The pandemic is still with us and we start with a cybersecurity time-line and finish with the good news that SMEs are benefiting from a move to the cloud, prompted in large part by the pandemic. In between we have some crime stories, articles on skills and culture (just how emotionally intelligent is your CISO?), thoughts on sustainable security, and some ideas on cyber strategy including advice on making patching more secure.
Keep safe out there.
Thankfully we are starting to see fewer stories about the pandemic. But it’s still with us. And at the 1-year anniversary of the COVID-19 lockdown, we give you a cyber-security timeline.
Ordinary UK consumers are suffering from online fraud which has cost the public £34.5m since March 2020 according to City of London Police. The Metropolitan Police have some great advice on avoiding fraud that it is worth sharing with colleagues. (And their Little Book of Big Scams is well worth a read.)
One particular scam to watch out for at the moment is the fake Clubhouse app that hackers are using to distribute malicious Android malware.
But the problem isn’t just attracting new people into cyber careers. Some senior professionals may need to reskill themselves, moving on from purely technical skills and developing better human skills. Emotional intelligence is the CISOs’ new frontier.
Did you know that Bitcoin consumes more energy than Argentina? InfoTech is energy-heavy and data security is part of that problem. At teiss, we feel that sustainability in IT and data security needs to be addressed urgently.
The world seems to be changing even more rapidly. Threats change and we ask: Is EMOTET gone forever? (The answer is probably “No”.) In a world of accelerated digital transformation, one of the keys to success is simplifying security.
One new threat we have seen recently, with the Solar Winds hack, is that software patches can be infected with malware. It’s a nasty tactic. So here are four patch management best practices to minimise cyber-security risk.
Doing the walk of shame this week is online FX broker FBS who leaked 16B customer records via an unsecured server. And our sympathies go to Northampton University who suffered a major cyberattack that crippled their IT network for days.
Sergey Medvedev: The co-founder of the Infraud Organisation has been sentenced to 10 years by a US Court.
SMEs: Cloud uptake, boosted by the pandemic, is proving to hold many benefits for SMEs. A silver lining of sorts, given how many UK families are dependent on SMEs for employment. It’s worth remembering that cybersecurity isn’t just for the big boys: even simple actions like getting Cyber Essentials certified can make a huge difference.
Cybercrime and online fraud inflicted losses of approximately £34.5 million to the British public since March last year, with incidents of online shopping fraud being at an all-time high, the City of London Police has revealed.
A report from the City of London Police revealed that since March 2020, Action Fraud received a total of 6,073 reports of coronavirus-related online fraud and cybercrime incidents that inflicted losses of £34.5 million to the public.
A dedicated national fraud unit has arrested more than 156 criminals who were allegedly involved in committing fraud during the national lockdown imposed as a result of the coronavirus pandemic. Law enforcement action against cybercrime and online fraud also resulted in the takedown of more than 2,000 websites, phone numbers, and email addresses linked to frauds since the pandemic began.
According to the City of London Police, incidents of online shopping fraud increased by 42% and romance fraud increased by 20% in the past 11 months. Incidents of computer software service fraud, however, decreased by 15.5% in the same period compared to 2019 figures. These numbers revealed the changing tactics and priorities of cybercriminals and online fraudsters during the pandemic.
In total, more than 416,000 incidents of fraud and cybercrime were reported since March last year, with reports of online shopping fraud being at an all-time high since records began. Another type of crime that reached its peak during April and May 2020 and January 2021 was phishing activities leveraging the distribution of COVID-19 vaccines.
“The past year has been incredibly challenging for every single one of us. Sadly, we have seen devious criminals taking advantage of the coronavirus pandemic as a means to commit fraud, often honing in on people’s anxieties and the changes that have occurred to their daily lives. Policing has had to adapt quickly to what is an ever-changing public health situation, but nothing has stopped us from pursuing these individuals and disrupting their activity,” said Ian Dyson, Commissioner of City of London Police.
