Coronavirus Work-from-Home Response A Boon for Cybercriminal Exploitation
Here are some of the key issues of which law firms and companies need to be aware and steps that should be considered to minimize the risk to keep everyone — and client data — safe.
March 13, 2020 at 05:14 PM
9 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Companies determined to protect their employees and minimize the impact of COVID-19 are enforcing travel restrictions and strong work-from-home policies. Those same measures can be turned against employees, because many firms are unprepared for the criminal appetite for exploiting a suddenly remote workforce.
What You Don't Know Can Hurt You
When we are unaware of a risk, we take no precautions against it.
Criminals are willing to kick you while you're down, and we are seeing evidence of this now. For example, a Coronavirus-themed phishing email is targeting healthcare workers. The message, purporting to come from the recipient's IT team and carrying the subject line "ALL STAFF: CORONAVIRUS AWARENESS", informs employees that "the institution is currently organizing a seminar for all staff to talk about this deadly virus" and urges them to click a link to register. In one case, a Czech hospital was shuttered after a Coronavirus-themed attack.
TechRadar reports that fraudulent outbreak maps are being used to lure unwitting victims and then deliver malware through well-tested tactics. Threatpost is reporting two Coronavirus-themed campaigns that use PDF and Microsoft Word documents to deploy remote access tools (RATs), clipboard copying, keystroke logging, desktop screen capture and a cornucopia of other malware. Check Point discovered another Coronavirus-themed campaign, targeting Japan, that delivers Emotet, the reigning champion of credential harvesting.
This is nothing new. It is a well-rehearsed playbook that exploits the chaos and fear caused by major storms and other natural disasters. eSentire reported a similar pattern in late 2012 and early 2013, during and after the chaos Hurricane Sandy caused in New York. In the weeks around the storm, client traffic dropped by up to 30%, while malware and other malicious traffic increased by roughly the same percentage.
Using Your Own Tools Against You
As workforces take up social distancing and shelter at home, the risk of attacks against corporate remote access systems goes up. Criminals target employees to harvest their VPN credentials, which serve as a backstage pass to corporate assets.
VPN credentials grant what looks like legitimate access to remote administration tools, such as PowerShell remoting and Microsoft Remote Desktop Protocol (RDP). These tools are the keys to the kingdom and a preferred vector for criminal exploits. Examined closely, the difference between legitimate admin activity and malicious behavior is obvious. But to the naked eye it often goes unchecked, and is only discovered once the cyber event metastasizes and the crippling symptoms emerge.
Steps to Securely Enable Your Teams to Work Effectively from Home
There are specific controls and practices that firms should put in place to protect themselves during times of chaos and uncertainty:
Revisit Your Business Continuity Plans
Every company should have a business continuity plan (BCP) designed to minimize the impact of a prolonged power outage, major storm, pandemic or IT system failure. The point is to know where the emergency exits are located, and the gathering point outside the building before someone pulls the fire alarm. Your plan should include contingencies to provide uninterrupted service through a secured, remote workforce. Ask yourself if you can secure a distributed workforce to the same level you can within the confines of your firewall.
Keep Your Employees Informed
The easiest way to minimize risk is to keep your employees informed of Coronavirus-related scams, phishing schemes and fraudulent websites. When it comes to best practices, your employees should be getting their information from you in a transparent fashion, and not social media sites like Facebook or other potential sources of misinformation or exploitation.
Firms should publish weekly updates that reinforce company policies, security protocols and clear lines of communication. Employees should also have a mechanism through which they can safely report suspicious activity, such as questionable emails.
Use Protected and Trusted Internet Connections
Firms should prohibit working from public places, such as coffee shops or public transportation, where third parties can view screens and printed documents. Laptops should always be deployed with privacy screens. Employees should connect only to trusted, password-protected internet connections, such as home Wi-Fi, and avoid public hotspots, which can be spoofed.
Use a VPN to Protect Remote Connections
This goes without saying. Data at rest (stored on a drive) should be encrypted, and all connections should be encrypted with a Virtual Private Network (VPN). This is table stakes in any cybersecurity protocol. In businesses with an established remote workforce, using a VPN is common practice. For businesses built around traditional office arrangements, it may be less familiar. Ensure your workforce is trained and understands how to use the VPN properly, and remember that a VPN protects data in transit but does nothing to stop an attacker who holds a valid set of credentials.
Enforce Multi-Factor Authentication
While a VPN provides a layer of security, credential harvesting is an easy way for criminals to travel your safe corridors alongside legitimate employees. Multi-factor authentication (MFA) reduces the risk of a compromised VPN login. MFA requires a second proof of identity beyond the password, such as a one-time code from an authenticator app, a hardware token, or a code sent by text message (the weakest of these, since phone numbers can be hijacked). It doesn't eliminate the risk, but it certainly reduces it.
Disable Administrative Privileges
Criminals holding a legitimate VPN account use the firm's own remote administration tools to create new accounts with administrative rights. These avatars can then move freely through your network, access network infrastructure, deploy scripts and collectors on servers, and even disable security mechanisms.
Most employees do not require administrative rights. What's worse, it's often senior management or rainmakers who are granted full rights and privileges — and they are the ones with access to the most valuable information. It's counterintuitive from a security perspective. So disable them. Or at least consider suspending administrative access.
For IT managers and team members who do require administrative rights, consider two controls. First, never use first.last naming for accounts with administrative powers; such usernames are easy to derive from public information like LinkedIn. An IT employee should instead have multiple accounts: perhaps a first.last account for normal employee activities and communications, and a separate, less predictable account used only for administrative work.
The second, more advanced, control is Privileged Access Management (PAM), which provides limited, expiring access to specific systems. An IT employee is granted administrative rights to a critical system for a specific, documented purpose that must be completed within a fixed period of time, and a senior employee validates and authorizes the work in a logged system. This makes hijacking remote access extremely difficult for criminals.
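As an added illustration, not code from the article or from eSentire, the following Python script applies the three ideas in this section to a handful of constructed, Windows Security style event records: it flags an account that creates a new user and then adds it to a privileged group, flags privileged-group changes made outside an approved PAM-style time window, and flags accounts with administrative powers whose names follow the first.last pattern. The field names, the sample events, the grant list and the ticket number are assumptions made for the example; event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are the real Windows IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real logs), loosely modelled on Windows
# Security events. 4720 = user account created, 4732 = member added to a
# security-enabled local group. Field names are this example's own.
EVENTS = [
    {"time": "2020-03-13T09:12:10", "id": 4720, "subject": "jane.doe", "target": "svc-backup2"},
    {"time": "2020-03-13T09:13:05", "id": 4732, "subject": "jane.doe", "target": "svc-backup2",
     "group": "Administrators"},
    {"time": "2020-03-13T10:30:00", "id": 4732, "subject": "it-adm-k7q2", "target": "deploy-ops",
     "group": "Administrators"},
    {"time": "2020-03-13T14:05:00", "id": 4732, "subject": "it-adm-k7q2", "target": "bob.smith",
     "group": "Administrators"},
    {"time": "2020-03-13T15:00:00", "id": 4732, "subject": "pat.lee", "target": "pat.lee",
     "group": "Remote Desktop Users"},
]

# Constructed PAM-style grants: which admin account may make privileged
# changes, under which (hypothetical) change ticket, and during which window.
GRANTS = [
    {"account": "it-adm-k7q2", "ticket": "CHG-1042",
     "start": "2020-03-13T10:00:00", "end": "2020-03-13T12:00:00"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
FIRST_LAST = re.compile(r"^[a-z]+\.[a-z]+$")


def ts(s):
    return datetime.fromisoformat(s)


def is_privileged_add(e):
    return e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS


def self_provisioned_admins(events, window=timedelta(hours=1)):
    """(subject, target) pairs where subject created target and, within
    `window`, added it to a privileged group: the 'new admin avatar' pattern."""
    created = {}  # (subject, target) -> creation time
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4720:
            created[(e["subject"], e["target"])] = ts(e["time"])
        elif is_privileged_add(e):
            t0 = created.get((e["subject"], e["target"]))
            if t0 is not None and ts(e["time"]) - t0 <= window:
                hits.append((e["subject"], e["target"]))
    return hits


def unapproved_privileged_changes(events, grants):
    """Privileged-group additions with no grant covering the subject at that
    moment. A grant that expired two hours earlier does not count."""
    out = []
    for e in events:
        if not is_privileged_add(e):
            continue
        when = ts(e["time"])
        approved = any(g["account"] == e["subject"] and ts(g["start"]) <= when <= ts(g["end"])
                       for g in grants)
        if not approved:
            out.append((e["time"], e["subject"], e["target"]))
    return out


def guessable_admin_names(events):
    """Accounts that wield or receive privileged-group rights and whose name
    follows first.last, i.e. is easy to derive from a LinkedIn profile."""
    names = set()
    for e in events:
        if is_privileged_add(e):
            for name in (e["subject"], e["target"]):
                if FIRST_LAST.match(name):
                    names.add(name)
    return sorted(names)


def audit(events, grants):
    return {
        "self_provisioned": self_provisioned_admins(events),
        "unapproved": unapproved_privileged_changes(events, grants),
        "guessable_names": guessable_admin_names(events),
    }


if __name__ == "__main__":
    for finding, items in audit(EVENTS, GRANTS).items():
        print(finding, items)
```

In a real deployment the event list would come from the domain controllers' Security logs (for example via a SIEM query on the two event IDs) and the grant list from the PAM product's approval records; the logic itself does not change.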
Protect Your Endpoints
Many firms rely on a flawed security architecture when it comes to remote workers. Most are well protected within the confines of their office spaces, but their mobile endpoints, such as laptops and smartphones, are only protected while inside the firewall. Remember, many attacks use zero-day malware that signatures have not yet caught, or non-malware techniques (such as misuse of hijacked VPN credentials) that evade traditional antivirus altogether.
For this reason, many firms deploy endpoint protection platforms (EPP) and endpoint detection and response (EDR). These systems provide additional layers of detection, local forensics to determine impact, and containment through device isolation. In essence, EPP and EDR extend your protective cloak from the core network to mobile devices, and offer a way to respond to a threat while the device remains quarantined.
Manage BYOD Devices
If you allow personal devices, consider limiting access to critical systems from those devices, or deploying enterprise mobility management (EMM) or mobile device management (MDM) tools that provide layers of control to minimize access from personal devices and enforce security controls on the devices themselves. And require employee devices to be running the latest manufacturer software updates before permitting access to any remote systems. It's good hygiene.
Consider Running a COVID-19 Exercise
The biggest challenge IT leaders face is getting the C-suite and managing partners to understand the risks and challenges raised by cyber threats that leverage the confusion and fear around the Coronavirus outbreak. One of the best ways to gain aligned mindshare is to run a tabletop simulation. The point is to face the worst-case scenarios in a safe environment, and build consensus around a proactive and ethical response. For example, run an exercise in which a key employee tests positive for COVID-19 after meeting with their team and clients in face-to-face meetings. Consider quarantine, exposure risks, and the specifics of communication with employees and customers.
Beyond Coronavirus
Digital transformation is dominated by nebulous perimeters, distributed workforces, global connections, artificial intelligence-driven decision-making and critical systems moving to the public cloud, and these changes are only going to increase in speed and complexity. The Coronavirus serves as a warning of a much larger issue.
As we enable a distributed workforce, we must weigh the risks against the rewards. We must remember that criminal elements are willing to exploit the chaos of a global event, or even the confusion around the deployment of new technology.
Like all disasters and major global events, Coronavirus will pass. Let's use this event as a call to arms and ensure we are prepared for a world of distributed workforces, always-connected systems and critical assets stored outside the confines of our traditional security walls.
*****
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves on our Board of Editors and as a member of the LegalSec Council with the International Legal Technology Association (ILTA). Look for Mark's new book, "No Safe Harbour: The Inside Truth About Cybercrime, and How to Protect Your Business," coming this Fall. He can be reached at [email protected].
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.