Businesses need a new way to manage the devices and applications of their remote employees. They need to be able to extend the benefits of the WAN to them without the downsides of VPNs. Every business we interviewed saw benefits of bringing devices, locations and offices inside the WAN. Turning every device and office into a Branch of One.
A few security and network technologies have promised this capability – SDNs can offer a similar service, but they require client software to be installed. 78% of businesses we interviewed are using VPNs to bring devices inside the WAN – but again, they require client software, and can be inconsistent (and insecure!) on mobile devices.
Companies that embrace the Branch of One can provision new users in a few clicks. No software to install, no cables to connect, no hardware to provision – it makes life easier for technology and security professionals. The Branch of One gives your employees the systems and data they need to get their job done – delivered securely across the mobile network.
Download the report based on ‘The Global CxO Study 2020: The Future of the Secure Office Anywhere’, conducted by Ecosystm on behalf of Asavie. The report presents the key findings of the study and analyses the market perceptions of Office Anywhere and the need for a ‘Branch of One’, which will be the foundation of enterprise mobile security in the future.
#1 Cities Will Re-start Their Transformation Journey by Taking Stock
In 2021 the first thing that cities will do is introspect and reassess. There have been a lot of abrupt policy shifts, people changes, and technology deployments. Most have been ad-hoc, without the benefit of strategy planning, but many of the services that cities provide have been transformed completely. Government agencies in cities have seen rapid tech adoption, changes in their business processes and in the mindset of how their employees – many who were at the frontline of the crisis – provide citizen services.
Technology investments, in most cases, took on an unexpected trajectory and agencies will find that they have digressed from their technology and transformation roadmap. This also provides an opportunity, as many solutions would have gone through an initial ‘proof-of-concept’ without the formal rigours and protocols. Many of these will be adopted for longer term applications. In 2021, they will retain the same technology priorities as 2020, but consolidate and strengthen on their spend.
#2 Cities Will be Instrumented Using Intelligent Edge Devices
The capabilities of edge devices continue to increase dramatically, while costs decline. This reduces the barriers to entry for cities to collect and analyse significantly more data about the city and its people. Edge devices move computational power and data storage as close to the point of usage as possible to provide good performance. Devices range from battery powered IoT devices for data collection through to devices such as smart CCTV cameras with embedded pattern recognition software.
Cities will develop many use cases for intelligent edge devices. These uses will range from enhancing old assets using newer approaches to data collection – through to accelerating the speed and quality of the build of a new asset. The move to data-driven maintenance and decision-making will improve outcomes.
#3 COVID-19 Will Impact City Design
The world has received a powerful reminder of the vulnerability of densely populated cities, and the importance of planning and regulating public health. COVID-19 will continue to have an impact on city design in 2021.
A critical activity in controlling the pandemic in this environment is the test-and-trace capabilities of the local public health authorities. Technology to provide automated, accurate, contact tracing to replace manual efforts is now available. Scanning of QR codes at locations visited is proving to be the most widely adopted approach. The willingness of citizens to track their travels will be a crucial aid in managing the spread of COVID-19.
Early detection of new disease outbreaks, or other high-risk environmental events, is essential to minimise harm. Intelligent edge devices that detect the presence of viruses will become crucial tools in a city’s defence.
Intelligent edge devices will also play a role in managing building ventilation. Well-ventilated spaces are an important factor in controlling virus transmission. But a limited number of buildings have ventilation systems that are capable of meeting those requirements. Property owners will begin to refit their facilities to provide better air movement.
#4 Technology Vendors Will Emerge as the Conductors of Cities of the Future
The built environment comprises not only of the physical building, but also the space around the buildings and building operations. The real estate developer/investor owns the building – the urban fabric, the relationship of buildings to each other, the common space and the common services provided to the city, is owned by the City. The question is who will coordinate the players, e.g. business, citizens, government and the built environment. Ideally the government should be the conductor. However, they may not have sufficient experience or knowledge to properly implement this role. This means a capable and knowledgeable neutral consultant will at least initially fill this role. There is an opportunity for a technology vendor to fill that consulting role and impact the city fabric. This enhanced city environment will be requested by the Citizen, driven by the City, and guided by Technology Vendors. 2021 will see leading technology vendors working very closely with cities.
