Companies determined to protect their employees and minimize the impact of COVID-19 are enforcing travel restrictions and strong work-from-home policies. However, those actions can be used against employees as firms are likely unprepared for the cyberattack exploitation of a remote workforce. Here are some of the key issues of which law firms and companies need to be aware and steps that should be considered to minimize the risk to keep everyone — and client data — safe.
What you don’t know can hurt you
When we are unaware of a risk or threat, and without knowledge of the threat, we generally don’t take any precautions.
Criminals are willing to kick you while you’re down and we are witnessing evidence of this now. For example, a coronavirus-themed email is targeting health care workers. The email sent from their information technology teams with the subject “ALL STAFF: CORONAVIRUS AWARENESS” informed employees that “the institution is currently organizing a seminar for all staff to talk about this deadly virus” and solicits employees to click on a link to register. In one case, a Czech hospital was shuttered after a coronavirus-themed attack.
TechRadar reports fraudulent outbreak maps are being used to attract unwitting victims and then deliver malware through various well-test tactics. And ThreatPost is reporting two coronavirus-themed campaigns that use PDF and Microsoft Word documents to deploy remote access tools, clipboard-copying, keystroke logging, desktop image capture and a cornucopia of malware. CheckPoint security discovered another coronavirus-themed campaign targeting Japan that delivers the reigning champion of credential harvesting Emotet.
This is nothing new. It’s a well-rehearsed playbook, exploiting the chaos and fear caused by major weather or other natural disasters. eSentire reported a similar attack back in 2012 and early 2013 during and after the chaos caused in New York by Hurricane Sandy. During the weeks around the debilitating storm, client traffic dropped by up to 30%, while malware and other malicious traffic increased by the same percent.
Using your own tools against you
As workforces take up social distancing to shelter at home, the risk of attacks against corporate remote access systems goes up. Criminals target employees to harvest their Virtual Private Network (VPN) credentials as a backstage pass to corporate assets.
VPN credentials grant legitimate access to remote administrative tools, like PowerShell and Microsoft Remote Desktop Protocol. These tools are the keys to the kingdom and a preferred vector of criminal exploits. At the microscopic level, the difference between legitimate admin activity and malicious behavior is obvious. But to the naked eye, it often goes unchecked and is only discovered once the cyber event metastasizes and the crippling symptoms emerge.
Steps to securely enable your teams to work effectively from home
There are specific controls and practices that firms should put in place to protect themselves during times of chaos and uncertainty:
- Revisit your business continuity plans: Every company should have a business continuity plan designed to minimize the impact of a prolonged power outage, major storm, pandemic or IT system failure. The point is to know where the emergency exits are located, and the gathering point outside the building before someone pulls the fire alarm. Your plan should include contingencies to provide uninterrupted service through a secured, remote workforce. Ask yourself if you can secure a distributed workforce to the same level you can within the confines of your firewall.
- Keep your employees informed: The easiest way to minimize risk is to keep your employees informed of coronavirus-related scams, phishing schemes and fraudulent websites. When it comes to best practices, your employees should be getting their information from you in a transparent fashion, and not social media sites like Facebook or other potential sources of misinformation or exploitation. Firms should publish weekly updates that reinforce company policies, security protocols and clear lines of communication. Employees should also have a mechanism through which they can safely report suspicious activity, such as questionable emails.
- Use protected and trusted internet connections: Firms should prohibit working from public places, such as coffee shops or on public transportation, where third-parties can view screens and printed documents. Laptops should always be deployed with privacy screens. Employees should only connect to trusted, password-protected internet connections, such as home Wi-Fi, and avoid public hotspots that can be spoofed.
- Use a VPN to protect remote connections: This goes without saying. Data at rest (stored on a drive) should be encrypted. And all connections should be encrypted with a VPN service. This is table stakes in any cybersecurity protocol. In businesses with a hardy remote workforce, using a VPN is common practice. For more gregarious businesses with traditional office arrangements, using a VPN might not be as familiar. Ensure your workforce is trained and understands how to use the VPN properly.
