The COVID-19 pandemic may have hit like a bolt from the blue, but the repercussions may be felt for years to come. That’s not a doom-laden economic warning, it’s recognition of the fact that the coronavirus may cause a permanent shift in the way people work. For businesses, this is an opportunity: remote workers are generally happier, more productive and less likely to move jobs. But it’s also a challenge without the right security plans in place.
The uptick in attacks on home workers has highlighted in one swoop the cyber-threats facing organisations in this space. Tackling them will require a common-sense blend of new technologies, processes and policies.
A perfect storm
Email has for decades been the number one threat vector for cyber-criminals, and so it continues to be today. However, the current crisis has provided several new factors which malicious actors are eager to exploit. In many organisations the number of remote workers has soared from around 10% to 95%+ of all employees: this offers an opportunity to target endpoints that may be less well protected than the usual corporate desktops. Staff may also be more distracted at home, and prone to click on links or open attachments they may otherwise have avoided.
IT staff may also be distracted, stretched to the limit by the demands placed upon them to support mass home working and other behind-the-scenes projects as their organisation tries to rapidly adjust to the new normal. These gaps may become even bigger if security staff are forced to take sick leave due to the virus.
What are the threats?
A joint advisory from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) points to the main strategies being deployed today by both APT attackers and financially motivated cyber-criminals. These are:
- Phishing, using COVID-19 as a lure. This could be designed to steal user credentials, or deliver malware
- New domains registered containing COVID-19 references and wording, to be used in combination with phishing emails
- Attacks against remote access/working infrastructure
This aligns with what Barracuda Networks is seeing in the wild. Its filters picked up a 667% increase in COVID-19 spear-phishing attempts between January and the end of March, for example. A further breakdown shows the range of tactics at play here: 54% were scams, 34% were brand impersonation attacks, 11% were extortion, and 1% were business email compromise (BEC) attacks.
Video conferencing and VPN infrastructure are particularly at risk, with the black hats keen to exploit overlooked vulnerabilities and/or insecure default user settings. The NCSC has observed phishing emails/sites attempting to harvest log-ins for collaboration apps and exploits for flaws in VPN products. Microsoft was recently forced to alert several dozen hospitals that their gateway and VPN appliances were being targeted by ransomware in this way.
Tried and tested
The good news is that many of these tactics should be familiar to IT security leaders. Social engineering and phishing emails, vulnerability exploitation and BEC are all tried-and-tested approaches which have their own best-practice mitigations. What’s more, despite the sensational news headlines, researchers aren’t actually seeing an overall rise in cybercrime levels — it’s just that existing resources and campaigns are being repurposed to take advantage of the global interest in the pandemic and users searching frantically for vaccines, face masks and official guidance.
That said, other factors are at play that may complicate things for IT security bosses. Few will have had the time, money or foresight to equip every single employee with a corporate laptop or device before government lockdowns and home working orders were issued. That creates serious visibility and security challenges: an overnight explosion in potentially unmanaged and under-protected endpoints. The opportunity for shadow IT, the use of unsanctioned applications and devices, is off the scale. Corporate IT leaders need to work out quickly what their policies are in this area.
Another challenge may be in their use of VPNs. For many organisations, this is a best practice way of securely connecting remote workers to the corporate network. But what happens when the entire workforce wants to connect, and for the entire day, not just sporadically? The VPN service itself may become overloaded, to the point where it can’t be used to deploy critical patches to endpoints. That may eventually put pressure on organisations to find alternatives, and could herald a push towards greater use of cloud services like Office 365, using a zero trust approach which emphasises multi-factor authentication and a “never trust, always verify” policy.
Once the initial panic has died down, these are all important long-term issues that IT leaders should be thinking about. But in the meantime, the focus must be on protecting the current home working environment. That means:
- Gaining visibility into all remote endpoints and their security status using automated asset/patch management tools
- Ensuring all endpoints, including home working machines, are up-to-date and secured with multi-layered email and web protection
- Pushing out updated user awareness training to all employees on how to spot COVID-19 threats
- Revisiting access policies, to enforce two-factor authentication (2FA) for all accounts
- Enhancing native cloud security (i.e. built into Office 365) with third-party email/web security platforms
- Drawing up a list of approved video conferencing/collaboration apps and end user policies (i.e. mandated use of 2FA)
- If using a VPN, ensuring it is easily deployed and highly scalable
- Investing in an incident response service to automate alerts and block threats
- Providing cloud backup for all home working employees
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.