The old rule books aren’t holding up. Coronavirus has changed, and continues to shake, every aspect of our private and professional lives - in both the real and digital worlds.
Cyber criminals know this and they are taking advantage. To understand the latest tactics, attack vectors and scams that are being aimed at us, BCS discussed:
- How coronavirus is changing the cyber security threat landscape.
- How we can turn this threat intelligence into actionable defensive tactics and policies.
Our experts were:
- David Emm, Senior Security Researcher - Kaspersky Lab.
- Mike Sheward, Senior Security and Compliance Engineer - Particle.
The recent webinar ‘Cyber Security in a COVID-19 world’ forms part of the BCS #vITalworker campaign to celebrate friends and colleagues who are keeping us all connected.
1. The problem: Phishing - new ways to be evil
Bad actors are always quick to adapt and, unsurprisingly, they have seized on the coronavirus crisis as fuel for phishing attacks. According to Google, scammers are sending 18 million hoax emails about COVID-19 to Gmail users alone.
‘These guys are always on the lookout for a hook,’ says Emm. ‘They’re trying to lure us. It could be sporting events like the Olympics, natural disasters… it could be peak shopping times. Anything… at the moment they have a great hook [in COVID-19] and the hook is going to be around for a long time.’
‘One statistic I’ve seen is a 350% increase in phishing directly related to coronavirus - this is significant,’ says Sheward. ‘And, as we speak, 80 million people in the US are about to get their stimulus cheques. Any time there’s an exchange of money - particularly through a government process - it becomes an obvious target for cyber criminals and scam artists.’
From a personal perspective, it’s key that we all understand what phishing is and how it works. As BCS members, we often fall into the natural role of providing tech support for friends and relatives who might be vulnerable. Gently explain to them what phishing is and how it might work via emails:
- Stories have power and criminals know this. They use timely and often emotionally charged messages in the hope of making us do something - maybe download, buy or click on something.
- Generally, never open an email from somebody you don’t know or from somebody with whom you have never had previous dealings.
- Your bank will never email you asking for your account details or logins. Nor will it ever telephone you to confirm them. If you want to transact with your bank, instigate the transaction yourself - via a telephone number that’s been provided to you through official means (not by a recent telephone call or email).
- If something sounds too good to be true, it probably is.
The corporate solution
Along with using phishing attacks to dupe and exploit individuals, criminals also level this kind of attack against corporations and organisations.
‘Tricking individuals into doing something that jeopardises corporate security has always been a common first step for launching an attack,’ David Emm says.
Continuing, Sheward explains: ‘A lot of cyber security comes down to the human element… People are distracted… the coronavirus is a very distracting thing. That will translate itself into cyber risks fairly readily. People might not want to rock the boat and raise issues that they might otherwise.’
As such, Sheward encourages IT support and security teams to be very visible, engaging and very human. If they are, people will feel more comfortable approaching them.
‘Security teams need to be super human,’ he says. ‘We need to understand that people are having an emotional time out there. Through a bit more outreach and engaging with people, we can maintain those good relationships that help us respond and detect. You can’t run a security team without trust.’
2. The problem: More viruses
Emm is keen to draw a hard line of distinction between computer viruses and human viruses, but feels there are clear parallels and, of course, the security community can learn from the medical world. Computer viruses, like their biological namesakes, need a host and they also need a means of transmission. Phishing and social engineering are common means of transmitting them.
You might, for example, receive an email with an attachment marked ‘urgent’, says the host of the webinar, Brian Runciman. That PDF or Excel file will carry a malicious payload and, when opened, it will begin infecting your computer and carrying out whatever the malware was programmed to do.
Emm says: ‘We’ve seen malicious applications masquerading as group meeting applications such as Zoom and Webex… we’re seeing documents redirect us to spoofed websites.’
The defences against phishing which we’ve discussed above will help home users and corporate workers alike spot emails and direct messages that could be designed to make us launch malware. Be very sceptical about emails with attachments sent by people you’ve never heard of.
If in doubt, contact your IT department.
Other defences against malware are:
- Use antivirus software and keep it updated. If you work for a big company with an IT department, it will likely do this remotely. For smaller organisations, free and paid-for antivirus software is readily available.
- Keep your devices and key software updated and only download updates from reputable sources. Again, your IT department is likely to do this for you remotely. If you work alone, your hardware and software manufacturers will publish details.
3. The problem: Remote working
‘Lots of organisations have to pivot and get remote working in place quickly,’ Sheward says. ‘That has meant changes to infrastructure to facilitate that. Criminals know this, they understand this and they are using this as part of any other ongoing attack.’
He continues: ‘A lot of organisations lost their baseline network visibility overnight. People have gone from working within the confines of a traditional corporate network to working remotely. So, we can expect [criminals] to take advantage of that lack of visibility.’
‘Criminals realise that, if there isn’t the process there to manage home working, there’s potential for rich pickings,’ says Emm.
VPNs and access control are also a focus for criminals, Emm says. ‘There’s been an increase in attempts to trick help desks and support desks into providing access to people who may not otherwise need it or might be the right people to have that access.’
Remote working provides many opportunities for businesses and workers alike. This radical shift in working has also handed criminals many new opportunities. Our experts’ advice can be summed up as follows:
- Update your operating system
- Update the applications that you use regularly
- Don’t use the same passwords on different services
- Use security software like antivirus and a firewall
- Develop a ‘default deny’ process - only let authorised applications run
- Backup data and store the backups in a place physically removed from your work computers and network
- Don’t give out admin rights. Give people sufficient access rights to data and infrastructure to do their job. And give them no more. This reduces an attack’s ability to do damage.
- Develop a wider security culture. Phishing and social engineering are successful. Technical solutions can only go so far - these are attacks on human behaviour.
‘These things are like home security,’ Emm concludes: ‘They’re like deadbolts, locks on the windows and burglar alarms. They don’t mean I’m impregnable but they do mean I’ve raised the bar significantly for somebody looking to burgle my house.’
A second conclusion: Mindfulness stops cyber criminals
These are incredibly difficult times, and fast-changing times. We all want to feel connected and productive, and we want to contribute. But take time to think about how you’re working and the decisions you’re making.
If you do, you’ll likely make better security decisions and better business decisions, and slowing down will likely aid your own health and mental wellbeing too. If you know a cyber security professional who is doing invaluable work right now, nominate them in the BCS #vITalworker campaign.