#5 Compliance Will be at the Core of Citizen Engagement Initiatives
Many Smart Cities have long focused on online services – over the last couple of years mobile apps have further improved citizen services. In 2020, the pandemic challenged government agencies to continue to provide services to citizens who were housebound and had become more digital savvy almost overnight. And many cities were able to scale up to fulfill citizen expectations.
However, in 2021 there will be a need to re-evaluate measures that were implemented this year – and one area that will be top priority for public sector agencies is compliance, security and privacy.
The key drivers for this renewed focus on security and privacy are:
The need to temper the focus of ‘service delivery at any cost’ and further remind agencies and employees that security and privacy must comply with standard to allow the use of government data.
The rise of cyberattacks that target not only essential infrastructure, but also individual citizens and small and medium enterprises (SMEs).
The rise of app adoption by city agencies – many that have been developed by third parties. It will become essential to evaluate their compliance to security and privacy requirements.
This appears to be a global phenomenon. Honda manufacturing plants went offline in June after a cyber-attack compromised some of the Japanese automaker’s facilities. The same pattern emerged in a separate attack at the same time targeting Edesur S.A., a company belonging to the Enel Group that confirmed its internal IT network was disrupted due to a ransomware attack, which was caught by antivirus software before the malware could infect. Both companies had machines with Internet-accessible remote desktop servers, which is a favorite infection method among attackers nowadays. One of Australia’s largest brewers, Lion also faced a ransomware outbreak, last month. In Israel, it was reported that a cyber-attack very nearly poisoned the water supply with the attackers attempting to overload the water system with chlorine, and in recent days, a fire and explosion at an Iranian nuclear plant is suspected of being caused by cyber-attack.
These attacks highlight the need for appropriate investments in cybersecurity by companies and municipalities that own or operate critical infrastructure, properties (including places of public congregation, retailers and others) that are rapidly deploying a suite of operational technologies, and businesses in the manufacturing sector.
Operational Technology (OT) is the backbone of modern industrial operations and is a network of multiple computing systems that perform operations including production line management, operations control and industrial monitoring. OT can further include specific computing systems like industrial control systems (ICS) which is a collection of control systems used to operate and/or automate industrial processes. There are several types of ICSs, the most common of which are Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS). With such industrial systems and smart end-user products connected by a common network, several vulnerabilities may appear.
In OT security, the focus is much less on information, but more on the industrial process that technology controls. Hence, availability and integrity are often more important than confidentiality. Any organisation employing OT should employ continual risk-based assessments of their cybersecurity posture to prioritise and tailor recommended guidelines and solutions to fit specific security, business, and operational requirements.
Why is OT More Vulnerable?
OT systems are versatile and can be found in all kinds of industrial settings and infrastructures like smart buildings, oil and gas, energy generation/distribution, mining, wastewater treatment/distribution, manufacturing, food production, consumer devices and transport. In fact, almost every business in 2020 has an element of IoT within their operations.
A big issue with OT is that a lot of the technology in place is over 20 years old and therefore was not designed to provide the security capabilities required to face cyber threats in 2020. Legacy technology often requires legacy hardware and software to support it – much of which is the end of life and unsupported by the vendors (for example, consider SCADA systems still reliant on Windows NT or older Unix based systems, which have not been supported by their vendors for many years).
OT systems have also been damaged as unintended side effects of problems starting in corporate networks that took advantage of increasing connectivity, proving clearly that the standard PCs that now form part of a typical organisation’s IT environment are in turn used to manage OT systems and become a major vector for such cyber-attacks.
When it comes to OT, safety and reliability are the primary concerns as attackers aim to disrupt the critical services industry and their customers rely upon them. Given the increasing propensity of connecting OT systems with corporate networks for ease of management and the growing use of IoT systems, the likelihood of such systems being affected by vulnerabilities exploitable over the network is increasing exponentially.
