Recently we discussed NY DFS guidance to regulated entities warning of the heightened cyber risks resulting from COVID-19, as cyber criminals look to exploit the increase in remote work while many individuals are still adjusting to it. NY DFS based its guidance on earlier guidance released by the Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security (DHS) and the United Kingdom's National Cyber Security Centre (NCSC) (collectively, the “Cybersecurity Agencies”), which goes into greater detail about the most common types of attacks and ways of defending against them. We explore that guidance below and outline common attacks, mitigation strategies, and helpful resources.
The most common attacks seen by Cybersecurity Agencies during the COVID-19 crisis are designed to take advantage of the increase in remote work. Two common styles of attack organizations face are (1) phishing attacks, a form of social engineering that exploits the human link in the chain, and (2) technical exploits, which rely on newly deployed or stressed telework infrastructure.
Phishing attacks, in which an attacker contacts users by email, SMS or other means and uses that communication to obtain sensitive information or account credentials, have recently expanded to leverage the COVID-19 crisis. As explained in the Cybersecurity Agencies’ guidance, recent phishing emails have used subject lines such as: “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).” In addition to email phishing, SMS-based phishing attacks are disguising themselves as public health warnings. These messages often include links to fake websites that solicit personal financial information under the guise of providing COVID-19 related financial relief.
Mitigating phishing attacks requires a focus on personnel communication and training. Because these attacks have changed little over time, a number of older resources remain relevant today, such as this security tip from CISA in 2009, which lays out the basics of avoiding phishing and other social engineering attacks. In short, it is important to build a robust system that allows users to report suspicious emails or links and that conspicuously identifies emails from external sources. Communicate with and train users to be security aware so they can spot common phishing attacks. Regularly testing common “lures” by sending simulated phishing emails to your own user base also provides an opportunity to strengthen security. These test-run phishing emails help users become accustomed to the hallmarks of a suspicious email and put users in the habit of checking the URL of any link before they click.
Exploiting new telework infrastructure.
With the rise of telework, many organizations are quickly shifting substantial portions of their workforce online. This fire drill situation means a steep learning curve for organizations that would typically roll out a major telework program over time, and it provides new opportunities for attackers to take advantage of common mistakes and known exploits. Using brand name software and services is not a panacea against security risk. Commonly used telework platforms such as Citrix, Pulse Secure, Fortinet, and Palo Alto have been affected by ongoing security vulnerabilities that require active patching by your IT teams. Also, with the 127% increase in exposed Microsoft Remote Desktop Protocol (RDP) endpoints noted in the Cybersecurity Agencies’ guidance, attacks on the most commonly exploited RDP vulnerabilities are roaring back. Malicious attackers take advantage of known vulnerabilities and of the fact that many organizations have trouble keeping up with the pace of security updates.
Mitigating telework infrastructure vulnerabilities is more of a technical challenge for IT departments than the security awareness training used to mitigate phishing attacks. CISA’s alert on enterprise VPN security provides a starting point for organizations that are only now examining their security posture in light of the increase in telework during the COVID-19 crisis. To help organizations secure their myriad network devices, CISA released guidance in 2018 on how to secure network infrastructure devices, which are a common target for malicious actors.
With the rise in telework, malicious actors have found they have many new and old ways to attack formerly secure systems. By implementing reasonable security practices and policies, organizations can defend themselves against a wide range of attacks and increase their flexibility to keep working throughout this crisis and the next one. For example, to the extent they have not already been taken, the following action items are good first steps to help protect against the threats discussed above:
- add a conspicuous banner to the top of all incoming email messages that originate outside your organization;
- develop and communicate standard practices for dial-in, Zoom, Webex, Microsoft Teams, and similar remote meetings, including reminding users to always require a password and to ask attendees to identify themselves;
- revisit and strengthen processes for selecting third party services for sharing information and documentation within and outside the organization;
- as referenced in the CISA guidance, set up automatic filtering of known malicious domains; and
- send out guidance to users reminding them to pause and verify the identity of the person making a request before providing information or resources in response to an apparently urgent message. Remind users that phishing and other social engineering attacks prey on social dynamics, exploiting authority, urgency, emotion, and scarcity to discourage the recipient from stopping to check. See this NCSC guidance for more information.
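The first and fourth action items above (an external-sender banner and filtering of known malicious domains) are usually implemented at the mail gateway. The following is an added illustration of the logic involved; it is not code from the Cybersecurity Agencies’ guidance or from any particular product. The organization domain (example.com), the blocklist (using the reserved .invalid top-level domain) and the two sample messages are all constructed for the example.

```python
"""Mail-gateway style screening: tag mail that originates outside the
organization and hold mail that points at known malicious domains.
Added example; the domains and messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organization domain; subdomains (corp.example.com) count as internal.
INTERNAL_DOMAINS = {"example.com"}
# Constructed blocklist standing in for a threat-intelligence feed; .invalid is reserved.
MALICIOUS_DOMAINS = {"covid19-relief-payments.invalid", "health-alert-update.invalid"}
BANNER = "[EXTERNAL] "
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(from_header):
    """Domain of the RFC 5322 From address, lower-cased; '' if unparsable."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""


def is_internal(domain):
    # 'example.com.evil.invalid' must NOT match: the suffix check is on ".example.com".
    return _matches(domain, INTERNAL_DOMAINS)


def display_name_spoof(from_header):
    """External address whose display name shows an internal domain, e.g.
    "helpdesk@example.com" <x@mailer.invalid>, a common phishing trick."""
    name, _ = parseaddr(from_header or "")
    if is_internal(sender_domain(from_header)):
        return False
    return any(d in name.lower() for d in INTERNAL_DOMAINS)


def linked_hosts(body):
    """Hostnames of all http(s) URLs in a text body, in order, de-duplicated."""
    hosts = [urlparse(u).hostname for u in URL_RE.findall(body)]
    return list(dict.fromkeys(h.lower() for h in hosts if h))


def screen_message(raw):
    """Return the banner-tagged subject plus a deliver/quarantine verdict."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    subject = msg.get("Subject", "")
    if msg.is_multipart():
        body = "\n".join(
            str(p.get_payload(decode=True), p.get_content_charset() or "utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    domain = sender_domain(from_hdr)
    external = not is_internal(domain)
    if external and not subject.startswith(BANNER):
        subject = BANNER + subject
    blocked = [h for h in linked_hosts(body) if _matches(h, MALICIOUS_DOMAINS)]
    blocked_sender = _matches(domain, MALICIOUS_DOMAINS)
    return {
        "external": external,
        "subject": subject,
        "blocked_hosts": blocked,
        "blocked_sender": blocked_sender,
        "display_name_spoof": display_name_spoof(from_hdr),
        "verdict": "quarantine" if (blocked or blocked_sender) else "deliver",
    }


# Constructed sample messages, not real mail.
SAMPLE_PHISH = """From: "Payroll Team" <notice@health-alert-update.invalid>
To: staff@example.com
Subject: 2019-nCov: New confirmed cases in your City

Urgent: confirm your details at
http://covid19-relief-payments.invalid/claim?id=42 before 5pm today.
"""

SAMPLE_INTERNAL = """From: IT Helpdesk <helpdesk@corp.example.com>
To: staff@example.com
Subject: VPN maintenance window

Reconnect after 22:00 via https://vpn.example.com/ if your session drops.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_INTERNAL):
        print(screen_message(raw))
```

Two caveats for anyone adapting this. The internal/external decision trusts the From header, so a message that forges an internal address would pass untagged unless the gateway also enforces SPF, DKIM and DMARC on inbound mail. And a static blocklist only catches domains already known to be malicious; it complements, rather than replaces, the user reporting and training discussed above.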
Visit our COVID-19 Resource Center often for up-to-date information to help you stay informed of the legal issues related to COVID-19.