Lessons learned: five cybersecurity takeaways for a safer 2021
It’s been a momentous year for everyone working in cybersecurity. But while the pandemic has caused pain, misery and disruption on a quite unimaginable scale, there are also some positives we can take with us into 2021. The rapid shift to remote working and adjustments that many companies were forced to make to continue serving customers highlighted the importance of digital transformation. But they have also hopefully reminded business leaders of the critical need for effective cybersecurity baked-in from the start. The stakes couldn’t be higher: cyber risk in today’s environment represents nothing short of an existential challenge for organisations.
So what specifically have we learned over the past 12 months that can make 2021 a safer, more secure and successful year for all of us?
- Cyber-criminals’ ability to pivot remains a threat
Back in March Barracuda Networks recorded a 667% spike in COVID-themed phishing emails. Although that number subsequently fell back, it showed us something very important: that cyber-criminals really are past masters at adapting their campaigns for maximum results. Thus, we saw attempts to steal personal data using pandemic-themed lures like fake government and WHO notices. We saw multiple attempts to scam users into sending money for ‘charities’ and other organisations fighting the virus. And we even saw attempts to utilise the event to launch BEC attacks.
The bad guys will always be quickest to react, so we must have defences ready and waiting in place. That means multi-layered email security featuring URL link protection, reputation checks, behavioural analysis, CPU-emulation sandboxing and AI-based tools to keep threats at bay. They must sit alongside improved security awareness training for all staff.
- SD-WAN comes of age amidst government lockdowns
Around half of UK employees were working from home at the height of the pandemic in April, with similar numbers repeated in the US and across Europe. With every remote worker now effectively their own discrete branch office, the case for SD-WAN became a lot more compelling in 2020. With VPNs struggling with the sudden uptick in traffic and cyber-criminals increasingly focusing on the perceived security weak link of remote workers, the network architecture started to make sense. Barracuda Networks report in June revealed that 23% of global firms have already deployed SD-WAN and another 51% are either in the process of deploying or expect to do so within the next 12 months.
When done right, SD-WAN can reduce costs and significantly enhance performance for site-to-site and site-to-cloud connections. The key is to ensure security is built in from the start from a single provider, rather than requiring a separate appliance or cloud service.
- Ransomware attackers have no shame, and are on the hunt for big game
The term “big-game hunting” was actually coined in 2019 to refer to ransomware gangs going after larger firms in more targeted attacks reminiscent of APT campaigns. However, with the advent of the pandemic, we’ve seen an increasing array of such groups targeting remote endpoints like RDP to gain a foothold in organisations. Many took advantage of security teams distracted by other tasks during the pandemic, or of organisations like hospitals focusing all their efforts on saving the lives of infected patients. One ransomware attack may have even resulted indirectly in a patient’s death.
Attacks may use “living off the land” techniques to stay hidden, steal internal credentials for lateral movement and exfiltrate data for a “double extortion”. Some victim organisations have admitted attacks could cost them tens of millions. The message is clear: layer up defences with behaviour-based AI tools to spot phishing attacks, vulnerability scanners to check for exposed systems and applications and advanced firewalls to detect unusual internal traffic. Complement these with backups along the best practice 3-2-1 model.
- Web application attacks are on the rise, as users flock online
The pandemic has forced many organisations to reach their users in new ways. Just think about your local restaurant, which now has to sell produce and ready-cooked meals online just to stay afloat. Web applications have been at the heart of many hastily developed digital strategies this year. But they also represent a growing threat to organisations. According to Verizon’s latest Data Breach Investigations Report, web app servers were targeted in around 40% of breaches it analysed. Web apps themselves were also a hacking vector in over 80% of breaches, either via exploited vulnerabilities or credential stuffing/brute force attempts to crack open passwords.
Compromised web applications could lead to denial of service, hijacked customer accounts and data breaches. To prevent any resulting financial and reputational damage, organisations are urged to invest in web application firewalls as a first step. Many are also now available as-a-service.
- VPNs are out, zero trust is in
As mentioned, VPNs have had a bad pandemic. Overwhelmed by the sheer number of users, many systems proved to be a security bottleneck rather than an enabler of secure business, as performance stuttered. As well as delaying in-bound traffic headed for centralised corporate security controls, they also held up delivery of vital security updates to remote workers. One vendor claimed that 43% of IT operations leaders had problems patching remote endpoints, thanks in part to overwhelmed VPN tunnels. In some cases, cyber-criminals even targeted vulnerabilities in VPNs to gain a foothold in corporate networks. It’s also true that VPNs could be accessed by a hacker who managed to steal (phishing) or brute force (credential stuffing) a user’s credentials.
That’s why increasingly organisations are looking to zero trust to support their new cloud-first IT infrastructure and distributed workforce. Based around the notion of “never trust, always verify” zero trust is built on multi-factor authentication (MFA) and least privilege policies to ensure only legitimate users and devices get access to the corporate resources they need, and no more. It also supports the flexible, remote workforce of today by working anywhere, anytime, on any device.
Stay tuned for the second part in this mini-series where we’ll be looking ahead more specifically at what 2021 might hold in store as the threat landscape continues to evolve.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.