Covid-19 and cybersecurity: Protecting your business
A single cyberattack can destroy your business. You need to do more than just fix a virus guard and hire an IT manager. Yet you do not need huge investments. Simple activities such as vulnerability testing, patching, and correct configurations can prevent 80% of data breaches.
- Worldwide spending on cybersecurity is going to reach $133.7 billion in 2022 (Gartner)
- 68% of business leaders feel their cybersecurity risks are increasing
- Data breaches exposed 4.1 billion records in the first half of 2019 (RiskBased)
- 71% of breaches were financially motivated and 25% were motivated by espionage (Verizon)
- 52% of breaches featured hacking, 28% involved malware, and 32-33% included phishing or social engineering (Verizon)
- Common causes of data breaches are weak and stolen credentials, a.k.a. passwords, back doors, application vulnerabilities, malware, social engineering, too many permissions, insider threats, improper configuration, and user error
- 69% of organisations don’t believe the threats they’re seeing can be blocked by their anti-virus software (Ponemon Institute)
- The banking industry incurred the most cybercrime costs in 2018 at $18.3 million (Ponemon Institute)
- 92% of malware is delivered by email (CSO Online)
The cybersecurity challenge
Cyber threats are continuously evolving. Covid-19 is no exception and poses a major challenge for cybersecurity.
It is important that each business leader takes measures to ensure that their organisation continues to run securely and that remote employees have a seamless home-working experience. Security experts can help organisations with the most urgent challenges associated with smartphones, tablets, laptops, and other remote infrastructures when they require the right strategy or a comprehensive security team.
Cybersecurity in Sri Lanka
As a national contact point for all information on security-related matters, the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) receives a significant number of incidents/complaints related to a country’s national information domain, from both domestic and foreign entities. Incidents of social networking, email vulnerabilities, phishing, compromise of websites, malware, malicious software and ransomware, breaches of privacy, financial fraud, and uniform IPs affected from information collected on automated systems run by international organisations are some of the complaints to Sri Lanka CERT.
Based on an overview of the data related to cybersecurity obtained during 2019 by Sri Lanka CERT, summaries can be provided as follows:
- During 2019, the number of cases of abuse of personal data reportedly increased
- The spread of malicious software and ransomware increased during 2019, in which confidential data from both individuals and organisations is made unavailable by encryption, deletion, or alteration
- A significant number of diversion websites were registered in 2019, targeted at government and private sector organisations
- Most of the incidents reported fall into the social media category. Facebook-related incidents were the highest among social media incidents
(The numbers and types of cybersecurity incidents are shown in Figures 1, 2, 3, and 4.)
Compared to last year, incidents related to cybersecurity reported to Sri Lanka CERT have increased in 2019, totalling 3,566, while in 2018 it was 2,598. The increase is attributable to the considerable number of cases of compromise on the website and data protection problems.
One of the most targeted sectors is the banking sector due to the change of human behaviour – for example, the increase in purchasing online versus physical purchases – and the need for banking staff to work from home and when they are accessing the systems from within the banks.
Two types of banking threats were identified by researchers: External and internal.
- Bad actors’ goals
- Access your system
- Steal personal information
- Lockdown computer with ransomware
(The countries that are most at risk by ransomware are shown in Figure 5.)
- Malicious transactions
- Imposter scam – taking advantage of a negative situation, e.g. sending emails pretending to be from the World Health Organisation (WHO) to share new information about coronavirus; sending emails as though they are from government agencies or officials to collect personal information
- Product scams – fake shops and websites, coronavirus vaccines, surgical masks (trying to steal personal information), etc.
- Cybercriminal attacks
- Phishing attack – coronavirus advisory issue
- Spread malware
- Steal login credentials – fake calls from banks
- Engage in financial fraud
(The countries that are most at risk by ransomware are shown in Figure 6.)
Actions for outsider threats
- Deploy or reinforce protective measures to address vulnerabilities – identify vulnerabilities on your current environment
- Leverage available resources to monitor and identify threats – endpoint protection, sensitive information (backup)
- Review/revise/test incident response plan – can you execute remotely?
