In infosec we’re used to news about digital virus infections and outbreaks. But the new coronavirus is turning the real world upside down. In many countries, it’s changing the way of life for the foreseeable future, and it’s already having effects in business security too. Erka Koivunen, CISO at F-Secure, joined the show for episode 37 of Cyber Security Sauna to talk about the impact of this pandemic on organizations when it comes to cyber security and the shift to a remote workforce.
Janne: Welcome, Erka.
Erka: Thanks for having me.
Janne: Maybe I should point out that we’re recording this episode during the pandemic, so we’re sort of recording it in our various houses with whatever equipment was lying around. So to our listeners, please excuse the sound quality. Erka, tell us a little bit about yourself and your role here at F-Secure.
Erka: I’m the designated information security guy in an information security company. So my responsibility covers the internal cybersecurity defenses, which includes information security, software security, and we have of course, lots of linkages to risk management and privacy as well.
Janne: As a quick aside to today’s topic, what’s that like, being the guy who’s responsible for infosec in a company where everybody’s an expert on infosec?
Erka: I have a twofold response to that. People working in a cyber security company are not necessarily pros, to begin with. So there are some myths that I want to dispel. We have normal human beings working for us. But with the portion of those who are truly hardcore professionals, sometimes it feels like I’m herding a bunch of cats, so everybody has an opinion. They have pretty good arguments to support their opinions. And even when they know that they are disobeying sensible dictates coming from my office, they still want to entertain some level of autonomy. So they are difficult to work with at times. And yet I get lots of helpful advice when I need it.
Janne: But everybody’s like, I know better.
Erka: I know better. Yeah. And even if I don’t, I have an opinion.
Janne: All right. Let’s get to the topic at hand. Can you tell us a little bit about how you’re seeing cyber criminals capitalizing on the coronavirus in their attacks?
Erka: Currently, mostly it is kind of on a narrative level. So people are more tuned to clicking emails and links and fake news articles that appear to be topical. And of course, corona being topical, people might be fooled into following those lures, if you will. This is more overt.
Another way that we anticipate criminals are going to start exploiting organizations is when the IT departments in those businesses start poorly planned change management activities, exposing assets that in the past perhaps were only available from local, physical networks. They are now forklifting them to, let’s say, AWS or some other cloud instance and putting them behind application proxies. We are going to see those being exploited in the coming weeks.
Janne: Because it’s unfamiliar territory for them, but also because of their being rushed into these changes.
Erka: Yeah, exactly. So there is a clear business need to make those services available to clients and staff members. And I can imagine that CIOs are in a stressful situation currently when their colleagues in the executive leadership team are shouting in their ears, like, “Why is it that you’re not supporting business?” and “How difficult can it be to provide access to these systems from the internet?” This is what’s now taking place. And the security is an afterthought, at best. So something will break in the coming weeks.
Janne: But we are in a situation where a lot of companies have the entire workforce remotely working, maybe for the first time ever. And changes have to be made to these systems and infrastructures. So what are the companies to do? What should they be doing? Because they have to get stuff done by like, yesterday, but in a secure way.
Erka: Definitely. Many organizations are currently stepping up their VPN capacity, and that means that they are adding bandwidth in their network subscription and they are adding new gateways. And depending on the technical implementation, when you’re adding new VPN gateways, you need to start reconfiguring your clients as well. And if you do that in a hasty fashion, you might end up leaving part of your user base without any connectivity at all. So that’s one issue. One option and one alternative to VPNs is to move those services behind a reverse proxy or an application proxy.
And sometimes authentication becomes an issue. So organizations may be tempted to drop the requirement for multifactor authentication at this point in time, because it might seem cumbersome to users. And I would predict that this is going to cause some problems going forward.
I’ve seen organizations sending out even public notifications to their end users that they should cut the VPN off when they are not utilizing internal services. And even our own IT has pleaded to our user base that you probably should not stream Spotify and live video if you are not absolutely needing to do that for your business. So the VPN capacity is limited.