“We are committed to protecting the public from fraud and have worked closely with all our partners in law enforcement and the private sector to make arrests, gather evidence, and ultimately bring criminals before the courts,” he added.
The force runs the National Fraud Intelligence Bureau (NFIB), which assesses reports made to Action Fraud by the public. The NFIB can take immediate actions to disrupt certain activities in order to prevent more people from falling victim to fraud. The NFIB has taken down more than 1,030 websites, 425 phone numbers, and 597 email addresses since the beginning of the pandemic.
Additionally, the City of London Police’s Intellectual Property Crime Unit (PIPCU) has taken down several websites believed to be selling counterfeit goods relating to coronavirus such as testing kits and facemasks. “The unit has also made 29 arrests since the pandemic began and seen a number of high profile charges, such as that of David Chambers who is alleged to have administered a fake vaccine to a 92-year-old woman at her home and charged her £160, and Frank Ludlow who was convicted for selling fake coronavirus treatment kits across the world,” the report read.
The Dedicated Card and Payment Crime Unit (DCPCU) has also made a number of significant arrests related to coronavirus frauds. The unit has executed 99 warrants since the start of the pandemic and made 56 arrests, 27 percent of which were of criminals committing coronavirus-related “smishing”.
“The unit has already seen 30 criminals convicted since March 2020 and has taken down 773 social media accounts used to commit fraud, helping to further protect members of the public from fraud. On 11 March 2021, officers executed their tenth warrant of 2021, where they arrested and charged Taige Gallagher, 21, of Perth Road, Wood Green, for fraud by false representation and possession of articles for use in fraud. Gallagher pleaded guilty to both charges at Westminster Magistrates Court on 13 March 2021 and is currently awaiting sentencing,” the report added.
Commenting on the report, Mark Crichton, OneSpan’s Senior Director of Product Management, said, “Though concerning, this high volume of COVID-19-related fraud is unsurprising. We’ve seen fraud attacks spike over the past year with criminals preying on vulnerable people during the pandemic - especially those who are new to mainly digital services. Combating these fraud attempts requires a collective effort from banks, telecoms, social media firms and the public sector to put the right measures in place to beat fraudsters, as well as continuing to educate consumers on the cyber threats they face.
“Consumers must make a habit of always checking the sender's email address or phone number. If the communication seems suspicious even in the slightest, they should not click on any links. No trusted organisation would ever ask a customer to part with money or their sensitive information via email, SMS, or telephone. Customers can always contact a company or organisation directly to confirm whether a piece of communication is legitimate or potentially fraudulent.
“Banks need to have dynamic fraud solutions that analyse vast amounts of data with machine learning and advanced risk analytics to identify abnormal user behaviour in real-time and that are capable of automatically operating at a lower level of trust during times of increased risk. In addition, telecoms and social media firms too have a responsibility to act quickly on these scams and minimise the potential of any harm to individuals,” he added.
Originally Aired: Tuesday 23rd March 2021
This episode is now available to view on-demand.
Dr Dave Chatterjee - Associate Professor, The University of Georgia
Garry Scobie - Deputy Chief Information Security Office, The University of Edinburgh
Enis Sahin - Head of Information Security, Federated Hermes – International
Boris Cipot - Senior Security Engineer, Synopsys
A perpetual state of breach reflects today’s world where people are travelling constantly and working remotely. The opportunities for hackers keep expanding. And breaches keep happening. Dealing with this epidemic involves recognising that this is one of the costs of doing business and approaching the problem holistically rather than through technology.
Often we have to go through pain to recognise our deficiencies and we saw that in the pandemic. Cyber threats can be as bad as any pandemic and cyber security needs to be a strategic competency. The process should not be driven by regulation or by a box-ticking approach. The risk needs to be viewed seriously and when you are breached you need to be confident that you have genuinely done all that you can across the organisation. Ownership and accountability at the most senior level is required.
The traits of commitment, preparedness, and discipline are essential. Creating a security culture that embraces these is difficult, but at least working towards this is better than taking the myopic techno-centric approach. And there is a growing recognition at a top management level that this is a strategic issue, so perhaps we will continue to see progress. However cyber security is a moving target and we need to keep on getting better at it.
