Threats, Gaps and Challenges in the Era of COVID-19
COVID-19 has changed the way the world operates, the way we communicate, the mode of doing business and the functioning of governments, resulting in an increased reliance on digital technologies and remote working [1]. One effect of this massive digital adoption was an increase in cyberattacks, which demonstrates the urgency of, and the need for, a secure and reliable cyberspace. We, as members of the CONCORDIA project, have analyzed how COVID-19 is impacting the cyberdomains studied in the project, from device/IoT to user, via the network, system, data, and application domains.
Device/IoT Domain
During the pandemic, IoT device adoption had a substantial boost. After businesses started reopening, touchless and contactless devices such as body temperature cameras and touchless points of sale have become a necessity. Such devices suffer from the same weaknesses as other IoT devices, further exacerbated by their close relation with safety and by information leakage in working environments. In addition, remote work resulted in many personal devices being connected to corporate networks through less protected home networks. This scenario offers new possibilities for an attacker to indirectly threaten corporate networks. New threats to the IoT/device domain emerged during the pandemic, including:
- Inadequate design and planning or incorrect adaptation in critical scenarios: the absence or inadequacy of an emergency reaction plan or adaptation strategy, in a scenario where new IoT devices and technologies have been quickly adopted to react to the crisis.
- Lack of control over safety implications: the strong implications of IoT devices for safety are often not properly considered.
- Lack of strong cyber hygiene practices: the need for good skills among the personnel interacting with digital technologies, which is even more critical in ubiquitous IoT.
Network Domain
The network domain is one of the most affected by COVID-19, and experienced a radical change in terms of traffic and boundaries. For example, many remote employees are connected from their home network to the corporate network through a Virtual Private Network (VPN), therefore enlarging, to some extent, the perimeter of the corporate network. Home networks are not under the control of the organizations, but they still need to be protected. We have seen a spike in cyberthreats affecting networks, exploiting telework technologies and remote tools. These threats have a very strong impact both on security operations and on business processes, because the reliability of the network is a mandatory requirement for remote working. Therefore, building a reliable network as the basis of smart working, e-learning and electronic services is nowadays a must. The new threats to the network domain that emerged during the pandemic include:
- Exploitation of vulnerabilities in services and remote tools: the ever-increasing attacks exploiting vulnerabilities in VPNs and remote work software, which are not as protected as the company infrastructure.
- Physical attacks: physical attacks on network equipment, often driven by misinformation around networking technologies, in particular 5G.
System Domain
The increasing number of remote workers resulted in the migration of traditional IT systems towards virtualized infrastructures, for instance desktop virtualization solutions. Often, they have been rolled out in haste without paying attention to crucial security details (e.g., configuration hardening and endpoint protection), therefore exposing sensitive information to potential attackers. The new threats to the system domain that emerged during the pandemic include:
- Phishing: sophisticated and targeted social engineering attacks that take advantage of the uncertainty of the current situation, where attackers can pose as trusted, healthcare-related sources.
- Lack of awareness: the underestimation of cybersecurity threats; organizations and personnel are subject to higher stress due to business problems, making it even more difficult to prioritize cybersecurity.
- Personal cloud service adoption: the rapid move of individuals to web-based cloud services, which have proven unable to deliver an adequate level of protection and scalability.
- Cloud sprawl: the unawareness and immaturity of the migration to cloud services, whose implications are not completely understood (e.g., shared responsibility).
Data Domain
Correct and robust data management is more critical than ever, as COVID-19 accelerated the distribution of computation to homes and the periphery. Moreover, the pandemic acted as a multiplier of the effects of existing threats such as social engineering, Distributed Denial of Service (DDoS), ransomware and child sexual abuse material, to name but a few. Data compromise becomes key to any attack and is amplified by increasingly effective social engineering; the latter builds on Cybercrime as a Service (CaaS), where facilitators offer their knowledge on the dark web. The new threats to the data domain that emerged during the pandemic include:
- Information leakage/sharing due to hostile home networks: the exfiltration of data by attackers, made possible by erroneous data sharing and information leakage due to work in less protected environments.
- Conversation eavesdropping/hijacking: the risk of conversation eavesdropping and hijacking due to the reliance on videoconferencing tools and their poor security countermeasures [2].
- Unreliable data: the increasing difficulty in distinguishing between reliable and unreliable data, a situation exacerbated by the huge amount of information we are overloaded with (especially about the pandemic), and by cybercriminals who are actively exploiting and contributing to this situation.
Application Domain
During the pandemic, we have also seen an ever-increasing usage of ransomware, phishing and scamming, which all go beyond a merely technical aspect and demand strong awareness on the user side. Two kinds of applications have become central during the pandemic: contact-tracing apps and remote collaboration software. Contact-tracing apps have, to some extent, polarized the debate and faced harsh criticism, which, in the case of decentralized approaches, is mostly unjustified. On the other side, videoconferencing and remote collaboration software, such as Microsoft Teams, Skype or Zoom, have seen an unprecedented spike in usage, exhibited weak communication protection and put significant stress on the networks. The new threats to the application domain that emerged during the pandemic include:
- Inadequate design: the ineffectiveness of application design that does not adequately plan for non-functional aspects. Put simply, security, safety, privacy and compliance, to name but a few, should be considered in the very first phases of software design.
- Supply-chain security: the security of all the components involved in the realization of an application. We all know that the strength of a chain is the strength of its weakest component; for applications and products there is no difference [3].
- Skill shortage: the need for skilled personnel to design safe and secure systems and applications.
User Domain
The last domain of interest in CONCORDIA is the user domain. Unlike the other domains, no new user-specific threats have emerged during the pandemic. Instead, COVID-19 has amplified existing threats, and cybercriminals have exploited the state of fear, uncertainty and doubt that many of us have experienced and are still experiencing. Again, awareness is a fundamental point.
Gaps and Challenges
Besides threats, within CONCORDIA we also identified the new gaps and challenges posed by the pandemic. On the one hand, the complexity of the new normality we are living in resulted in additional gaps and challenges. On the other hand, some of the existing gaps have been exacerbated by the current situation. The following table highlights and briefly describes the most important cybersecurity gaps and challenges in the era of COVID-19 and the domains they affect.
| Gap | Description | Domains |
|---|---|---|
| G1 – Gaps in cyber hygiene practices | The current practices to provide minimal cyber hygiene education (minimal cybersecurity good practices) are insufficient and often unavailable prior to exposure to the risks. | All |
| G2 – Gaps in handling critical scenarios | The increase in IoT device adoption in critical scenarios without an adequate emergency reaction plan or adaptation strategy is causing data breaches and safety implications. | Device/IoT |
| G3 – Gaps on general misinformation campaigns and conspiracy theories | The fear and anxiety caused by the pandemic, combined with the isolation imposed by travel and work restrictions and the consequent reliance on online platforms for social interaction, have left many people vulnerable to misinformation, disinformation and conspiracy theories, eventually resulting in extreme actions (e.g., US Congress attack). | Network, Device/IoT, System, User, Application |
| G4 – Gaps on reduced capacity to perform security operations | The large-scale migration to remote work amplified multiple challenges related to the management of, and capacity to perform, security operations, reducing the level of security provided by corporations. | All |
| G5 – Logistic challenges to the ever-increasing cloud usage | Unpreparedness and inability to cope with logistic issues can lead to security vulnerabilities, where a potential DDoS attack could cripple already overwhelmed systems. | Network, System |
| G6 – Gaps on endpoint controls | To secure remote workers from potential malicious activities, organizations have to deploy multi-layer endpoint agents on all employee endpoints. | User, System |
| G7 – Gaps on cloud user awareness | Remote workers require training on various cybersecurity topics, including phishing, password guidance, privacy screens, device hardening, working with confidential materials and securing physical computing assets. | Network, User, System |
| G8 – Gaps on remote network controls | Off-network communications from virtual desktops should be limited only to allowlisted necessary resources. | Network, System |
| G9 – Gaps on video conferencing tools | Video conferencing tools are often unable to address the increasing demand for resources and to support the required security and identity management. | Application, User, Data |
| G10 – Gaps on data management across borders | New approaches must be devised to better manage remote access and minimize the risk of propagating attacks that aim to reduce the availability and integrity of data. | All |
| G11 – Gaps on interoperability | COVID-19 showed an urgent need for systems interoperability, especially for the ones delivering public services (e.g., healthcare). | All |
| G12 – Gaps on education | Users should be more aware of emerging sophisticated attacks (e.g., Twitter bitcoin scam), which rely on social engineering and phishing. | Application |
| G13 – Gaps on sophisticated protection | The difficulty of defining trust boundaries and “zero trust”, coupled with the ever-increasing attention of attackers to AI, calls for new and sophisticated forms of protection, dealing also with soft attacks exploiting the human factor, often considered the “weakest link”. | All |
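G8 asks that off-network communications from virtual desktops be limited to allowlisted resources. The script below is an added example, not CONCORDIA code, of how a security operations team could audit virtual-desktop connection records against such a deny-by-default egress allowlist: every network range, hostname, port and log line in it is constructed for illustration, and the `key=value` record format is a hypothetical one chosen for readability.

```python
"""Egress allowlist audit for virtual-desktop connection records.

Added example (not CONCORDIA code). The allowlist, hostnames and log
format below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: the only destinations a virtual desktop may reach.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),  # hypothetical corporate app/file servers
    ipaddress.ip_network("10.30.5.0/24"),  # hypothetical internal web proxy segment
]
ALLOWED_HOSTS = {"mail.corp.example", "vdi-gateway.corp.example"}  # hypothetical
ALLOWED_PORTS = {443, 445, 3389}


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str  # IP address or hostname, as logged
    port: int
    proto: str


def parse_record(line: str) -> Connection:
    """Parse one constructed 'key=value' connection record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Connection(fields["src"], fields["dst"], int(fields["port"]), fields["proto"])


def violation_reason(conn: Connection) -> Optional[str]:
    """Return why the connection breaks the allowlist, or None if it is permitted.

    Deny by default: anything not explicitly listed, including other private
    ranges, counts as a violation.
    """
    if conn.port not in ALLOWED_PORTS:
        return f"port {conn.port} not allowlisted"
    try:
        addr = ipaddress.ip_address(conn.dst)
    except ValueError:
        # Not an IP literal: treat as a hostname, compared case-insensitively
        # and ignoring a trailing dot.
        host = conn.dst.lower().rstrip(".")
        return None if host in ALLOWED_HOSTS else f"host {conn.dst} not allowlisted"
    if any(addr in net for net in ALLOWED_NETWORKS):
        return None
    return f"address {conn.dst} outside allowlisted networks"


def audit(lines) -> list:
    """Run the policy over log lines; return (destination, reason) per violation.

    Records that cannot be parsed are reported too, because a gap in the
    telemetry is itself a finding for the security operations team.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            conn = parse_record(line)
        except (KeyError, ValueError):
            findings.append((line, "unparseable record"))
            continue
        reason = violation_reason(conn)
        if reason is not None:
            findings.append((conn.dst, reason))
    return findings


# Constructed sample log: a mix of permitted and non-permitted egress.
SAMPLE_LOG = """
src=10.20.1.5 dst=10.20.7.10 port=445 proto=tcp
src=10.20.1.5 dst=MAIL.corp.example. port=443 proto=tcp
src=10.20.1.6 dst=203.0.113.9 port=443 proto=tcp
src=10.20.1.6 dst=10.20.7.10 port=22 proto=tcp
src=10.20.1.7 dst=files.example.net port=443 proto=tcp
src=10.20.1.7 dst=10.30.5.4 port=3389 proto=tcp
src=10.20.1.8 dst=192.168.1.20 port=445 proto=tcp
this line is not a record
""".strip().splitlines()

if __name__ == "__main__":
    for dst, reason in audit(SAMPLE_LOG):
        print(f"{dst}: {reason}")
```

Run on the constructed sample, the audit flags the public address, the non-allowlisted port, the external hostname and the private range that is not on the list, plus the malformed line; the two corporate servers and the internal mail host (matched despite its upper-case, trailing-dot spelling) pass. The same deny-by-default evaluation can be moved into the virtual-desktop firewall or proxy policy itself, with this script serving as an after-the-fact check that the control actually holds.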
Conclusions
We are all aware that COVID-19 has changed our way of living and introduced a new norm that increasingly relies on digital technologies. This new normality has also become fertile ground for cybercriminals, who have immediately found new ways to threaten our (digital) lives. The development of a secure, safe and trustworthy cyberspace is therefore now a critical and pressing need. One of the main goals of CONCORDIA is to build this secure, resilient and trusted ecosystem in the EU, supporting EU digital sovereignty. The first step towards this goal is identifying the threats, gaps and challenges affecting such an ecosystem. We have highlighted here how COVID-19 has changed all three. First, an ever-increasing reliance on networked and remote technologies, which are often not mature enough, especially when the migration towards them has been done in a hurry without adequate planning. Second, the centrality of data, which is the final goal of any attack and whose protection is more challenging due to the fuzzy nature of the new IT boundaries. Last but not least, the need for advanced user awareness, to get the best out of this technological transition and to cope with new sophisticated threats.
References
[1] ENISA Threat Landscape 2020: Cyber Attacks Becoming More Sophisticated, Targeted, Widespread and Undetected, https://www.enisa.europa.eu/news/enisa-news/enisa-threat-landscape-2020
[2] For example, Microsoft has announced the introduction of end-to-end encryption in 1-to-1 calls by the first half of 2021. Source: https://www.zdnet.com/article/microsoft-to-add-new-shared-channels-encryption-for-calls-webinar-features-to-teams/
[3] The famous “SolarWinds attack” is in fact an attack exploiting supply-chain (in)security. Source: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
(By Marco Anisetti, Claudio A. Ardagna, Nicola Bena, Ernesto Damiani, Jadran Sessa, Università degli Studi di Milano)