Within a few weeks, the Coronavirus pandemic has upended personal and business life around the world. Indeed, events unfolded so rapidly last week that the stock market’s so-called ‘fear index’ (the VIX volatility index) spiked to its highest level ever, higher than after the 2008 financial crisis or even 9/11.
Such crises bring out both the best and worst in society, with healthcare workers, medical researchers, and elder caregivers all working to stanch the growing disaster. However, it also brings out the unsavory elements of society looking to capitalize on the chaos.
I wrote a couple of weeks ago, “never let a good crisis go to waste” in making the case for using the business disruption as an opportunity for positive change. Sadly, scammers, cyber-crooks and rogue nations follow the same credo and are out in full force seeking to exploit millions of new, often naive, remote workers forced to live outside the cozy confines of the corporate campus.
As everyone who has spent any time on social media over the past week knows, millions of people around the world are now forced to work from home (WFH), full time, usually with little preparation and using whatever equipment and workspace are available to them. In many cases, this means using a personal laptop, at least in the short-term, since many employees like customer support agents, financial and accounting personnel and receptionists are tied to a desk using a desktop PC.
Ideally, organizations will make arrangements to let capable employees take their desktop set up home for the duration of their WFH adventure. However, for now, they could be using an adware-invested laptop that's 9-months behind in its OS patch levels. Their phone situation is likely no different where their 4-year old Moto G4 running Android 7 does double-duty as a primary work phone. (For a terrifying look at the mobile OS environment hackers find in the wild, look at these statistics on Android platform usage).
WFH + a scary pandemic = a target-rich environment for malefactors
Security companies that monitor the global cyber threat environment have seen a marked increase in coronavirus-themed attacks seeking to exploit a nervous public's keen interest in updated news and advice. For example, Check Point Software's Threat Intelligence monitoring service has recorded more than 4,000 new coronavirus-related domains registered since January. Of these, its scans found 3 percent to me malicious and another 5 percent suspicious, making the probability that coronavirus Internet domains are malicious 1.5-times that of the average site. Check Point sees the malicious sites being used in phishing campaigns or are scams set up to "sell face masks, vaccines, and home tests that can detect the virus." According to Check Point:
A widespread targeted coronavirus themed phishing campaign was recently spotted targeting Italian organizations, hitting over 10% of all organizations in Italy with the aim of exploiting concerns over the growing cluster of infections in the country.
A new report from Radware notes that most scams use coronavirus as a lure in phishing emails or texts to increase the likelihood that recipients click on attachments or links to websites hosting malicious code. Furthermore, attacks aren't just against client PCs, but increasingly target VPN systems. Radware's report identifies more than a dozen vulnerabilities affecting popular enterprise VPN and remote desktop products from Citrix, Fortinet, Microsoft, Palo Alto Networks and Pulse Secure. According to Radware, these "vulnerabilities allow remote attackers to take control of an affected system and get unrestricted access to the internal network."
FireEye, another security firm tracking coronavirus-themed attacks, has observed activity emanating from China, North Korea and Russia using the global health crisis in spear-phishing attacks. Again, these use heightened interest in information about the epidemic to increase the probability that targets open infected documents hosting code that installs a system backdoor, network penetration probe or remote control and administration software. According to Jens Monrad, FireEye's Head of Threat Intelligence for EMEA, attacks fall into three categories:
- Nation-state campaigns targeting particular users for surveillance or IP theft.
- Financially motivated cyber criminals of all stripes, both sophisticated and opportunistic.
- Bogus social media accounts driving disinformation campaigns, often espousing conspiracy theories about the virus's genesis (e.g. as a biowarfare agent).
Phishing messages, both email and text, are currently the most common method of coronavirus-themed attacks, however, both FireEye and Radware warn of possible DDoS attacks against enterprise VPN infrastructure. Although these would initially be a nuisance, Monrad fears that attackers could use VPN outages as a ruse to entice employees into visiting malware-infested websites that ostensibly provide updated outage information or instructions. Indeed, the U.S. Department of HHS has already been hit with a denial of service attack that appeared related to a social network disinformation campaign.
Safety tips - bolster the infrastructure and harden employees
We assume that organizations mandating remote work have already done the basics such as providing employees with encrypted VPNs (typically using IPSec or SSL) and endpoint protection software. Still, these can be strengthened in several ways:
- Isolate VPN gateways on a restricted network that only provides limited, controlled access to commonly used services such as email, file shares and enterprise applications. Don't terminate VPNs on a campus LAN.
- Secure VPN access with multi factor authentication such as a security token (e.g. YubiKey) or app-based one-time password generator (e.g. Google Authenticator, Authy, Symantec VIP). Avoid SMS-based security codes (see my earlier column detailing why).
- Likewise, ensure that employees using password managers/vaults like 1Password or LastPass protect the master password with MFA.
- Organizations with obsolete or inadequate security technology should take advantage of the many free trial offers leading vendors have made available in light of the crisis. Our friends at Packet Pushers have a comprehensive list. Of particular benefit during periods of rapidly evolving threats are monitoring and threat updating services that augment existing security controls to block new attack methods.
Employees must do their part by increasing their skepticism towards unsolicited messages, particularly those tagged with trending topics like coronavirus or related quarantine activity. Specific actions include:
- Verifying the sender of any unsolicited coronavirus email. As Monrad quipped, "if you're not expecting a message from the World Health Organization, it's probably not legitimate."
- Redouble basic phishing defenses:
- Be alert to spelling and grammatical errors and generic, "Dear sir/madam" greetings.
- Don't interact with unsolicited attachments or weblinks from unknown senders.
- Trash unsolicited requests for personal information or directing to a website requesting user login information. Don't succumb to messages imparting a sense of urgency or danger. Hackers prey on impulsive decisions.
Spies, criminals and scammers thrive on chaos and disruption, so an increase in cyber-attacks should be expected as society adapts to the radical changes necessitated by the Coronavirus outbreak.
However, these are temporary speed bumps that can be thwarted by rigorous security design, processes and employee vigilance. Despite the worsening situation, I retain the optimism I express two weeks ago that:
The crisis can stimulate much positive change by cutting through stifling bureaucracies, eliminating moribund practices and inciting radical changes that entail some short-term pain, but yield long-term gain.
In terms of how and where employees work, by rapidly transitioning vast swaths of the workforce into remote work, the crisis might only be accelerating a change that needed to happen eventually. I agree with Matt Burr, CEO, and co-founder of Nomadic Learning, who writes in a recent column that after the crisis abates, many workers will not want to return to traditional work environments:
The age of the office as we know it is probably over, and the bell can’t be unrung. And there’s really no need to try. The traditional office was already fading into obsolescence. The Coronavirus pandemic radically sped up the timeline.
Give people the leeway and trust to schedule their work lives around their personal lives (not the other way around), and they will discover that they tend to be more productive, more driven and happier. Organizations will learn that they benefit tremendously from losing the limitations that come with traditional office settings.
As Burr notes, the office environment provides managers with "the illusion of control," that, once lost, will be seen as an unnecessary custom, not a critical piece to ensuring order and discipline. Although the adjustment to remote work is disturbing and uncomfortable for many, both front-line employees and managers, I agree with Burr that it might not take long before it feels normal.
We're not in Kansas anymore, but if, nay when remote work becomes the norm, we might finally achieve the elusive work-life balance people long for while simultaneously boosting productivity through fewer management layers, more efficient work processes and happier employees.