But sadly it is true that we are in a perpetual state of being attacked. To manage this, awareness is key. Most users are not cyber aware. In a way that’s fine – we don’t need everyone to be an expert. But we do need people to understand the simple things they can do to help with security.
Training needs to be a continuous process. Awareness campaigns need to run all the time. And these need to be combined with incentives and also sanctions for people who don’t engage with security. Remember: there is a difference between communication and good communication. How well we execute is an important issue. For example, using training as a punishment is a mistake.
And making training general rather than personal will mean that people don’t engage with it. Ultimately it will only work if people understand what the personal benefits of working securely are for their own lives and careers. And the way to start with this is to make sure people care about security, even before they know how to be secure.
There is a lot of account and password sharing that still goes on. It isn’t necessarily true that account takeover is overtaking phishing as a threat – in part because phishing often is the cause of account take over. And phishing isn’t going away anytime soon.
Forced errors and unforced errors: the average IT user is like a novice and they make unforced errors all the time. So rather than running phishing campaigns it is better to look at the unforced errors they make and educating them away from making these errors.
In software development we also see many mistakes. Software is tested in a live environment but security processes are not imposed at this stage. This makes it easy for hackers. And then there is the proliferation of smart devices – again these are ways for hackers to get into IT systems.
Human vulnerabilities will always be exploited, whether through phishing or other ways. The human will always be at the centre of a breach. Unfortunately it isn’t just employees who make mistakes. It’s the employees of people in the supply chain and business ecosystem. Managing that is a huge challenge, and this is one of the things that clearly shows that security goes well beyond the IT function.
One particular problem is the way that hackers are getting better at behaving normally when they have penetrated an IT system. Criminals who are “living off the land” are very hard to identify.
Many security systems are deemed to be paranoid and they are thought of as damaging system usability. But in banks, the thought is that you need to be paranoid. In fact healthy paranoia is where any organisation needs to be moving to. Good security should be a competitive advantage rather than a cost. It’s a strategic necessity because without it you may not be trading for much longer.
Unfortunately humans love convenience and we will do almost anything for convenience, including compromising security. So we need to accept that security cannot be 100% and agree the level of security that is necessary within an organisation. The difficulty is that people in their home lives don’t always (ever?) take security seriously – they look for convenience and log on using a Facebook account or simply ignoring the details of the terms and conditions.
We need to get away from fearing security and look at ways of combining security with convenience. So for instance a password manager can be a good strategy is many circumstances.
Convenience needs to beyond simple usability though. Systems need to be accessible to everyone who uses then and optimal for a diverse community of users. Everyone should find an IT system simple and intuitive to use.
You need to have a security strategy that is focussed equally on people, process and technology. You need to work on constantly improving awareness and creating a workforce of people motivated to stay secure. You need committed leadership and robust governance procedures. And above all you need a committed, genuine and proactive approach that seeks out the way to better cyber security.
375 new cyber threats per minute
McAfee’s COVID-19 Threat Report detects 375 new threats per minute in Q1 2020. As the nation entered lock-down in Q1 2020, the pandemic quickly become the dominant theme of the threat landscape. In its first COVID-19 Threat Report, McAfee observed what began as a trickle of phishing campaigns and the occasional malicious app turn into a surge of malicious URLs and capable threat actors leveraging the world’s interest in COVID-19 as an entry mechanism into systems across the globe – with key findings including:
Rising attacks on cloud accounts
In the same quarter, McAfee’s Cloud Adoption & Risk Report – Work-from-Home Edition showed that external attacks on cloud accounts grew seven times between January and April 2020
According to McAfee’s research, Q1 2020 saw a significant increase in cyber attacks targeting cloud services as companies are largely working from home due to the COVID-19 pandemic, with significant trends including the rise of cloud-native threats access from unmanaged devices, an increase in the use of cloud services. Report highlights include:
Criminals exploit RDP
At the same time, McAfee saw cybercriminals actively exploiting RDP to target remote organisations.
