Shifting an entire business to a remote workforce typically takes years of planning and implementation. Yet to prevent the spread of COVID-19, organizations had about a week to move most or all of their workers home.
It also took about the same amount of time for COVID-related scams to hit users’ home systems, the very same systems from which users are accessing their enterprise resources.
There’s a lot of news going around about risks and solutions, so this blog attempts to streamline the risks into three threat areas:
- User-owned devices accessing business resources are being targeted and compromised.
- Fraudulent websites, emails, social media messaging and other COVID-19 lure locations are on the rise.
- Medical, government and other critical infrastructure is being attacked to stir up more chaos.
“A lot of enterprises overnight had to change their BYOD policies, but they haven’t changed their BYOD threat models,” explains Jake Williams, SANS instructor and owner of Rendition Infosec consultancy. “Bad stuff gets on the BYOD device. Then once the user has VPN’ed into the network, the bad guys use that access to move laterally through the enterprise, deliver more malware and steal sensitive data.”
Workers could also be accessing their resources through an intranet portal, the cloud, remote desktop, etc., with the same result, he adds. So organizations need to update their policies and scale their remote access protections to meet the new demand.
This means using tools such as network segmentation, strong access and identity management, network packet capture, and remote endpoint management capabilities. (For more information, check out our SANS Security Awareness Work-from-Home Deployment Kit.)
Encryption and key management are also important for supporting remote endpoints securely, explains JD Kilgallin, senior integration engineer at Keyfactor, which recently released a remote worker security guide.
“You want to add a client certificate to each of the remote workstations accessing business resources, then only allow connections from those machines with certificates,” he explains. “But you need to deploy these certificates securely in environments where they generate strong random numbers.”
This is especially important for medical-related devices that feed COVID-related data to reporting systems and are known to produce weak random numbers, Kilgallin adds.
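One way to act on this before enrolling device certificates is to audit the fleet's RSA public keys for shared prime factors, the classic symptom of a weak random number generator: two moduli that share a prime are both trivially factorable. This is an added example, not code from the blog post or from Keyfactor; the moduli are constructed toy values, far smaller than real keys.

```python
"""Audit a set of RSA public moduli for shared prime factors.

Devices with a weak random number generator tend to pick the same
prime more than once across a fleet. Any two moduli that share a prime
are both factorable by a single gcd, so the client certificates built
on them must be rejected before they are allowed to authenticate.
Added example; not code from the original post or from Keyfactor.
"""
from itertools import combinations
from math import gcd


def shared_factor_pairs(moduli):
    """Return {(i, j): g} for every pair of moduli with a common factor g > 1.

    Pairwise gcd is O(n^2), which is fine for auditing a few thousand
    device certificates. g == min(a, b) means an outright duplicate key,
    which fails the audit just as badly as a shared prime.
    """
    found = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = gcd(a, b)
        if g > 1:
            found[(i, j)] = g
    return found


def weak_key_indices(moduli):
    """Sorted indices of every modulus that shares a factor with another."""
    flagged = set()
    for i, j in shared_factor_pairs(moduli):
        flagged.update((i, j))
    return sorted(flagged)


def recover_factors(n, p):
    """Given modulus n and one known prime factor p, return (p, q) sorted."""
    assert n % p == 0, "p does not divide n"
    return tuple(sorted((p, n // p)))


# Constructed toy fleet: real keys are 2048+ bits; small primes keep the
# example readable. Devices 0 and 2 reused one prime, devices 1 and 3 another.
PRIMES = [1000003, 1000033, 1000037, 1000039, 1000081, 1000099, 1000117, 1000121]
FLEET_MODULI = [
    PRIMES[0] * PRIMES[1],  # device 0
    PRIMES[2] * PRIMES[3],  # device 1
    PRIMES[0] * PRIMES[4],  # device 2: shares PRIMES[0] with device 0
    PRIMES[5] * PRIMES[3],  # device 3: shares PRIMES[3] with device 1
    PRIMES[6] * PRIMES[7],  # device 4: clean, unique primes
]

if __name__ == "__main__":
    for (i, j), g in shared_factor_pairs(FLEET_MODULI).items():
        print(f"devices {i} and {j} share factor {g}: reject both certificates")
    print("flagged devices:", weak_key_indices(FLEET_MODULI))
```

On a real fleet, feed the function the moduli extracted from each device's certificate; any hit means the issuing environment's RNG must be fixed and the affected certificates reissued.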
Phishing, Fraud and Scams
“Dangerous phishing, counterfeiting or misinformation scams are aggressively referencing trusted brands, products, government agencies and health organizations via fraudulent domain names, email, websites, apps, social media profiles and marketplace listings,” he says.
Attackers are after money or credit card information as well as personal data. They also take over the users’ computers, devices and phones in the process.
“What’s very concerning is that global consumers are being targeted with fake and potentially harmful medical products. This is especially dangerous now, since billions of people are in desperate need of a remedy to the COVID-19 pandemic,” D’Angelo says.
Increasing consumer and employee awareness, while deploying brand protection, domain name and DNS security best practices, is important to mitigate these risks, he adds.
According to reports, attacks on the World Health Organization have more than doubled during the pandemic. Attackers are also hijacking the DNS settings of home routers to point users to fake sites that look legitimate. SANS has reported an explosion of fake COVID-19 domains since February, providing tracking information and advice on its COVID-19 fraud page.
Williams also points to the medical system infrastructure, which is not prepared for the onslaught of COVID-related scams against hospitals and medical facilities. As a result, Williams has joined several hundred cyber investigators and intelligence professionals in the COVID-19 CTI League. These volunteers are collectively analyzing and sharing intelligence and indicators through healthcare information sharing and analysis centers (ISACs) and elsewhere to help hospitals protect their systems and digital resources. They’re also working with internet service providers to take down fraudulent sites.
“In past security operations, professionals have washed their hands from user devices, but right now you can’t do that,” says Williams. “You need to update policies and practices for the long-term, not just for the now.”