Key Takeaways from the Cybersecurity Webinar
Sigma Software continues its series of free quarantine-time webinars aiming to explore the new normal, inspire businesses to move forward, and present expert views on how to surf the digital wave.
Speakers from the USA, Israel, and Ukraine joined the Accelerated Change: Cybersecurity webinar and shared their thoughts about how the crisis has accelerated much-needed changes in this field.
Dick Hardt, founder of SignIn.Org and an advocate of Identity 2.0, the USA; Almog Apirion, CEO and co-founder of Cyolo, Israel; Olesya Danylchenko, Deputy Director and Head of Payment Cards Security Forum, Ukrainian Interbank Payment Systems Members Association "ЕМА"; Alexey Stoletniy, CTO of Clean.io, Managing Director at Sigma Software, the USA; Alex Romero, CEO at Cyberpeace, the USA; Olga Paramonova, Leader of the Stellar Competence Center for AdTech in Sigma Software, Ukraine (Moderator), covered the following topics:
- Cybersecurity challenges during the COVID-19 pandemic
- Tips on protecting businesses from cyber threats inside and out
- The current state of the cyber-threat landscape across the banking industry
Webinar organizers: Sigma Software, Upnotch.io.
Webinar partners: Zag, Sigma Software Labs.
Olga: What are the new risks in the cybersecurity industry?
Dick: There's been an explosion of traffic as more people are working online from home. The digital transformations of retail outlets and in enterprises have rapidly accelerated. Contacts that I have in a number of the big brands in enterprise software are on fire. That’s because all their customers are trying to accelerate their own digital transformations. The identity management companies are overwhelmed by everyone trying to figure out how to manage all of their employees that are now working remotely as opposed to being on premises. Plus, many people that have switched to working from home don't know all the right processes.
Alex: The number of attacks has increased significantly because a lot of people have moved online. A lot of people don't have any knowledge about security or any awareness of it. My dad is now buying stuff online or he's connecting to video chats with his friends, and he thinks that everything is secured by default, which is quite alarming.
Obviously, attackers are taking advantage of this type of situation. We are seeing more and more servers going online nowadays. People just share them because they have to access all the information that they had in the office. Of course, these servers are not secure. These are just honey for the attackers.
With all the technology that attackers now have, they can broaden their attacks to a crazy volume. We used to set up these honeypots, which were servers that we put online just to see how things would go. Six months ago it took a week for attackers to find them. Now it takes just a couple of hours. We see that their malware is getting very sophisticated. These are very exciting times, but we need to be ahead of the attackers.
Alexey: There is so much specialization and so many specific areas of security. Some companies have already had setups for remote work, whereas others had to produce emergency solutions to enable remote access to all the resources that people used to have in the office.
That's a big challenge. A lot of those gateways, VPNs, and things that were deployed in an emergency can easily be compromised. People are just publishing their services online, many of which are not supposed to be public. That is a big issue.
Olesya: The same happens in the banking industry and the financial sector as well. But the main problem now is that it's not only sophisticated attacks and high-end techniques, but also social engineering methods that criminals use to attack banks. All attacks that we see today start with very simple things, such as emails or phone calls. After that, banks or their clients can lose huge amounts of money. We should talk not just about technical cyber-attacks, but also about social engineering methods.
Olga: Do you see any dynamics in social engineering attacks? Are they decreasing or increasing? What age groups and what demographics are more sensitive to them?
Olesya: During the COVID-19 period, we have seen that there has been an increase in fraud of such type. When people do not understand what is going on and everything around is changing, they are not very well prepared for those types of calls or emails. They do not know what emails they can receive, and what is allowed or not. This environment is a good foundation for users of social engineering fraud.
We see such attacks occurring everywhere and not only against commercial organizations. There were also attacks on government organizations in Europe. These methods can be used against everybody, any type of organization and any type of client.
Concerning demographics, there is no type of measurement as far as different types of social engineering fraud that works for different demographic groups.
Almog: In order to understand the new risk, we need to understand what has changed. For example, what has changed in our business operations? Do we have employees working from home? Are they working with their personal devices?
