News for the cybersecurity community during the COVID-19 emergency: Wednesday, April 15th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
The threat landscape. And lessons for crisis management.
COVID-19's strategic implications.
Defense News reports that NATO's defense ministers are conferring today (by secure video teleconference, of course) to address the coronavirus pandemic's effects on the Atlantic Alliance. The most obvious effect is budgetary: member nations' defense budgets are very much up in the air as governments grapple with the immediate needs of responding to COVID-19. The likelihood of a recession will also hurt defense spending. Beyond that are considerations of the opportunities the crisis could present rivals like Russia and China.
But there are also interesting questions about the pandemic's effect on intra-European relations generally. These could change in several radically divergent ways, the German Council on Foreign Relations thinks. Whether closed borders will produce a breakdown in European defense cooperation or whether mutual aid rendered during the crisis will engender closer, more collaborative ties, remains an unanswered question.
In the US, National Defense thinks that one of the strategic effects the virus is likely to have will be a delay in implementing the Cyberspace Solarium Commission's recommendations.
The Willie Suttonesque reasons for an increase in attacks on healthcare and medical research organizations.
Any organization will be concerned about the confidentiality, integrity, and availability of its data. But there are few sectors where these matter more than they do to healthcare, especially during a pandemic. The Washington Post and others report that there's been no respite in attacks, particularly ransomware attacks, against organizations engaged in developing or administering treatment for COVID-19. This isn't because healthcare and research organizations are especially poorly prepared to defend themselves. Rather, it's because the data they hold is urgently needed, and therefore unusually valuable. Health IT Security sees smaller hospitals and care facilities as particularly attractive targets: the criminals perceive them as likely to pay the ransom rather than risk an interruption of care.
James McQuiggan, Security Awareness Advocate at KnowBe4, explains: "Criminals see healthcare organizations as targets because of the high anxiety and effort to control the coronavirus pandemic and, in some cases, desperate to get much needed PPE supplies, donations or equipment. Criminals are creating domain accounts related to COVID-19 that appear to help, when in fact, they're looking to either gain access to the systems with a spear phishing email or collect money and not deliver any of the goods." McQuiggan adds some advice that hospitals and others may find useful. Many of the tips will be familiar. "While it is a difficult time with healthcare and government groups working to protect and save the lives of its citizens, it would be beneficial as part of the change over shifts, or daily meetings to include a cybersecurity tip," he wrote. Such tips might include, "If you get emails relating to equipment or donations, refer them to the proper person," or "Set up an internal acronym or code for sending links to let people know that they are safe. Keep the code secret to prevent external attackers from using it against everyone."
Ransomware isn't the only threat under the present emergency conditions. Business email compromise is also a threat. McQuiggan warns, "Organizations want to make sure they're engaging their employees to make proper security decisions every day to not only protect the data, but also make sure money is sent to the authorized groups."
Online fraud related to COVID-19.
No one should expect, we repeat, any public-spirited restraint in the underworld, not even during a global crisis. The US Federal Trade Commission's update on COVID-19-themed complaints it's received is evidence enough: the losses to fraud victims reported to the FTC since the beginning of January total $13.44 million.
Some of that fraud has been facilitated by domains established to push bogus merchandise and other scams, an Interisle Consulting Group study conducted for ICANN concluded at the end of March. Naked Security describes how ICANN, the Internet Corporation for Assigned Names and Numbers, has written to its accredited domain registrars and asked them to take action against the registration of new domains whose names suggest a pandemic theme.
And, of course, since the pandemic is peaking during tax season, there's a criminal convergence between tax fraud and COVID-19-themed attacks. TheHill reports that the US Internal Revenue Service (the IRS) is warning tax professionals that they should expect to be targeted.
Zoom, shedding more users, offers security upgrades.
Reuters reports that London-based Standard Chartered is the first major, global bank to tell its employees to stop using Zoom because of concerns about the platform's security. The bank declined to elaborate, but the memo Reuters say also indicated that employees should shun Google Hangouts, too. Standard Chartered says its employees have other, more secure means available to conduct business.
