2020-2021 State of Cybersecurity in the U.S.

RESEARCH PAPERS

Kevin Sesock

5/10/2021, 12 min read


Executive Summary

In Part I we analyze four distinct threat reports on cybersecurity in 2020, three of which contain significant analyses of the impacts of Covid-19 on cybersecurity. The four reports, from McAfee Labs, Sophos Labs, CompTIA, and VMWare/Carbon Black, each discuss distinct aspects of the 2020 threat landscape, but in sum they agree on significant increases in ransomware and phishing, cloud-based attacks, mobile malware, and similar threats. The Covid-19 impacts discussed include increased ransomware, malware, and phishing attempts, Zoombombing and other forms of harassment, and the increased attack surface associated with work from home, remote desktop, and use of cloud services during pandemic quarantines. Additionally, although none of the reports covers it because of their timing, we discuss the SolarWinds hack and its potentially far-reaching impacts on the world of cybersecurity for many months to come.

In Part II we apply the threat landscape to a hypothetical, stereotypical mid-sized municipal government in Oklahoma to analyze the real-world impacts of 2020’s realized threats while planning for the remainder of 2021. We discuss the need to address ransomware through phishing simulation and cybersecurity awareness training, to implement stronger zero-trust protection in the form of VPNs and reverse proxies for critically exposed servers, and to begin documenting processes that will address future disasters while bringing order to the rapid changes undertaken during 2020.

Introduction

Unanimously, 2020 was both an atypical year, and a massive catalyst for change, both for the positive and negative. In addition, cybersecurity once again had a rocky and tumultuous year, with the trends from attackers continuing, and, in many cases, accelerating impacts on businesses and consumers. While industry reports on the state of cybersecurity are provided by a large and diverse list of companies, the four represented here complement each other well and provide a clear picture of impacts to organizations large and small.

Part I – Report Analysis on the State of Cybersecurity in 2020

Despite their numerous similarities, many of which are outlined below, the four reports also approach the 2020 state of cybersecurity in different ways. Both the Sophos and McAfee Labs reports are largely focused on the changes in the threat landscape and detail the industry more from a defense and counter-intelligence perspective, including entire sections focusing on the specific impacts of the Covid-19 pandemic on cybersecurity. These two reports are built around threat intelligence gathered from the companies’ sensors, endpoint protection tools, and research divisions directly involved in malware and threat analysis; they provide details on specific pieces of malware and individual attacks and, in some cases, even show sample source code.

The VMWare Carbon Black USA Threat Report, the first ever from VMWare, is survey-based, and while ostensibly focused on threats, provides a more general snapshot of actual impacts on the surveyed companies. The VMWare report’s Covid-19 coverage is the largest as a percentage of any of the reports, though VMWare’s report itself is also the shortest of all four.

Finally, the CompTIA report is very general, does not focus on threats, and instead discusses cybersecurity largely from an overall, holistic managerial role, taking on such diverse topics as cyber insurance, upskilling for cybersecurity specialists, and even the location of an organization’s SOC (Security Operations Center). In comparison to the other three, the CompTIA report mentions Covid-19 the least, simply illustrating specific impacts of the pandemic. Individually, each of the reports has its strengths and weaknesses, but taken together, the four reports provide broad coverage of the state of cybersecurity in 2020 and a roadmap for senior management and cybersecurity experts in 2021 and beyond.

Cybersecurity irrespective of Covid-19

Much of 2020’s cybersecurity focus was dominated by the pandemic, with the CompTIA report referring to it as a “speed bump” in the growth and maturation of cybersecurity[1, p. 2] and, on the threat side, Sophos referring to it as a “force multiplier”[2, p. 20]. Both perspectives are likely correct, as it is clear that many of the trends and forces experienced in 2020 were likely to occur even without the pandemic, albeit at a slower pace or in more limited circumstances. If cybersecurity threats were an ongoing raging wildfire, Covid-19 during 2020 would have been the wind, accelerating the burn, spreading its effects farther and faster, and necessitating a rapid, critical, but reactionary response. Therefore it is necessary to analyze 2020’s threat and defense landscape both with and without regard to the Covid-19 catalyst.

Irrespective of Covid-19: Defense in 2020

One aspect of the change in defense during 2020 is merely the natural maturation and growth in focus of cybersecurity as an enterprise-level, executive-driven, critical priority, and not just a technical afterthought. This is best illustrated by an ongoing emphasis on governance, risk management, and compliance (which CompTIA refers to as “GRC”) as areas of need instead of merely continuing to invest in technical tools [1, p. 5]. Indeed, CompTIA reports a decrease of over 12% in corporate investment in network security equipment from 2019 to 2020 [1, p. 3]. Many of the new cybersecurity software and management tools require significant investment in planning, and particularly in data classification and management, meaning that investment in tools and hardware is being recognized as foolhardy if the organization also lacks the proper governance structure[1, p. 5].

Likewise, industry adoption of zero-trust models presents a more robust, enterprise-level defensive tool, reducing vulnerabilities in RDP and other sensitive areas[2, p. 15] while empowering users, as opposed to more rigid network-based protection tools. Zero-trust as a framework is far from having a standard, usable definition in business[3, p. 13], and therefore remains a somewhat elusive form of defense and a future growth area to watch.

Irrespective of Covid-19: Threats in 2020

On the analysis of threats irrespective of Covid-19, the four reports are almost unequivocally in agreement: 2020 saw a dramatic increase in the threat landscape, with threat actors shifting to newer, more target-rich environments, such as cloud services [3, p. 14].

In addition, malware, including mobile malware and Potentially Unwanted Applications (PUAs), was on the rise, with new variants infecting mobile app stores and PUAs and adware growing more and more malicious.

All four of the reports came out before the SolarWinds Orion hack was known, and so, in planning for the 2021 outlook for threat assessments, the reports are missing a large and significant sea change in the threat landscape for organizations of all sizes and types. Even taken without the SolarWinds hack, 2020 heralded deep concern; including the SolarWinds hack in our analysis makes the look ahead at the threat landscape catastrophic.

The unique challenges of Covid-19 on cybersecurity

Three of the four reports give special attention to Covid-19’s separate effects on cybersecurity, either because of the nature or timing of the report, or to highlight the unusual impact of such a once-in-a-lifetime event. All of the reports agree that Covid-19’s primary effect on cybersecurity has been to shift the workforce from occasional or limited work from home to a 100%, highly flexible, “ad-hoc” technology model, opening new fronts for cybersecurity and forcing cybersecurity staff to protect assets in insecure areas, utilizing last-minute tools, software, and technologies, and forcing an acceleration to the cloud. This has opened organizations up to new threat vectors and forced them to relax controls in the name of pandemic safety, creating new vulnerabilities with little insight into the problems created with little to no planning or forethought. Additionally, attackers are obviously taking advantage of the situation by targeting telecommuters and home workers with Covid-19 related threats in the form of spear-phishing and other social engineering attacks, and by relying on poorer security at home or the lack of a VPN or other zero-trust model[2, p. 25].

Covid-19’s Impacts: Defense During a Pandemic

Defense was largely hampered by the need to protect company and organizational staff by allowing them to work from home. Many organizations had only partial or occasional remote work setups, with VPNs designed to handle fewer users, and workstation fleets not designed for mobile use or with small or nonexistent mobile-first strategies. Organizations were required to rapidly shift their cybersecurity strategies, including shoring up multi-factor authentication, maintaining patch compliance, and instituting other defensive measures at a time when work-from-home complicated remote management of PC fleets[4, p. 5]. Additionally, the abrupt shift to remote work tested many organizations’ business continuity and disaster recovery plans to the breaking point, with problems ranging from enabling work from home itself, to monitoring for cybersecurity threats, to overall IT operations during the sudden shift[4, p. 6].

Covid-19’s Impacts: Threats During a Pandemic

Threats related to or directly caused by Covid-19 have included the mundane: threat actors using Covid-19 as the latest scare tactic in phishing and social engineering campaigns, though this is hardly new, as every major world event or news story is used by attackers in social engineering attacks. More novel, with the push to virtual meetings, especially for our nation’s schools, was Zoombombing, the act of interrupting a public or poorly secured class or meeting by an attacker, usually with some form of inappropriate message or imagery. It became commonplace early in the pandemic, with high-profile attacks even locally in Oklahoma[5]. Most of these attacks were due to the use of publicly posted meeting information and no passwords or moderation; users and service providers alike quickly adapted and began implementing better security. Early in the pandemic, attackers promised “honor amongst thieves” by agreeing to exempt health care facilities from attack, a promise that quickly disintegrated [2, p. 4].

Other than these specific attack vectors, the greatest impact of Covid-19 was the acceleration of current trends in the industry itself: attackers banded together more quickly into organizations that look more and more like crime syndicates. Thankfully, groups like the CCTC (Covid-19 Cyber Threat Coalition) have arisen naturally through grass-roots organizing to combat the threats and attempt to keep the attackers in check[2, p. 27].

Part II – Cybersecurity Trend Impacts on an Oklahoma Municipality

For the purposes of analyzing the impacts of these trends and forces, we will choose a medium-sized, semi-rural municipal government in the State of Oklahoma. The city of Anytown, Oklahoma, has a population between 40,000 and 60,000, a community college and vocational school, a private or regional four-year college plus limited graduate programs, and a full-sized K-12 public school district. The municipal government operations likely include a reasonably sized police force with more advanced IT needs (police body camera and dashcam servers, plus state and federal reporting systems). The city will also maintain sizable fire departments, city administration, and utility departments that include water, wastewater, and electrical utilities, all with SCADA controls and electronic security. At this size the city is likely the county seat and either hosts the County’s emergency management department or is at least large enough to necessitate its own separate EM department, complete with digital radios, special requirements around weather radar, and other advanced technology needs.

All told, the city government itself is likely large enough to warrant an IT team of somewhere between 3 and 8 staff, including one non-dedicated cybersecurity analyst (operating in multiple roles, with one of these roles focused on cybersecurity). These staff may not all report directly to the IT Director and may be spread across multiple departments, such as a webmaster in the communications department or a Police Lieutenant responsible for the Police Department’s specialized information technology needs. A reasonable estimate for the IT department’s 2020 budget is approximately $2M, again with potentially some IT funds embedded within other departments depending on management, and one-time project funds being supplemented through bonds and other one-time appropriations[6, p. 74].

During 2020, the city government, much like the rest of the world, experienced significant disruptions due to Covid-19. In addition to critical staff potentially being unavailable due to the need to quarantine, many staff are considered essential, as city government is considered critical infrastructure. Some staff may be able to work from home, but municipal operations may need significant updates to provide this flexibility. The city government likely lacks a mobile-first workstation strategy; instead, the city may simply be forced to retain staff in the office, albeit with significant precautions for health and safety. Likewise, municipal governing bodies are required to host monthly, publicly accessible city council meetings. The State Legislature allowed virtual meetings until November 15th, but after that, meetings are required to be in person[7]. This fluidity of meeting requirements causes significant disruption and demands significant planning from technology staff.

Threats

During 2020, the city experienced a number of increased cybersecurity threats, and will continue to see an expanding threat landscape in the coming year. Municipal government operations all across the United States are under increasing attack as hackers shift from larger, better-protected corporations and federal government agencies towards more poorly secured local and county government operations in a larger number of smaller cities. These cities and towns, while lacking the funding of larger organizations, can still represent a sizable take for a financially motivated attacker, and they hold significant quantities of personally identifiable information in the form of utility billing data (including credit cards), credit reporting data, court fines and fees, police records, and other sensitive information.

In ascending order of risk, the city of Anytown, Oklahoma, has faced lack of flexibility and business continuity under the “new normal” of pandemic and stresses on staffing, increased phishing, ransomware and malware attempts, and attacks on online payment infrastructure and critical systems.

Of lowest concern, the city of Anytown, Oklahoma, has struggled through the pandemic. While businesses closed and others worked from home, the municipal operations had to maintain close to current staffing levels. Information Technology staff also had to pivot quickly to address virtual meeting needs, then secure these meetings if Zoombombing occurred, reflecting the difficulty of providing an open meeting format in compliance with State sunshine laws, while protecting against griefers and other malicious actors. Some staff may have been furloughed due to an inability to adjust working conditions for safety, while a few were able to work from home. The IT Department was able to stand up remote work options, but these may not have had adequate zero-trust models or secure VPN tunnels to protect RDP endpoints or other open server connections. Devices used to connect to the network from home were likely personally owned and may have lacked proper security controls and anti-malware. All told, the city of Anytown’s operations are strained due to a business continuity plan that was not flexible enough to handle a pandemic. All of this occurred at a time when social engineering, ransomware and malware were on the rise.

While considering malware and social engineering attacks, the city has likely faced these types of threats before. Many of Anytown’s neighboring cities have experienced phishing and malware infections before, sometimes with disastrous and expensive consequences[8]. While the city has tried to train staff to be cautious on opening suspicious attachments and not responding to phishing emails, the threats are evolving, and staff may be even more prone to attack.

Finally, municipal governments, while significantly less well-funded than Fortune 500 companies, are also significantly less mature in the realm of cybersecurity. Servers, especially those that handle payment and creditor information for utility billing systems and court fees and fines, often lack basic security controls and can be a rich source of citizens’ personal financial data[9], or a place to install ransomware to disrupt city operations for exorbitant extortion amounts. Many cities in Oklahoma rely heavily on utility payments to fund critical operations, meaning they cannot weather any disruption in revenue.

Countermeasures

Of highest priority, Information Technology staff should adopt a robust cybersecurity awareness program complete with anti-phishing behavior management, such as products by KnowBe4 or Cofense PhishMe[10, p. 8]. These social engineering simulations can help train staff in all departments to help shore up the city’s “human firewall” at a time when the Information Technology Department is even less capable of protecting a more diverse and spread out network. This is a relatively small expense and fairly easy to implement, and provides somewhat immediate gains to one of the more expensive and ever-present problems associated with cybersecurity. Primarily, though, the tools help begin reducing the risks associated with phishing, ransomware, and other sources of malware by developing the all-essential human firewall as attacks become more sophisticated and defenders must work harder to defend the technology itself.

Secondly, the city must immediately work to implement zero-trust in front of any Internet-facing systems, establishing reverse proxies, load balancers, and other network protection in front of publicly facing systems. The city should utilize cloud-based tools wherever possible due to their more rapid setup time and ease of procurement. If the city does not yet have a VPN solution in front of any virtual desktop interface or Remote Desktop system that staff use to remote in from home, then such a solution is critical during the pandemic and as the City begins to move into the “new normal”.
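The following is an added illustration, not part of the original paper or of any product it names, of what “a VPN in front of Remote Desktop” means at the edge firewall. It assumes a hypothetical Linux gateway running nftables, an internal RDP jump host at 10.10.20.5, a WireGuard VPN listener on UDP 51820, and a VPN client address pool of 10.99.0.0/24; all addresses are constructed for the example. The weak rule that an ad-hoc remote-work setup often ends up with is kept as a comment beside the hardened rules that replace it.

```nft
#!/usr/sbin/nft -f
# Added example (not from the paper). Hypothetical Anytown edge gateway.
# Goal: staff reach RDP only after authenticating to the VPN (which is
# where MFA is enforced), never directly from the Internet.

flush ruleset

define VPN_POOL  = 10.99.0.0/24   # constructed: addresses handed to VPN clients
define RDP_HOST  = 10.10.20.5     # constructed: internal Remote Desktop jump host

table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # The only service the gateway itself exposes to the Internet is the VPN.
        udp dport 51820 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # WEAK (do not use): what a hurried 2020 "stand up remote work" rule
        # looks like: RDP to the jump host reachable from any source address.
        # ip daddr $RDP_HOST tcp dport 3389 accept

        # HARDENED: only traffic that has already come through the VPN tunnel
        # (source in the VPN client pool) may reach RDP on the jump host.
        ip saddr $VPN_POOL ip daddr $RDP_HOST tcp dport 3389 accept

        # Any other attempt to reach RDP is logged, then dropped. The log
        # prefix gives the part-time security analyst a simple detection
        # signal to watch for in syslog.
        ip daddr $RDP_HOST tcp dport 3389 log prefix "rdp-blocked " drop
    }
}
```

Loading the file with `nft -f` replaces the running ruleset, so it should be tested from a console session, not over the very RDP path it restricts. The same shape applies to a reverse proxy for a web-facing payment portal: the origin server accepts connections only from the proxy’s address, and everything else is logged and dropped.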

Finally, over the coming year the city must perform a series of necessary documentation steps to address governance, risk, and compliance regarding the changes that occurred during 2020 and early 2021, whether these were temporary or semi-permanent. Much of the work that was done, equipment that was purchased, permissions granted, and changes made were likely ad-hoc, unplanned, and poorly documented at the time because of the speed of the change and the necessity to adapt quickly to changing conditions during the early days of the pandemic. Now is the time for the City IT staff to properly document those changes, discover and formalize positive lessons learned, address deficiencies in business continuity plans, and update disaster recovery plans. The pandemic, and all of the other cybersecurity challenges associated with 2020, present not just a set of risks, missteps, or disasters, but a chance for any IT department to test its organization’s mettle against proper planning and strategy and to prepare for future needs with much more flexibility.

Works Cited

[1] “State of Cybersecurity,” CompTIA, Sep. 2020. Accessed: Jan. 23, 2021. [Online]. Available: https://comptiacdn.azureedge.net/webcontent/docs/default-source/research-reports/research-report---state-of-cybersecurity-2020.pdf.

[2] “Sophos 2021 Threat Report,” Nov. 2021. Accessed: Jan. 24, 2021. [Online]. Available: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf.

[3] McAfee Labs, “McAfee Labs Threats Report,” Nov. 2020.

[4] VMWare Carbon Black, “USA Threat Report - Extended Enterprise Under Threat,” Jun. 2020. Accessed: Jan. 24, 2021. [Online]. Available: https://www.carbonblack.com/wp-content/uploads/VMWCB-Report-GTR-Extended-Enterprise-Under-Threat-USA.pdf.

[5] “OCU virtual graduation interrupted by Zoom-bomber,” KFOR.com Oklahoma City, May 10, 2020. https://kfor.com/news/ocu-virtual-graduation-interrupted-by-zoom-bomber/ (accessed Feb. 01, 2021).

[6] RSM, US, LLP, “City of Enid 2020 Financial Audit,” Dec. 2020. Accessed: Jan. 31, 2021. [Online]. Available: https://www.sai.ok.gov/olps/uploads/city_of_enid_2020_fs_final_gas_with_single_audit_v3u8.pdf.

[7] “Oklahoma AG Hunter announces open meetings going back to pre-COVID-19 rules,” KFOR.com Oklahoma City, Nov. 12, 2020. https://kfor.com/news/local/oklahoma-ag-hunter-announces-open-meetings-going-back-to-pre-covid-19-rules/ (accessed Feb. 01, 2021).

[8] C. Price, “City of Enid scammed out of more than $30,000,” KOCO, Aug. 09, 2016. https://www.koco.com/article/city-of-enid-scammed-out-of-more-than-30-000/4311030 (accessed Feb. 01, 2021).

[9] K. Staff, “City of Stillwater computer hack compromises personal information,” KOCO, May 25, 2017. https://www.koco.com/article/city-of-stillwater-computer-hack-compromises-personal-information/9930624 (accessed Feb. 01, 2021).

[10] Mimecast, Inc., “Advancing your Anti-Phishing Program: How to be Successful Against Email-Borne Attacks,” Feb. 2018. Accessed: Feb. 06, 2021. [Online]. Available: https://www.gartner.com/imagesrv/media-products/pdf/mimecast/Mimecast-1-4QT9Y3H.pdf.