We also need to consider the new threat landscape and how hackers have changed their methods. That will enable us to prepare better and adapt our security strategies.
The world around us is changing. It's like my mother found out that in order to see her grandchildren she had to learn how to use Zoom, and she's quite a technophobe. A lot of organizations are more open to enabling work to be done from anywhere because they want to keep their businesses running.
The world is changing and we need to recalculate our strategy going forward, and remember that we cannot predict the future accurately, so agility and agile technologies are key.
Olga: Let’s elaborate a bit more on cybersecurity strategies. Alex, can you name the most common mistakes that companies make when they implement such strategies?
Alex: They don't understand that it's a strategy. They think of it as putting on patches or putting on band-aids to mitigate the risks of cybersecurity attacks. Those companies think that buying stuff is going to help them. We've seen a bunch of companies that bought everything that could be bought: firewalls, UTMs, IPSs, IDSs, endpoint security, etc. But it's either not being monitored or it’s not being managed correctly.
The thing here is that everything starts with the user.
We're seeing very sophisticated attacks, but most of the time it's just about going back to the basics. We see passwords that are in clear text written somewhere, or in the server, or on post-it notes. That's something that starts with the user. Every strategy has to start with a culturally based strategy that comes from the C-level all the way to everyone involved who touches data. That consists of partners, alliances, providers... Whoever touches data that has anything to do with the company has to be involved in a cultural change or cultural understanding of cybersecurity in terms of awareness.
It is a mistake to not think about the user as the main reason why cybersecurity attacks can be exploited. Because it starts with awareness. There has to be an awareness campaign within the company that is involved and focused on cybersecurity.
Another thing to avoid is relying only on products. They have to be implemented in the strategy that involves everyone in the company.
The other mistake is that some companies believe that the responsibility of cybersecurity relies on only one person or on only one department. That’s incorrect thinking. It’s the responsibility of everyone within the company. It only takes one person to click on something, to get a USB inside one of the computers, or connect from a computer that is infected from home to be able to get into a company.
It’s very important to have a real strategy, to understand where you stand as an organization, and to be able to do all the hardening in all the areas. That involves processes, controls, and not only the digital stuff. The main thing is that the user doesn’t only rely on products and has a complete strategy that starts from the C-level.
Olga: Olesya, can you add something to this topic in terms of the banking sector?
Olesya: Actually, nothing has significantly changed due to COVID-19. For sure, there must be a strategy and most banks have one. But even the smallest thing could lead to bad results. We’ve seen a lot of attacks during previous years in Eastern countries where there was not a very good level of information security.
Olga: Alexey, how are security companies preparing for the rising threats caused by shifting online?
Alexey: "Security companies" is a broad term. There are a lot of different vendors who produce products for companies, as well as those who provide services. From what I've seen across various areas, phishing and denial of service attacks specifically have scaled the same way as COVID-19 has scaled.
The best thing to do is to talk about the issues that the customers may experience. Small companies that don't have their own IT departments and solid security posture are going to have to struggle with bringing their services online. That will be something that people will need help with.
Another thing: as you migrate things from one place to another, there are going to be a lot of data loss accidents. Even when it is not entirely malicious, it's also a type of security problem that has to be solved one way or another.
Olga: Dick, what are the biggest issues right now in managing digital identity and also access to the remote workforce?
Dick: Many organizations are using VPNs, but almost everybody is working outside their network now. All of this when the VPN infrastructure is failing. Some people get frustrated as they're trying to connect. They don't have the bandwidth they need. They take shortcuts just to get their work done, which then opens them up to other attack vectors.
One of the other big issues is a shortage of devices. The kids are trying to use the devices and the parents are trying to use some of the same devices for work. The bandwidth might not be flowing well, the servers might not be accessible, and the healthcare servers might be slammed. Everything might not be working well and so it's much more likely for people to go and click the wrong thing.
There are people that are late adopters to going online, either from a work point of view or a home point of view, and they haven't been online much. They don't really know all the things that might happen and don't know what best practices are. The attack surface area is massive now from an attacker point of view. These are the golden years for a malicious user.
Olga: Almog, can you share a bit about the concept of Zero Trust?
