Threats, Gaps and Challenges in the Era of COVID-19

COVID-19 has changed the way the world operates, the way we communicate, the mode of doing business and the functioning of governments resulting in an increased reliance over digital technologies and remote working[1]. One effect of this massive digital adoption was an increase in cyberattacks, which demonstrates the urgency and the need of a secure and reliable cyberspace. We, as member of the CONCORDIA project, have analyzed how COVID-19 is impacting the current cyberdomains studied in the project, from device/IoT to user, via network, system, data, and application domains.

Device/IoT Domain

During the pandemic, IoT device adoption had a substantial boost. After businesses started reopening, touchless and contactless devices such as body temperature cameras and touchless point of sales have become a necessity. Such devices suffer from the same weaknesses of other IoT devices, which are further exacerbated by the strict relation with safety and leakages in working environments. In addition, remote work resulted in many personal devices connected to the corporate networks through less protected home networks. This scenario offers new possibilities for an attacker to indirectly threaten the corporate networks. New threats to the IoT/device domain emerged during the pandemic, including:

Inadequate design and planning or incorrect adaptation in critical scenarios: the absence or the inadequacy of an emergency reaction plan or adaptation strategy, in a scenario where new IoT devices and technologies have been quickly adopted to react to crisis.
Lack of control on safety implications: the strong implications of IoT devices on safety are often not properly considered.
Lack of strong cyber hygiene practices: the need of good skills for the personnel interacting with digital technologies, whhich is even more critical in ubiquitous IoT.

Network Domain

The network domain is one of the most affected by COVID-19, and experienced a radical change in terms of traffic and boundaries. For example, many remote employers are connected from their home network to the corporate network through a Virtual Private Network (VPN), therefore enlarging, to some extent, the perimeter of the corporate network. Home networks are not under the control of the organizations but still they need to be protected. We have seen a spike in cyberthreats affecting networks, exploiting telework technologies and remote tools. These threats have a very strong impact both on security operations and business processes, because the reliability of the network is a mandatory requirement for remote working. Therefore, building a reliable network at the basis of smart working, e-learning and electronic services is nowadays a must. The new threats to the network domain that emerged during the pandemic include:

Exploitation of vulnerabilities in services and remote tools: the ever-increasing attacks exploiting vulnerabilities in VPNs and remote work software, which are not as protected as the company infrastructures.
Physical attacks: the physical attacks to network equipment, often driven by misinformation around networking technologies, in particular 5G.

System Domain

The increasing number of remote workers resulted in the migration of traditional IT systems towards virtualized infrastructures, for instance solutions for desktop virtualization. Often, they have been rolled out in a haste without paying attention to crucial security details (e.g., configuration hardening and endpoint protection), and therefore exposing sensitive information to potential attackers. The new threats to the system domain that emerged during the pandemic include:

Phishing: sophisticated and targeted social engineering attacks, taking advantage of the uncertainty of the current situation, where attacks can pose as trusted, healthcare-related, sources.
Lack of awareness: the underestimation of cybersecurity threats; organizations and personnel are subjected to higher stress due to business problems thus making it even more difficult to prioritize cybersecurity.
Personal cloud service adoption: the rapid move of individuals to cloud web-based services, which have proven to be unable to deliver an adequate level of protection and scalability.
Cloud sprawl: the unawareness and the immaturity of the migration to cloud services, whose implications are not completely understood (e.g., shared responsibility).

Data Domain

Correct and robust data management is more critical than ever, as COVID-19 accelerated the distribution of computation to homes and the periphery. Moreover, the pandemic acted as a multiplier of the effects of existing threats such as social engineering, Distributed Denial of Service (DDoS), ransomware, child sexual abuse material, to name but a few. Data compromise becomes key to any attacks and is amplified by increasingly effective social engineering; the latter builds on the Cybercrime as a Service (CaaS), where facilitators offer their knowledge on the dark web. The new threats to the data domain that emerged during the pandemic include:

Information leakage/sharing due to hostile home network: the exfiltration of data, exploited by attackers, made possible by erroneous data sharing and information leakage, due to work in less protected environments.
Conversation eavesdropping/hijacking: the risks of conversation eavesdropping and hijacking due to the reliance on videoconferencing tools and their poor security countermeasures.[2]
Unreliable data: the increasing difficulty in distinguishing between reliable and unreliable data, a situation exacerbated by the huge about of information we are overloaded by (especially about the pandemic), and by cybercriminals that are actively exploiting and contributing to this situation.

Application Domain

During the pandemic, we have also seen an ever-increasing usage of ransomware, phishing and scamming, which all go beyond a mere technical aspect and demand strong awareness on the user side. Two kinds of applications have become central during the pandemic: contact-tracing apps and remote collaboration software. Contact-tracing apps have, to some extent, polarized the debate and faced harsh criticisms, which, in the case of decentralized approaches, are mostly unjustified. On the other side, videoconferencing and remote collaboration software, such as Microsoft Teams, Skype or Zoom, have seen an unprecedented spike of usage that exhibited weak communication protection and posed significant stress to the networks. The new threats to the application domain that emerged during the pandemic include:

Inadequate design: the ineffectiveness of application design, which do not adequately plan for non-functional aspects. Put simply, security, safety, privacy, and compliance, to name but a few, should be considered in the very first phases of software design.
Supply-chain security: the security of all the components involved in the realization of an application. We all know that the strength of a chain is the strength of its weakest component; for application/product there is no difference.[3]
Skill shortage: the need for skilled personnel designing safe and secure systems and applications.

