18 May 2020

Cyber Security Crisis Management: Lessons From Covid-19

Executive Summary

  • The Trends E-Discussion entitled Cyber Security Crisis Management: Lessons from Covid-19, which took place on Wednesday 20th May 2020, was the final event in Trends Research and Advisory’s “Strategic Dialogue E-Forum” series.
  • Moderated by Ms Emina Osmandzikovic, Researcher at TRENDS Research & Advisory, the session discussed the growing challenge of ensuring effective cybersecurity across the public and private sectors during the Covid-19 crisis.
  • Mr Muntaser Bdair, COO with SecurityMatterz, in the Kingdom of Saudi Arabia, said that technology alone does not solve cyber-security challenges: processes and procedures, as well as trained people, are needed to achieve cyber-security goals. Cyber-security remains important because the threat is constant.
  • Mr Naeem S. Musa, Chief Information Security Officer (CISO) with the Commodity Futures Trading Commission (CFTC) in the United States of America, explained that the pandemic has forced a change in business methods, including the need to ensure that home infrastructures such as modems and routers were up to date as they are easy to hack into and could enable illicit access to sensitive information.
  • Mr Andrew Staniforth, Director of Saher-Europe in the United Kingdom, highlighted the various aspects of organizational resilience and the combatting of Covid-19 cyber threats. He argued that organizational processes and procedures should embed cyber-security measures into the organization’s culture to ensure their effectiveness.
  • Professor Ernesto Damiani, Director of the Khalifa University Center for Cyber Physical Systems (C2PS) in the United Arab Emirates, discussed the illegal psychological operations (“PsyOps”) carried out by cyber attackers during the Covid-19 crisis, noting that criminals had exploited psychological vulnerabilities that made people more susceptible to hacking and social engineering.

Speakers’ main points

1. “What is cyber-security and what are its concerns and objectives?” – Mr Muntaser Bdair, COO, SecurityMatterz, CISSP, CISM, CISA, CRISC, ISO27001 LA, Kingdom of Saudi Arabia

Mr Muntaser stated that cyber security is a national security issue. The average cost to an organization that suffers a data breach is $3.9 billion. As a result, there is great concern among governments and business CEOs about the economic costs. The threat is very significant, given that hacking is easy and can even be done by children, while some hackers responsible for illegal acts in cyber space are extremely sophisticated.

One of the consequences of the Covid-19 crisis is that changed global circumstances are pushing us faster and further towards a digital future; with this new development comes the need for greater security. Given the nature of cyber threats, the major issue now is the need for effective laws and regulations.

In the Middle East and North Africa (MENA) region the problem of cyber security has been given much more attention over the past 5 years. Over the past few months, more than 9,000 new spam messages have been seen in the MENA region alone. In addition, dangerous and highly advanced new forms of malware have also emerged.

As a result, more efforts are needed to counter these developments and individuals and institutions must consider how they can counter the new threats. In developing good cyber security practice, the main requirement is awareness. Cyber criminals seek to exploit vulnerabilities through social engineering and phishing: the aim is to hack the minds of people through fraud to encourage them to reveal sensitive information.

Phishing is carried out through emails, with the aim of persuading people to click on a link that results in them sharing personal information. Another attack, which does more than mislead people, is ransomware: it gains access to sensitive files, encrypts personal information and then demands payment to unlock it.

The most important thing an individual can do to ensure their cyber security is to ‘think before you click’. We need to be careful with the security of our mobile coverage, social media and downloads. Individuals also need to guard against ‘dumpster diving’, which involves sophisticated cyber raids designed to extract information from recycle bins. Ultimately, it is not a case of if you are going to be hacked, but when. Awareness is critical if we are to keep our personal information safe.


2. “Cybersecurity Tips for Remote Working During COVID-19” – Mr Naeem S. Musa, CISO, CISSP, CISM, PMP, GSTRT, Chief Information Security Officer (CISO), Commodity Futures Trading Commission (CFTC), USA

Mr Naeem discussed the ways in which individuals could be more cybersecurity aware and also help protect their organizations from possible security breaches.

In terms of promoting best practice against potential threats, there are two principal issues: 1) what precautions are needed for people using home networks to do office work; and 2) what could be done to ensure that connected home devices (computers, printers, cameras, and others) do not harm or interfere with office networks.

To help maintain the integrity of cyber security networks, it is important that individuals are made aware of their organization’s policies, use only approved devices, use VPNs when possible, regularly update their router’s software, and think carefully before clicking on any link received from an unknown sender.

In terms of basic enhanced security, it is also important to guard devices, create strong passwords of at least 12 characters, use two-factor authentication, encrypt sensitive email with passwords (OPT), and carry out regular updates of devices.

