There's no part of life or business that the pandemic hasn't touched. CCL pen tester Ben Strudwick explores how things have been impacted in his own domain of cyber security and wonders what's in store for the industry as we move on from Covid.
The pandemic. An unprecedented event which has immeasurably reshaped the world in which we all live. It is without doubt that the infamous COVID-19 has caused an immense amount of pain and suffering around the world. Restrictions imposed by the UK Government during this remarkable period forced people to stay home in what was a collective national effort to save lives. With a shutdown of this magnitude, it is perhaps unsurprising that businesses have been devastated – with many closing their doors indefinitely. But what impact has the pandemic had on cyber security? Has it been affected for better or for worse? What does this mean for the future of this industry? This article attempts to address these questions.
UK Government restrictions forced the country into numerous lockdowns. The message was simple – Stay Home, Protect the NHS, Save Lives. To stay compliant with the newly enacted legislation, businesses had to encourage staff not to travel to on-site premises, and instead to work remotely from home. This trend sent a shockwave throughout the industry, putting the entire IT enterprise into disarray. Many businesses were simply not prepared and did not understand the risks that would follow. Whilst offices and buildings lay empty, staff embraced the new norm of remote working. New and potentially overlooked vulnerabilities now exist due to this unconventional style of working.
Internal company networks which are not used to so many external inbound connections will have been shocked by this shift. What was once a carefully mapped-out network topology has suddenly become a chaotic hotbed of external connections. Necessary due diligence is required, which includes a detailed technical assessment to ensure the configuration of security devices is fit for purpose. This includes change requests. It is possible that the changes made to the appliances responsible for managing these networks are too inclusive for the way those appliances are now used. From firewall whitelists to Active Directory (AD) management, if configurations are not stringent enough, then networks may be ever more exposed. This would be a dream scenario for hackers: redundant firewall rules, ineffective policies, insufficient processes, and a flurry of log file anomalies.
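One way to run the kind of rule review described above, as an added example that is not part of the original article. The rule names, the sample rule set, first-match-wins evaluation and the 256-address threshold are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Remote-access services named in this article; port numbers are their defaults.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}

@dataclass(frozen=True)
class Rule:
    name: str      # hypothetical rule label
    action: str    # "allow" or "deny"
    source: str    # source range in CIDR notation
    port: int      # destination port

# Constructed sample rule set, evaluated top-down with first match wins.
RULES = [
    Rule("vpn-gateway", "allow", "0.0.0.0/0", 443),
    Rule("temp-rdp-lockdown", "allow", "0.0.0.0/0", 3389),
    Rule("office-ssh", "allow", "203.0.113.0/24", 22),
    Rule("contractor-ssh", "allow", "203.0.113.16/28", 22),
    Rule("old-rdp-partner", "allow", "198.51.100.0/24", 3389),
]

def too_inclusive(rules, max_addresses=256):
    """Allow rules that open SSH/RDP to more than max_addresses source addresses."""
    return [
        r.name for r in rules
        if r.action == "allow"
        and r.port in REMOTE_ACCESS_PORTS
        and ipaddress.ip_network(r.source).num_addresses > max_addresses
    ]

def shadowed(rules):
    """Rules that never match because an earlier rule on the same port
    already covers their whole source range (first match wins)."""
    findings = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.source)
        for earlier in rules[:i]:
            cover = ipaddress.ip_network(earlier.source)
            if (earlier.port == rule.port and cover.version == net.version
                    and net.subnet_of(cover)):
                findings.append((rule.name, earlier.name))
                break
    return findings

if __name__ == "__main__":
    print("Too inclusive:", too_inclusive(RULES))
    print("Shadowed:", shadowed(RULES))
```

In the sample, the RDP rule opened to every address during the lockdown is flagged as too inclusive, and it also makes the older, narrower partner rule redundant, which is the pattern a post-change review should surface.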
In contrast, configurations may not have been changed enough by businesses. This is particularly evident in the case of user permissions and access control. Incorrect permissions for users would mean that staff cannot adequately perform their duties with the level of access they have been assigned. This is troublesome as it incurs delays, an increase in raised helpdesk support tickets, a decrease in sales and potentially unhappy customers.
Some businesses operate with a bring your own device (BYOD) policy, meaning it is deemed acceptable for staff to use their own personal mobile devices and laptops to connect back to the company network. Regardless of the method of remote connection (VPN, SSH, RDP etc.), these devices carry new risks to the networks as they are not recognised assets which have undergone a thorough security assessment. None of the security measures expected by the network may be in place, increasing the likelihood of new endpoint vulnerabilities. If, for example, an employee decided to use their own laptop which they have not updated for an extended period, the system they operate from could be vulnerable to publicly known vulnerabilities which attackers could easily exploit. If their machine became compromised, attackers could proceed onwards to privilege escalation and infiltrate the network – putting the whole network at risk.
The furlough scheme was introduced as a means of financially helping businesses to retain their staff, as opposed to making them redundant. This meant a lot of staff were temporarily surplus to requirements. This inevitably had a knock-on effect within cyber security, as it caused disruption to business-as-usual (BAU) processes, slower lead times, projects placed on hold, capped security spending and a decline in both domestic and international trade and collaboration. Some businesses have been forced to permanently downsize, forcing people to exit from businesses altogether despite the emergency support packages on offer. In this instance, cyber security would have been hampered if the departing staff played a pivotal role in ensuring the safety of the business's digital assets – especially in relation to security professionals and any single points of failure.
Privacy has been widely discussed throughout the pandemic. With commercially sensitive data being handled outside the confines of company offices, the risk of data falling into the wrong hands increases exponentially. Data protection becomes even more challenging where the flow of data has suddenly changed. The General Data Protection Regulation (GDPR) is an important piece of legislation to get right. Many businesses may now have to handle customer data differently, and the pandemic has made it even more challenging for businesses to comply with secure working practices.
The Information Commissioner’s Office released the following statement on this matter:
“The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.”
- Statement, ICO, 12 March 2020 (ico.org.uk)
Businesses have had to revisit their internal policies and procedures to adapt to the on-going crisis. Since their ways of working have been forced to change, their published documentation has also had to reflect this. This is particularly apparent for business continuity plans (BCP), as well as health and safety, COVID-19 measures, and emergency responses.
COVID-specific phishing attacks have swarmed members of the public (including businesses) throughout the pandemic. “Sir/Madam, thank you for booking your vaccine. For security, please verify your details by clicking the link below.” Or “A payment has been issued as part of our COVID relief promise, please click the link below to apply.” – sound familiar? Phishing emails and SMS text messages have circulated relentlessly, increasing the likelihood that an unsuspecting victim becomes compromised. It is frightening how genuine some fraudulent phishing attempts appear to be. Attackers are constantly moving the goalposts by devising new and ingenious ways to bait somebody into clicking something they should not. COVID-19 has facilitated more of this malicious activity.
The pandemic has also caused a rise in the number of ransomware attacks which are attempting to impersonate brands in a misleading way. Such attacks are targeting businesses, as well as end users who are downloading COVID-19 related applications such as the NHS mobile app. In a time of crisis, security remains at the forefront of people’s minds. The same should apply to cyber security. Vigilance is key.
Paul Chichester, Director of Operations at the NCSC, said:
“We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the Coronavirus outbreak.
“Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails.
“In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”
Despite the negativity surrounding COVID-19, some advantages have emerged from such events. Many businesses have realised they can offer many aspects of their services remotely. Cloud computing, virtualisation, virtual private networks (VPNs), managed services, and video calling platforms have all seen an increase in popularity. This shift is undoubtedly influencing the industry. As companies begin reassessing their infrastructure and acquisition of services, they are innovating in ways which will streamline services, cut costs, and increase efficiency. This is exciting from a cyber security perspective as requirements for security audits will inevitably ensue from this change in approach. This will help to boost the sector by setting new trends of security requirements and an increase in revenue.
As the UK economy becomes seemingly more reliant on technology, security has never been so paramount.
In conclusion, the pandemic has brought about a colossal amount of change which is profoundly transforming the threat landscape. The IT function has never been under so much pressure from government intervention, data protection is undergoing huge change to keep up with on-going demands, and phishing attacks are flourishing in what is an extremely volatile climate.
Having said all this, cyber security is seeing some positive change as an industry. Many companies are realising the importance of protecting their internal and external infrastructure due to the challenges COVID-19 has introduced. This could be the catalyst needed for increased budgets earmarked for security spending. The restrictions have also brought about new trends which could really help to boost an already growing marketplace.
Although the challenges facing companies remain apparent, the signs are positive for the future of the cyber security industry.