In every emergency there are common elements. The health emergency must also be faced from the perspective of cybersecurity
I am not a medical expert, I am not an immunologist; and even though I have been talking for years about viruses and vulnerabilities with names that look like medical terms – Heartbleed, Shellshock – I never thought I would have to write about COVID-19, something that may sound like an IT technical term, but that is, in fact, sadly medical. Perhaps this is the only good news – as it is something biological, it cannot directly compromise a computer.
The good news, however, ends there.
The importance of prevention measures
Cybersecurity experts divide the population into two groups – those who have suffered an incident and those who do not yet know they have suffered one. One of the most difficult barriers to overcome is that victims are very often unaware, and therefore do not think they need to make the appropriate investments to prevent an incident, to detect an incident and to respond to an incident. To detect one, we have to take the “swabs” that reveal a “virus” (malicious activity) and, after analysing them, classify them as “positive” (incidents). Not using swabs, however, does not make you any safer. The WannaCry malware caused a great deal of damage not because there were no prevention measures, but because there was no ability to monitor malicious events. In essence, WannaCry succeeded wherever the perimeter was not watched by a SOC able to take “swabs” and check for “positives”. Here the analogies with Coronavirus (COVID-19) become clear. According to experts, the virus had circulated latently for several weeks before being detected when the so-called Patient 1 became ill. Only at that point did we realise that an incident had occurred. And we ran for cover.
The role of the dark web
A different issue is where attackers buy and sell tools and data that are difficult to source on a lawful market: the dark web. The dark web is the set of content on the Internet that can only be reached with specific software (Tor, Freenet, I2P) that guarantees a certain level of anonymity to those who access it. The dark web is only a small part of the deep web, that is, the web that is not indexed. Let me be clear: this does not mean that everyone who uses the dark web is a criminal, but rather that on the dark web it is easier to hide and to conceal illegal activities. Anyone who thinks it is a domain reserved for IT experts is wrong.
In these days of medical emergency, on the dark web you can find masks, and also medications that are claimed to prevent and cure Coronavirus. Without commenting on the exorbitant prices, it really is incredible, or one could say immoral, that at such a dramatic time there are unscrupulous people seeking to take advantage of an emergency to profit from it. I will not go into it further, but for those who want to know more I recommend an article by one of the world’s top cybersecurity experts, Gianluigi Paganini (https://securityaffairs.co/wordpress/98574/deep-web/coronavirus-darkweb.html).
The adoption of smart working and its criticalities
The need to reduce and slow infection has led companies to adopt forms of remote working. Leaving aside the social and economic implications, I will focus only on the most significant issues from a cybersecurity standpoint.
- Working remotely increases the use of company services from mobile devices that are often also used for personal purposes. Mobile Device Management (MDM) addresses this by creating containers on the device for company applications, whose use and operations must respect company policies; by defining and managing device access policies; by bringing the mobile devices into the perimeter of devices controlled by a Security Operations Centre; and by keeping the devices updated.
- When working from home, employees have to connect remotely to company infrastructure. Ideally this should be done over a connection provided by the company, but in practice employees will often connect the device to the company network via their own home router, which generally also serves other domestic devices. Even if the connection itself is made in secure mode, the device’s exposure increases, and it is therefore natural to expect an increase in criminal activity that exploits the device’s adjacency to those other devices and lateral movement between them. Attackers will identify previously unknown vulnerabilities and develop new attack techniques. The result is that a perimeter defence built on classic anti-virus systems based only on signatures and on firewall software will no longer be sufficient.
What measures are to be adopted?
- Endpoint Detection and Response (EDR) solutions must be adopted.
- It is necessary to acknowledge the fact that the devices connecting remotely may be more vulnerable and to define flexible access policies that take account of this context (micro-segmentation).
I will conclude with some considerations on telemedicine, whose advantages and benefits are known but, in such situations, can become essential: reducing the contagion due to proximity between doctor and patient, accelerating diagnoses, reaching places that are not easily accessible.
- Healthcare, even without the Coronavirus emergency, is one of the most attractive industries for criminals. Telemedicine extends a perimeter that is already difficult to defend.
- Improving visibility not only of infected people but also of any malicious agents attacking the IT used by healthcare becomes increasingly important. SOCs must therefore be created whose delivery models and functionalities are focused on healthcare.
- The awareness of industry operators must be improved. Courses of a few hours are enough to drastically reduce the impact of incidents involving the human factor.
- The capacity to respond to an incident via specific cyber-ranges for the healthcare and telemedicine market must be increased.