- Internet response plan (hybrid protection plan)
- Contact details (in case technical staff are unavailable)/practising simulation exercise
- Backup strategies
- Personal PC/Office PC
- VPN connection
- Wireless/router protection
- PC endpoint protection (virus update)
- OS patch updates
- Deal with third party – role-based management controls
Company employees are consistently identified as one of the main vulnerabilities that compromise company and client financial data.
This threat increases, given the number of employees working from home (WFH).
- Using personal devices lacking same security as company-issued devices
- Forwarding sensitive business and client information to personal accounts
- Failure of conference calls – Zoombombing
Eavesdropping attacks on private conversations or secret contact with people without their permission
- Do not use the same security codes to access the conference call
- One-time PIN code creation
- Meeting identification code (it adds an additional layer of security)
- MFA conference call (to make sure that all appropriate members are in)
- New attendees join (notification or set a tone)
- Turn off third party home devices (e.g. Alexa or Google home)
- Review policies and procedures and revise as necessary
- Using personal devices for corporate use
- Storing personal credentials in websites
- Assess infrastructure necessary for work from home
- VPN – the banking virtual private network services provide a wide range of protection and enhanced bank network security services
- Multi-factor authentication (MFA)
- Mobile device management (MDM) – mobile wipe data in case you lost the device
- Bring your own device (BYOD) – when will you have to use it
- Temporary vendor access/resign employee – access disable
- Educate/train employees
- Recognise outside threats (periodically tech upgrade/newsletter)
- Communication with IT teams (awareness programme)
- Establish a secure connection
People vulnerabilities and action
- Unknown assets on the network – asset registers (security update and OS patches, security device ports are open, activate firewall)
- Abuse of User Account Privileges (intentional leaks and misuse of account privileges, sharing of super passwords/hardcode super passwords), policy of least privilege
- Unpatched security vulnerabilities (application is not updated/vendor systems not updated)
- A lack of defence in depth (network is structured with strong segmentation) – separate your most important system data separately
- Insufficient IT security management
- Internal IT security team to manage all of an organisation’s needs can be expensive
- It’s a time-consuming process
- Qualified professionals are in demand
Application and networking attacks
- An inbound attack is a first move against traditional defence in depth, such as next-generation firewalls, antivirus (AV), network gateways, and even modern sandbox technologies
- Advanced cyberattacks are planned to bypass the conventional protections of the network
- Next-generation cyberattacks target specific individuals and organisations to steal data
- Bad actors used various channels such as the internet, email, and malicious files, and responded quickly to zero-day vulnerabilities and others
Advanced cyberattacks succeed because they are carefully planned, methodical, and patient. Malware used in such attacks:
- Settles into a system
- Tries to hide
- Searches out network vulnerabilities
- Disables network security measures
- Infects more endpoints and other devices
- Calls back to command-and-control (CnC) servers
- Waits for instructions to begin network data extraction
By the time most organisations realise they’ve suffered a data breach, they have actually been under attack for weeks, months, or even years.
Most traditional defence-in-depth cybersecurity measures, such as AV or next-generation firewalls, fail to use signature and pattern-based techniques to detect threats, and don’t monitor malware call-backs to CnC servers.
Advanced cyberattacks take many forms, including virus, Trojan, spyware, rootkit, spear phishing, malicious email attachment, and drive-by download.
To properly protect against these attacks, defences must monitor the entire life cycle of the attack, from delivery to call backs and reconnaissance to data exfiltration.
Adaptive defence monitors the entire life cycle of advanced attacks to help organisations detect, analyse, and respond to cyberattacks. Proposed tools are the security information and event management (SIEM) and security orchestration, automation, and response (SOAR).