From January to March, McAfee examined attacks on RDP ports and the volume of RDP credentials being sold on the underground markets – concluding the focus on RDP in the underground market has been amplified as enterprises move remote due to COVID-19. Highlights of the research include:
A rise in Covid-19 scams
In April 2020, McAfee discovered a posting on a dark web forum from an individual claiming to have recovered from Coronavirus selling their blood to others.
Overall, the volume of threats McAfee saw related to COVID-19 was significant, from phishing emails name-dropping the disease to malware named after popular video conferencing services. Tracking these campaigns revealed the most targeted sector to be healthcare, followed by finance and then education.
Several malicious Android applications were discovered abusing keywords connected to the pandemic, like an app called “Corona Safety Mask,” which abuses the SMS send permission to send scams to the victim’s contact list. And amongst a sea of offers for face masks, a posting on a dark web forum revealed the sale of blood from an individual claiming to have recovered from Coronavirus.
Covid scam detections rise by over 600%
In Q2 2020, the McAfee Labs Threats Report: November 2020 saw COVID-19-themed cyber-attack detections increase by 605%.
The industry saw an evolution of cyber threats and activity related to malware Q2 2020, as criminals adjusted their cybercrime campaigns to exploit the pandemic. This included a surge of malicious URLs and capable threat actors leveraging the world’s interest in COVID-19 as an entry mechanism into systems across the globe.
Notably, McAfee found:
Cyber crime: a trillion dollar drag
In December 2020, McAfee revealed that cybercrime is now a trillion dollar drag on the global economy, a more than 50 percent increase from 2018.
The global report titled “The Hidden Costs of Cybercrime,” revealed that 90% of companies reported hidden costs that went beyond monetary losses - including major reductions in productivity and lost work hours:
Online activities established as routine
Moving into January 2021, McAfee revealed that online activities such as banking (79%), social media (60%), and food deliveries (56%) will remain part of Brits’ routines post-lockdown.
Brits plan to continue digital habits brought on by the global pandemic even when social distancing guidelines and stay at home restrictions lift – with key findings including:
Adam Philpott, EMEA President, McAfee commented: "Over the last year, change has been a constant. Businesses have had to continuously adapt to keep their organisation and workforce safe from the rise in Covid-related threats. As the pandemic took off in Q2 2020, McAfee saw a staggering average of 419 new threats per minute. Criminals were quick to capitalise on pandemic panic, with our global network of more than a billion sensors registering a 605% increase in total Q2 COVID-19-themed threat detections.
"As we navigate the new normal, businesses must continue to stay alert and adapt to protect their hybrid workforce and ensure their business stays resilient. To do this, organisations need to employ a Zero Trust mindset to maintain control over access to the network and all instances within it, such as applications and data, and restrict them if necessary - all without compromising user experience and performance.
"This approach will allow businesses to enjoy the benefits that come with hybrid working, knowing they're taking the necessary steps to protect their organisation, no matter where employees are working."
Originally Aired: Thursday 25th March 2021, 16:00
This episode is now available to view on-demand.
Roland Cloutier - Global CISO, TikTok
Mudassar Ulhaq - Chief Information Officer, Waverton Investment Management
Andrew Tsonchev - Director of Technology, Darktrace
People have learned better to reach out to other humans using technology. We have got better are communicating using video, not least because we have brought children, pets, and our home environments into business conversations. We don’t know what the new normal will be when the pandemic is over, but it won’t be the old normal. We know there is a different way to work.
Businesses need to understand how to deal with the changes we have seen – smaller offices, zero trust, flexibility – using technology to enable these will be important as a way of maintaining innovation and useful change.
There have been reports that new threats were appearing in 2020, but this wasn’t necessarily true. It’s a function of a malware-oriented mindset. It’s simple to change a virus signature, but that doesn’t necessarily make it different. There were different things that appeared in 2020, real zero-day vulnerabilities like Solar Winds. But really we should be moving beyond making a distinction between new and old threats.
