In my previous article, I stated that “serious cyberattacks seem no worse than before” the COVID-19 pandemic.1 Whenever anyone qualifies a categorical statement, the qualifier is always awfully important. In this case, it invites the question, “Just what is a trivial cyberattack?” I realize that anyone who is subjected to an attack considers it to be quite serious indeed. But some are more serious than others. The theft of millions of records containing personal information or the stoppage of an organization’s ability to operate are more impactful events than the takeover of someone’s home computer. As I stated previously, what is notable is not the lack of consequential cyberattacks during the pandemic, but the fact that there have not been more.2
Increased Number of Attacks During the Pandemic
At the same time, I must note that various sources have reported a significant spike in cyberattacks, especially in the earlier months of the COVID-19 outbreak. There are too many to cite them all; perhaps the most authoritative is from the US Federal Bureau of Investigation (FBI), which reported:
As of May 28, 2020, the Internet Crime Complaint Center (IC3) received nearly the same amount of complaints in 2020 (about 320,000) as it had for the entirety of 2019 (approximately 400,000).3
However, the FBI statement goes on to say that “75 percent of these complaints are frauds and swindles” and mentions “the sale of counterfeit personal protective equipment (PPE), fraudulent unemployment insurance claims, and even criminals who are engaging in online predatory behavior targeting children who are continuing their education from home.”4 The horror of preying on children is a scourge that must be stopped. But neither can we downplay other consequential events such as the massive theft of personal information or ransomware attacks on governments.5 These, evidently, have not shown a similar increase.6
Endpoints and Espionage
There are certain aspects of the spate of “lesser” cyberattacks during the pandemic that are indicative of what I expect we will see in the post-pandemic era. The most evident is that with so many people working from home (WFH), remote devices have become targets too tempting for cyberattackers to ignore.7 From the point of view of an attacker, it is just so much easier to penetrate a lightly defended personal computer than an enterprise information system. Thus, the endpoints are increasingly the locus of cybercrime and, if present trends continue, will remain so well after we have a medical solution to COVID-19.
Another trend is the reported increase in international industrial espionage. For example, the Center for Strategic and International Studies states that, in July 2020, Russians attempted to steal information related to COVID-19 vaccine development; the United States has commenced cyberoperations against China, Iran, North Korea and Russia; and North Korea has sent phishing messages to more than five million businesses and individuals in India, Japan, Singapore, South Korea, the United Kingdom and the United States in an attempt to steal personal and financial data.8
Of course, such attacks have gone on for years. I believe that the combination of international trade tensions and the massive increase in working remotely due to the fear of disease have created a different level of threat of espionage. This is a topic to which I intend to return in the future.
Endpoint Security
Clearly, the issue of endpoint security is going to occupy information security professionals’ time in the post-pandemic period. For me, this clarity arises from perusing my email inbox, in which every security vendor, so it seems, is trumpeting its newest products for securing remote computing. The common element in their publicity is recognition that WFH is increasing the likelihood of successful targeted attacks.
One theme that I believe will typify cybersecurity in the post-pandemic period is that the hazards and remedies will be the same, but the emphases will change. So, while espionage is not new, the pandemic has changed the dimensions of the threat. This is, in my opinion, even more the case with endpoint security. The growth of WFH has simply expanded the number of potential targets, some of which were always vulnerable; now there are simply more of them. And the preponderance of opinion is that working remotely is going to continue once COVID-19 has been tamed.9
While I do not dismiss the importance of endpoint security products, I believe that these are only a part of the necessary protection. They need to be combined with education of remote workers, accreditation of the devices they use, hardening of the central systems these people access, and the introduction of a whole new approach to securing edge computing and the Internet of Things. (I plead ignorance of what that new approach will look like and I welcome readers’ ideas.)
The New Context of Cybersecurity
That said, the ability to detect and respond to attempted attacks and isolate the successful ones is going to be the sine qua non of tomorrow’s information security. Once again, I expect the careful reader will say, “But that has always been true” and so it has. But the context has changed and that change should be accompanied by a different mindset toward information security.