- Scanning and configuration
- For protecting mailboxes against SPAM and malware
- Proper domain name system (DNS) configurations for Sender Policy Framework (SPF)
- DomainKeys-Identified Mail (DKIM)
- Domain-based message authentication
- This technique helps to protect against phishing attacks
Use strong authentication
Password complexity requirements, MFA, and conditional access policies are all required
- MFA helps restrict malicious use and limit the damage (phishing attack)
- Data protection, encryption, and leakage
- Outbound emails are leaving the end user environment on a daily basis
- Data loss prevention (DLP), rights management, and email encryption serve to provide protection and management awareness, while helping to better manage associated risks
- Response, monitoring, and auditing
- Automating response tactics combined with mailbox auditing help to ensure that when an infected email hits the organisation network, users are able to automatically prioritise remediation
Network analytics and visibility
- The ability to continuously analyse threats and monitor traffic trends is important to your email security strategy
- URL-based threats should automatically be analysed to protect against malicious content
- Real-time analytics help to block infected emails that have been received
- Comprehensive protection from BEC threats
- Threats from business email compromise (BEC) use social engineering to make end users act. It is a phishing threat, where cybercriminals force workers or consumers to reveal or move confidential data
- IT surveillance, user education, understanding, and testing help users to become more intelligent
Cybersecurity end-user model
(The authors have devised the following comprehensive model by which businesses could strengthen their cybersecurity in Figure 7.)
Sri Lankan legislation on cybersecurity
Evidence (Special Provisions) Act No. 14 of 1995
Provides for admissibility in court of evidence contained in electronic form, including audio-visual recordings and translations of evidence in machine language.
Intellectual Property Act No. 36 of 2006
Provides protection for software, trade secrets, and integrated circuits.
Electronic Transactions Act No. 19 of 2006
Recognises the legality of all communications in electronic form, including electronic contracts, data messages, electronic messages, electronic documents, and electronic records.
Payment Devices Frauds Act No. 30 of 2006
Criminalises counterfeit and unauthorised payment devices or unauthorised use of genuine payment devices.
Computer Crimes Act No. 24 of 2007
Criminalises any act of “hacking” in Sri Lanka or outside Sri Lanka by an individual, group, or institution; of unauthorised access to a computer, computer programme, data, or information including any downloads; modification, alteration, or deletion of information; introduction of viruses, copying of information, or interception of information while it is being transmitted.
Criminalises the use of a computer to harm national security, national economy, or public order. Also criminalises unauthorised distribution of information including passwords.
Prescribes fines, prison terms, and compensation.
Authorises police to investigate and call upon any expert for assistance, including universities. Any person who obstructs an investigation can be charged with a criminal offence.
Mutual Assistance in Criminal Matters (Amendment) Act No. 24 of 2018
Authorises Sri Lankan law enforcement agencies to obtain assistance of foreign authorities and institutions for investigations on crimes committed digitally, including requests for arrests for suspects.
Personal Data Protection Bill
A huge vacuum in Sri Lankan cyber law. It was drafted by the Ministry of Digital Infrastructure and Information Technology in 2019, and is awaiting approval by Parliament.
Whom to call if you are attacked
- Sri Lanka Police Cybercrimes Unit
- Sri Lanka CERT
- Information and Communication Technology Agency (ICTA)
The dynamic nature of the digital universe must be taken into account. Every new protection technique spawns a new hacking technique designed to get through it. Countries and businesses must always be a step ahead of them in order to beat cybercriminals.
(Dr. Nicholas Ruwan Dias and Niresh Eliatamby are Managing Partners of Cogitaro.com, a consultancy that finds practical solutions for challenges facing society and different industries. Dr. Dias is a digital architect and educationist based in Kuala Lumpur. He holds a BSc in Computing from the University of Greenwich, a Master’s in Computer Software Engineering from Staffordshire University, and a PhD from the University of Malaya. He is completing a second doctorate in business administration from Universiti Utara Malaysia.
Niresh Eliatamby is a lecturer in marketing, HR, and mass communications based in Colombo. He is an author and was formerly the Associate Editor of a newspaper and Editor of various industry magazines. He holds an MBA from London Metropolitan University and an LLM from Cardiff Metropolitan University.)