Before the coronavirus pandemic hit, cybersecurity felt somewhat like “protecting the castle.”
Now, as Daniel Desko, cybersecurity and IT risk advisory shareholder at Schneider Downs & Co. Inc., puts it, “there is no more castle.”
Since COVID-19 arrived in Pittsburgh, with both small businesses and large corporations moving to remote operations, cybersecurity professionals have encouraged local companies to be on heightened alert for attacks. With offices closed, employees are working from home offices, kitchen tables and couches dispersed across the city. For some companies, the transition was smooth. For others, it has been rocky.
“You have those who have done it before, and it’s a matter of scaling,” Brett Creasy, president and director of digital forensics at bit-x-bit LLC, said. “And then those who it is a brave new world for them.”
A vulnerable landscape
Working from home made visible the vulnerabilities in a business community unprepared for a shift of this magnitude.
Pittsburgh-based business management consultant Ceeva Inc. has seen record call volume in recent weeks. The company’s average calls per day jumped more than 300%. On the busiest days, Ceeva answered queries from more than 175 companies without full work-from-home plans in place.
Ceeva took its engineering staff out of the field, put projects on hold and turned its team into an all-hands-on-deck “giant service desk” for clients scrambling to get their businesses up and running virtually, said Rick Topping, vice president of technology for Ceeva.
Some businesses did not expect their virtual private networks (VPNs) to need to accommodate the capacity they now do. When those companies got their employees — sometimes in the thousands — access to VPN, employees found themselves using protocols and practices they were not familiar with.
Some workers can connect to home Wi-Fi networks, but typically don’t have the security features in place that office systems often do, according to Corey Bussard, director of cybersecurity practices as Blue Bastion, Ideal Integrations’ cybersecurity division.
Topping added that employees often don’t know or understand the details of their home networks, including the fact that cable internet is shared across a neighborhood.
It’s like “the wild, wild West” of machines joining networks with no protection mechanisms in place, Bussard said.
Adding to the list of ways remote work has created a landscape vulnerable to cybersecurity attacks, Topping included slow home networks and poor internet connectivity.
The list goes on. Creasy also cited young people leaving sensitive information in the gaze of roommates and home burglaries of unencrypted devices. And there’s also an increased use of mobile devices for work and sharing devices with family members and children.
“The surface-area risk has increased drastically, and you have a lot more things to be worried about securing than you did in the past,” Ideal Integrations CEO Michael Stratos said. As software vulnerabilities and employee confusion swirls through the business community, companies are simultaneously overwhelmed and distracted by the goal of getting their operations back up and running. And consultants are busy backfilling security measures for companies that did not have proper measures already in place.
“This environment is ripe for fraud, and cybercriminals are going to exploit everything they possibly can,” Matt LaVigna, president and CEO for the National Cyber Forensics & Training Alliance, said.
What to look out for
With COVID-19 silently and invisibly spreading, people are scared, worried and curious. LaVigna said that’s a perfect storm for cybercriminals.
“With any significant event, whether it’s a hurricane that results in hurricane relief funds or a public event like an election or something else that touches on human emotion, there is always heightened risk of criminals seeking to leverage that human emotion to commit crimes,” LaVigna said.
Cybercriminals lure people in through COVID-19-related campaigns, LaVigna said. They impersonate financial institutions, government agencies and health care officials, using websites and domains that look similar to those of legitimate organizations.
Sometimes they even feature logos, wording and formats to closely resemble the Centers for Disease Control and Prevention or the World Health Organization, said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, which has cybersecurity operations in Pittsburgh.
Cybercriminals launch attacks that mimic new incoming information. Through phishing, malware and spam email campaigns and ransomware attacks, they are looking to steal user names and passwords, breach data sources, compromise business emails and install malicious viruses.
These malicious emails and robocalls sometimes promote false claims of a coronavirus cure. Or they’re disguised as information regarding Paycheck Protection Program (PPP) documents and stimulus payments for businesses. Or they come in the form of fake notifications of positive COVID-19 cases in a certain area and fake emergency funds collecting money.
Desko said he saw one phishing campaign making its way around the internet that was designed to look like a coronavirus heat map developed by Johns Hopkins University.
