There are bad years and worse years in cybersecurity. 2020 was one of the worst.
Arguably, it will be summarized by infosec pros in four words: COVID-19, ransomware, Twitter and SolarWinds.
COVID-19 caused organizations around the world to suddenly send employees home to work if their jobs allowed it. That left many CISOs struggling to protect data handled by staff who were now working outside the corporate perimeter, which radically increased risk. Some got quick funding to add controls like virtual private networks, multifactor authentication and enterprise device management. Others weren’t so lucky.
On top of that, crooks leveraged pandemic panic to flood inboxes with COVID-related phishing scams going after government relief funds and the demand for masks and hand sanitizer, while some nation-states targeted pharmaceutical companies and universities for COVID research.
Types of exploits: Failure to plan ahead for disasters, plus poor awareness training.
Ransomware gangs increasingly adopted double extortion: in addition to encrypting data, they steal a copy and threaten to publish it, embarrassing the organization, unless a ransom is paid for the decryption keys. Judging by the number of victims listed on the gangs’ leak sites, many were hit this way, including municipalities, public school boards and hospitals.
For those who think ransomware can be shrugged off, consider this: In January, the Travelex international currency exchange was hit by ransomware. Reportedly it paid US$2.3 million to get decryption keys. It was forced into administration in August.
The death of an ill woman in Germany whose ambulance had to be diverted away from a hospital that suffered a ransomware attack was blamed in part on the cyber attack.
Types of exploits: Poor awareness training, failure to widely use data encryption for protection.
Twitter was embarrassed in July when employees fell for a phone scam that let attackers reset the passwords of high-profile accounts including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple. The attackers then used that access to tweet a phony bitcoin giveaway. Three people have been charged.
Types of exploits: Vishing, poor awareness training.
And in arguably the lowest point of the year, respected vendor FireEye was hacked, which led to the discovery that security updates for SolarWinds’ Orion network management platform had been infected with a backdoor. Some 18,000 Orion customers, largely in the U.S., downloaded the updates. Fingers point to a nation-state known to have a bear as a national symbol.
Outcome: Too early to say. Some reports suggest the attackers followed up on only a small number of those 18,000 infections. However, it is believed many of those are government agencies. As cybersecurity expert Bruce Schneier told SecurityWeek.com, “We don’t know what networks they are in, how deep they are, what access they have, what tools they left.”
One huge question: Organizations like the U.S. federal government are supposed to have defence in depth. How was this not caught?
Types of exploits: Too early to say. Wait for highly informative Congressional testimony in a few months.
Perhaps we can add a fifth word to describe the year: Incompetence. That would describe the cause of the hundreds of millions of data records left open by employees on cloud storage sites for anyone who knew how to find them. In 2020, there was no shortage of reports of these incidents, which count as data breaches. After all, if one person could find it, it’s a breach of security controls.
According to one compilation, the biggest data breach of the year was the discovery of over 10 billion unprotected records of millions of subscribers to the adult live streaming website CAM4.com. A close second may have been the discovery of 5 billion stolen records that had been assembled by a British-based security company that had been keeping track of data breaches for the last eight years.
In Canada, experts may remember the year for the credential stuffing attack on the Canada Revenue Agency, in which roughly 11,000 tax and service accounts were compromised.
Asked if the incident shows federal systems failed, Marc Brouillard, acting chief information officer, told reporters that “the system worked. We were able to identify these fraudulent actions coming in through some pretty sophisticated analytics that detected [suspicious] behaviours.”
The federal privacy commissioner has launched an investigation into whether the government institutions met their obligations under the Privacy Act, the federal public sector privacy law.
Another notable event was the release of a privacy commissioners’ report into the 2019 theft of data by an employee of the Quebec-based Desjardins credit union. It revealed the institution knew there were weaknesses that could allow an employee to walk off with data and had planned to implement a data loss prevention solution, but the rollout wasn’t fast enough.
This year will also be remembered for the Canadian Centre for Cyber Security’s biennial threat assessment, which outlined for the C-suite the biggest risks to organizations. “The vast majority of cyber incidents in Canada occurred because basic elements of cybersecurity weren’t followed,” wrote Scott Jones, the head of the CCCS.
Accurate annual numbers on data breaches in Canada are still hard to come by. A rough guide is available through the Office of the Federal Privacy Commissioner (OPC) of breach reports from private sector firms covered by federal authority, plus from those provinces and territories without their own privacy law. For the first 11 months of 2020, it received 634 breach reports affecting an estimated 23.8 million Canadian accounts. By comparison in 2019, it received 721 breach reports from commercial organizations affecting an estimated 19 million Canadian accounts.
One thing that can be said about 2020, judging by vendor reports, is that credential stuffing and brute force attacks are regrettably still effective. Until there is widespread adoption of multifactor authentication (including one-time codes and biometrics), a leaked or guessed password will keep being enough to take over an account.
For Dave Masson, Canada-based director of enterprise security at Darktrace, the year will be remembered for the “unprecedented” joint warning from Canada, the U.S. and the U.K. that a hacker group with ties to the Russian Intelligence Services is trying to steal information on COVID-19 vaccines.
It will also be remembered for the rush by infosec pros to online collaboration tools for all those remote workers, and attempts by attackers to exploit vulnerabilities.
“A big issue for all organizations is visibility – we don’t see what’s going on,” Masson said. “That became even more difficult this year as employees were doing the work, and often finding ways around [restrictions] to get the job done, but not necessarily in a secure way. Attackers see employees as low-hanging fruit, and unfortunately, they often are.”
That was also echoed in ransomware attacks, he added, where there’s evidence in a number of incidents that intruders had been on networks for some time before launching attacks. “Organizations are not really seeing what’s going on,” Masson concluded.
As for 2021, he warned that an increasing number of jurisdictions will either be upgrading their privacy and data breach reporting legislation (Canada, Quebec, California), or passing new legislation (possibly Ontario).
Masson also noted the Canadian Centre for Cyber Security report predicts attackers taking an increasing interest in critical infrastructure (including utilities, government and transportation). “We’ll see more reconnaissance on critical infrastructure, particularly operational technology networks,” he said. “What’s going to make it more important is this increasing convergence of OT networks with IT networks … it’s going to make things more difficult to protect.”
Florian Kerschbaum, executive director of the University of Waterloo’s Cybersecurity and Privacy Institute, said he found it “disturbing” that hospitals and medical institutions around the world this year were victimized so many times. “In fact cybersecurity professionals had to volunteer to help secure hospitals during the pandemic,” he noted. “You see that the higher the stakes are the more criminals will focus on those targets. And that is not very good news for us.”
Like Masson, he sees more threats to IoT systems. “One thing we will continue to see in the future is the intertwining of the physical world and the digital world. The number and variety of cybersecurity threats are going to significantly rise. The problem is IoT systems are harder to update, and they have a longer lifetime than traditional IT systems,” he said.
Tony Anscombe, chief security evangelist for ESET, said the quick switch by crooks this year to COVID-related email scams and ransomware highlights — again — that cybercrime is a business. As soon as Canada’s COVID tracing app was released a malicious copycat popped up, he pointed out. “Cybercriminals will shift to where the cash is.”
This year also saw a leap in the number of attacks through Microsoft Remote Desktop Protocol, he said, which is related to the targeting of the increased number of people working from home. Attempted RDP attacks were up 37 per cent every quarter compared to 2019, ESET found. Organizations have to properly configure their RDP servers, he said.
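The two attack patterns raised above, credential stuffing against web logins and brute force against exposed RDP, leave distinct fingerprints in authentication logs. The following is an added example, written for this article and not code from ESET or any vendor quoted here, showing the two heuristics a detection engineer would start with: one source address trying many distinct usernames (stuffing), and one account absorbing many failures on one service (brute force). The log format, the sample lines and the thresholds are constructed for the example and are not from any real product.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data): one line per authentication attempt.
# 203.0.113.5 walks a list of usernames with one try each and lands on "dave";
# 198.51.100.7 hammers "administrator" on an internet-facing RDP listener;
# 192.0.2.10 is a user mistyping a password once, which should not alert.
SAMPLE_LOG = """\
2020-11-03T10:00:01Z src=203.0.113.5 user=alice result=fail service=web
2020-11-03T10:00:02Z src=203.0.113.5 user=bob result=fail service=web
2020-11-03T10:00:02Z src=203.0.113.5 user=carol result=fail service=web
2020-11-03T10:00:03Z src=203.0.113.5 user=dave result=success service=web
2020-11-03T10:00:03Z src=203.0.113.5 user=erin result=fail service=web
2020-11-03T10:00:04Z src=203.0.113.5 user=frank result=fail service=web
2020-11-03T10:00:04Z src=203.0.113.5 user=grace result=fail service=web
2020-11-03T10:00:05Z src=203.0.113.5 user=heidi result=fail service=web
2020-11-03T10:00:05Z src=203.0.113.5 user=ivan result=fail service=web
2020-11-03T10:00:06Z src=203.0.113.5 user=judy result=fail service=web
2020-11-03T10:01:00Z src=198.51.100.7 user=administrator result=fail service=rdp
2020-11-03T10:01:01Z src=198.51.100.7 user=administrator result=fail service=rdp
2020-11-03T10:01:02Z src=198.51.100.7 user=administrator result=fail service=rdp
2020-11-03T10:01:03Z src=198.51.100.7 user=administrator result=fail service=rdp
2020-11-03T10:01:04Z src=198.51.100.7 user=administrator result=fail service=rdp
2020-11-03T10:01:05Z src=198.51.100.7 user=administrator result=fail service=rdp
2020-11-03T10:05:00Z src=192.0.2.10 user=alice result=fail service=web
2020-11-03T10:05:30Z src=192.0.2.10 user=alice result=success service=web
"""

# Simplified, assumed log layout; a real deployment would parse the
# authentication source's own format (e.g. Windows event 4625 for RDP).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|fail) service=(?P<service>\S+)$"
)


@dataclass
class Attempt:
    ts: str
    src: str
    user: str
    ok: bool
    service: str


def parse_log(text):
    """Turn raw lines into Attempt records, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line stop the detector
        attempts.append(
            Attempt(m["ts"], m["src"], m["user"], m["result"] == "success", m["service"])
        )
    return attempts


def detect(attempts, stuffing_min_users=8, brute_min_fails=5):
    """Return a list of findings. Thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    by_target = defaultdict(list)  # (user, service) -> attempts
    for a in attempts:
        by_src[a.src].append(a)
        by_target[(a.user, a.service)].append(a)

    findings = []
    # Credential stuffing: one source, many distinct usernames, roughly one
    # try each. Any success from such a source is a compromised account that
    # a second factor would have stopped, so it is rated high.
    for src, rows in by_src.items():
        users = {a.user for a in rows}
        if len(users) >= stuffing_min_users:
            compromised = sorted({a.user for a in rows if a.ok})
            findings.append({
                "type": "credential_stuffing",
                "src": src,
                "distinct_users": len(users),
                "compromised": compromised,
                "severity": "high" if compromised else "medium",
            })
    # Brute force: many failures against one account on one service,
    # from one or several sources. A later success from any source on that
    # account upgrades the finding.
    for (user, service), rows in by_target.items():
        fails = [a for a in rows if not a.ok]
        if len(fails) >= brute_min_fails:
            findings.append({
                "type": "brute_force",
                "user": user,
                "service": service,
                "failures": len(fails),
                "sources": sorted({a.src for a in fails}),
                "severity": "high" if any(a.ok for a in rows) else "medium",
            })
    return findings


def run_sample():
    """Run both heuristics over the constructed log above."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the sample, the stuffing source is reported with ten usernames and one compromised account, the RDP source is reported as brute force with six failures, and the single mistyped password from 192.0.2.10 produces nothing. The two heuristics map directly onto the two controls discussed above: the high-severity stuffing finding is the case MFA neutralizes, and the RDP finding is the case that not exposing RDP to the internet (or putting it behind a VPN and account lockout) prevents.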
He credits organizations for improving their defences, but adds that attackers are upping their game as well. Still, Anscombe noted that a free phishing test ESET ran this year showed 68 per cent of Canadian respondents failed to spot all three fake emails. That suggests awareness training still leaves a lot to be desired.
For 2021, ESET sees high numbers of people continuing to work remotely, either permanently or several days a week. For organizations that haven’t done so yet that will mean investing in properly secured collaboration tools. The threat of ransomware will continue because many victims are paying, and paying more than ever. One organization reportedly paid $1.1 million to get decryption keys, Anscombe said.
Companies will re-assess how and how often they do awareness training, he said, because of the number of people working from home. Training will have to increase to more than three times a year.
Finally, ESET predicts an increase in file-less malware attacks, which piggyback on the operating system’s own tools and processes and leverage them for malicious purposes.
Here are other predictions from major companies:
- Ransomware is now a national security issue for nations and it will only get worse.
- Despite the urgency of their work, threat actors will continue to target healthcare providers and vaccine makers.
- Nation-state activity will continue to be dominated by traditional espionage against both governments and perceived threats to regime stability (like human rights activists).
- Expanding cloud usage will require organizations to improve visibility into their cloud footprint, assets and provider relationships.
- Many organizations will turn to security validation, which provides quantifiable data on the effectiveness of their security controls to answer questions like is the VPN working as it should and do the people who have higher level privileges still need them if they’re working from home.
- Advanced threat actors will buy initial network access from cybercriminals. Organizations should pay increased attention to generic malware and perform basic incident response on each compromised computer to ensure it has not been used to deploy a more sophisticated threat.
- More Silicon Valley companies will take action against zero-day brokers. For example, in 2019 Facebook/WhatsApp filed a lawsuit accusing Israel-based NSO Group, which sells its tools to law enforcement agencies, of having exploited a vulnerability in its software. There have been many allegations these tools are used against human rights activists. A U.S. court has ruled the lawsuit can proceed. The outcome of this case could have far-reaching consequences, says Kaspersky, including prompting other lawsuits against zero-day brokers.
NOTE: After that prediction was made, several Silicon Valley companies joined the action against NSO.
- 5G vulnerabilities will emerge as countries deploy this next-generation wireless technology.
- We will see more disruptive cyber attacks, either orchestrated against critical infrastructure or from collateral damage on services we use daily, like public transportation and supermarkets.
Finally, Gartner predicts worldwide spending on Information Security and Risk Management solutions and services will grow in 2021 to $143 billion, up from $131 billion this year (all figures in US dollars). In Canada it will increase to just over $4 billion, up from $3.8 billion this year.
If all this isn’t enough, Cisco’s Talos intelligence group looks at new or updated malware it’s seen this year, from JhoneRAT to the Xanthe cryptominer.