For almost every business – not just critical infrastructure providers – most technologies we deploy include connectivity to the internet. Not knowing what systems and external access to these systems that your business is introducing in its everyday technology investment create significant risks to the broader business operations.
Manufacturing businesses and critical infrastructure providers realise that there is need to re-evaluate their cybersecurity measures, in the wake of the COVID-19 crisis, according to the findings of the Ecosystm’s ongoing “Digital Priorities in the New Normal” study (Figure 1).
But these measures may not be sufficient, as indicated by the slew of cyber-attacks on these organisations.
Why are these attacks successful?
There are several reasons why OT attacks are successful:
Unauthorised access to internet-facing systems (e.g. deploying an IoT with the default username and password)
Introduction of a compromised device (e.g. USB stick) to the environment that infects the network (often employee action)
Exploitation of zero-day vulnerabilities in control devices and software
Propagated malware infections within isolated computer networks (i.e. The attacker can place a receiving device to make contact over a channel that can propagate across the isolated network)
SQL injection via exploitation of web application vulnerabilities
Network scanning and probing
Lateral movement (i.e. inadequate segmentation which results in attackers being able to move between systems, groups of systems, network zones and even geographical locations.)
How can they be prevented?
The mitigation cannot rely solely on the organisation building security around the deployment nor can it be a reactive approach to fixing vulnerabilities in production, as they are identified. It begins with the OT vendors building security within; however, as with most IT systems and applications, this will evolve over time. For example, there is an initiative in Australia – driven by the IoT Alliance Australia (IOTAA) – to introduce a ‘Trust Mark’ for IoT devices that pass a certification process for security and privacy in product development. This is targeted to launch in September 2020 but could take many years to gain real traction. Thus, for the foreseeable future, the best operational outcomes must be planned and managed by the consumers of the technologies.
Here are the best practices to reduce exploitable IoT weaknesses and attacks occurring in your business:
Maintain an accurate inventory of Operational Systems and eliminate any exposure of these systems to external networks
Establish clear roles and responsibilities for your organisation and your vendors, to ensure cybersecurity risk is being addressed and managed throughout the OT lifecycle
Implement network segmentation and apply firewalls between critical networks and systems.
Use secure remote access methods
Establish Role-Based Access Controls (RBAC) and implement system logging
Use only strong passwords, change default passwords, and consider other access controls (especially for any elevated privileges) such as multi-factor authentication, privileged access management solutions, etc.
Establish threat intelligence feeds from your OT vendors and security vendors to ensure you remain abreast of new vulnerabilities, software/firmware patches and threats targeting systems you employ
Develop and enforce policies on mobile devices, including strict device controls for any device connecting to OT systems or network zones
Implement an employee cybersecurity training program
Establish and maintain rigorous testing and patching program including vulnerability assessment and penetration testing
Implement measures for detecting compromises and develop a cybersecurity incident response plan with a specific focus on responding to a disruptive attack on your OT environment
Maintain an up-to-date Business Continuity Plan that can be deployed rapidly in response to a significant disruption
In our recently launched study Digital Priorities in the New Normal, we find that 87% of organisations in the Asia Pacific have increased investments in one or more cybersecurity solutions. However, this has to be backed by a reassessment of organisations’ risk positions and a re-evaluation of data protection and compliance policies.
Get more insights on the adoption of key Cybersecurity solutions and investments through our “Market Insights and Vendor Selection” research module which is live and ongoing on the Ecosystm platform.
In Australia, we’re seeing attackers targeting internet-facing infrastructure relating to vulnerabilities in Citrix, Windows IIS web server, Microsoft Sharepoint, and Telerik UI.
Where these attacks fail, they are moving to spear-phishing attacks. Spear phishing is most commonly an email or SMS scam targeted towards a specific individual or organisation but can be delivered to a target via any number of electronic communication mediums. In the spear-phishing emails, the attacker attaches files or includes links to a variety of destinations that include:
Credential harvesting sites. These genuine-looking but fake web sites prompt targets to enter username and password. Once the gullible target provides the credentials, these are then stored in the attackers’ database and are used to launch credential-based attacks against the organisation’s IT infrastructure and applications.