Organizations could also strengthen their cyber security by securing systems that enable remote access, testing and if necessary increasing the capacity of remote access solutions, ensuring continuity of business and operational plans, increasing employees’ awareness of IT support mechanisms, and updating incident response plans to take account of workforce changes in a distributed environment.

Since the start of the Covid-19 pandemic, there has been a notable increase in risk relating to high-profile event security, together with increased phishing attacks.

In the context of the current pandemic, cyber criminals are making greater efforts to exploit the vulnerabilities of the rapid expansion of teleworking.

To counter this, it is important to encourage individuals and organizations to make more use of VPNs, secure video conferencing solutions, enhanced bandwidth utilization, and improved monitoring and patching systems.

It is notable that government data breach vectors are showing the increased threats posed by phishing, malware, stolen credentials, key-logging, and misconfigured servers.


3. “Organizational resilience: Combatting Covid-19 cyber threats” – Mr Andrew Staniforth, Director of Saher-Europe, Non-Resident Fellow in Counter Terrorism at TRENDS, United Kingdom

Mr Staniforth warned that global cyber crime could cost the entire global economy up to $6 trillion each year. Such activity has many negative effects and impacts more and more people: criminals now look to commit a million small crimes for a dollar each rather than one large, complex crime to steal a million dollars.

With cyber criminals seeking to take advantage of the disruption by Covid-19, we need to raise awareness and take a positive cyber security posture based on preparedness and resilience to enable organizations to respond effectively.

COVID-19 has exposed pre-existing cyber security vulnerabilities and created new organizational management challenges. Destructive cybercrime includes the destruction of data, financial costs, lost productivity, and theft of intellectual property.

Growing online dangers include ransomware, which has been defined as an “urgent and highly active” threat by the FBI. Automated and “spray and pray” attacks also pose a significant risk to business enterprises, public bodies and government. To counter these threats, we need effective training of staff by organizations, awareness of the many forms of criminal activity that endanger organizational and individual cyber security, and the cultivation of a security culture within organizations.

In the current situation, the people most at risk are careless users. Attacks in cyber space have sought to capitalize on the fear associated with COVID-19 by sending emails containing false advice. Financial institutions have been targeted, with crimes following the path of the coronavirus from Asia to Europe and North America.

For example, the National Intelligence Bureau has flagged 21 reports of COVID-19 fraud involving losses of hundreds of thousands of dollars. There have also been instances of face masks being purchased but never delivered, and of international organizations being exploited to entice payments. The European Central Bank has warned companies to increase their preparedness, with small local businesses being especially vulnerable.

With the growth of cyber crime in the current pandemic, a strategic approach will help to combat cyber threats. Most importantly, appropriate technical tools and support can ensure organizational resilience and encourage a “security culture” among employees.

The reality is that cyber security can never be 100 percent guaranteed: it is therefore critical that organizations promote awareness and ensure employees are briefed to be alert to the ever-changing nature of the threat.


4. “The COVID crisis: Lessons Learnt in Cybersecurity PsyOp” – Professor Ernesto Damiani, Director, Khalifa University Center for Cyber Physical Systems (C2PS), United Arab Emirates

Cyber ‘PsyOps’ (psychological operations) try to exploit the fears of individuals through social engineering and phishing. “Bad guys” are now renewing their cyber attack efforts as they try to profit from the current Covid-19 pandemic disruption.

With most companies devolving their functions to employees working from home, an opportune situation has been created for hackers and phishers. Family devices and connections are all potential entry points into the company’s network. Hackers are also currently taking advantage of individuals’ concerns about health, safety and financial aid information. To work effectively from home, people need to adopt a new mindset.

Covid-19 has brought millions of people back to the bottom of Maslow’s hierarchy of needs, where defending the family is a basic need. Social engineering experts know that individuals can be induced to act to satisfy needs according to their perceived position in the hierarchy; for example, if you are hungry you can be persuaded to steal food.

At the same time, fake news and videos on social media, as well as phishing messages, exploit fears and increase a sense of vulnerability. Many attacks have been effective to the point of prompting immediate responses from recipients on instant communication platforms such as iMessage, WhatsApp, WeChat and others.

Some attacks that will not work in the office will work at home. At home, different software is used that is not configured according to the company’s requirements. One very simple attack is for hackers to change the DNS settings; people working from home tend to fall for this. This shows that people in a different situation may behave differently. VPNs are safe, but a DNS attack can be coupled with a prompt encouraging people to download a malicious VPN update. This would never happen on a machine that is under the control of the company.

