2020 was an unusual year in which circumstances shifted at record pace. Amidst the scramble and confusion, security teams rose to the occasion. Perhaps most significantly, organizations had to rapidly protect and scale their remote access while facing new security risks.

The past year has shown us just how much cyber threats can impact our lives, and the need for everyone to prepare for the evolving attacks of the future. Let’s examine what happened last year in the world of security, celebrate those who were able to keep governments, businesses, and individuals cyber safe, and look at how we can prepare for 2021.

Elections

One thing that Cisco’s cyber threat intelligence team Talos knows for sure: 2020’s election security landscape was more complicated, and yet more secure, than it was in 2016. While many were focused on foreign election interference, domestic disinformation campaigns were quick to rise as well. Talos Director Matt Olney says that the commercialization of disinformation campaigns, or Disinformation-as-a-Service, is now more widespread but also easier to spot. State and local officials were able to take what they saw in 2016, build the right procedures, and come back better prepared four years on.

“As a result, a conversation with an election official in 2020 is fundamentally different than how it would be in 2016,” says Olney. “Gone are the times where I would say, ‘Let me tell you about this threat,’ because they’ve spent the last four years learning about those threats.”

See also: What to expect when you’re electing

In that time, the federal government created procedures and processes for election security as well. The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), created in 2018, uses network sensors and network flow monitors that are available at low cost to any state. The Cybersecurity and Infrastructure Security Agency (CISA), also created in 2018, works towards the security of the United States’ cybersecurity and communications infrastructure.

Talos worked on the ground with the State of Mississippi, providing a tabletop scenario that presumed some level of compromise had occurred. The group worked with the state’s security office as well as its communications and public relations teams. As Olney states, it’s crucial to understand that security attacks are not just technical. The most important moment of any potential security incident “…is the moment when the Secretary of State steps up to the podium and begins to talk about what happened.”

Healthcare

Healthcare also became a critical point of 2020 with the coronavirus outbreak, and Edmond Kane, CISO of Steward Healthcare, says that some bad actors used this to their advantage. Massive upticks in threats emerged through the pandemic, whether because of the rapid move to remote working or through luring unsuspecting users with phishing, disinformation campaigns, and even COVID-related scams.

Kane says this is insidious because healthcare IT is the essential backbone of modern patient care: individuals’ lives depend on whether this infrastructure is secure. A big challenge in the healthcare industry is legacy and outdated technology. Healthcare professionals and businesses are constantly balancing the risk of introducing new IoT technology and devices that may be insecure against legacy technology that may not be up to speed.

Ultimately, communicating the value of security is vital because every person in the industry needs to know how to be vigilant. In healthcare, the consequences move beyond just information.

“Healthcare is not about cybersecurity, it’s about patients,” says Kane. “And it’s our role to get in there and help them make sure that security doesn’t enter the bedside of the patients.”

Remote work

The shift to remote working in 2020 meant two things: making sure all employees could safely work from home, and ensuring that they could still access company resources and assets. Because of this, many turned to remote desktops, the technology that allows users to connect to a computer from a remote location. Voilà, your office computer is now at your home desk. But RDP (Remote Desktop Protocol) often poses security concerns as well.

These include stolen credentials, man-in-the-middle attacks (a cyberattack where a bad actor puts themselves in the communication line between two parties), and remote code execution (a vulnerability where an attacker can run their own code on a machine or server of their choosing). Any remote desktop solution, if compromised, grants an attacker entry into the organization. Organizations that use RDP must implement extra security measures to keep themselves and their employees safe. Cisco outlines a few key steps:

Don’t connect RDP directly to the internet. Instead, require a VPN before RDP so employees get the access they need while staying secure
Add MFA (multi-factor authentication), an extra security step that confirms users are legitimate by having them provide two pieces of evidence to prove their identity
Block further login attempts after a reasonable number of failures

Ransomware

Ransomware trends saw the adoption of new tactics, techniques, and procedures (TTPs) on corporate networks in 2020. As the malware gained traction and popularity, many actors refined their approaches and adopted new strategies such as adding countdown timers to their ransom demands, threatening permanent deletion of data, and even big game hunting.

Big game hunting is when attackers leverage compromised systems as initial access points to the network. From there, the attack moves laterally to gain access to additional systems while escalating privileges. The ransomware is only activated once these systems are accessed, so that the attacker causes maximum damage to the victim.

Online sales postings have also become more frequent, in which attackers try to sell access to multiple networks to other threat actors. In addition, bad actors are now exfiltrating large amounts of company data before unleashing ransomware, to conduct what is called “double extortion.” Double extortion creates massive disruption for businesses, which have to deal with compromised networks as well as the threat of the actors releasing their intellectual property, trade secrets, and other confidential information.

So what can organizations do? Cisco recommends that businesses employ a comprehensive approach covering prevention, detection, and response. This includes:

Email security
Patch management
Least functionality
Least privilege
Systems and network monitoring
Network segmentation
Backup and recovery
Policies and procedures
Security awareness training

Passwords

According to Verizon’s 2020 Data Breach Investigations Report, the use of stolen credentials is the second most common action taken by attackers during a breach. This is crucial because using legitimate credentials is one way bad actors can gain access to a network while staying under the radar.

Like the ransomware trends, credentials are being harvested for future attacks. “Credential dumping” is a technique in which an attacker scours a compromised computer for more credentials to use in further intrusions. Because there are plenty of places within operating systems where credentials are stored, such as memory, databases, or files, attackers who have already infiltrated a system can readily attempt to copy and dump those credentials.

To defend against credential dumping, organizations can:

Monitor access to the LSASS (Local Security Authority Subsystem Service) process and the SAM (Security Account Manager) database
Watch for command line arguments used in credential dumping attacks
Monitor logs for unscheduled activity on domain controllers
Look for unexpected and unassigned connections from IP addresses to known domain controllers

If you want to learn more, read Cisco Secure’s Defending Against Critical Threats report.
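Two of the defensive steps above, blocking further RDP logins after a reasonable number of failures, and monitoring LSASS access and connections to domain controllers against credential dumping, can be expressed as concrete detection checks over event logs. The following Python is an added example and not code from the post or from Cisco. It runs over a handful of constructed sample events in an assumed flat key=value export format (real Windows Security and Sysmon events are XML/EVTX); the field names are modelled on Windows Security event 4625 and Sysmon event IDs 10 and 3, and the lockout threshold, process allowlist, domain controller address and client subnet are invented placeholders that a real deployment would replace with its own values.

```python
"""Detection checks for three of the defensive steps in the post:
RDP failed-logon lockout, non-allowlisted access to LSASS, and
unexpected connections to domain controllers. Added example; all
telemetry below is constructed, not real."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed key=value export format; values contain
# no spaces). EventID 4625 = failed logon, LogonType 10 = RemoteInteractive
# (RDP); EventID 10 = Sysmon ProcessAccess; EventID 3 = Sysmon network connect.
SAMPLE_EVENTS = """\
ts=2020-11-03T09:00:01 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=jdoe
ts=2020-11-03T09:00:03 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=jdoe
ts=2020-11-03T09:00:05 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
ts=2020-11-03T09:00:06 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
ts=2020-11-03T09:00:08 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=root
ts=2020-11-03T09:01:00 EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=asmith
ts=2020-11-03T09:30:00 EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=asmith
ts=2020-11-03T09:02:00 EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe
ts=2020-11-03T09:02:30 EventID=10 SourceImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe TargetImage=C:\\Windows\\System32\\lsass.exe
ts=2020-11-03T09:03:00 EventID=3 SourceIp=10.0.5.23 DestinationIp=10.0.0.10 DestinationPort=445
ts=2020-11-03T09:03:10 EventID=3 SourceIp=10.0.9.77 DestinationIp=10.0.0.10 DestinationPort=445
"""

# Placeholder allowlist of system processes that legitimately open LSASS.
LSASS_ACCESS_ALLOWLIST = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\csrss.exe",
}
DOMAIN_CONTROLLERS = {"10.0.0.10"}                            # placeholder DC
EXPECTED_DC_CLIENTS = [ipaddress.ip_network("10.0.5.0/24")]   # placeholder range


def parse_events(text):
    """Parse key=value lines into dicts; the ts field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def rdp_lockout_candidates(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: time} for sources that reach `threshold` failed RDP
    logons inside a sliding `window` (the 'block after a reasonable number of
    failures' step). 5 failures in 5 minutes is an assumed threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue
        ip, ts = ev["SourceIP"], ev["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def lsass_access_alerts(events, allowlist=LSASS_ACCESS_ALLOWLIST):
    """Return (time, source_image) for processes that opened lsass.exe and are
    not on the allowlist (Sysmon ProcessAccess, EventID 10)."""
    allowed = {path.lower() for path in allowlist}
    alerts = []
    for ev in events:
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        if ev["SourceImage"].lower() not in allowed:
            alerts.append((ev["ts"], ev["SourceImage"]))
    return alerts


def unexpected_dc_connections(events, dcs=DOMAIN_CONTROLLERS,
                              expected=EXPECTED_DC_CLIENTS):
    """Return (time, src, dst) for Sysmon EventID 3 connections to a known
    domain controller from a source outside the expected client ranges."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "3" or ev.get("DestinationIp") not in dcs:
            continue
        src = ipaddress.ip_address(ev["SourceIp"])
        if not any(src in net for net in expected):
            hits.append((ev["ts"], ev["SourceIp"], ev["DestinationIp"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, when in rdp_lockout_candidates(evs).items():
        print(f"LOCKOUT candidate {ip}: threshold reached at {when}")
    for when, img in lsass_access_alerts(evs):
        print(f"ALERT {when}: non-allowlisted process opened LSASS: {img}")
    for when, src, dst in unexpected_dc_connections(evs):
        print(f"ALERT {when}: unexpected connection {src} -> DC {dst}")
```

On the sample data the burst of five failures from 203.0.113.7 trips the lockout while the two failures from 198.51.100.9, half an hour apart, do not; the one LSASS access from a user-writable Temp path is surfaced while the svchost.exe access is not; and the single connection to the domain controller from outside the expected client subnet is reported. The allowlist approach matters because many legitimate system components open LSASS, so alerting on every access would drown the signal.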