Hackers love chaos because it presents new opportunities for exploit and COVID-19 is no exception. Companies everywhere have rushed to provide work from home remote access to practice sheltering in place.
This confusion gives criminals the perfect set of ingredients needed for a successful hacking recipe.
Krebs On Security published a scheme based on a legitimate interactive dashboard of Coronavirus infections produced by John Hopkins University.
A Russian language cybercrime forum is using this to sell a kit for $200 to use in phishing emails. When unsuspecting victims click on a fake map, they are infected with a password-stealing malware.
It’s certainly interesting to read about these scams that use tools like AZORult to steal credentials. However, this is just your standard phishing attack.
A bad guy sends you an email, if they are good it peaks your interest, you get tricked to click on something and they steal from you. Obvious moral to this story – be careful on what you click.
This article started talking about COVID-19 presenting new opportunities to exploit, as it relates to work from home. The new opportunity is the massive increase of work from home employees using remote access technologies. This creates a big security hole, as both workers and IT are working with new processes.
Remote access is nothing new for your average IT person but rolling out a work from home strategy to the entire workforce in a week is.
To complicate matters is the whole issue that most workers have never worked from home.
Common everyday tools like email, phone, the software used to manage customers – just work differently when not sitting at your everyday desk. Every work from the home users can attest to this.
This most common work from home access is generally provided using a combination of 3methods:
- VPN access
- Web applications
- Laptops and virtual desktops
All companies have firewalls that can provide a VPN (virtual private network) access. Simply purchase licenses, have users install a special client or go to a URL like vpn.yourcompany.com and workers have access to the network.
The beauty of cloud apps like Office365, Salesforce, Dropbox, etc. is they can be accessed from anywhere. Go to the website and workers are ready to do their job.
There are an unlimited number of legacy apps that need to be loaded upon an actual Windows or Mac operating system.
Shipping home a laptop is a very logical thought – that’s what they were made for. To save on a laptop is a perfect use case for VDI (virtual desktop infrastructure) solutions by Microsoft, Google, VMware, Citrix, AWS, etc. to prove web browser access to a desktop.
These are all great solutions and are quick and easy. Each has security concerns but there is a massive commonality across all of them.
Full access to corporate data is granted from anywhere and ONLY protected by a password.
To make matters worse, outside of the laptop, workers are accessing from a home machine that is questionably secure at best – meaning there is probably malware on it stealing passwords.
By and far, the best way to ensure only the right person is accessing these resources – is the use of MFA (multi-factor authentication).
In addition to a username and password, an additional factor of authentication such as a mobile app push notification, text message, email or phone call is used. This measure alone makes all of the stolen, weak and default passwords outlined by Verizon DBIR as the number 1 method of attack almost worthless.
While a seemingly commonsense measure, MFA is often overlooked. While many small and mid-sized companies often lack strong security programs, that is not an excuse. Adding MFA as COVID-19 spikes demand for remote access needs to be the top security priority. Hackers will quickly discover those vulnerable and will strike.
Author: Brian Krause
Brian leads Idaptive’s Channels Team. He spends his time working with IT leaders and technology partners to build identity practices, to serve the complex needs of a rapidly transforming business environment.