Another example is a bogus World Health Organization (WHO) phishing email which exploited Maslow’s hierarchy to encourage victims to click on a link that led them to a compromised web page with a plausible WHO frame asking them to verify their email address and password. This instance demonstrates again that a PsyOp attack that exploits Maslow’s hierarchy of needs can have significant success.

There are several steps that can be taken. In the transition from working in the office to working from home, some critical processes may become vulnerable to attack. We need to improve the resilience of these organizations and of those who work from home. In this respect, training people working from home – especially those without IT backgrounds – to improve their cyber security awareness is of paramount importance.

Audience questions

Following the lecture, the audience was given a chance to ask questions on ensuring effective cybersecurity across the public and private sectors during the Covid-19 crisis:

1. How do we ensure effective regulation?

MUNTASER – it is important to strike an effective balance. There is always a risk that too much regulation requires compliance in ways that do not necessarily mean doing the right thing.

NAEEM – to strengthen cyber security, sound regulations are needed. In the US, the Federal Information Security Management Act (FISMA) drives cyber regulations. Nevertheless, regulations should be adaptable, as one size doesn’t fit all; the outcomes in terms of security are most important.

2. What best practices can be replicated across countries?

STANIFORTH – in terms of international best practices, effective cooperation is a challenge. The current crisis should hopefully inspire changes that could bridge the ‘G-A-P’ (Government-Academia-Private sector), in terms of encouraging these sectors to work together more closely. As many changes are likely to result from Covid-19, common action is needed to tackle the challenges that emerge.

3. How do we ensure that remote working remains safe?

DAMIANI – for individuals working from home, using personal devices is still a major organizational challenge. For companies, the main task is to maintain the integrity of the ‘perimeter’; defense in depth is needed, fostered by regulations as well as technology and awareness, which should be fostered in schools before people enter the workplace.

4. How can we raise awareness of Cybersecurity in crisis situations?

STANIFORTH – awareness has to be embedded into the culture of an organization, and all executives and employees should have roles and responsibilities. In this context, Human Resource departments can play an important role.

MUNTASER – cyber security awareness can be taken beyond organizations to a national level. As we do more and more digitally, we need to take into account the increasing digital awareness of people in general; the key thing is to change mindsets to the extent that new practices have a cultural impact.

NAEEM – senior management must be involved in ensuring organizational awareness; this issue should not be left to IT support only. Within organizations, regular exercises should be conducted and individuals’ cybersecurity awareness assessed regularly.

5. How will the cyber landscape look after Covid-19?

STANIFORTH – there are very sophisticated cyber criminals operating around the world who will constantly be looking for opportunities to exploit vulnerabilities.

MUNTASER – we need to ensure that people are carrying out basic security measures while remaining up-to-date on the latest attacks.

DAMIANI – there is an ongoing transition from traditional software systems to data-driven and AI systems. These developments are changing the nature of the attacks; future hacks will be less opportunist and predatory and more long-term and parasitical.

NAEEM – in order to safeguard organizations and individuals from cyber attacks, regulation needs to be reformed to ensure the law catches up with technology.

Key points:

  • International cooperation is needed to address cyber security threats along with better government, academia and private sector cooperation to meet the challenge
  • A three-pronged approach – based on regulation, awareness, and technology – is needed to secure the increasing ‘virtualization’ of organizations, greater use of AI and Big Data, and new home-based work methods
  • Raised awareness needs to be embedded into the culture of organizations to ensure resilience through the participation of all employees
  • Senior-level management should take an active role in training their employees to be continuously aware of cyber threats and not remain reliant on IT specialists
  • Cyber-criminals are always looking for the next opportunity and they will have no shame in using the next crisis to prey upon people’s vulnerabilities

Conclusion

Cyber security has become an even more urgent requirement as the Covid-19 pandemic has encouraged criminals to exploit vulnerabilities and disrupt and steal. At a time of crisis, people have become more susceptible to the increasingly innovative frauds and tricks employed by hackers. In light of the new circumstances created by the pandemic, it is imperative that individuals and organizations adapt to new home-based work routines while also guarding against increasingly sophisticated cyber attacks.

In order to ensure success in the ceaseless fight against cyber crime, individuals and organizations need to increase their awareness and instill a ‘cyber security culture’ for all aspects of their operations and work routines. A ‘think before you click’ mentality needs to be encouraged, and individual employees should be encouraged to develop their own technical awareness and not remain reliant on IT specialists.

As part of the effort to build effective cyber security measures that can deal with evolving threats in the future, governments and international organizations need to revisit regulatory frameworks and adapt them to new threats while also being mindful of differing needs across the cyber sector. At the same time, more effective cooperation is needed between governments, academia and the public sector to ensure that cyber criminals will not be able to exploit the increasing use of AI and Big Data.
