The manager of the cybersecurity service (RCTS CERT) of the FCCN Unit of the Science and Technology Foundation (FCT), Carlos Friaças, makes some remarks about cybersecurity in the Science, Technology and Society Network (RCTS) during the pandemic. October is European Cybersecurity Month - an ENISA initiative that aims to "promote cybersecurity among citizens, companies and public entities".
What are some of the challenges in the area of cybersecurity that the pandemic context has presented to the RCTS, during the last few months?
One of the challenges, perhaps a little unexpected, was the issue of invasion of videoconference sessions, where several situations were reported - sometimes unusual and, in other cases, extremely serious. We appealed to users of the services provided by the RCTS to use the existing security mechanisms in the various tools. For example, putting a password in the session that is intended to be held has become essential.
Regarding the cases of account compromise, we have the perception that it was a phenomenon that continued during the pandemic. The physical removal of people from the institutions' premises contributed to the fact that some cases took longer to be mitigated.
Finally, I believe that the availability of means to allow remote work (VPN), in an initial phase, also raised some issues in some institutions. This was due to the volume of users who did not have access via VPN and started to have it. However, I believe that this was overcome during the first weeks, also thanks to the contribution, in some cases, of the FCCN Unit, which responded with the recommendation of the adoption of the eduVPN solution.
Many of the institutions are now facing a return under what was considered "the new normal", combining face-to-face and distance activities. What kind of consequences may result from this context, from a cybersecurity point of view?
I think that this "new normal", with a greater physical presence in the institutions, will inevitably lead to a greater number of infected devices (mainly mobile) appearing in the infrastructures of the different institutions. This will be reflected in the information we receive daily and that we transmit to the respective institutions.
The volume of traffic will naturally also increase, and we expect naturally some increase in DDoS situations that the RCTS is the target. These situations are sometimes triggered by antagonism between people, and with more people making use of the RCTS infrastructure, it is also normal that the volume of such attacks is heading towards the numbers observed before the pandemic.
What are some good practices that RCTS users should keep in mind in the current context?
Best practices are no different than usual with the current context. Robust and long passwords are recommended and it is very important not to reuse the same password in different contexts. In contexts where this possibility exists, it is also highly recommended to enable 2FA (second factor authentication) mechanisms - this inhibits the exploitation of using a compromised password if the second level of authentication relies on something physical, typically a mobile phone, that is in the possession of its rightful owner.
There are several sub-services included in the RCTS security service. What is the importance of these sub-services in the action of RCTS users? How do you evaluate the connection of the community with these subservices?
To a large extent, the benefits of such sub-services to RCTS users will only be possible if those in charge of the institutions decide to adopt them within their framework, and also in a widespread manner. The various sub-services, which are freely available in the context of the RCTS, follow an 'opt-in' approach. This means that the managers of each institution can opt for other similar services available in the market.
A good example of this is the DNS Firewall, which from a list of DNS domains classified as malicious, inhibits communications that are part of infection chains from devices that resort to the DNS. There are several options on the market, with different prices and different sizes, with regard to the list of malicious domains. At the beginning of the pandemic, there were even some companies that offered this service for free, for a limited time. However, we believe that the strengths of our solution are the price (free for RCTS entities) and the quick possibility to add and flag false positives due to the proximity that exists.
The community connection to these sub-services is still relatively low as their adoption depends on decisions of the infrastructure managers and not of the individual end-users. As such, we have to continue working on improvements in the various sub-services to make this decision easier and more evident.
Is there anything you would like to add?
It is important, even in these almost unprecedented times, with new rules of behaviour, not to lower our guard when it comes to cybersecurity care. Electronic identity theft may have very serious consequences for the victims, so it is necessary to be always alert.
The levels of attempted fraud have not decreased since the pandemic began, and the pandemic itself is being heavily used as a theme to carry out various types of fraud. When doubts arise, it is important that people continue to talk to each other, even if by means of videoconferencing. In this chapter, incidentally, I must say that I am very proud of our Colibri service.
Finally, I would also like to reaffirm RCTS CERT's willingness to help, in whatever way we can, so that cybersecurity levels within the RCTS community are increasingly high. Although the genesis of an incident response team is reactive, all the investment we manage to employ on the preventive side will have an impact - although difficult to measure - on the subsequent need to react.