The ever-present threat of cybersecurity does not fade during times of crisis. In fact, it heightens. Data is showing that cities are even more vulnerable to cyber attacks now, during the COVID-19 pandemic, than they were before. In a recent webinar with cyber experts, we discovered ways in helping cities diagnose increased cyber risk during COVID-19.
The City Innovators Forum held a digital convening in collaboration with City Possible, where cyber experts Alex Niejelow, Senior Vice President for Cybersecurity Coordination and Advocacy at Mastercard (and form cyber advisor for the Obama Administration) and Rebecca Ledingham, Vice President Cyber & Innovation at Mastercard (and former Interpol CyberAgent), revealed the most popular cybersecurity threats during the COVID-19 pandemic and the most common vulnerabilities in US cities’ IT infrastructure.
Why Cities Are So Vulnerable to Cyber Attacks
A city does not need to be a ‘smart’ city to be vulnerable to cyber-attack. A city just needs to be a city providing everyday services to the citizens of their communities.
In the convening, Ledingham began by highlighting the increase in phishing attacks and their success due to the pressures people are under. The most common point of entry for ransomware is a phishing email. Hence why so many are falling victim to this repetitive scourge.
Almost half of cities rely on their weakest link ‘humans’ to be their first line of defense. If there is no automated process to help employees sift the good from the bad the probability of them clicking on a malicious email is clearly exponentially higher and the criminals know this.
“When people are working from home, on the couch, the way they would typically react to a phishing attack changes,” she noted. “They’re in a different mindset.”
This, coupled with the obvious external pressure of COVID-19, has increased the number of attacks claiming cures and ailments to the coronavirus. Those creating these attacks know that the fear that exists now, didn’t a few months ago and are using that to capitalize on our emotions for their criminal benefit.
Additionally, cities are easy targets for cyber hackers as they all comprise of the same digital infrastructure, operate the same services, and require the same software and therefore share the same flaws and vulnerabilities. Therefore, if you can compromise and break into one city’s digital environment you can pretty much compromise them all.
“We are much better at putting locks on doors in our physical environment than we are in securing our virtual environment,” noted Ledingham.
Mastercard has taken steps to help identify the increased risk cities are under during the COVID-19 crisis. To do this they use the same analysis for a virtual environment as they would a physical environment. For example, they compared a burglar sitting outside City Hall observing the CCTV and broken windows, to a cybercriminal passively observing the online presence of the city. There are 43 criteria typically used by cybercriminals and Mastercard uses the same to analyze the vulnerability of an online system.
In a recent analysis of 50 cities across the United States to check for increased vulnerabilities, Mastercard highlights the six most common vulnerabilities. They are:
- End of Life Software (47%)
- Shared IP Hosting (35%)
- 1 Factor Authentication (55%)
- Invalid Encryption Certificates (61%)
- HTTP Headers (91%)
- Emai Authentication (44%)
As Ledingham also pointed out, it takes an average of 279 days for an organization to realize they have been breached. This means the true effect of COVID-19 phishing attacks will not be realized until the end of this year, at the earliest. She advised participants in the call to raise each of these items with the heads of IT and check to ensure they are addressing each. Further insights from this research will be available via the CityPossible portal.