Securing The Data

The global pandemic’s major side effect is it scattered workers outside their office hives, leaving them susceptible to an array of predators disguised as phishing scams and ransom attacks.

Those fears persist among cybersecurity professionals, as employees are expected to work from home or outside the office in some capacity for the foreseeable future.

The guardians of information technology report that this unprecedented COVID-instigated upheaval has been nothing if not a learning experience.
If anything, the global health crisis reinforced many pre-pandemic security policies, but due to several well-publicized cybersecurity breaches — notably the Colonial Pipeline ransomware attack in May 2021 — IT experts remain vigilant for what lies ahead.

And they should.

Ransomware-related data leaks have doubled in each of the past two years, the Identity Theft Resource Center said in its annual report, released in January.
The nonprofit organization stated the overall number of data compromises (1,862) was up more than 68 percent in 2021, compared to the previous year, while noting the new record number of data compromises was 23 percent over the previous all-time high (1,506) set in 2017.

What cannot be lost — despite those troubling cybersecurity numbers — is the nimbleness with which corporations adroitly deployed their technologically capable workforce.

“Most organizations were able to pivot pretty quickly and transition to a remote workforce faster than I thought they could,” said Scott Montgomery, Open Systems Technologies, Inc. security service manager. OST USA is a national IT staffing and consulting agency, with a branch in Grand Rapids, Mich.

“In fact, had this taken place, you know, five or 10 years earlier, it would have been near impossible,” he said. “So, I think the timing was everything when it came to how we approached this issue. But I can certainly say that, 10 years prior, we would not have the success we had over the last couple of years.”

Remote work posed several hurdles, some of which opened companies’ IT infrastructures to security vulnerabilities.

Routine matters, such as pushing security updates for software and password management, lagged in a few cases, cybersecurity experts said.

More importantly, with so many workers toiling away in isolation, there has been no one in the next cubicle to chat with if something looked suspicious in an email. Distracted by overwhelming circumstances, employees also tended to let their guard down when it came to cybersecurity.

“Early on in the pandemic, our biggest problem was, ‘how do I make sure that we’re staying ahead of phishing attacks?’” said Art Sturdevant, Censys vice president for technical operations. The Ann Arbor cybersecurity software company started in 2017.

“How do I make sure that we’re educating users about what remote life looks like, because a lot of our people who worked here really hadn’t had a career where they didn’t work from the office,” Sturdevant added. “So, they were used to sitting in one spot and being able to just reach over and say ‘Hey, this looks weird.’ We did have to work through that.”

Education continues to be paramount, cybersecurity professionals said. They use interoffice emails, SharePoint — Microsoft Office’s integrated platform — and teleconferencing chats to alert employees about ongoing phishing and ransomware threats.

Laura Clark

The deviousness of the scams’ perpetrators are hitting new lows, said Laura Clark, Michigan Department of Technology, Management & Budget’s chief information officer.

“We used to have pretty clear guidelines around looking for typos or where they would have a generalized greeting to individuals,” said Clark, who is the department’s chief security officer. “They’re much more sophisticated, where they can be more customized with their greeting.

“They are covering their tracks a lot more, so it’s a lot harder for individuals to recognize those things,” she added. “We always make sure that people review who the email is coming from closely.”

Phishing scams are taking a more nuanced approach, said Dr. Rick Wash, Michigan State University associate professor in the Department of Media and Information.

Before, electronic con artists would take a “mass spray machine approach,” creating one fake email purporting to be from a popular service like PayPal and sending it to as many people as possible, while hoping “someone falls for it,” Wash said.

The other ploy involved the “spear- phishing style,” where an email was customized to a specific recipient. Those are harder to detect, but are too labor-intensive for the keyboard fraudster looking for an easy mark and a quick buck.

“We’ve been seeing a lot more in the middle in the last couple of years, where they are partially customized to the organization, but not necessarily to the individual,” Wash said. “We’re seeing that middle-level target that is not full spear phishing and individually targeted, but it requires more knowledge than a mass phishing attack, and it seems to be working.”

Scammers are doing more reconnaissance, learning what software a company uses — like Adobe or Microsoft — and then pretending to be that vendor in a phony email. Another ruse involves including “COVID” or “vaccination” in the subject line in a fiendish effort to lure unsuspecting people into clicking a malicious link.

While hazards are endless, so are the efforts to mitigate them.

In the state Department of Technology, Management & Budget’s case, that meant driving a clean cyber-hygiene message home, literally. Guidelines issued to employees included how they could keep their homes safe from a cybersecurity standpoint.

“A lot of what we find, too, is a good practice: if I can help relate a cybersecurity tip or trick to something that you are going to do at home, as well as at work, sometimes people will listen to the message a little bit more,” Clark said. “They can practice that more at home to protect their families and their finances and things, and sometimes those good practices are moved into the work environment, as well.”