Malicious files. These file attachments to emails look legitimate but once downloaded, they execute a malicious malware on the target device. Common file types are .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .gif, .mpg, .mp4, .wav
OAuth Token Theft. OAuth is commonly used on the internet to authenticate a user to a wide variety of other platforms. This attack technique uses OAuth tokens generated by a platform and shares with other platforms. An example of this is a website that asks users to authenticate using their Facebook or Google accounts in order to use its own services. Faulty implementation of OAuth renders such integration to cyber-attacks.
Link Shimming. The technique includes using email tracking services to launch an attack. The attackers send fake emails with valid looking links and images inside, using email tracking services. Once the user receives the email, it tracks the actions related to opening the email and clicking on the links. Such tracking services can reveal when the email was opened, location data, device used, links clicked, and IP addresses used. The links once clicked-on, can in- turn, lead to malicious software being stealthily downloaded on the target system and/or luring the user for credential harvesting.
How do you safeguard against Cyber-Attacks?
The most common vectors for such cyber-attacks are lack of user awareness AND/OR exploitable internet-facing systems and applications. Unpatched or out-of-support internet-facing systems, application or system misconfiguration, inadequate or poorly maintained device security controls and weak threat detection and response programs, compound the threat to your organisation.
Governments across the world are coming up with advisories and guidelines to spread cybersecurity awareness and prevent threats and attacks. ACSC’s Australian Signals Directorates ‘Essential 8’ are effective mitigations for a large majority of present-day attacks. There were also guidelines published earlier this year, specifically with the COVID-19 crisis in mind. The Cyber Security Agency in Singapore (CSA) promotes the ‘Go Safe Online’ campaign that provides regular guidance and best practices on cybersecurity measures.
Ecosystm’s ongoing “Digital Priorities in the New Normal” study evaluates the impact of the COVID-19 pandemic on organisations, and how digital priorities are being initiated or aligned to adapt to the New Normal that has emerged. 41% of organisations in Asia Pacific re-evaluated cybersecurity risks and measures, in the wake of the pandemic. Identity & Access Management (IDAM), Data Security and Threat Analytics & Intelligence saw increased investments in many organisations in the region (Figure 1).
However, technology implementation has to be backed by a rigorous process that constantly evaluates the organisation’s risk positions. The following preventive measures will help you address the risks to your organisation:
Conduct regular user awareness training on common cyber threats
Conduct regular phishing tests to check user awareness level
Patch the internet-facing products as recommended by their vendors
Establish baseline security standards for applications and systems
Apply multi-factor authentication to access critical applications and systems – especially internet-facing and SaaS products widely used in the organisation like O365
Follow regular vulnerability scanning and remediation regimes
Conduct regular penetration testing on internet-facing applications and systems
Apply security settings on endpoints and internet gateways that disallow download and execution of files from unfamiliar sources
Maintain an active threat detection and response program that provides for intrusion detection, integrity checks, user and system behaviour monitoring and tools to maintain visibility of potential attacks and incidents – e.g Security Information & Event Monitoring (SIEM) tools
Consider managed services such as Managed Threat Detection and Response delivered via security operations (SOC)
Maintain a robust incident management program that is reviewed and tested at least annually
Maintain a comprehensive backup regime – especially for critical data – including offsite/offline backups, and regular testing of backups for data integrity
Restrict and monitor the usage of administrative credentials
Get more insights on the adoption of key Cybersecurity solutions and investments through our “Market Insights and Vendor Selection” research module which is live and ongoing on the Ecosystm platform.
5/5 (2) In his blog, The Cybercrime Pandemic, Ecosystm Principal Advisor, Andrew Milroy says, “Remote working has reached unprecedented levels as organisations try hard to keep going. This is massively expanding the attack surface for cybercriminals, weakening security and leading to a cybercrime pandemic. Hacking activity and phishing, inspired by the COVID-19 crisis, are growing rapidly.” Remote working has seen an increase in adoption of cloud applications and collaborative tools, and organisations and governments are having to re-think their risk management programs.