- Enforce multi-factor authentication: While a VPN provides a layer of security, credential harvesting is an easy way for criminals to travel your safe corridors alongside legitimate employees. Using multi-factor authentication (MFA) can reduce the risk of compromised VPN connections. MFA requires a second source of user validation (such as entering a key texted to a secure phone, a pre-generated token or other mechanisms) tied to a certificate-based system. It doesn’t eliminate the risk, but it certainly reduces it.
- Disable administrative privileges: Criminals access remote access tools using a legitimate VPN account to create new accounts with administrative rights. These avatars can then move freely through your network, access network infrastructure, deploy script and collectors on services and even disable security mechanisms. Most employees do not require administrative rights. What’s worse, it’s often senior management or rainmakers who are granted full rights and privileges — and they are the ones with access to the most valuable information. It’s counterintuitive from a security perspective, so disable them. Or at least consider suspending administrative access. For IT managers and team members who require administrative rights, consider two controls. First: Never use first.last name nomenclature for accounts with administrative powers. These types of usernames are easy to engineer from public information like LinkedIn. So, an IT employee will have multiple accounts. Perhaps the first.last account for normal employee activities and communications, but another more complex account for administrative IT activity. Second: Privileged Access Management, which provides limited and expiring access to specific systems. In this way, an IT employee is granted administrative rights to a critical system for a specific (documented) purpose that must be completed within a fixed period of time. This means a senior employee validates and authorizes the work in a logged system. This makes hijacking remote access extremely difficult from criminals.
- Protect your endpoints: Many firms rely on faulty security architecture when it comes to remote workers. Most firms are well protected within the confines of their office spaces, but their mobile endpoints, like laptops and smartphones, are only protected when inside the firewall. Remember, many attacks use zero-day malware (undetectable) or non-malware-based attacks (like VPN hijacking) that evade traditional antivirus systems. For this reason, many firms deploy endpoint protection platforms (EPP) and endpoint detection and response (EDR). These systems provide additional layers of detection capability, local forensics to determine impact, and even limitation mechanisms through device isolation. In essence, EPP and EDR extend your protective cloak from the core network to the mobile devices and offers mechanisms to respond to a threat while the device remains quarantined.
- Manage BYOD devices: If you allow personal devices, consider limiting access to critical systems from these devices or deploying enterprise device management or mobile device management tools that provide layers of control to minimize access from personal devices and enforce security controls on the devices themselves. And employee devices should be running the latest manufacturer software updates prior to permitting access to any remote systems. It’s good hygiene.
- Consider running a COVID-19 exercise: The biggest challenges IT leaders face is getting the C-suite and managing partners to understand the risks and challenges raised by cyber threats leveraging the confusion and fear around the coronavirus outbreak. One of the best ways to gain an aligned mindset is to run a tabletop simulation. The point is to face the worst-case scenarios in a safe environment and build consensus around proactive and ethical response. For example, run an exercise in which a key employee tests positive for COVID-19 after meeting with their team and clients in face-to-face meetings. Consider quarantine, exposure risks, and the specifics of communication with employees and customers.
Digital transformation is dominated by nebulous perimeters, distributed workforces, global connections, artificial intelligence-driven decision-making and critical systems moving to the public cloud, and these changes are only going to increase in speed and complexity. The coronavirus serves as a warning of a much larger issue.
As we enable a distributed workforce, we must weigh the risks against the rewards. We must remember that criminal elements are willing to exploit the chaos of a global event or even the confusion around the deployment of new technology.
Like all disasters and major global events, coronavirus will pass. Let’s use this event as a call to arms and ensure we are prepared for a world of distributed workforces, always-connected systems and critical assets stored outside the confines of our traditional security walls.
- Smart ways for insurance professionals to work remotely
- Pandemic checklist: How individuals and businesses can prepare
- Coronavirus update: Global travel bans, CDC warning and more
Mark Sangster ([email protected]) is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. The views expressed here are the author’s own.