Janne: So this is raising the question of whether companies should be doing full tunneling or splitting the traffic between traffic that’s going inside the organization and traffic that’s just internet traffic. Where are you on that?
Erka: I am of the school of thought that I would want to see all the traffic so that I can monitor it, so that I can detect anomalies. And yet, let’s be practical. If you are not in a position to monitor that amount of traffic, or if that is causing the system to go belly up, I guess you should allow that part of the traffic to go past the VPN tunnel, and only the traffic targeting your internal systems, or those systems for which you want to control the origin IP addresses, should go through the VPN tunnel. We have been investigating cases where those split tunnels don’t behave as you would expect: the DNS resolution goes haywire. So there’s lots of places where things can go wrong and end users will be frustrated. They might turn on and turn off the VPN against security recommendations.
So the IT departments need to pay attention currently to appearances also, so that they can communicate to their end users that IT knows what they are doing and they give clear guidance over what should be done and what should not be done when working remotely.
Janne: Is there any advice you’d want to give to people out there about these coronavirus spam or phishing attacks?
Erka: Those tech support scams that a number of people have reported receiving, where somebody is calling you, claiming that your computer has been infected with something imaginary. They try to fool you into installing remote access software on your computer or into giving out your credit card information, or both.
So now when you’re working remotely or when you’re confined to your home and the only lifeline towards the rest of society is through your mobile phone or computer, people are likely to fall for these types of scams way more frequently than in the past. You have been struggling to set up that remote meeting, or you’ve failed to access some internal resources because the VPN is kaput. So when somebody calls and explains that everything that you see is explained away by the fact that you have been breached, you’re likely to follow their advice.
Janne: Yeah. Plus at the same time we are seeing like actual changes being made in organizations, and companies like Microsoft are doing a lot behind the scenes to sort of fix their infrastructure and so forth. So there’s actual change happening at the same time.
Erka: Absolutely. The whole Microsoft Teams was forklifted to a new platform overnight because even they failed to handle the increase in load.
Janne: Yeah. I don’t know, I got two of those Microsoft tech support calls last week. The first one I just shot down with a “no” immediately. But the second one, I mentioned to him, “You called me already on Sunday,” and the guy was like, “Oh, really?” You need better call management. You need to go back to your boss and say, “Somebody’s called this list already.” I don’t know what’s going on.
Erka: Good point. And you know, our researchers are keenly waiting to be contacted. They have their own trap computers in virtual machines waiting, they want to have that discourse. They want to deploy those remote management tools.
Janne: I should have forwarded my calls.
But joking aside, we’re also seeing some healthcare organizations being hit by cyber attacks, right in the midst of this pandemic. There was news about a Czech Republic hospital that serves as a COVID-19 testing lab being hit by a cyber attack. Any advice for these types of organizations, how to shore up their defenses in short order to prevent or mitigate cyber attacks?
Erka: I think they should have done that already. For protection against ransomware, the best advice is to not get infected at all. So once the criminals get in, they are ruthlessly efficient in hijacking various aspects of your network and IT infrastructure. And they let you know about their presence only when they feel ready to do so.
A recent development has been that some of those ransomware gangs have publicly stated that they will seek to avoid disrupting those units that are part of the corona response plans. So if your hospital gets hit, the hospital manager’s advice would be to seek counsel from those criminals and ask them for free decryption tools so that they could carry on rescuing lives. But this is a sad state of affairs.
Janne: So getting back to companies switching over to a remote workforce, we already touched upon some of the security challenges that may accompany this shift. But do you have any thoughts on what’s ahead and how could companies be better prepared?
Erka: Typically when an end user runs into problems with his or her computers and mobile phones, they just visit the service desk. And in most organizations, it’s conveniently located in the offices where the majority of the workforce is located. And now all of a sudden the service desk is closed and the office has been barred, off limits. Not only can you not get out of your home, but you definitely can’t get into your office. So simple problems like broken laptops all of a sudden become huge issues. Things like when you need to change the company password, if you are careless and if you do it wrong, you might end up locking yourself out of the network.