We are seeing the market respond to this need and May saw initiatives from governments and enterprises on strengthening risk management practices and standards. Tech vendors have also stepped up their game, strengthening their Cybersecurity offerings.
Market Consolidation through M&As Continues
The Cybersecurity market is extremely fragmented and is ripe for consolidation. The last couple of years has seen some consolidation of the market, especially through acquisitions by larger platform players (wishing to provide an end-to-end solution) and private equity firms (who have a better view of the Cybersecurity start-up ecosystem). Cybersecurity providers continue to acquire niche providers to strengthen their end-to-end offering and respond to market requirements.
As organisations cope with remote working, network security, threat identification and identity and access management are becoming important. CyberArk acquired Identity as a Service provider Idaptive to work on an AI-based identity solution. The acquisition expands its identity management offerings across hybrid and multi-cloud environments. Quick Heal invested in Singapore-based Ray, a start-up specialising in next-gen wireless and network technology. This would benefit Quick Heal in building a safe, secure, and seamless digital experience for users. This investment also shows Quick Heal’s strategy of investing in disruptive technologies to maintain its market presence and to develop a full-fledged integrated solution beneficial for its users.
Another interesting deal was Venafi acquiring Jetstack. Jetstack’s open-source Kubernetes certificate manager controller – cert-manager – with a thriving developer community of over 200 contributors, has been used by many global organisations as the go-to tool for using certificates in the Kubernetes space. The community has provided feedback through design discussion, user experience reports, code and documentation contributions as well as serving as a source for free community support. The partnership will see Venafi’s Machine Identity Protection having cloud-native capabilities. The deal came a day after VMware announced its intent to acquire Octarine to extend VMware’s Intrinsic Security Capabilities for Containers and Kubernetes and integrate Octarine’s technology to VMware’s Carbon Black, a security company which VMware bought last year.
Cybersecurity vendors are not the only ones that are acquiring niche Cybersecurity providers. In the wake of a rapid increase in user base and a surge in traffic, that exposed it to cyber-attacks (including the ‘zoombombing’ incidents), Zoom acquired secure messaging service Keybase, a secure messaging and file-sharing service to enhance their security and to build end-to-end encryption capability to strengthen their overall security posture.
Governments actively working on their Cyber Standards
Governments are forging ahead with digital transformation, providing better citizen services and better protection of citizen data. This has been especially important in the way they have had to manage the COVID-19 crisis – introducing restrictions fast, keeping citizens in the loop and often accessing citizens’ health and location data to contain the disaster. Various security guidelines and initiatives were announced by governments across the globe, to ensure that citizen data was being managed and used securely and to instil trust in citizens so that they would be willing to share their data.
Singapore, following its Smart Nation initiative, introduced a set of enhanced data security measures for public sector. There have been a few high-profile data breaches (especially in the public healthcare sector) in the last couple of years and the Government rolled out a common security framework for public agencies and their officials making them all accountable to a common code of practice. Measures include clarifying the roles and responsibilities of public officers involved in managing data security, and mandating that top public sector leadership be accountable for creating a strong organisational data security regime. The Government has also empowered citizens to raise a flag against unauthorised data disclosures through a simple incident report form available on Singapore’s Smart Nation Website.
While governments will continue to strengthen their Cybersecurity standards, the truth is Cybersecurity breaches often happen because of employee actions – sometimes deliberate, but often out of unawareness of the risks. As remote working becomes a norm for more organisations, there is a need for greater awareness amongst employees and Cybersecurity caution should become part of the organisational culture.
Technology providers, including Cybersecurity vendors, continue to evolve their offerings and several innovations were reported in May. Futuristic initiatives such as these show that technology vendors are aware of the acute need to build AI-based cyber solutions to stay ahead of cybercriminals.
