[BreachExchange] When the Going Gets Tough, Cybercrime Gets Going

[Destry Winant]

https://www.riskbasedsecurity.com/2020/03/30/when-the-going-gets-tough-cybercrime-gets-going/

The ongoing “Coronavirus” (COVID-19) pandemic has had a profound impact on
the world economy in a short time, especially within the United States
where unemployment has risen sharply. While much is still unknown, many
analysts are predicting that the market decline will continue before we see
any kind of meaningful or sustained recovery.

In the United States, a major part of the economic damage already done has
been from COVID-19’s impact due to “social distancing” and “shelter in
place” mandates. The unemployment rate has risen significantly, from
211,000 to 3.3 million, surpassing the initial projections of 2 million. By
some forecasts “as many as 5 million jobs could be lost in April 2020
alone” and the worst case could send the unemployment rate soaring from
3.5% to north of 10%.

Even though Congress and The White House just pushed out a stimulus
package, many economists seem to agree that we are currently on track, or
already experiencing, the next recession, with some even believing that it
could become a depression.

“We are going into a global recession. We are going to see a spread of
economic sudden stops.”

Mohamed El-Erian, Allianz Chief Economic Advisor

While not everyone agrees on the exact impact, or how long it will last,
there are clearly substantial concerns about just how quickly the economy
will be able to recover once COVID-19 is under control.

Cybercrime Increases During a Recession

The past has shown a correlation between recession and cybercrime during
and before the 2008 – 2009 Great Recession. News publications reported that
fraud on the Internet increased by 33% during the last recession, with the
broken economy and increased digitization making data more vulnerable than
ever.

This is more than just an opinion, backed up with a few links. In
conducting our research on this topic we uncovered a substantial amount of
information that provides some very compelling insights. Here are just some
of the key points and references:

U.S. recession fuels crime rise, police chiefs say, Reuters, January 2009.

“Crime has increased during every recession since the late 1950s,
sociologists said.”

“There has long been debate over the connection between crime and the
economy, but criminologists, sociologists and police chiefs interviewed by
Reuters in October predicted a rise in crimes as the United States sinks
deeper into recession.”

Ross Colvin

Economic recession to spur ‘dramatic increase’ in cybercrime, TechTarget,
February 2009.

“Bad times always bring a rise in crime. But this economic recession is
setting us up for a wave of cybercrime. The broken economy, combined with
increased digitization as retail and operations move online and ever-more
sophisticated hackers, means more data is more vulnerable than ever. That
was the warning from former federal prosecutor and securities fraud
attorney Orin Snyder, speaking at a data security panel at yesterday’s
LegalTech conference in New York.”

Linda Tucci

Report says online crime surging in recession, Reuters, March 2009.

“Fraud on the internet reported to U.S. authorities increased by 33 percent
last year, rising for the first time in three years, and is surging this
year as the recession deepens, federal authorities said on Monday.”

Jason Szep

Recession ‘adds to boom in cybercrime’, Telegraph, August 2009.

“The recession is adding to a boom in cybercrime as computer-literate
criminals in poorer countries turn their hand to electronic scams, British
researchers said.”

“Criminals there can take advantage of cybercrime opportunities, and the
current global recession will likely increase this trend still further,”
said Prof Rush.”

The Telegraph

How Economics and Information Security Affects Cyber Crime and What It
Means in the Context of a Global Recession, BlackHat 2009 Turbo Talk
Whitepaper.

“We asked the question: Will cyber crime increase in a time of global
economic recession? One study by KMPG found that many enterprises believed
that the recession put their business at greater risk from out-of-work IT
workers tempted to join the criminal underground to make ends meet (Kirk
2009).”

“Economic theory predicts that the global recession will probably increase
the amount of cyber crime as the recession deepens. This could result from
a variety of causes an increase in attacks on more vulnerable and desperate
people from those with cyber skills joining the cyber criminal ranks for
needed income; and a decreased focus on and investment in computer security
as a result of fewer resources.”

Peter Guerra

The same factors and trends from the 2009 timeframe are even more present
now in 2020: global economic distress, increased widespread digitization,
and an increase of potentially exposed confidential data. Sadly, even
though a vast majority of industries are struggling in today’s economy, it
isn’t a new concept that cybercrime itself is recession-proof.

The Perfect Conditions for Cyberattacks

Whether we are in, or heading for, a recession doesn’t matter. Economic
hardship historically guarantees that organizations will face increased
cyberattacks.

In happier times, just a few short months ago, we wrote that PSIRT and
other security teams are often caught in a Catch-22 situation, wherein a
successful job creates the perception that there is less need for a
security team.

As such, IT jobs not considered critical (perhaps even some security
programs) are often the first to be reviewed to be cut during times of
economic hardship in order to save money.