Perhaps what is new is the way that some business processes that had previously been overlooked came into focus.
Another change is how we work. Proxy environments, bilateral defence, malicious URL management – these things defended the end-users within an enterprise network. Now users are at home, their gateway is their home environment and they have a larger threat surface.
Endpoint security is still the main pain point cited by security professionals. That’s hardly new. Sometimes hackers are innovative – ransomware was an innovation for instance. In 2020 hackers didn’t need to be innovative because IT systems were changing. Endpoints became even more important as people started working from home.
In a time of change, security professionals need as far as possible to manage the risks. You need the right data if you are going to mitigate threats as they appear – and that means reassessing how you collect data about remote workers.
The ecosystem of endpoints has changes. We now use a wider ecosystem – Slack channels, apps, video conferencing tools – to defend users you need to understand the whole ecosystem and not just the endpoints.
Perhaps the big shift wasn’t remote working. And home networks being hacked wasn’t the problem that people experienced. The change was the move to cloud services. And the increase in the use of personal devices to access corporate data. These were the new threat channels.
At a time when you can buy internet-connected salt cellars (!) the risks of connected devices at home and at work have been much discussed. And hacks through connected devices such as lockers and security cameras do happen. But it wasn’t a big issue in 2020. Preventing remote access would be a major problem if hackers focussed on the ability of remote workers to communicate with the operational centre. But no one went after the home networking environment.
Instead, we have seen a change in criminal tactics. Ransomware doesn’t just make files unavailable. It exfiltrates them too. That’s because the criminals know that selling the data is just as valuable as preventing access to the data.
One tactic is for security to work with employees to put more defences on personal equipment. But many users will object to that and so they will often look for ways to get around the changes that their employers have made. Instead, other tactics may be preferable such as providing browser-based access to apps where a user’s device never actually touches corporate systems because everything happens in the cloud.
How will enterprises provide the necessary applications in a virtualised form? And how will they provide protected cloud environments where employees can find all the tools they need. Companies are increasingly going in this direction.
On the security operations side, people are becoming more flexible in how they approach monitoring security. In the old way of doing things, which was compliance and rules-based, security operations teams were very inflexible. But now they have to be more flexible. There is no point in writing a new rule book that will be out of date in a few months. Instead, the challenge is to actively monitor the estate across all workers, VPN users and well as internal users. And with so many different types of behaviour, the need is to look for strange and potentially damaging behaviour rather than behaviour that is simply out of the ordinary.
Air Date: Thursday 8th April 2021, 16:00 (BST)
Andrew Aken - Zero Trust Lead Technical Architect, Twitter
John Rouffas - Chief Information Security Officer, Pharos Security
Rob Hornbuckle - Chief Information Security Officer, Allegiant Air
Jason Soroko - CTO of PKI Sectigo
Air Date: Tuesday 13th April 2021, 16:00 (BST)
Jordan M. Schroeder - Deputy MD & Managing CISO, HEFESTIS
Robin Lennon Bylenga - Human Factors Analysis Classification System
Jean Carlos - Group Head of Information Security, Nomad Foods
Richard Cassidy - Senior Director – Security Strategy, Exabeam
Air Date: Thursday 15th April 2021, 10:00 (BST)
Emily Taylor - CEO of OXIL & Editor for the Journal of Cyber Policy
Karl Knowles - Global Head of Cyber | CISO, HFW
James Packer - Head of Information Security, EF Education First
Mike Campfield - VP, GM International Operations and Global Security Programs, ExtraHop
Air Date: Tuesday 20th April 2021, 16:00 (BST)
Mishu Rahman - Director of Cyber Security, BNP Paribas
Reena Shah - Director, Cyber Security Strategy, Culture & Process Optimization, London Stock Exchange Group
Reinhard Hochrieser - VP, Global Product Management, Jumio
Ardie Kleijn - Chief Information Security Officer, Transavia
[s2Member-Login login_redirect=”https://www.teiss.co.uk” /]