Almog: The Zero Trust model has two sides. On one hand, you do not trust any entity inside or outside of the perimeter at any time. On the other hand, you secure, manage, and monitor every device, user and network being used to access business data. The most important thing to remember here is that Zero Trust isn't fully “zero trust”. You do need to actually trust your Zero Trust provider.
Before embarking on a Zero Trust journey, you need to consider the coverage of your needs, the privacy issues, security, and user experience. There is a real need for advanced secure access that will ensure business continuity without risking your network and assets, and will at the same time optimize your IT resources.
Security and IT departments will have to find a way to do more with less and to optimize resource consumption as best as possible. Nowadays, it is very important to work with systems which are as simple as possible to implement, maintain and automate in order to deal with incidents effectively. The world now understands that we need to disconnect between the user, the device, and the physical location. We need to put the network context out of the equation, even though we need to deal with use cases of users coming from within the organizational network and from the outside as external users.
Olga: Alex, where are the strategies coming from? What if small businesses don't have the capacity within their own security department and they have to move those operations and expect that a security vendor will come and solve these problems for them? Are there any good guides on how to evaluate those vendors?
Alex: A service model is what is best for these companies. They cannot make all the investment that needs to be made with all the platforms, and the human resources needed to carry out security operations 24/7. They have to rely on someone else to do that for them.
To start with, the company has to look for a vendor that looks trustworthy. For example, they can look at certifications. Since they're going to be carrying out the business operations from a security perspective, they need to trust that vendor. That trustworthiness comes from even having an interaction with the person and seeing if they are actually also passionate about security.
Also, they have to be able to understand the business model. They have to understand what could be the difference between malicious behavior and a false positive. They have to understand how information flows within the company's organization.
Olga: Olesya, now with so many people working remotely, do you see any actions to keep privacy and information security while having to comply with GDPR regulations and having to combine this mold?
Olesya: Information security is not a state, it's a process. When something changes in your infrastructure or procedures, you have to review everything that was changed according to GDPR. If you started to operate using the personal data of your clients, you always have to review all the processes. Keep in mind that you are not only compliant with something that is written somewhere, but you also need to be compliant for your company to avoid risks that are actually present now in the market. Your company becomes much stronger if your processes are compliant with these requirements.
Olga: Alexey, a lot of businesses are going to the cloud. Is it secure?
Alexey: The cloud is just someone else's computer. You have to change the processes that you've built. Those processes will likely follow or include various guidelines that are no longer relevant. They also might not include some guidelines that actually have to be there. Maintaining compliance standards and having the ability to conform to certain rules is a challenge.
Training and awareness are a challenge as well because people have to switch to new environments and use various new things. That's a big challenge especially for small businesses that usually don't maintain a team that can continuously help with security processes. Small companies have to maintain a coordinator on their end to be able to manage those processes and share learning across an assessment. This is the key thing for them to not invest into the exact same thing twice or too many times.
Olga: Alex and Dick, what was the most tremendous and impressive attack that you can recall? Do you see any patterns from the past that are being repeated these days?
Alex: I'm not going to say the names, but it was a big bank. We did some forensic analysis on it. They had all sorts of technology to carry out security operations. In some of the cases they even had two of them, so they had two endpoint security platforms and that was the problem. They were not playing well with each other and the attacker was able to put in malware a year before the attack was made. Yes, the attacker might be working on it for years before the attack actually gets exploited.
It was a $50 million donation to a church in North Korea. The bank itself is not located there, so it was something that was being held internationally. The only reason the transaction didn't go through was because of the time zone difference. That actually helped them because the money was already transferred to a US bank, which was the intermediary between this bank in one country and the church in North Korea. They were able to figure out that the money was not there anymore, so they hurried to the phone and called the bank in the US. It wasn’t like “please don't do a transaction” because it was already accepted and everything.
The thing that saved them was not a process or a cybersecurity control, it was just pure luck. It's something that shocked us. Imagine, you've got all this technology and you had all the platforms taking care of it. This is something that was planned and actually being carried out for a year or two before that.
