News for the cybersecurity community during the COVID-19 emergency: Thursday, May 21st, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Quick development lessons to be learned. The pandemic and the industry.
Contact tracing blues.
Prime Minister Johnson says the UK will have an effective contact tracing system in place by the 1st of June (he was, the Telegraph reports, responding to Labour concerns about staff safety should schools reopen). But in some respects the early favorable reviews Britain's NHS received from its contact-tracing pilot on the Isle of Wight now seem to have represented a false dawn. At the very least more work needs to be done on the security of the app.
People have been asked to let the National Cyber Security Centre (NCSC) know about any problems they've found with the NHSX-sponsored contact-tracing app, and they've reported, ComputerWeekly reports, three classes of significant issues: those involving the registration process for app users, the application of the Bluetooth communication standard, and how the data are encrypted. Some of the issues involve developer missteps (inevitable with such compressed development cycles), but many of them involve design choices or even simple failures to communicate.
Not all areas of the UK will adopt the national contact-tracing app, whatever its final form may be. Northern Ireland won't, for one. Stormont has said, according to the BBC, that it intends to follow the Republic of Ireland's lead. Northern Ireland has some issues with the NHSX app's privacy protections, but more importantly, it values facilitating travel across the Irish border more than it does travel to England, Scotland, or Wales. North-south movement is more important than east-west travel.
The Apple-Google decentralized exposure notification system now being rolled out has attracted interest from governments who are proving willing to sacrifice the advantages of centralized data management and analysis in favor of an approach that users may find more congenial. Reuters reports that some twenty-three governments have shown an interest in the Apple-Google solution.
Organizations may plan to increase spending on security after the pandemic (and some expect a surge in acquisitions, too).
1Password has published a survey of people whose jobs have been affected by remote work and other measures taken to deal with the emergency, and they've concluded that IT departments are actually getting a good bit of love from their colleagues. "89% of respondents had no criticism of their company’s IT team. Given the scale of the upheaval, that’s a remarkable testament to the incredible work IT teams are doing." There may also be a growing preference for working from home, with 68% of respondents saying they like it, or that at least they've grown happier with telecommuting.
It's difficult to know what to make of predictive surveys, but one study, released this week by LearnBonds, concludes that "68% of major organisations, public and private, plan to increase their cybersecurity spending as a response to the coronavirus pandemic." We received several comments on the survey from industry sources.
Murali Palanisamy, Chief Solutions Officer, appviewX, wrote:
"Digital and internet-based systems are understood to be easy pickings in the case of this pandemic. There are two primary drivers that contribute towards organizations ramping up their security policies. First, remote working has opened up protected systems (that are usually heavily guarded) to external access. Many firms might relax their access policies while neglecting to turn up the security a notch to balance it out, thus thinning the metaphorical wall that hackers would need to knock down in order to force their way into a protected environment. Second, the financial gain to be realized from exploits is a lot higher than normal now -- consider the case of the hospitals that were hit by ransomware attacks, and were put in a position where the criminal simply had to name their price. Why? These institutions could not afford to be disconnected from their digital systems at a time when so many patients were so dependent upon them.
"The point is that criminals believe they can reap relatively larger rewards during these trying times. It’s time for enterprises to prioritize security to an even greater extent. It’s a smart investment to deepen relationships with reputable security vendors and consultants, and implement security automation systems that will protect their digital environments now and for years to come."
Some think that market changes will be driven at least in part by recognition that perimeter-based defenses are now generally regarded as obsolescent. Matias Katz, CEO and Co-Founder, Byos commented:
"The idea of the corporate perimeter has vanished overnight and the security technologies used to protect the central corporate network have become somewhat obsolete - employees are connecting from their home, meaning they are accessing corporate resources from untrusted, insecure Wi-Fi networks. The shift to a perimeter-less, Zero Trust security strategy has been accelerated out of necessity, which would fall in line with the increased spending prediction. Organizations are forced to adapt to this new "work from anywhere" mentality.