So yeah, working remotely might actually make you quite vulnerable to simple mistakes and simple tech glitches. It might ruin days’ worth of work.
Janne: So what do we do then?
Erka: I don’t know. Quite many organizations are struggling with that.
Janne: Yeah. Is there an upside to this? Are there any security benefits from everybody working remotely?
Erka: From the point of view that an extra set of eyes is all of a sudden taking a fresh look at how is it that we route the users into our systems? Why is it that some of our systems can’t handle the load? The increased vigilance and alertness will help in spotting even these dormant breaches, which I find a positive thing.
Those organizations that have a strong culture for documenting and planning for changes, even in rushed situations, they probably have a good sense of how to document the changes and the reasoning why these changes were being put in place in a rushed fashion. So that at least provides you with an ability to go back and review your organization with a fresh pair of eyes going forward.
From an end user’s point of view, this is actually a great moment to start proposing new ways of working and perhaps new tools. I know the IT departments will hate this, but sometimes when you find that the existing ways of work are not supporting your business, and when things and surroundings and circumstances change so dramatically, that might open up avenues to discuss perhaps taking into use better conferencing tools. Or, why is it that we’re still not utilizing SharePoint? And why is it that people still keep on sending email attachments instead? So these types of improvements that even boost security might come out as a result of this crisis.
Janne: Do you think they will? Do you think companies will become more agile and able to sort of use these modern technologies?
Erka: At least from the point of view that quite many organizations are now, in a pretty agile fashion, taking new services into use. I hope that they will continue also ramping old legacy down afterwards. People like me, the security professionals, we are always saying that change is bad, and unplanned change is extremely bad. Some organizations will eventually come out of this change storm unharmed, and they’ll find that it was actually a positive experience to start some parts of their IT from fresh. And they’ve probably changed from a couple of generations of ways of working to more modern ones.
So as long as you also remember to kill the legacy and you remember to document the new ways of working and the new infrastructure, there’s also a likelihood that this may benefit security.
One thing that I want to always stress is that in the generation that I represent, the 40-plus people, there’s something of a fetish towards on-prem solutions as a token of security. So people think that if a system is tangible enough that you can touch it, and you can hear the fans humming somewhere, it probably is controllable and it’s securable.
I would argue that this is a mistaken belief currently. The remnants of those on-prem systems, in most organizations, are going to be the place where these organizations are going to be compromised. And if as a result of this unprecedented crisis due to the coronavirus, we finally move some of the services to cloud and even make them cloud native, there is a likelihood that we even get rid of the old security baggage.
Janne: So how do you think the companies of the world will do? Business continuity-wise, is this going to have a huge impact, particularly from an infosec point of view, or do you think we’ll get in front of it and we’ll keep making the right calls so that in the end nothing really super bad happens?
Erka: Human nature is going to be eternal and humans are going to be a bit lazy. They are going to be erring on the side of quick fixes over long term solutions. So I would argue that since the crisis in at least the Western world is too fresh, it is too early to make predictions. But as we already have been told, this is going to continue for weeks, even months. And it is actually a long enough time for people to actually realize that this is not going away just by closing our eyes and wishing for the best. So if you ask me in one month’s time, I would be wiser.
Janne: Any final parting advice for your fellow CISOs during this time?
Erka: Information security is part of the more concerted effort of keeping the business afloat during hard times. So be careful to familiarize yourself with the wider business continuity planning efforts taking place in the company. IT and information security are there to support the survival of the business and to make life more bearable for the workforce. And you have to be mindful of the fact that this is not the time to say “No.” This is the time to say “Yes, but,” and be careful to explain what it is that you can do to achieve the business goals in a secure fashion and in keeping with the privacy ideals as well.
Janne: That’s sound advice. Well thanks for being with us today, and stay safe out there.
Erka: Everybody stay safe on my behalf as well, and save the toilet paper.
Janne: That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.