Dick: The really interesting ones I can't talk about, unfortunately, but one of them was the Capital One breach that happened a couple years ago. A woman who used to work in AWS breached and compromised Capital One data. That breach happened because of a misconfiguration in Capital One’s accounts. It was even more egregious because there are systems in AWS that give alerts for misconfigurations. The team just ignored all of those things.
The biggest risk is the transition as opposed to the cloud. I would argue that the cloud is likely significantly safer than on-premises equipment because you've got a team that's just focused on making it secure. I worked with the AWS security team for quite a while when I was at Amazon, and they see all the different types of attacks and the edges. Almost all of our time was spent on addressing internal threats as opposed to external threats. Because the external threats are always there, the biggest threats are really somebody that doesn't have the organization's best interests in mind. There's a lot of time spent on dealing with this, and you've got people who are focused on this all of the time.
Olga: Almog, what about overall investments currently going into the cybersecurity industry. Cyolo raised 4.2 million during the crisis. How is it currently happening in terms of overall investment in this industry?
Almog: Cyolo closed its seed fund during COVID-19, and I believe that part of it had to do with the agency needing truly secure connectivity. We still see a lot of this despite the pandemic. We will see more investment in cybersecurity solutions that have a direct impact on business continuity. The right phrase to quote nowadays is “There's less security and more business continuity.” A lot of businesses just want to keep the business running, and there are two things that need to be done.
The first is to enable the business to continue operating. The second is to do it effectively without compromising security, and that is a challenge.
Olga: How can employees that are now working from home protect themselves against cyberattacks?
Dick: I just have one quick piece of advice which is: make sure you understand and follow the best practices that your organization is giving you about what to do. Almost all organizations, particularly larger ones have best practices.
Alexey: It can be tricky to just give general rules. Employees of different organizations have different policies and will definitely need to expect those things from the IT department. They should know who to contact in case they suspect that something is going on, and they should deal with that beforehand. Knowing who to immediately contact if you suspect something happened and having channels for that communication is critical.
Olga: We detected and blocked a bot doing credit card testing on our checkout page. Is that a general trend across all e-com websites or are we being targeted?
Alex: The answer is yes to both. Which is, yes, it is a trend. There are a lot more automated ways of doing attacks now. That's what we've seen, these botnets are attacking, searching or analyzing the whole internet all the time. Anything that comes up will be targeted and the thing here is that they are able to detect what kind of website is being uploaded and from there do a more sophisticated or not so sophisticated, but direct attack based on what they have seen.
We know for sure that organized crime has been hiring security analysts for quite some time now. They are creating structures that are even more stable, or more structured, than most companies are. They have a COO, a CISO, or even a CMO, which is something very interesting because they have a quota that they need to meet on a quarterly basis.
What we tell our customers is that it is not something that is personal to you. They do have a quota and they need to meet it, so they're going to attack anyone. They first send these botnets to make sure that they find all these sites that are either vulnerable or that they can transact money with and then they move it to a different stage and then they analyze it even further.
So yes, to both. Anything that comes on the internet nowadays is going to be targeted. The Internet is now an extension of us. Even if we go to sleep, the cloud is still there, our accounts are still there, and our e-commerce sites are still there. If it were a physical store — that store would be open all the time. At night and on the weekends they will try to attack it. They are going to see if it has any vulnerability then they're going to try to exploit it later on. They have all the time in the world.
Alexey: In e-commerce specifically there are definitely fraudulent transactions, which can be one of the big pieces of the puzzle. The other big piece is how these credit cards are collected and those that are collected via compromised stores themselves. When credit card information is loaded, all kinds of users become victims of various skimming.
Users are being infected more, as more users get online and shop online. Users are getting infected and we're seeing spikes in those trends. But also in terms of targeted attacks, we have actually seen attacks which inject into the specific websites one way or another and into the user sessions between the e-commerce store and the actual user. There are specific call outs for specific stores and specific areas and specific vulnerabilities in specific stores. There are definitely going to be a lot of specific targeted attacks that would call out specific names in specific stores. There are a lot of things that are happening in a targeted way as well as broadly and in general.
Olga: Almog, what changes in attacking behavior are being observed during COVID-19?
Almog: All of us are working from home and the attackers are working from home as well. There is a trend of attackers trying to exploit the situation of everyone who is not in the organization. We are seeing a lot of attacks against management interfaces in an organization, and resources and services that are accessible from the outside.