The cycle is as follows:

Economic hardship prompts organizations to reduce or even cut
“non-essential” programs and personnel to save money;
Organization hasn’t experienced a data breach or unauthorized compromise
(the result of an effective security team), so IT and security teams are
deemed non-essential and are downsized;
Malicious attackers who were previously foiled now have increased
opportunities to infiltrate systems due to a lack of staffing and focus;
Organization suffers an expensive or embarrassing data breach and
reflexively hires additional security personnel.

As financial pressures continue to mount, and unemployment numbers
increase, organizations will need to work hard to ensure that necessary IT
and cybersecurity personnel are not among them, and that the proper
resources are allocated to their security intelligence programs. This is
especially true during a time like this.

As more organizations are forced to temporarily shutter their
brick-and-mortar operations, more people are shifting their work and
purchasing online, putting substantial strain on the Internet. Security is
not and should not be viewed as an unnecessary expense.

In today’s business world, security is a required cost of doing business at
minimum to meet customer’s privacy expectations and meet regulatory
requirements. Cutting security budgets increases organizational risk in
ways that might not seem readily apparent, and doing so may have a
long-lasting impact.

The Unseen Dangers

Many organizations have been forced to rapidly turn to Virtual Private
Networks (VPNs) as they implement work from home policies to help slow the
spread of COVID-19. However, doing so gives malicious attackers more
opportunities to compromise systems.

While remote working isn’t new, endpoints for many organizations have
shifted dramatically, with much of the workforce moving to unmonitored
personal systems, giving attackers a new vector to gain a foothold.
Security Monitoring in this kind of decentralized environment was already
considered daunting and had caused issues for those that had been working
for years to solve the problems. So organizations newly having to deal with
these challenges, while also potentially implementing widespread cyber
security cuts, will not be able to effectively understand or remediate
their vulnerabilities and may not have full visibility into machines being
used for corporate functions.

Attackers thrive off of heightened emotions and targets of opportunity, so
employees now coping with school closings and other unplanned events are
more likely to be distracted. Even with the best intentions, less attention
will be given to phone calls, instant messages, and emails. That suspicious
link may be even more likely to get clicked on, and that abnormal system
behavior may be missed while dealing with family issues, or pets and kids
running around the house. As such, the number of COVID-19 related phishing
attacks has been growing, and this is just the start.

VPNS (AND SECURITY SOLUTIONS) THEMSELVES MAY BE VULNERABLE

Everything is vulnerable, including VPNs and other security products. Even
before the COVID-19 outbreak, certain VPN products had glaring
vulnerabilities and major security flaws.

In the midst of this pandemic, we are starting to see technology vendors
and even security companies offering complementary use of their products.
However, organizations need to fully assess vendor security, and ensure
they fully review new products while not taking shortcuts on established
policies, especially in times of increased exposure. Like VPNs, every other
type of application also has vulnerabilities, and you need your security
team to perform proper vetting.

ANOTHER UPCOMING STORM

Aside from COVID-19, there is another urgent event coming which requires an
intact and fully functioning IT and cyber security program: the
Vulnerability Fujiwhara Effect. Whether you are working in IT or not,
you’re probably familiar with Microsoft’s Patch Tuesday, and several other
major vendors have adopted that same cadence for their own vulnerability
disclosures.

We mentioned at the start of this year that there are three such perfect
storms (Microsoft and Oracle) coming in 2020. Our VulnDB team published 325
new vulnerability reports to our customers and updated over 300 entries in
the last storm that occurred on January 14th. The same event will occur
again on April 14th and July 14th, smack dab in the middle of this pandemic.

If IT and security programs are cut in response to COVID-19 as some
organizations desperately try to reduce expenses, they will have tremendous
difficulty managing the risks affecting their critical assets. Even
well-staffed teams take weeks handling Patch Tuesday on a good release
cycle, so a neutered security team may not be able to handle it at all.

Better Data Is More Important Than Ever

Security is not an unnecessary expense, and while the exact cost of
security incidents is the cause of some debate, there’s no doubt that
cutting security budgets could inflict a terrible impact on the entire
organization’s bottom line, especially if a data breach occurs. Informed
decisions are more vital than ever, and you can only make proper decisions
if you have the proper intelligence.

Organizations need to do their best in these trying times to ensure that
security budgets remain funded and that IT personnel have the resources
they need to properly mitigate risks. There are increased threats and
nonstop vulnerabilities being disclosed, so when there are reduced IT
resources, it requires a laser focus to ensure the time and money is spent
addressing, analyzing and fixing the most important issues for the most
important assets. The corporate landscape is currently primed for
cyberattack and organizations need to prepare accordingly.

Just remember, when the going gets tough, cybercrime gets going.

On March 31st, we will be hosting a webinar to help risk management
professionals  prepare for what lies ahead in this strange new world we
find ourselves in. No nonsense, no product demo, we want this to be
relevant and useful to the cyber security community at this difficult time.

Learn more here: [Webinar] Vulnerability Management in the Time of the
Coronavirus Pandemic
<https://www.riskbasedsecurity.com/2020/03/20/webinar-vulnerability-management-in-the-time-of-the-coronavirus-pandemic/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20200331/76962343/attachment.html>