As concerns grew over the teleconferencing service's security (summarized by OneZero) Zoom has begun to issue weekly security updates. iMore reports that the latest of these, out yesterday, enhances the password options available to users and session organizers. Some of last week's improvements included giving paying customers the option of choosing how their traffic will be routed; the news that Zoom traffic routinely transited Chinese servers aroused alarm in many. According to Mounir Hahad, head of Juniper Threat Labs, "The routing options may give some people more peace of mind knowing that a powerful third party may no longer be able to snoop in on conversations, but that’s not the only danger. The real danger from a Zoom account password leakage is the access a threat actor would gain to all previously recorded meetings.”
The routing options, one might add, are reassuring only insofar as one believes Zoom either escaped or contained potential security problems in its code supply chain. Several of its partners are Chinese firms, as Citizen Lab found when they looked into the company's encryption issues.
Credential-stuffing attacks against teleconferencing sessions.
One of the widely reported security problems that have troubled Zoom as the teleconferencing platform's usage suddenly expanded has been the availability of login credentials on various black markets. This data exposure, as Fast Company points out, isn't due to a breach at Zoom itself. Instead, it's the result of credential stuffing in which attackers try credentials culled from other incidents to see if their users have casually employed them for other sites or services. All too often the users have done exactly that.
Juniper's Hahad finds it incredible that people persist in doing this. “It is mind boggling that credentials reuse is so prevalent that hackers are talking about credentials dump without a breach having occurred, at least not on the target platform," he wrote. "It is critical that platform vendors always offer two factor authentication and that the general public adopts the use of password managers more broadly to avoid using weak or recycled passwords. This particular threat would be a non-event had people not used the same passwords elsewhere."
"While Zoom’s ease of use has made it popular among users, it would be inaccurate to blame its security issues on this alone," writes Logan Kipp, director of sales engineering at SiteLock. He adds that "the best way for users to protect themselves is to ensure they utilize a meeting pin and have the host admit attendees to the meeting individually."
Handling a reputational crisis.
Zoom's pyrrhic success, explosive growth that drew close and highly damaging scrutiny, offers a useful case study in how an organization might respond to and manage a reputational crisis. Zoom has certainly been active in disclosing problems and attempting to address them, as Help Net Security points out. It's brought in outside help not only to address the immediate security issues, but also to oversee systemic changes in the way the company handles the security of its services. Another Help Net Security piece looks at the company's response and draws some general lessons for crisis management:
- "Executive support." Effective response requires the ability to allocate time, resources, "and even goodwill." Decisions on the necessary trade-offs are inherently executive functions. So is public acceptance of responsibility.
- "Crisis leadership." An experienced leader should be appointed. This normally shouldn't be drawn from either legal or public affairs, whose inclination will be to concentrate on deflecting damage as opposed to dealing with root causes. They belong on the crisis management team, but they shouldn't lead it. Nor should engineering, another important member of the response team, take the lead. The issues the organization confronts aren't purely technical. And CEOs should recognize their limitations and appoint a leader, and then define that leader's goals and provide necessary support.
- "Root cause." Identify the underlying cause of what went wrong.
- "Priority planning," or "stop the bleeding." Address the immediate issues of greatest importance to the customers or stakeholders. And, "in parallel," find and fix what's not publicly known, but that has the potential to exacerbate the crisis.
Not in the list but implicit throughout the discussion is the importance of clear, timely, effective, and honest communication.
Security advice for remote work.
Security experts are advising in general that organizations and individuals take five steps to improve their security during remote work. They come down for the most part to familiar cyber hygiene recommendations, and their familiarity doesn't make them any less important. First, keep systems patched and up to date. (Both Microsoft and Adobe patched yesterday.) Second, use multi-factor authentication. Third, avoid reusing passwords. Fourth, be alert to the possibility of phishing emails. And fifth, consider using a virtual private network (VPN). That last bit of advice should be followed with caution and circumspection: Zscaler says it's found a number of phony VPN sites using spoofed brands to deliver information stealers.