Users Domain

The last domain of interest in CONCORDIA is the user domain. Differently from other domains, no new user-specific threats have emerged during the pandemic. Instead, COVID-19 has amplified existing threats, and cybercriminals have exploited the state of fear, uncertainty and doubts that many of us have and are still experiencing. Again, awareness is a fundamental point.

Gaps and Challenges

Other than threats, within CONCORDIA, we identified also the new gaps and challenges posed by the pandemic. On one hand, the complexity of the new normality we are living in resulted in additional gaps and challenges. On the other hand, some of the existing gaps have been exacerbated by the current situation. The following table highlights and briefly describes the most important cybersecurity gaps and challenges in the era of COVID-19 and the domains they affect.

Gap	Description	Domains
G1 – Gaps in cyber hygiene practices	The current practices to cope with the minimal cyber hygiene education (minimal cybersecurity good practices) are insufficient and often unavailable prior to be exposure to the risks.	All
G2 – Gaps in handling critical scenarios	The increase of IoT device adoption in critical scenarios without an adequate emergency reaction plan or adaptation strategy is causing data breaches and safety implications.	Device/IoT
G3 – Gaps on general misinformation campaigns and conspiracy theories	The fear and anxiety caused by pandemic, combined with the isolation imposed by travel and work restrictions, and consequent reliance on online platforms for social interaction, have left many people vulnerable to misinformation, disinformation and conspiracy theories, eventually resulting in extreme actions (e.g., US Congress attack).	Network, Device/ Iot, System, User, Application
G4 – Gaps on reduced capacity to perform security operations	The large-scale migration to remote work amplified multiple challenges related to the management and capacity to perform security operations, reducing the level of security provided by corporations.	All
G5 – Logistic challenges to the everincreasing cloud usage	Unpreparedness and inability to cope with logistic issues can lead to security vulnerabilities, where potential DDoS attack could cripple already overwhelmed systems.	Network, System
G6 – Gaps on endpoint controls	To secure remote workers from potential malicious activities, organizations have to deploy multi-layer endpoint agents on all employee endpoints.	User, System
G7 – Gaps on cloud user awareness	Remote workers require training on various cybersecurity topics, including phishing, password guidance, privacy screen, device hardening, working with confidential materials and securing physical computing assets.	Network, User, System
G8 – Gaps on remote network controls	Off-network communications from virtual desktops should be limited only to whitelisted necessary resources.	Network, System
G9 – Gaps on video conferencing tools	Video conferencing tools are often unable to address the increasing demand in resources and to support required security and identity management.	Application, User, Data
G10 – Gaps on data management across borders	New approaches must be devised to better manage remote access and minimize the risks of propagating attacks that aim to reduce availability and integrity of data.	All
G11 – Gaps on interoperability	COVID-19 showed an urgent need for systems interoperability, especially the ones delivering public services (e.g., healthcare).	All
G12 – Gaps on education	Users should be more aware of emerging sophisticated attacks (e.g., Twitter bitcoin scam), which rely on social engineering and phishing.	Application
G13 – Gaps on sophisticated protection	Difficulty to define trust boundaries and “zero-trust” coupled with ever-increasing attackers’ attention of AI calls for new and sophisticated forms of protections, dealing also with soft attacks exploiting the human factor, often considered the “weakest link”.	All

Conclusions

We are all aware that COVID-19 has changed our way of living and introduced a new norm that increasingly rely on digital technologies. This new normality has also become a fertile ground for cybercriminals which have immediately found new ways to threaten our (digital) life. So, the development of a secure, safe, and trustworthy cyberspace is now a critical and pressing need. One of the main goals of CONCORDIA is to build this secure, resilient and trusted ecosystem in EU, supporting EU digital sovereignty. The first step towards this goal is identifying the threats, the gaps and the challenges affecting such ecosystem. We have highlighted here how COVID-19 has changed this triple. First, an ever-increasing reliance on networked and remote technologies, which are often not mature enough especially if the migration towards such technologies has been done in hurry without adequate planning. Second, the centrality of data, which is the final goal of any attacks and whose protection is more challenging due to the fuzzy nature of new IT boundaries. Last but not least, the need for advanced users’ awareness, to get the best out of this technological transition and to cope with new sophisticated threats.

References

ENISA Threat Landscape 2020: Cyber Attacks Becoming More Sophisticated, Targeted, Widespread and Undetected, https://www.enisa.europa.eu/news/enisa-news/enisa-threat-landscape-2020
For example, Microsoft has announced the introduction of end-to-end encryption in 1-to-1 calls by the first half of 2021. Source: https://www.zdnet.com/article/microsoft-to-add-new-shared-channels-encryption-for-calls-webinar-features-to-teams/.
The famous “Solar Winds Attack” is in fact an attack exploiting the supply-chain (in)security. Source: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.

(By Marco Anisetti, Claudio A. Ardagna, Nicola Bena, Ernesto Damiani, Jadran Sessa Università degli Studi di Milano)

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.