"Employees working from home don’t have the same firewalls, network-based intrusion detection systems, and other defenses they have in the office. This means that malware and lateral network movement, exploits and brute force attacks are common threats.
"There are also often dozens of unmanaged devices connecting to our home networks: personal laptops, cellphones, gaming consoles, and home IoT. Any of these devices represent an entry point for attackers; once they've compromised an edge device, chances are high this compromise will spread laterally throughout the home network. And once an attacker or malware gets into a device, they often go undetected, seizing or manipulating data with the ultimate goal of moving from the single remote laptop or tablet into the big prize: the company network and servers. Some basic steps businesses can take to protect themselves against cyber threats:
- Keep software applications and operating systems up to date,
- Create strong passwords and enable two-factor authentication across all devices and accounts,
- Enforce policies stating that employees must never respond to any email asking for personal information, and
- For added layers of protection, adopt endpoint micro-segmentation to protect devices from insecure public and home Wi-Fi networks.
Saryu Nayyar, CEO of Gurucul, thinks that remote work will prove an enduring trend.
"In the wake of COVID-19, businesses have had to quickly change their long-standing, limited remote work strategy. Most have had no time to change and implement new controls for securing data with a remote workforce. And cyber criminals are using this pandemic to increase their volume and severity of attacks at all levels.
"The borderless work environment introduces a new set of cybersecurity issues. Workers are logging into corporate networks from unsecure personal devices and networks. And dealing with remote workers, a surge in temporary workers, headcount reductions, and a staggering demand for staff in some industries has radically impacted access controls across the board. Traditional security and access control measures won’t work in this new borderless emergency remote workforce state. Rules, policies and signatures are ineffective, and security and identity teams do not have enough time to change or build new rules and threat patterns. The fastest and most efficient way to solve the problem with highest efficacy is by using machine learning to perform behavior analytics and identity analytics on this ‘new normal’ - to detect and remediate malicious behaviors and access risks."
Josh Bohls, CEO at Inkscreen, also sees remote work as something that will last:
"Threats are escalating and network boundaries are evaporating. A huge chunk of the workforce is working from home for the first time, and are often making due with unsecured devices, unapproved services, and unguarded networks. This scenario creates clear opportunities for hackers. When combined with a public health crisis that is creating confusion, desperation and general disruption to the modus operandi, you have a recipe for cyber-disaster.
"For example, we have seen new sophisticated phishing attempts with messaging around the PPP and EIDL programs. There was also a scheme to redirect business payments to a new account because the original bank was closed due to the pandemic."
The Wall Street Journal predicts a surge in acquisitions once COVID-19 abates. Bigger companies have put M&A plans on temporary hold, but that pause isn't likely to be one of the emergency's enduring legacies. Those legacies are instead likely to manifest themselves in areas that have proven valuable during the pandemic, like "cloud computing, collaboration, access management and other business continuity tools." Security tools are of course an important species of business continuity tool.
While security isn't something organizations can easily cut during periods of stress (see, for example, this mash note to the industry in the Memphis Business Journal) the larger tech sector nor its security subsector have proven immune from the economic effects of the pandemic. While IT and security businesses haven't been as hard-hit as those in other industries (and the COVID-19 downturn has been particularly hard on media shops), they too have had to endure lower revenue and in some cases lay off employees.
Checkmarx, for one, on Monday said it was laying off "dozens" of staff. The company's CEO, Emmanuel Benzaquen, suggested that restructuring had been in the plans for some time, saying “We didn’t do it earlier because of the exit and the coronavirus crisis, but now it is time to make some changes.” It's part of "building for the long term," and, while the pandemic has affected the company "like everyone else," he expects to emerge stronger from the other side of the emergency. The private equity firm Hellman & Friedman LLC finalized its purchase of Checkmarx in April, paying $1.15 billion for the company. The lesson, CTECH observes, is that "even unicorns aren't immune to COVID-19."
There are security companies who are still hiring, even during the pandemic. May we suggest they take a look at people who've recently been laid off? They represent an attractive talent pool, as close to pre-screened as any talent pool ever is.