The year 2020 has proven unpredictable and challenging from multiple perspectives. From a sweeping pandemic to natural disasters, 2020 has presented an environment of trials that has tested the entire global population.
Among those challenges is a long list of cyber-attacks, growing daily, which have become the proverbial icing on the cake for many cybersecurity and information security professionals. These attacks, ranging from the infamous social engineering Twitter hack to the low default security configuration in Zoom calls, have provided important examples that illustrate the value of strong cyber maturity.
However, while these attacks have caused damage within the cybersecurity field, they have also presented several key lessons to inform professionals moving forward. These lessons, if heeded, can strengthen organizational stances against the roiling environment of cyber threats which 2020 presented.
One of the lessons that can strengthen organizational postures emerged from the Twitter hack from July. Specifically, this attack leveraged the social engineering prowess of a Florida teenager who gained access to one of Twitter’s administrative tools and used it to alter accounts. As a result, accounts representing well-known personalities around the world became part of a global bitcoin scam.
Although it did not take Twitter long to address the issue, having resolved it within a working day, it became clear that the exploitation “should never have happened,” as one individual working for Twitter put it.
In truth, the Twitter exploitation could have been completely avoided if certain basic security applications had been applied to the organization and certain security practices observed. Specifically, had Twitter insisted on a multi-factor authentication process to access the administrative tool, it is more likely that this type of attack would have proven unsuccessful.
Additionally, had Twitter employees undergone more rigorous training against social engineering, they may have had another line of defense against the exploitation. Both shortcomings could have been identified had they performed an in-depth risk assessment of their organization and identified their potential weaknesses.
Another event that highlights the threat landscape of 2020 was the rise of Zoombombing earlier this year. Zoombombing, which takes advantage of misconfigured security settings of a Zoom meeting, can allow individuals not invited to an online gathering to join. Additionally, these security settings can allow individuals who were not intended to share their screen to present comedic or offensive content to the rest of the participants in the call.
While, most of the time, these attacks have resulted in a simple chuckle, other instances have caused extensive offense and trauma to some of the participants.
Although multiple updates have been developed and distributed by Zoom to address Zoombombing, a great deal of damage was already done. In fact, as recently as this week, poor security configurations on Zoom have resulted in some rather uncomfortable encounters for schools that are performing virtual instruction.
The Zoombombing epidemic could have been addressed years ago, when Zoom first became an available product. Specifically, the lax default settings were in place for the entire lifetime of the product before they were addressed. While Zoom viewed the security configuration of each meeting as the responsibility of the user, current events have put that assumption to the test and resulted in Zoom taking a hard look at its default configurations.
However, had Zoom performed a control assessment for its own product, taking into account the perspective of its users, the company would have stood a greater chance of ensuring that the attack would have never occurred when much of the working world went virtual.
It seems that 2020 has taught the cybersecurity world many powerful lessons: specifically, self-inspection and control testing can potentially protect organizations from attacks before they occur.
In both the Twitter and Zoom incidents, had the organizations performed robust risk analysis and security control assessments, the potential for successful exploitation would have been much lower.
Hopefully, other organizations will continue to learn from the high-profile mistakes of their peers and implement processes that can increase their cyber maturity.