In recent months, an invisible virus has changed the world; working from home and remote interactions with services have become the new norm and the way we work, interact and live have shifted significantly. What a year 2020 has been!
Within a few months, we’ve learned many lessons about cybersecurity as well. Just like our day-to-day lives, the attack landscape has changed and it is essential to know what is different and how to react to it, in order to keep your organization safe and secure.
Phishing Campaigns & the Human Factor
Phishing campaigns were the first attack vector to adapt to COVID-19. The virus caused a change in people’s behavior – people started looking for data on new areas of interest, looking for scarce supplies, visiting new sites, and clicking on new links they have never known before.
This behavior change is heaven for phishing and spear-phishing campaigns. Phishing sites scrape legitimate data and sales offers, putting them on a malicious website, and adding their code to it to exploit user machines. Any unsolicited link or site that is mentioning one of the terms below should be heavily scrutinized:
- COVID-19, Corona, Virus, etc.
- Supplies that are scarce – toilet paper, water, cleaning supply, etc.
- Health supplies – masks, KN95, N95, Alcogel, etc.
- Government restrictions, regulations, stimulus payments, etc.
- Relevant statistics – confirmed cases, fatality rate, testing numbers, etc.
- Health-related organizations and people – WHO, CDC, NIH, local health bodies
From a technology aspect, phishing prevention systems also need to adapt as the domain age indication is less indicative than before; many legitimate COVID-19 sites were built quickly and are new domains. The phishing prevention solutions should adapt and recognize such young domains from the malicious domain that have the same behavior and age. Organizations need to make sure their phishing protection is updated with the latest data and algorithms.
From the human aspect of phishing, phishing campaigns are always a psy-op – convincing a person to click the malicious link. COVID-19 creates a perfect storm in this regard: the pandemic made people feel vulnerable and scared of the unknown, and working from home (e.g., less social interaction), engenders a feeling of isolation.
In such a situation, people will pay less attention and have fewer options to consult on what is the right thing to do, cybersecurity-wise. During the pandemic work-from-home, it is a lot harder to beware of suspicious links when the kids want attention, your boss wants the job done yesterday, and an urgent message shows up from your HR department.
More than ever, it is crucial to train employees to detect phishing campaigns and to explain the changing attack surface; employees need to know that COVID-19 related content can be used against them as a phishing campaign. People want to do the right thing, and if we give them tools to do it and raise awareness, they can mitigate a lot of the risk in phishing attacks. The new psychological situation should also be discussed – guiding employees not to be anxious and to stop and think before acting on new data\link\email.
The Home is Still the Office
Many organizations are using tools to secure the employee’s endpoint. But in parallel, working from home increased the already growing trend of BYOD – connecting personal devices to the organization network. Working from home means the devices are also connected to non-corporate networks (mostly the home network), with other devices that are entirely out of reach for the organization’s IT department and policies.
These devices are inherently less secure – other family devices, IoT devices, ISP’s routers, and others that are out of the control of the company. Many employees are also sharing their devices with family members, who are sometimes less technology-oriented and less familiar with cyber hygiene. And last, from a physical security perspective, it is usually easier to break into houses than to offices.
To handle this BYOD and remote work trend, endpoint security should be enforced to protect the organization owned devices as much as possible. Still, it has to be combined with a zero-trust approach, multi-factor-authentication (MFA), and training (log out from organization accounts on devices, etc.).
“Traditional” Organization Network
There is a massive increase in organizations’ network usage due to employees working remotely. Organizations need to enable this increase and to ensure service availability.
- Connectivity: Make sure internet connectivity is sufficient to handle the influx of new traffic. Consider having a second \ redundant ISP.
- Denial of service protection: When the entire workforce is remote, a DDoS attack is more than taking down a public-facing site; it’s also preventing the workforce, as a whole, from working. The cost of such attacks is a lot higher, and as a result, the risk (calculated by the probability multiplied by the loss) is a lot bigger. Indeed, we saw a significant increase in DDoS attacks in March compared to January-February of 2020. Companies need to make sure they have proper protection for DDoS attacks.
- Infrastructure: Make sure the infrastructure can support more traffic – routers, ADCs, firewalls, either on-prem or in the cloud. The infrastructure should be protected from DDoS attacks to ensure availability.
- VPNs: With the increase of VPN traffic, make sure the VPN solution can handle the new surge in usage.
- Applications: Ensure enough server capacity to handle new requests – expand the server capacity either on-prem or in the cloud, while controlling cloud cost and securing the cloud deployment. Applications should be protected by a WAF to ensure availability.
- Visibility: Maintain performance monitoring and SLA measurements to detect problems before they impact real users.
- Authentication and identity services: These services also experience an increase in capacity and importance – it is now even more critical to prove your identity when you cannot meet face to face.
New Services in Times of Crisis
When the world is changing, our technology needs change with it. New features are added to products, new sub-portals are added to portals, and the changes need to happen ASAP – every day counts.
In parallel, the workforce is remote and is, in general, less physically available than before. It is important to remember that while rushing to the release of a new version or feature, one cannot overlook cybersecurity aspects. The risks are high when trying to finish things quickly, and we have to control the rush of the version release and take (even a little) time to consider where things can go wrong and prevent them from getting there early in the development process.
To summarize, many things have changed in the last few months, including the way we work and consume our internet traffic. The cybersecurity industry should react to these changes in order to continue securing organizations and their people. On top of the reaction aspects, the changes should also start a discussion of longer-term strategic moves, which will be the subject of my next post.