A huge increase in cyberthreats spawned by the coronavirus pandemic — combined with mass remote working and many others idled at home — is threatening the security of digital data and communications.
What happens when practically everyone on the planet is suddenly told to stay home, all depending on their digital connections to the outside world? And what happens when many are working remotely for the first time, with little or no preparation for securing their computers, networks, and equipment connected to the enterprise?
It’s “perhaps the fastest, starkest change to working patterns around the world in living memory,” as Check Point Software Technologies put it in a recent blog.
Those affected include engineers and IT managers, government employees and intelligence service workers, as well as consumers and cybersecurity professionals. And the surge is occurring on a scale not seen before.
Covid-19-related threats growing
Bad actors of all kinds are taking advantage of the upheavals and uncertainties caused by the coronavirus.
In March, SpyMax Android surveillanceware was found disguised as a legitimate coronavirus tracker app created by Johns Hopkins University. The real tracker app shows the spread of Covid-19 throughout the world, and within countries, updated hourly. But the spyware pretending to be this app actually keeps track of users’ phone data and text messages, and can modify settings, record audio, and operate the camera.
A different Android coronavirus-tracking app, also discovered in March, contained CovidLock ransomware that locked users’ phones and threatened to erase all data unless users paid $100 in bitcoin.
Similar to the notorious NotPetya malware in operation, Windows “Coronavirus” malware bricks a computer by overwriting its master boot record. Discovered by SonicWall Capture Labs’ Threat Research Team, this destructive trojan is delivered via email attachment, fake app, or file download.
Those working on the front lines to cope with the pandemic are not being spared. In an attack apparently designed to spread misinformation and disrupt its ability to respond, the U.S. Department of Health and Human Services was hacked last month. Although the agency suffered a distributed-denial-of-service (DDoS) attack, its operations were not disrupted.
A Czech hospital in the middle of a Covid-19 outbreak was hit by a cyberattack, and a biotech company doing coronavirus-related research suffered a ransomware attack and theft of company data. In another ransomware attack, data was stolen from a British Covid-19 vaccine test center and posted online.
Remote workers under attack
Coronavirus-related cyberattacks affect both the public and private sectors: remote workers at federal agencies are also targets. NASA employees, for example, have experienced “significant” increases in cyberattacks, including a doubling of email phishing attempts and an “exponential increase” in malware attacks on NASA systems.
With millions of people sheltering in place and telecommuting, the massive increase in endpoints has vastly expanded the attack surface. IT departments are faced with suddenly having to provide the same levels of security for remote workers in the home environment as they do in the enterprise environment. But their ability to control the security of data, equipment, and lines of communication has been reduced while the number of unknown vulnerabilities has risen.
Check Point Software Technologies and Dimensional Research surveyed over 400 IT and cybersecurity professionals in companies with 500-plus employees. The results are “sobering,” they report. The three biggest challenges caused by the jump in home workers are providing secure remote access, the need for remote access scalable solutions, and the use of untested software, tools, and services. Since the beginning of the Covid-19 outbreak, 71% have seen an increase in attacks or threats, including phishing, fake coronavirus advice websites, malware, and ransomware.
Cybersecurity researchers Cybereason Nocturnus have tracked the increase and variety of several different types of related attacks, including phishing, fake ransomware called “scareware,” and fake apps aimed at the growing number of home workers. These include malware disguised as VPN installers, and malicious coronavirus-recovery mobile apps claiming to originate with the World Health Organization.
These attacks and schemes have increased so fast that the FBI issued a Public Service Announcement about them in March, giving consumers detailed descriptions and instructions for reporting. As Covid-19-related ransomware and malware incidents mounted, a few weeks later the U.S. Department of Homeland Security (DHS)’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre issued a joint advisory detailing the increases, along with mitigation methods and resources.
Specific small office and home office hardware has also been targeted. In DNS-hijacking attacks against D-Link and Linksys routers, users were redirected to sites offering fake coronavirus information apps. Downloading them installed malware that stole user data, specifically the routers’ admin-level passwords.
Connections between home offices and enterprise networks, often used for video meetings, have vastly multiplied. The National Institute of Standards and Technology (NIST) has issued a set of guidelines for securely conducting virtual meetings.
The security problems that led school districts, Google, and several national governments to ban the Zoom platform for remote conferencing, which Zoom has been addressing, illustrate the difficulty of sudden scaling, a problem that has also affected VPNs and other distance communication platforms.
Enormously increased internet traffic also means that monitoring it all has become a big challenge for intelligence services. The fact that their own employees are working remotely may mean their security isn’t guaranteed, so those workers can’t always access the most sensitive data needed for intelligence gathering.
Newer data protection technologies
There are many solutions already available for securing networks, endpoint devices, and data, but not all of them are designed for handling large numbers of remote workers. Employees who must now access critical infrastructure—such as industrial control systems (ICSs) and operational technology (OT) networks—in large numbers from home need especially secure connections and data protection.
Several organizations are offering free cybersecurity tools and resources for enterprises with distance employees. A recent SecurityWeek article curates a substantial list of these.
Some newer solutions that specifically address the increase in remote workers include those from Dispel, Active Cypher, and Keyavi Data.
Dispel and Red Trident are partnering to bring an affordable, secure solution that can be quickly and easily deployed for remote access to ICS networks. Red Trident provides custom cybersecurity solutions for critical infrastructure, while Dispel provides remote access to ICSs. The partners’ solution can be deployed in four to six hours, the companies claim.
Dispel’s remote access platform uses a novel technology: a virtual infrastructure lets operators create and destroy access pathways over the Internet, between authorized users and target systems such as water and power plant equipment. This rapid, secure, remote access is done using Moving Target Defense (MTD) algorithms, Dispel CEO and co-founder Ethan Schmertzler told EE Times.
Applied to networks, MTD utilizes the Internet’s billions of IP addresses. A user is authorized to connect via a virtual machine (VM), which creates a temporary access “tunnel” that exists for only a short period of time, so there’s no fixed address for hackers to find. After use, that particular infrastructure is destroyed, and never used again. Also, the interior network architecture of each VM changes every time. User access can be controlled at both the application and network layers. Dispel’s implementation uses independently generated keys and two layers of AES-256-CBC encryption.
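As an added illustration of the layering described above, not code from Dispel or the original article, the following Go program wraps a message in two AES-256-CBC layers under independently generated keys, so that peeling only the outer layer still leaves AES ciphertext. Key handling, padding, and the Seal/Open names are assumptions for this example; how Dispel actually derives or distributes its keys is not described on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// NewKey draws a fresh 32-byte AES-256 key from the OS CSPRNG; each layer gets its own.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// cbcEncrypt returns iv||ciphertext with PKCS#7 padding under the given key.
func cbcEncrypt(key, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(blk, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// cbcDecrypt reverses cbcEncrypt and rejects malformed length or padding.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 { return nil, errors.New("bad ciphertext length") }
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) { return nil, errors.New("bad padding") }
	return pt[:len(pt)-n], nil
}

// Seal applies the inner layer first, then the outer layer over the inner ciphertext.
func Seal(inner, outer, pt []byte) ([]byte, error) {
	c1, err := cbcEncrypt(inner, pt)
	if err != nil { return nil, err }
	return cbcEncrypt(outer, c1)
}

// Open needs both keys; a party holding only the outer key recovers nothing but ciphertext.
func Open(inner, outer, ct []byte) ([]byte, error) {
	c1, err := cbcDecrypt(outer, ct)
	if err != nil { return nil, err }
	return cbcDecrypt(inner, c1)
}
```

CBC on its own provides confidentiality but no integrity, so a production tunnel would also authenticate each layer (an HMAC over the ciphertext or an AEAD mode such as AES-GCM) rather than rely on padding checks to detect tampering.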
“Attackers must constantly expend effort to find a target network,” said Schmertzler. “If they do find one, we de-provision it and reprovision it somewhere else. But they’d have to invest enormous amounts of resources to go on finding them.”
The use of VMs also means that users and servers that don’t need to be linked, aren’t, and remain unaware of each other’s existence. “Our system puts a hard line between OT and IT networks, including two different tunnels for the VPN,” said Schmertzler.
In addition to security steps such as using VPNs and password managers, data should also be secured at the file level as a last line of defense for remote users connecting to the enterprise, according to security provider Active Cypher.
The dispersal of all or most employees outside the enterprise’s “security perimeter” causes file security problems similar to when an employee leaves a company. But now, during the pandemic, it’s happening all at once in high volumes, with millions of newly deployed, unsecured endpoints comprising personal laptops, routers, and Wi-Fi networks. By “moving the security perimeter to the file itself, the reliance on network firewalls and VPNs for this consideration is reduced or even eliminated,” Active Cypher said in a white paper.
The company provides AI-powered file security for cloud, hybrid, and multi-cloud networks, with infrastructure that was designed from the ground up for remote environments, CEO Mike Quinn told EE Times. Active Cypher’s File Fortress technology encrypts data wherever it resides: on a phone, in the cloud, on a desktop computer, on a server, or in a third-party environment. It also queries potential users about their identity, the device they’re using, and whether their certificate is correct and current. Encryption is available using either standard AES-256 or the company’s proprietary Quantum Encryption Standard.
“We can encrypt any file, anywhere, any time, forever,” said Quinn. “If I store a copy of my document, owned by the company I work for, and put it out on my iCloud—in an average business, that product belongs to the company. If I leave the company and that data is on my laptop, I can’t read that file anymore. The file knows what it is and how it’s encrypted and what its permissions are. On my laptop it’s now basically useless, a brick.”
For remote workers, no action is required on their part: a software agent operates in the background, automatically encrypting files on their device.
A medium-sized company with 10,000 to 15,000 users can deploy this solution in half a day, said Quinn. To help with the mass move toward remote work infrastructures, Active Cypher has offered existing and new clients free use of File Fortress for the duration of the Covid-19 lockdown.
Are VPNs On Their Way Out?
One of the newest solutions to security for remote workers comes from Keyavi Data. As we reported, instead of developing security measures against constantly changing data centers, endpoints, data flow, or data architecture, what if we could make data itself “self-intelligent, self-protective, and self-aware?” CEO Elliot Lewis suggested in an interview.
For every single file or group of files, Keyavi’s technology “wraps” the data in multiple, independent encryption layers. In contrast to data loss prevention (DLP) or other data protection methods, compromising any single layer triggers protection mechanisms in the other layers. The technology is API-, transport-, storage-, platform-, and application-agnostic.
Only when all permission parameters, set by the owner, are met can data be accessed. Access can be granted by location, including cities, streets, certain buildings or rooms; by specific individuals or groups; and for preset periods of time. Parameters can be immediately changed or revoked by the owner, so data stays under the owner’s control regardless of who possesses it or where it’s located.
For remote workers, admins can make sure each user is signed in at a remote home location. When the user is inside the house, that location becomes part of the company’s geofencing, said Lewis. These workers can then use their home devices and networks, and admins don’t have to worry anymore about the potential dangers of personal device use.
An off-the-record customer statement that Keyavi sent to EE Times notes that VPNs are designed for use by only about 15% of a company’s concurrent users, not 100% as they’re experiencing today because of the huge increase in remote workforces. This translates into more than five times the workload VPNs were designed to handle, and this demand will likely continue for the foreseeable future. Moreover, a VPN doesn’t really supply data protection: it supplies transport protection.
In addition to scaling issues that can occur when most of their now-remote users log on at once, VPNs have known vulnerabilities that are being targeted by malicious actors, and more continue to be found. Since they’re now being used 24/7, they’re also less likely to be updated and patched regularly. The problem is serious enough that the DHS’ CISA has issued Alert (AA20-073A) on enterprise VPN security, including guidelines for connecting to them from home offices.
As Keyavi’s customer points out, VPN and DLP are technologies created a decade or more ago. They were “never designed for situations where 100% of the workforce are working from home offices,” the customer wrote. “And while the pandemic will eventually subside, the realities and benefits of [a] remote workforce will remain in place.”
In addition to all the other changes and upheavals the pandemic has caused in our society, our health, and our economy, it may also be forcing us to find, and shift over to, new technology solutions even faster than we were planning to.