On March 20, the FBI issued an alert warning that cyber thieves are trying to exploit the coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.
According to those groups, hackers are sending phishing emails purporting to come from the World Health Organization, the Centers for Disease Control and Prevention, and other organizations. Those emails claim to offer information on the virus and ask recipients to click on links or open attachments, which allow hackers to deploy malware. Hackers are also sending phishing emails purporting to come from charitable organizations or trying to entice recipients to click on links by claiming to offer airline refunds, testing kits, vaccines, and/or financial relief. The FBI also warns that hackers are using websites and apps that claim to track coronavirus cases to deploy ransomware. These trends are not improving.
You have probably seen these phishing attacks yourself – on your smartphones and on your home/family computers. Cyber criminals are preying on the fear and uncertainty generated by the COVID-19 pandemic. Barracuda Networks reports it saw 137 incidents in January grow to 1,188 in February and 9,116 part of the way through March. While the topics of these scams vary, Barracuda associated approximately 2% of them with Coronavirus/Covid-19 topics.
On March 27, KnowBe4.com detected a particularly cruel and amoral attack – appearing to come from a hospital and directing the recipients to fill out the attached spreadsheet and proceed to the hospital because they had been exposed to the coronavirus via “colleague/friend/family member.” Unlike many attacks that have grammatical errors or clumsy syntax, this message was clear, concise and alarming.
The forced telecommuting requirements of today’s environment increase the probability that employees are relying on mobile devices and personally owned devices to conduct business that previously would have been done from their offices, on a hardened network. This change opens a new vulnerability for businesses. The security company Lookout reports that not only do the “features, functionality, and even the screen size” of mobile devices make it harder for a person to distinguish legitimate from suspicious communications, but personally owned mobile devices are also outside the company’s security perimeter.
Verizon reports in its 2020 Mobile Security Index (MSI) that the number of businesses reporting a mobile-device related compromise rose 44% from its initial report in 2018. While the rise is not unexpected, the 2020 index also notes a reduction in the number of companies who acknowledged sacrificing some form of mobile security for the convenience of mobile devices, due to a lack of financial or manpower resources.
Ultimately, while these malicious acts come in many different forms, their goal is the same – to trick the recipient into clicking on a link or taking some action such as entering a user name or password, emailing confidential information, or transferring funds. Given that millions of Americans have transitioned to work from home, the risks associated with these exploits have grown substantially, and phishing attacks on mobile devices are launched through methods other than e-mail, such as gaming and social media sites that office IT systems have normally locked down.
How can you help employees understand the risk these threats pose to their personal information and government data, and their role in defending against them?
On an organizational level, if you have not done so already, you should alert your workforce that these malicious acts are occurring and that workers need to exercise vigilance in defending against them. Like other cons, these coronavirus exploits are deliberately designed to prey on people’s fears and generosity. If this type of training and reminder would be a new concept for your employee group, you should coordinate with your CISO or security team to prepare an email to your workforce discussing these threats and reinforcing good cyber hygiene.
Items that you should consider including in your email include the following tips taken from the FBI’s alert:
- Do not open attachments or click links within emails from senders you do not recognize.
- Do not provide your username, password, date of birth, social security number, financial data, or other personal information in response to an email or robocall.
- Always verify the web address of legitimate websites – manually type URLs into your browser.
- Check for misspellings or wrong domains within a link (for example, an address that should end in a “.gov” ends in “.com” instead).
Specific to mobile devices, consider reminding employees that when unexpected emails arrive in their inboxes, they can tap on the displayed name of the sender and see if the actual email address matches the displayed name, or if the sender’s information is spoofed.
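As an added example (not from the article, the FBI alert, or any vendor mentioned here), the following Python script applies two of the tips above to a constructed message: whether the sender’s display name matches the actual address, and whether a link’s visible text or host imitates a trusted domain. The TRUSTED list, the heuristics, and the sample email are assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"cdc.gov", "who.int"}  # assumed organisations a lure might impersonate
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")

def _same_site(a, b):
    # www.cdc.gov and cdc.gov count as the same site; cdc-update.com does not.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def sender_mismatch(from_header, trusted=TRUSTED):
    """Display name claims a trusted organisation but the real address is under another domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    claimed = [d for d in trusted
               if re.search(r"\b%s\b" % re.escape(d.split(".")[0]), name.lower())]
    return bool(claimed) and not any(_same_site(domain, d) for d in claimed)

def suspicious_links(html_body, trusted=TRUSTED):
    """Hrefs whose visible text names another site, or whose host imitates a trusted domain."""
    flagged = []
    for href, text in ANCHOR_RE.findall(html_body):
        host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        text_mismatch = shown is not None and not _same_site(host, shown.group(0))
        lookalike = any(d.split(".")[0] in host and not _same_site(host, d) for d in trusted)
        if text_mismatch or lookalike:
            flagged.append(href)
    return flagged

def triage(raw_message):
    """Run both checks over a raw RFC 5322 message and report what a reader should verify."""
    msg = message_from_string(raw_message)
    return {"sender_spoofed": sender_mismatch(msg.get("From", "")),
            "bad_links": suspicious_links(msg.get_payload())}

# Constructed sample in the style of the CDC/hospital lures described above, not a real message.
SAMPLE_EMAIL = """\
From: "CDC Health Alert Network" <alerts@cdc-covid19-update.com>
Subject: COVID-19 exposure notice
Content-Type: text/html

<p>Review the guidance at <a href="http://cdc-covid19-update.com/login">www.cdc.gov/coronavirus</a>.</p>
<p>Official source: <a href="https://www.cdc.gov/coronavirus">CDC site</a></p>
"""
```

Running `triage(SAMPLE_EMAIL)` flags the spoofed sender and the first link, whose visible text names cdc.gov while the real target is a .com lookalike; the genuine CDC link passes.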
Whether you send this initial email or your security training already includes simulated phishing messages, agencies must remember that employees are individuals who learn and retain information differently, person to person. If working from home remains in place for weeks or longer, recognize that alternatives to in-person training will be required for the message to reach a larger percentage of the workforce. Consistent and varied training reminders can go a long way towards protecting your employees’ data on their home devices and networks, along with reducing the odds of your network becoming a victim.
What advice and resources do you emphasize to employees that can strengthen their defensive posture?
The U.S. National Institute of Standards and Technology (NIST) published a Security for Enterprise Telework bulletin for employers and employees on best practices for teleworking securely that contains suggestions for Bring Your Own Device (BYOD) challenges as well. The bulletin and NIST Special Publication 800-46, listed among the bulletin’s additional resources, discuss security considerations that apply not only to BYOD, but also to end users’ home networks and physical security.
The telework/BYOD recommendations from NIST along with older security tips from CISA discuss the importance of security measures for the end-users’ homes. These include but are not limited to: changing the factory default log-in data for home routers; updating the firmware for the router; updating the software on devices; and strengthening passwords or using a password manager service (free or subscription based), and the often forgotten physical security of the BYOD that can be stolen or misplaced.
Many federal employees already use virtual private networks (VPN), and the demand for these resources will only grow as the Office of Management and Budget’s guidance encouraging telework practices for federal employees is fully implemented. Sean Kelley, the former deputy CIO for the VA and former CISO for the EPA, recently confirmed that the increased need for teleworking will strain the federal government’s VPN capacities: “Where you might have had 20, 30, 50% of your workforce connecting to the VPN at any time, now you have 80-to-100% of the workforce connecting via VPN all the time.”
This new dependency on telework makes CISA’s March 13, 2020 alert regarding Enterprise VPN security worthwhile reading because it provides concrete steps that are applicable for agencies, businesses and their employees.
The ransomware attacks against 22 Texas municipalities highlighted the fact that VPNs are not a panacea, unless they are given regular care and feeding – they are not an “install and forget” resource. The first mitigation item in CISA’s VPN Security alert is to update the security configurations and install the latest software patches for your VPNs, network infrastructure devices, and the devices being used to remote into work environments. This requirement can be difficult to address if there is limited ‘down time’ for these resources, but business leaders must think of patches and updates as being preventative maintenance for essential equipment. Keeping the computer network for a business up and running is no different from an overnight delivery service keeping its vehicles on the road.
Working from home also creates new challenges for organizations and employees due to increased loads on available bandwidth as well as impediments to data sharing and file transfers. Convenience is the hidden enemy of cybersecurity. It is important that you continue to remind your employees to resist the temptation to use their personal cloud sharing apps for company data or to save confidential information on their personal devices.
In the end, the best advice to address these problems is a tried and true response – continued attention and vigilance. The problem with that advice is that it is hard to do. Exercising vigilance in response to these malicious actions can go a long way to avoiding potentially catastrophic cyber events.
Erik Dullea is a Denver-based partner with the law firm Husch Blackwell LLP who focuses on administrative and regulatory law with an emphasis on workplace safety and security in critical infrastructure sectors such as mining, energy and aviation.