COVID-19 was, naturally, the overarching cybersecurity story of 2020. The pandemic forced a massive shift as organizations around the world pivoted to remote workforces, a move which introduced numerous information security challenges. And, of course, the year ended with SolarWinds - arguably the most serious cyber hack / intrusion in history. What are the key lessons of 2020 for investors and asset managers as they consider cybersecurity due diligence?
As COVID case numbers rose around the globe in February and March, asset managers (and administrators and other service providers) began to close their offices and hastily transition to remote working arrangements, enacting business continuity plans that, for many, had never been designed to accommodate an extended mass exodus from the office. This meant providing employees with necessary equipment for prolonged work-from-home, ensuring they had secure means of accessing any on-site or otherwise restricted tech resources, and modifying procedures around operations and sensitive transactions.
Castle Hall published a blog in mid-March, highlighting some of the essential controls and procedures to consider when transitioning to WFH arrangements.
One change from new remote work arrangements was, of course, the rapid adoption of videoconferencing to replace business travel and in-person meetings. The videoconferencing provider Zoom saw a meteoric rise in users, and subsequently received backlash for concerns around privacy and security as the platform became a de facto standard. To their credit, Zoom took feedback from consumers and regulators and has made great strides in security controls and in redesigning their product to address those concerns.
‘Zoom-bombing’, a phenomenon where uninvited parties would join Zoom meetings with the intent of disrupting or disturbing attendees, became widespread enough to warrant a warning from the FBI in March 2020. Evidently ‘security by obscurity’ was not enough to prevent being "bombed". In most cases, meetings which were subject to unwanted interruptions were created without access controls, and their connection details had been published online, allowing bad actors to join those meetings.
As Zoom grew more popular, the brand was also co-opted by those running phishing campaigns – fake Zoom invite e-mails became more common as a new wave of online scams rolled out.
A range of phishing and social engineering campaigns appeared in the first half of 2020, with e-mails, calls, and text messages targeting businesses and individuals with phony promises of COVID-19 statistics, insider news and access to home testing kits or even vaccines. Everything from miracle cures to threats of debt collection were fair game as fraudsters took full advantage to frighten people into providing credentials, sending money, or installing malware.
Phishing aside, there were many other novel cyberattacks and frauds carried out throughout the year. The Canada Revenue Agency (CRA) detected a co-ordinated attempt to compromise individuals’ online accounts to falsely claim the $2000/month Canada Emergency Relief Benefit, redirecting the payments to bank accounts controlled by bad actors. The attack was attributed not to any specific weakness in the CRA’s systems, but to a technique known as ‘credential stuffing’.
The CRA attack was part of a larger pattern in 2020 – credential stuffing attacks became so prevalent that the OCIE issued a warning in mid-September. ‘Credential stuffing’ relies on users who re-use the same login / password combination across multiple websites and applications, on the grounds that it is "too complicated" or "they can't remember" different passwords.
Credential stuffing can be compared to finding a key in an apartment lobby and trying each mailbox in turn to see which one it opens. However – instead of a found key, it’s millions of username/password combinations (obtained on the dark web from previously published data breaches), and instead of a grid of mailboxes, the targets are a virtually unlimited number of online sites & services.
If passwords are not rotated regularly, and if two-factor authentication is not enforced on critical systems, this approach can be highly effective. A single known good e-mail address/password combination could potentially open any number of doors and result in the compromise of sensitive systems.
The credential stuffing technique was responsible for several notable breaches:
The relative success of credential stuffing as a vector in 2020 served to highlight the importance of basic credential hygiene – ensuring the use of strong, unique passwords for different services (as opposed to the legacy ‘but this is my password’ approach), and regular rotation – especially for accounts affected by a data breach.
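As an added illustration of the pattern described above (not code from the original post or from Castle Hall), here is a heuristic a defender might run over authentication logs: one source trying many distinct usernames with a high failure rate is the signature of stuffing, and any account that source did log into is the one needing a reset. The log line format and sample lines are constructed for the example.

```python
# Heuristic detector for credential-stuffing patterns in authentication logs.
# Unlike brute force against one account, stuffing shows one source trying MANY
# distinct usernames (leaked pairs), mostly failing because the reused password is wrong here.
import re
from collections import defaultdict
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())  # constructed log format; returns None if malformed
    return m.groupdict() if m else None

def analyse(lines, min_users=5, min_failure_rate=0.8):
    """Flag source IPs that hit many distinct accounts with a high failure rate.
    "compromised" lists accounts the flagged source did log into: those need a
    forced password reset and 2FA enrolment, not just a blocked IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["ok"].add(rec["user"])
    alerts = {}
    for ip, s in stats.items():
        rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and rate >= min_failure_rate:
            alerts[ip] = {"users": len(s["users"]), "failure_rate": round(rate, 2),
                          "compromised": sorted(s["ok"])}
    return alerts

# Constructed sample: 203.0.113.5 sprays six leaked pairs (erin's reused password matches);
# 198.51.100.7 is a legitimate user who mistyped once and then succeeded.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-09-15T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-09-15T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2020-09-15T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2020-09-15T10:00:05Z ip=203.0.113.5 user=erin result=OK
2020-09-15T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2020-09-15T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2020-09-15T10:01:05Z ip=198.51.100.7 user=alice result=OK
"""
def run():
    return analyse(SAMPLE_LOG.splitlines())
```

The thresholds are deliberately conservative; in production they would be tuned per window and combined with rate limiting and the 2FA enforcement the post recommends.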
In Castle Hall's weekly cybersecurity diligence newsletter, we highlight notable data breaches and explore their causes in a segment we call ‘Know Your Breach’. Here were some of the more notable cybersecurity incidents we examined over the course of 2020:
We explored a range of data breaches and cyber-attacks over the course of the year, and the consequences of a breach can be staggering. Between immediate material losses, reputational damage, and, in the case of lost personally identifiable information, legislative penalties (there were around 300 fines levied in 2020 for GDPR violations, totalling over €142M), for some organizations the accumulated costs can be fatal.
A sobering example came later in the year – we commented in November on the case of Levitas Capital, an Australian hedge fund manager, which was ultimately forced to shutter their operations after a cyber attack. After an executive received a phishing e-mail with a phony Zoom link, his accounts were compromised, and his e-mail account was used to issue fake invoices and payment instructions.
While some of the transfers were ultimately blocked, almost $800K could not be recovered, and, their confidence shaken, the fund’s largest investor redeemed - forcing Levitas to shut down.
The cherry on the 2020 sundae was perhaps the most chilling breach of all – it was revealed at the end of the year that SolarWinds, a vendor of network management software used by Fortune 500 firms and US Government agencies alike, had been compromised. The firm had pushed malware within software updates for their Orion platform that allowed Russian agents backdoor access to the networks of their high-profile clients.
The scope of this attack continues to grow as more details emerge. Compromised client networks, already subject to data exfiltration and further probing by the threat actors, will need to perform thorough forensic analysis to fully understand the scope of the attack and chart their next steps. Patching the SolarWinds software alone is, at this point, rather like closing the barn door once the cows have already fled – it remediates the cause, but doesn’t address the consequences of the compromise. Some clients will ‘only’ have lost control of their data, while others will discover that the attackers established beachheads and introduced additional access points into their networks and systems.
This incident has re-opened the discussion around supply-chain vulnerabilities in a significant way. There’s always an element of risk when integrating with suppliers and vendors to share access to sensitive data and systems. When the third party that causes a breach is your software provider, that has a profound effect on confidence, and raises questions – best practice is to test and apply software patches as soon as possible to reduce attack surface, but how can you be sure that those software patches won’t themselves introduce new vulnerabilities?
Events have also prompted a range of conversations on the topic of organizational reluctance to take cybersecurity warnings seriously. Reports have indicated that concerns existed for years about SolarWinds’ internal security practices, from use of the password ‘solarwinds123’ on an update server, to the 2017 resignation of a security advisor who felt the firm’s leadership did not have the willingness to give security issues the appropriate attention and resources. Furthermore, some commentators have raised the question of whether profit-boosting cuts to security budgets and the cost-saving relocation of software engineering teams to Eastern European countries (where Russian intelligence operatives are deeply rooted) may have ultimately contributed to the compromise of the Orion platform.
To be fair - SolarWinds aren’t the only ones who’ve ignored warnings or given inadequate attention to pressing cybersecurity matters. One of the most shocking headlines associated with the SolarWinds compromise was the breadth of its effect on the US government – affected entities include the Pentagon, the National Nuclear Security Administration, Department of State, and the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security (DHS), to name a few. The Government Accountability Office reports having made over 3,000 recommendations in the last decade to tighten network security. They claim that nearly 20% of them still haven’t been implemented, including 75 of their highest priority recommendations. A system known as the Patch Authentication and Dissemination Capability, specifically conceived to address concerns that “the patch update process could become a vector for large-scale attacks”, was implemented by the DHS in 2003, but was shelved the next year.
It can be tempting to assume a mentality of “it won’t happen to us” or to look in the budget for cost savings during a stretch of sunny days. Security posture must be based on honest risk assessments and must be part of an organization's overall risk management strategy – ignorance and incredulity do not absolve an asset manager of their responsibility to their clients, their employees, and their investors.
On that cheery note - what cybersecurity lessons can we carry from the past year into 2021 and beyond?
We remain convinced that now, more than ever, it’s crucial that firms get their own cyber house in order - and that they expect suppliers, vendors, and partners to be open and accountable about their own security postures. Due diligence practitioners must engage in serious assessment and conversations around cyber risk and how those risks are being managed. Are technical controls layered, robust, and adequate? Are staff given appropriate training, is that training evaluated, and is a firm-wide culture of security awareness nurtured from the top down?
Only time will tell what 2021 has in store!