The COVID-19 pandemic, which forced businesses to close offices and send employees to work from home, has put enterprise security and cybersecurity to one of its biggest ever tests.
The abrupt transition to working from home further complicated an already complicated threat landscape as malicious actors opportunistically adopted new strategies to leverage COVID-19 and profit from what now has become the new normal.
The upshot: the teams responsible for managing enterprise security scrambled to shore up defenses against a constellation of evolving threats which appeared in ever-increasing volume and scale.
There was no pre-existing playbook to consult. Like other CISOs who have lived with these challenges, I’ll remember 2020 as a testament to the skills and determination of all concerned to keep our data safe. Let me share six lessons that I have learned as a CISO.
It’s a new threat environment.
Even before COVID-19, a shift was already underway in how attackers target companies. Previously, attackers went after the centralized, well-defined assets in a company’s data centers. That began to change when digital transformation led companies to distribute certain enterprise assets between on-premise and the cloud. Then COVID-19 happened, forcing IT to improvise new solutions in an emergency situation.
At Hitachi Vantara, for example, we essentially moved from two data centers to 13,000 data centers – every employee at home constituting their own data center – all within the span of one week.
From the attackers’ perspective, all these people isolated in their homes and working on unsecure networks present a heaven-sent opportunity. Some people may use routers with default passwords that are simple to crack or run vulnerable firmware. Others may be deploying insecure Wi-Fi protocols that allow a savvy cybercriminal passing by to gain access to their flow of data.
All these threats are real and pose a new set of risks for IT – risks few organizations had prepared for. To be sure, we had always allowed employees to telecommute. But it was never at this scale, nor with this level of exposure to new potential threats to corporate data.
Get used to the “unknown unknowns.”
In cybersecurity, we’ve always worked on the “protect, detect, respond and recover” model. It still applies – but what you have to protect is evolving. You now not only need to protect what's in your data center but must also safeguard an expanded attack surface that is available to the bad guys. Briefly put, what you must protect becomes much bigger.
Similarly, detection now becomes very different. If something happens on the firewall in your data center, sure, you can detect it. But how do you detect somebody attacking your CEO’s home router, or his or her kids’ PlayStation that is connected to the same insecure home network? That's much more difficult. You now have to contend with a situation where the attack surface is so wide that you don't know where you need to detect or even what to expect to detect.
Same for response. Using the same example, if the attackers penetrate the CEO’s home router and get access to her email, the detection process is not as immediate. It can be extremely difficult to find the source of the penetration. Again, the paradigm has changed completely because of the complexity and variety of attack methods and threats that may materialize.
As security defenders, we need to wrap our heads around a new reality: the number of “unknown unknowns” is increasing exponentially.
Social engineering is now everywhere.
With COVID turning everyone’s world upside down, attackers recognize that people are far more vulnerable at the moment to social engineering attacks when they’re at home.
More than ever, employees are receiving phone calls from scammers saying, “Hey, I'm from the Hitachi help desk. You have a problem with your router.” Or, “your laptop is spewing things on our network” in a bid to trick the user into doing things that would enable an attacker to get into the corporate network.
Instead of exploiting system vulnerabilities, bad actors now focus more on tricking employees into giving up their credentials. Because once they’ve got that information, attackers are free to do whatever they want.
If someone’s working in the office and receives a strange phone call, they can turn to a colleague for advice. It’s harder when they’re isolated at home, where they don't have the same easy access for immediate validation or a means to verify. That raises the odds of success for persistent attackers to get workers to eventually drop their guard and fall for their ruse.
We’ve put measures in place to mitigate the risks when someone at our enterprise receives an email from an external source that contains a link. When recipients click the link, the page does not load directly in their browser or on their laptop. It is first opened in isolation and vetted in what we call a detonation chamber. However, technology by itself isn’t enough to solve the problem. Often the security protections that we put in place are built on the assumption of trusting the user. But all it takes is a trusting user who falls victim to a combination of social engineering and technical attacks to inadvertently expose the organization to risk.
Weak security lives on the edge.
The world of operational technology (OT), which is responsible for managing the operation of physical processes and the machinery used to carry them out, wasn’t really created with the idea of getting patched regularly. Nor were OT systems built with the idea of being connected to anything. An attacker would have needed physical access to be able to tamper with an OT site.
No longer. OT and big industrial sites are now connected to the internet through the addition of devices that are part of the Internet of Things (IoT).
That’s potential trouble in spades: many IoT devices have proved relatively easy to hack just like any other internet-enabled device. Once attackers compromise the device, they then have free entry into networks. In response, CISOs need to update the tried-and-true concept of the security triad — which is confidentiality, integrity and availability — to also include safety.
For instance, a hacker could get into the hospital network to change the dosage of an insulin pump that’s connected to the internet — with deadly consequences for the patient.
Prepare for worst-case scenarios.
Security leaders should be prepared to meet worst-case possibilities: attackers can now leverage the same IoT devices, which now number in the billions, to inflict tremendous damage.
The risk isn’t theoretical any longer. On the dark web, you can find groups of hackers whose goal is to one day take control of a robot and kill the operators. And because of rampant IoT security vulnerabilities, they can act on that agenda.
Indeed, we have seen significant attacks that leveraged IoT to compromise OT systems. Stuxnet, which featured a computer worm attacking centrifuges at a uranium enrichment facility and other industrial sites in Iran, was obviously the big eye-opener. It was a well-designed and well-executed cyberattack that had kinetic effects on the targeted devices. It was a harbinger.
Since then, there have been other examples of how this can unfold. Ukraine’s power grid was totally brought down by hackers suspected to be acting on behalf of Russia in 2015. There have likely been lesser known but similarly disruptive attacks that have not been made public.
The role of CISO is changing.
It’s up to CISOs to make sure none of this happens. But the combination of COVID-19 and the ongoing process of digitization has made that challenge harder than ever.
The CISO role is changing. As we’ve seen, it’s no longer dealing just with internal IT issues. CISOs now have a lot more on their plates, in particular on the operations side of the company.
Take me as an example. I was hired five years ago to manage corporate IT security at Hitachi. My responsibilities were quite clear – I was to protect corporate IT. But a couple of years into my tenure, I was asked to extend my responsibility to product security as well. There was a realization that while we were secure internally, we had more work ahead to make sure our products met higher security expectations.
At the end of the day, security is always about brand and protection of company reputation. If data gets stolen from your company’s ERP, or a customer using one of your products gets hacked because the product was insecure, your organization will suffer the blame.
Bad actors are always going to be there and they're always going to be thinking of something new. COVID has given them a new opportunity to wreak havoc. It’s up to the enterprise security leader to make sure that doesn’t happen and that we stay ahead where we can.