On the infrastructure side, the state doubled its virtual private network capacity during the pandemic. Through software licensing, about 13,000 VPN access tokens were issued to employees.

With new tools and software, the state’s IT department pushed security checks and policies to workers’ desktops, laptops, and cellphones, “even if they are not able to access the state network through the VPN,” Clark said.

The state is working toward a “zero trust” model. The ironclad cybersecurity framework — which requires that everything must be verified before being connected to a network — is increasingly being embraced by organizations, including the Department of Defense.

“We are working on a zero-trust strategy and starting to migrate toward that strategy,” the state’s IT chief said. “We have a lot of building blocks that we have put into place over the last 15 to 20 years in our IT practices.

“What we’re looking to do is working to pull all of those things together and be able to identify and ensure access is appropriate based on user, based on data, based on device.”

Likewise, Blumira is moving toward zero trust, in that it’s not putting users into a position where they could “do something dangerous” and ensuring a secured environment, the company co-founder said.

Blumira works with many small and medium-sized businesses with 10,000 employees or fewer.

“For a lot of them, their IT networks have been in place for years longer than even the concept of zero trust,” Warner said. “For them, what they are looking at it is, ‘We’d like to start to remove some of the risks across the environment, where we said we will assume trust with our users.’

“When you start to pull back and assume trust, and then you apply that to your cloud services, it allows you to do more tight-scoping and start to move more to zero trust.”

The smallest of devices — the cellular phone — has been the most problematic in a cyber-secure environment during the pandemic.

Many workers prefer their devices, especially when responding to emails or texts and using calendar apps. So-called BYOD (bring your own device) policies vary depending on the organization.

The state requires workers to use its equipment with some exceptions, including cell phones. Phones must have up-to-date operating systems and contain security tools so the data can be wiped if the device is lost or stolen, Clark said.

The BYOD concept runs contrary to Censys’ zero-trust ethos. Yet, the company has allowed a little wiggle room, the Ann Arbor company’s technical operations VP said.

Phones or tablets must have an up-to-date operating system, full-disk encryption and security controls. The device also cannot be jailbroken, meaning the owner has gained root access to the operating system.

Art Sturdevant

“If you come in with your iPad and you haven’t updated it in a year and a half, we’re probably not going to let it connect anything,” Sturdevant said. “But if you come in with an iPad and it’s up to date and you’ve authenticated it and you’ve done your multifactor authentication push, we’re pretty sure that it’s you and your device is healthy, so there are certain applications that we will let that device connect to.”

Security policies have evolved as necessary.

“We had that set up before the pandemic hit,” Sturdevant said. “As our company has grown and as our security footprint has grown, we’ve just had to stay on top of that.

“We’ve had to figure it out, as we’re hiring remote employees… We can’t block traffic from outside the U.S. anymore, for example, because we’re hiring globally.

“So, we have to adjust some of those policies and then, before any of our users can access storage for files, … if they want to access that from their phone or their iPad or any mobile device that isn’t, you know — , for lack of a better term — blessed by our central IT, then they have to agree to put some sort of mobile device management on their phone.”

Organizations that required MDM (mobile device management) applications or multi-authentication for devices were able to transition very smoothly, Blumira’s Warner said.

“For us, we’ve done a lot over the past two years, to essentially move away from BYOD and move people only to machines that are controlled by Blumira,” Warner said. “That’s partly because it is better to have more visibility, it is better to have more control.

“It’s not to granularly check the workforce; it’s more to make sure they are properly secured, to ensure they are getting what they properly need and ensure the machines are doing what they are supposed to do to get the work done.”

Many organizations warded off risks in other ways before the pandemic.

Some have migrated to the cloud, meaning they have no onsite data centers for hackers to target. Others have implemented strict “HTTPS” enforcement, which requires TLS certificates where available and encryption.

“If there’s something on your network that is potentially sniffing the network, it’s not going to be able to read any of the secure communications that are going on,” Sturdevant said.

Though working in solitude, computer users are becoming savvy through cyber education.

“For me, one of the things that have been effective in recent years is telling stories about actual incidents,” MSU’s Wash said. “So getting people to talk to each other is important.”

The state has enlisted 60 or so technical experts as part of its Michigan Cyber Civilian Corps, which provides rapid assistance to governments, schools and businesses in critical cyber incidents.
Members are required to have at least two years of direct involvement with information security, preferably with security operations, incident response, digital or network forensics, and have a basic security certification.

A comprehensive approach — pandemic or not — will likely be needed in a cyber world rife with evildoers.

“One of the things we do as a state is work to educate our workforce on things that might be coming their way,” Clark said. “Because we can protect the network and all kinds of things, but if one of those phishing emails is successful in reaching one of our employees and somebody clicks on that malicious link, they can jeopardize their computer, as well as other things.

“What we like to do is work to make sure our employees know what to look for in a phishing email or some kind of social engineering activity and help make sure they are protecting our network.”