Samsung introduced a new secure element (SE) Cybersecurity chip to protect mobile devices against security threats. The chip received an Evaluation Assurance Level (EAL) 6+ certification from CC EAL – a technology security evaluation agency which certifies IT products security on a scale of EAL0 to EAL7. Further applications of the chip could include securing e-passports, crypto hardware wallets and mobile devices based on standalone hardware-level security. Samsung also introduced a new smartphone in which Samsung is using a chipset from SK Telecom with quantum-crypto technology. This involves Quantum Random Number Generator (QRNG) to enhance the security of applications and services instead of using normal random number generators. The technology uses LED and CMOS sensor to capture quantum randomness and produce unpredictable strings and patterns which are difficult to hack. This is in line with what we are seeing in the findings of an Ecosystm business pulse study to gauge how organisations are prioritising their IT investments to adapt to the New Normal. 36% of organisations in the Asia Pacific region invested significantly in Mobile Security is a response to the COVID-19 crisis.
The same study reveals that nearly 40% of organisations in the region have also increased investments in Threat Analysis & Intelligence. At the Southern Methodist University in Texas, engineers at Darwin Deason Institute for Cybersecurity have created a software to detect and prevent ransomware threats before they can occur. Their detection method known as sensor-based ransomware detection can even spot new ransomware attacks and terminates the encryption process without relying on the signature of past infections. The university has filed a patent for this technique with the US Patent and Trademark Office.
Microsoft and Intel are working on a project called STAMINA (static malware-as-image network analysis). The project involves a new deep learning approach that converts malware into grayscale images to scan the text and structural patterns specific to malware. This works by converting a file’s binary form into a stream of raw pixel data (1D) which is later converted into a photo (2D) to feed into image analysis algorithms based on a pre-trained deep neural network to scan and classify images as clean or infected.
Click below for more data on organisations’ Cybersecurity priorities and investments
The NCSC also published an analysis of the 100,000 most commonly used passwords that have been accessed by third parties in global cyber breaches. The analysis shows that less than half of the respondents do are not concerned about the strength of passwords for their emails and online accounts. Some examples of commonly used passwords used by people rely on their own names, Premier League football teams, musicians and fictional characters for inspiration.
This general lack of understanding of the cyber world can be harmful to individuals but can be devastating to organisations. A chain is no stronger than its weakest link, and insecure passwords may pose a serious security risk to an organisation. “We rely on passwords in all facets of our online world, so this presents a massive risk to anyone taking short-cuts. Unfortunately, if organisations are not prepared, and allow the use of similarly insecure passwords, the flow on effect of a breach can escalate rapidly” says Alex Woerndle, Principal Analyst Cybersecurity, Ecosystm “The passwords in the above list are very weak. Even without the knowledge provided in the list, a hacker would be able to crack these passwords in seconds with the right tools. Even password complexity cannot always protect an organisation. What about a user that re-uses a complex password repeatedly, and that password is part of a breach? That puts all of the organisation’s logins at risk”.
There are some additional steps that system administrators and IT professionals need to consider when it comes to securing passwords and managing logins.
The global Ecosytsm Cybersecurity & Data Privacy study found the most common controls organisations implement to manage data access.
“The main step being used currently is ensuring MFA is enabled wherever possible. While not a perfect solution, it provides a circuit breaker for the most common types of attacks that would get anyone using insecure passwords into trouble” says Woerndle.
The NCSC hopes to reduce the risk of further breaches by building awareness of how attackers use easy-to-guess passwords, or those obtained from breaches and help guide developers and system administrators to protect their users. NCSC has framed guidelines covering multipleaspects of managing and maintaining security on its website.
Ultimately this problem will not go away until we find a genuine replacement for passwords. The pure scale of growth in the number of systems and applications that all users, both at a personal and on a professional level, have access to, makes password management complex and frustrating. While focusing on how to strengthen your passwords and other easy steps to avoid a cyber attack, may be a good start, it will not be enough, as long as systems and applications are dependent on passwords for better security.
The Changing Shape of Asia’s Cybersecurity Landscape
The latest in our Leaders BreakFirst series. Following the launch of our Cybersecurity and Data Privacy study, Ecosystm is delighted to share the insights from almost 7000 deployments globally.Featuring two of Ecosystm’s cybersecurity and data privacy experts on one stage- Claus Mortensen and Carl Woerndle, this session will highlight the findings from our Cybersecurity & Privacy research.