before and can vouch for its tremendous value as a place to learn about trends in cyber security and to advance your education about all things security.