The Human Element in Security
The COVID-19 health crisis has forced many people across the globe to work remotely, bringing access to sensitive information and communications to employees on home networks like never before.
Unfortunately, because of this increased access, there are growing examples of cybercriminals taking advantage of people’s fear and uncertainty (and lack of awareness) to prey on remote workers. The stress and distractions many employees are experiencing make them vulnerable targets. Typically, an organization’s most important security perimeter is the company firewall and related system infrastructure, but with workers now at home, the most important defense really does become the people themselves.
Humans are the weakest link.
Since the pandemic began, malware attacks have tripled and, according to a recent report from BitSight, home office networks are often less secure and 3.5 times more likely than corporate networks to be infected by malware. Threats such as the Mirai botnet were observed at least 20 times more frequently on remote workstations compared to corporate networks. Many employees are going straight to applications hosted on the cloud to obtain information or store documents, which opens up additional risks to your data. You can defend against this by clearly outlining procedures for connecting to organizational systems from remote locations and by enforcing the use of approved applications only. Providing users with approved, secure solutions that are also easy to use will reduce the likelihood that they will circumvent policy and create workarounds to complete their tasks.
Another big target has been mobile devices/phones. When mobile devices are connected within a corporate environment, they are typically controlled by mobile device management solutions, configured by the security team, that enforce organizational policy and procedure. With fewer restrictions in place and users connecting to residential networks, organizational risks are increasing because the devices being used are found to be out of date, running older versions of operating systems, and have various non-approved applications installed. These devices create another weak point that could allow hackers to compromise information or gain access to other sensitive networks.
Perhaps the biggest threat right now, however, is social engineering and coronavirus-themed phishing scams sent to convince potential victims to make donations, click a link, or provide access credentials. Attackers are sending emails impersonating trusted sources of information, such as the CDC, local health and government agencies, and universities to trick recipients into clicking links or opening attachments that can infect devices with malware. Cybercriminals have even registered domains and created new websites that promote information about the health crisis and interactive maps that detail the spread of the virus, all in an effort to steal information from the unsuspecting human. These sites are infected with malware and ransomware that then infect the visitors’ devices and any connected networks.
More focused phishing attacks (called spear phishing campaigns) are being sent to targeted employees within an organization, appearing to come from a company official, regarding the coronavirus and the plans the organization is making, with links for more information. As employees struggle to understand their new working environments and are bombarded with daily updates regarding organizational changes and procedures, these attacks are often successful. We have also seen an increase in whale phishing attacks, in which hackers target senior officers of an organization. These attacks are more specific and use a combination of well-researched, targeted spear phishing campaigns, website spoofing, and full-frontal network assaults.
Create an effective defense.
Organizations should limit employee access to systems and sensitive data as much as possible, and implement tools to track access to and use of sensitive information. Technological solutions that block or flag potential phishing emails are available, and many organizations are tagging emails that originate outside the organization with a header indicating that the message is from an EXTERNAL source. These headers are intended to call out the increased possibility that the email is fraudulent and stop the human recipient from opening attachments or clicking on links. Unfortunately, hackers are constantly finding new ways around these systems and coming up with new tactics to bypass security controls, so awareness and education remain critical tools.
In a recent webinar with Nelnet International, Chad Wheeler, Manager of the Offensive Security Services for CampusGuard, shared several methods of human hacking including “pretexting” in which someone misrepresents themselves to elicit trust via social media. An example of this that he shared was a hacker friending an employee’s spouse or family member to gain access to the home network through their connection on social media. He also shared several techniques for protecting your organization, including technical controls like multi-factor authentication, as well as great tips for creating secure passwords and passphrases. Chad also reinforced the need to provide updated employee awareness training covering new attack methods, and strategies to motivate employees to change their overall behavior and thinking. It can be difficult to change the culture of an organization, but investing in cybersecurity education at all levels (not just within IT) is the best way to get there.
It is essential for staff to remain vigilant at all times and to be aware of common phishing techniques. Stress to employees that they need to exercise heightened caution while engaging with coronavirus-based content and seek information only from reputable/known websites. Make it easy for employees to report suspicious emails to your IT help desk. Continue awareness training to reinforce security best practices through multiple channels - supplementing your annual training with ongoing updates, email alerts, webinars, newsletters, etc. will not only keep employees updated, but the variety will help keep them interested. If you haven’t already, implement procedures that require employees to verbally verify requests for payments or money transfers over a set amount. Most importantly, encourage staff to remain vigilant and take a few extra seconds to verify that the email sender and their request are legitimate by picking up the phone to get voice confirmation, checking the email headers to see if the sender address is legitimate, reviewing the URL that the link will actually take them to, etc. One wrong click or response can cost your organization thousands in fines, lost revenue, customers, productivity, and reputational damage.
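The EXTERNAL tagging described earlier and the header and link checks just described can be automated at the mail gateway or in a help-desk triage tool. The following Python script is an added example and is not code from the original article or from CampusGuard. It assumes the organization's own mail domain is example.edu, tags any message whose From domain is not internal, flags a Reply-To or Return-Path domain that differs from the visible sender, and flags an HTML link whose visible URL text names a different host than its href. Both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organization's own mail domains.
INTERNAL_DOMAINS = {"example.edu"}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Tag external mail and return (message, findings) for a raw RFC 822 string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender_domain = domain_of(msg["From"])
    # Gateway-style EXTERNAL tag: anything not sent from an internal domain.
    if sender_domain not in INTERNAL_DOMAINS:
        findings.append(f"external sender ({sender_domain})")
        msg.replace_header("Subject", "[EXTERNAL] " + msg["Subject"])

    # Header check: where replies really go and where the mail was sent from.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != sender_domain:
            findings.append(f"{header} domain {other} differs from From domain {sender_domain}")

    # Link check: visible URL text that points somewhere other than its href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if text.lower().startswith(("http://", "https://")):
                shown = urlparse(text).hostname or ""
                actual = urlparse(href).hostname or ""
                if shown != actual:
                    findings.append(f"link text shows {shown} but points to {actual}")
    return msg, findings


# Constructed sample: internal-looking sender, but replies and the link go elsewhere.
SAMPLE_SPOOFED_REPLY = """\
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: helpdesk@example-edu-support.net
Return-Path: <bounce@example-edu-support.net>
To: staff@example.edu
Subject: Updated COVID-19 remote work procedures
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Read the new procedures at
<a href="http://login.example-edu-support.net/reset">https://intranet.example.edu/covid</a>
before Friday.</p>
"""

# Constructed sample: plainly external sender, gets the EXTERNAL tag only.
SAMPLE_EXTERNAL = """\
From: "Health Updates" <alerts@cdc-updates.example.net>
To: staff@example.edu
Subject: Interactive coronavirus map
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>See the live map at <a href="https://cdc-updates.example.net/map">cdc-updates.example.net/map</a>.</p>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED_REPLY, SAMPLE_EXTERNAL):
        tagged, found = analyze(sample)
        print(tagged["Subject"])
        for finding in found:
            print("  -", finding)
```

The first sample is the more instructive one: the From address looks internal, so a simple EXTERNAL tag would not fire, yet the Reply-To, Return-Path and link target all point at a look-alike domain. That is exactly the kind of mismatch the article asks staff to check by hand, and a triage script surfaces it for the help desk without relying on the recipient to notice.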
Additional guidance from our Offensive Security Services team is below:
[Wheeler]: The sad reality is that attackers are going to do whatever they need to do to get what they want. Most are motivated by money, so even if they aren’t trying to steal money directly, they want to get to any data of value. They may sell it on the dark web, or they may demand a ransom from you or your organization.
It sounds so cliché at this point, but it is absolutely true - security is everyone’s responsibility. Most users would probably agree that they don’t want to be the source of a breach that costs the organization thousands, hundreds of thousands, or millions of dollars, so they should scrutinize everything and operate as if they are stepping through a digital minefield - because they are. Trust, but verify.