“These coronavirus campaigns are effectively using social engineering to play into the fear, concerns and interest this pandemic has caused around the globe,” DeGrippo said. “People are more likely to make instinctive decisions about clicking a link or opening an attachment out of emotion, without proper vetting.”
Most of the cybercrimes being committed during the pandemic already existed in some fashion, but are, as Creasy put it, “on steroids right now.” However, there’s one form of attack made increasingly more popular by the coronavirus — Zoom-bombing.
Zoom-bombing — named after the video and telephone conferencing app that is being used much more as people are quarantined and social distancing — is when uninvited people disrupt video meetings or online classrooms with pornographic, hateful, threatening or otherwise inappropriate images and speech.
U.S. Attorney Scott Brady and Pennsylvania Attorney General Josh Shapiro put out a news release earlier this month saying the Western Pennsylvania COVID-19 Fraud Task Force will investigate and prosecute those caught hacking into video and telephone conferences.
“It’s a real payday for cybercriminals because they rely on chaos,” said John Hudson, cybersecurity practice director at Plus Consulting.
How to respond
When it comes to responding to these threats, cybersecurity professionals have a long list of advice.
Employee training is the first line of defense.
“If we are not training them, we are leaving a lot on the table no matter how much technology and consulting you have in place,” Hudson said.
DeGrippo suggested that individuals working from home don’t use the same password for multiple accounts and change the default password on their home Wi-Fi routers.
LaVigna said he encourages businesses to vary their communications. While emails work for the exchange of some information, also consider using an internal chat program and phone calls. And while it might be more inconvenient than calling out to an adjacent cubicle, he said it’s a good idea to call a colleague to verify any suspicious email before clicking on links or downloading attachments.
At bare minimum, most companies should now be using VPNs and two-factor authentication, Topping said. While logging in and out and taking these extra measures may feel tedious and time consuming, Topping said they are vital.
“The easier we make it, the less secure it is,” Topping said. “You have to play both sides of the card. You have to make it secure, but you have to make it accessible to the user.”
When using video conferencing tools like Zoom and Microsoft Teams, Seth Fosmire, senior sales executive at Ceeva, advised people not to screenshare. The screensharing function allows all the people on a call to see an employee’s open tabs and documents or emails and pop-up notifications, which can range from awkward to dangerous. Rather, Fosmire said people can use specific functions to only share a PowerPoint presentation, for example.
Desko said companies should think about hardware, too. With work distributed devices, he said companies should be aware of the antimalware programs installed on those distributed end-point computers. For those with a work-distributed laptop, don’t use it to order groceries or stream movies, he said.
When it comes to Zoom-bombing, Shapiro offered advice in the news release — make all meetings and classrooms private, with a password and waiting room feature, and don’t share links to meetings on social media or other public platforms.
If companies with employees working remotely do have time to “take a breath” at this point in the transition, Fosmire said, it’s smart to have an unbiased third party do vulnerability testing on company systems to find what needs fixing before cybercriminals do.
Scott Christensen, cyber practice director at GrayMatter, said just one of these fixes will not solve the problem. Rather, companies need to adopt “defense in depth” strategies that highlight overlapping technologies.
Hudson agreed, but pointed out that for overwhelmed companies feeling like they’re trying to do everything right now, prioritize the information that would really hurt the company to lose, and protect that first.
What all cybersecurity professionals agreed upon is the wake-up call the coronavirus pandemic has been for the need for practiced business continuity plans and incident response plans.
“This could happen again next year,” Hudson said. “And if it happens again next year, there should be a blueprint in place to say we know how to do this in a secure manner.”
Staying cybersafe working at home
Advice and strategies from cybersecurity experts:
• Don’t use the same passwords for multiple accounts, and consider using a password manager.
• Call colleagues to verify they sent emails with suspicious links or attachments.
• Change the default password on your home Wi-Fi router.
• Don’t use the screensharing function on video conference calls.
• Use two-factor authentication wherever possible.
• Try to designate a device for only work, if possible.
• Don’t share links to video conference meetings in a public space.
• Have a third party do vulnerability testing on your system.