We have been through this before. At one point, if the central mainframes were secured, the threats were contained. Then, distributed computing changed the context, and the response needed a new set of security measures.10 The same progression played out with mobile devices and the cloud, so it should be no surprise that we need to rethink cybersecurity once again.
As I see it, the sheer dimension of remote access brought on by pandemic-driven WFH has brought us to the endpoint (pun very much intended) of considering information security as a succession of technologies. We need to address the gestalt of security of information systems as a whole. I am not quite at the point of Zen and the Art of Information Security, but I do believe we need to consider security architecturally and not as a matter of protecting each component.
Information Security Architecture
The components have become too numerous, too geographically disparate, too uncontrollable individually to secure them one at a time. This trend toward information security architecture was coming anyway before COVID-19 (in fact, it had arrived), but that plague has greatly accelerated the need for it. Sadly, there is not a consensus as to what an information security architecture is, much less how to craft one. I have seen definitions as broad as compliance with the EU General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS),11 the “cohesive design” of the elements of an information system,12 and adherence to a framework such as ISACA’s own COBIT®.13 If we can just get across the idea of considering the big picture and seeing the mosaic and not just the pebbles, we will be well along the way.
I have previously expressed my admiration for Zero Trust Architecture,14, 15 and I believe that today it has the broadest recognition, if not acceptance. But I am not doctrinaire about it. If someone defines a more universal architecture, that will be fine. I do believe that the issues that have arisen during the pandemic necessitate creation and implementation of a security architecture across enterprises everywhere. The times demand it.
Endnotes
1 Ross, S.; “Lessons for the IT Community From the Pandemic,” ISACA® Journal, vol. 5, 2020, http://4crt.rf518.com/archives
2 Center for Strategic and International Studies, “Significant Cyber Incidents,” http://www.csis.org/programs/technology-policy-program/significant-cyber-incidents
3 Shivers, C. A.; “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic,” Federal Bureau of Investigation Statement Before the US Senate Judiciary Committee, USA, 9 June 2020, http://www.fbi.gov/news/testimony/covid-19-fraud-law-enforcements-response-to-those-exploiting-the-pandemic
4 Ibid.
5 Hay Newman, L.; “Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare,” Wired, 23 April 2018, http://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/
6 Op cit Center for Strategic and International Studies
7 Boyden, P.; “Remote Worker Cyber-Attacks Increase Amid the COVID-19 Pandemic,” FraudWatch International, 9 April 2020, http://fraudwatchinternational.com/all/remote-worker-cyber-attacks-increase-amid-the-covid-19-pandemic
8 Op cit Center for Strategic and International Studies
9 Eisenberg, R.; “Is Working From Home the Future of Work?” Forbes, 10 April 2020, http://www.forbes.com/sites/nextavenue/2020/04/10/is-working-from-home-the-future-of-work/#521c651a46b1
10 I expressed my thoughts on this in Ross, S.; “Why We Failed,” ISACA Journal, vol. 5, 2018, http://4crt.rf518.com/archives
11 RSI Security, “Enterprise Information Security Architecture: What You Need to Know,” 10 May 2019, http://blog.rsisecurity.com/enterprise-information-security-architecture-what-you-need-to-know/
12 Arconati, N.; “One Approach to Enterprise Security Architecture,” SANS Institute, 2020, http://www.sans.org/reading-room/whitepapers/policyissues/approach-enterprise-security-architecture-504
13 Posey, B.; “Enterprise Information Security Architecture Fundamentals,” ITPro Today, 30 July 2019, http://www.itprotoday.com/strategy/enterprise-information-security-architecture-fundamentals
14 Ross, S.; “How We Can Succeed,” ISACA Journal, vol. 6, 2018, http://4crt.rf518.com/archives
15 National Institute of Standards and Technology (NIST), Developing a Framework to Improve Critical Infrastructure Cybersecurity (Response to NIST Request for Information Docket No. 130208119-3119-01), USA, 8 April 2013, http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Steven J. Ross, CISA, AFBCI, CISSP, MBCP, is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.