The secure access from the internet or minimizing the attack surface from the internet is always something that we need to take care of. But nowadays it's way stronger and a bigger risk. One of the things that is very important is zero trust. Zero trust is all about continuous identity verification before granting access. Credential theft nowadays will have a dramatic impact even more so than before. A lot of organizations help you open up a lot of things, in order to provide the employees the ability to do their work.
So, nowadays we need to be concerned about two things: the exposure from the internet and the theft of IDs.
Olga: Where do you see privacy and identity in 2021?
Dick: From a privacy point of view there's definitely accelerated protection happening in modern browsers and in mobile operating systems, where they're locking down more and more of the tracking that's being done. That is partly for advertising and partly for other reasons. That's the stuff behind the scenes. You've seen at Apple, privacy is now one of their core products. They are embedding it in almost everything they're doing. Google’s trying to catch up on that.
The challenge though is that as they crack down on these things, they often make it harder for a single sign-on. They wipe all the tracking. It makes it harder for other platforms to know “Oh does this look like it's the same user?” which is a signal often used for knowing “Okay I've seen this user on this device before.” But it's gone now. They don't have as much signal as they had to protect the user before.
That's an unfortunate thing. From an enterprise context, they'll have an account at one place and be able to essentially manage it, which will help from an identity point of view.
From a user point of view, COVID-19 is exploding the number of accounts and passwords people have. That’s becoming more of a problem. Hopefully, we'll see people move to password managers.
Olesya: I would add that we also have to speak about identification as far as new approaches to personal identification that emerge during payments. We now have Face ID, Touch ID, and so on. I believe that these approaches will become more broadly used in the next few years, but I cannot forecast what type of attacks criminals will make to overcome these new types of identification. Now such identification is quite secure, but it is difficult to say what will happen in the future.
Olga: If you were to pick one social network or messenger, security wise which would be the one?
Almog: A lot of social networks are providing pretty good security in aspects of data in transit. I think that the concern here is a bit different, as we were talking about putting your personal data or your organization's data in someone else’s hands. I don't know which is better, but I think that preserving your own life for yourself is possible. It's something that is worth considering, because if something is out there it can potentially get into the wrong hands.
Dick: Regarding which one has the best security, as much as I don't like some of the privacy aspects and other things around Facebook and WhatsApp, they've got massive teams that focus an awful lot on security. They've got some of the most advanced modern authentication that's looking for anomaly detection to see if it looks like someone's got your password.
Alexey: It's hard to say which messengers are more secure to use, because you have to use the messenger app that the other person's using. If you're choosing a messenger, some of the things you should look at are: what data the messenger has about you and whether it publishes this data, and what it does with that data. If it discloses that data, can it give it to the authorities? Who are the legal authorities around that messenger’s legal entity?
Another important piece is the default settings, which are used by most people. People don't necessarily go in and customize the settings on their chats. So whichever messenger provides end-to-end encryption as a default setting would probably be better suited to not disclose your information to the messenger owner.
Olesya: I would like to add the same about social networks, as far as everything depends on what you are sharing. A lot of attacks that use social engineering methods begin from the information that individuals or companies have posted on their social media. It’s not very difficult to create a profile for a company and to understand all of the networks and business connections and so on. You have to be very careful when you post something on social networks. It's not only for your friends, but everybody can use it.
Olga: Alexey, what recommendations could you give us to start being specialists in cybersecurity?
Alexey: I agree with what Alex was saying before about being passionate about it. That is one of the things that really drives interest.
Being in cybersecurity means you have to understand a lot of things from all the way down to how it works at the CPU level to all the way up to how it works in very abstract concepts. Having an open mind, being very passionate about understanding how things work, and just going out and participating in some teams. Trying to do those things and always looking out for more things and more information is the best approach.
We hope that the insights that our experts have shared will help you bring more digitalization and introduce the right mentality into your organization in these turbulent times. We will keep bringing you outstanding experts that are transforming businesses in various domains. Follow us on LinkedIn, Facebook, Twitter, and stay tuned for our news and events.