Cybersecurity Risks Increasing During COVID-19 Pandemic

By Aloke S. Chakravarty and James P. Melendres

With the efforts at reducing the rates of transmission created by the COVID-19 pandemic, where they are able, many employers are migrating to telecommuting and remote access options. With the increase in remote access to corporate servers, coupled with historic exploitation of crisis situations, companies should consider taking precautions with respect to current security threats and involving employees as the front line of cybersecurity. The federal government has issued guidance through the Federal Trade Commission (FTC) and reissued guidance from the National Institute for Standards and Technology (NIST) encouraging companies who are authorizing telework to: 1) expect cybersecurity threats and implement strong authentication, secure encrypted networks, and implement network segmentation and limited access controls; 2) develop a strong telework policy with a risk-based approach to access; 3) ensure remote access servers are adequately secured, and; 4) maintain current security standards on telework client devices. 

1. Cybercriminal activity increasing in wake of COVID-19

The Department of Justice (DOJ) has issued warnings that cyber criminals are ramping up attempts to exploit individuals and corporate networks during this time of heightened tension and atypical messaging.  The novelty of rampant closures and postponements of activities has led to a prevalence of email messages with unique titles and unique senders.  Because one of the favored and most successful cyberattack vectors is often through phishing campaigns intended to either deploy malware to a network or to steal user credentials, the current environment of concern is easily exploitable by malicious phishing attempts and misdirecting the public. In addition, criminals are creating specific fraudulent COVID-19 websites, apps and digital tools, which secretly deploy malware onto systems that navigate to them. In the wake of these concerns, companies can invest in robust email-filtering software, requiring mandatory training regarding phishing emails, as well as increasing testing and auditing.  In addition, companies may want to consider whether they have proper network segmentation, limited administrative access, and credential protocols, including multi-factor authentication and password management systems.

2. Remote access vulnerabilities

As employees resort to remotely accessing their company’s email and other networks, there are several risks that increase.  A compromised employee account could give a malicious actor access to one or more internal company networks.  This risk is pronounced if a new cohort of remote users have not been adequately trained or equipped to protect their credentials or to access the company’s network securely.  These concerns increase if the standard suite of security software and hardware is not deployed for companies who have a "bring your own device" (BYOD) policy. Companies should verify the security posture of personally-owned devices using a network access control solution. Two common techniques of remote-access include using a Virtual Private Network (VPN) to access a corporate network and the use of virtual desktop software, both of which are susceptible to malicious attacks.  During the rise of the COVID-19 pandemic, many cybersecurity professionals have observed attacker kits designed to exploit vulnerabilities in very popular remote access software. VPNs similarly are only effective if users are trained to use the VPN tunnel for all traffic, carefully manage credentials including by requiring multi-factor authentication, and ensuring secured Wi-Fi access.  Importantly, some VPNs have been known to be prone to pre- and post-authorization remote code exploits. Cybersecurity professionals may want to be vigilant in maintaining and examining VPN access logs, ensuring that there is adequate and prolific training within the organization, and revoking credentials until anomalies are adequately resolved.  

3. Existing threat environment was already widespread

The cybersecurity threats accompanying the COVID-19 pandemic are sad to be sure, but they come at a time when many cybercriminal organizations were getting more ruthless and persistent than they have ever been.  In the first quarter of 2020, cybersecurity professionals detected an uptick in cyber attacks on the private sector, many driven by traditional business email compromise and a prevalence of novel ransomware kits propagated through the so-called banking trojans, which work in tandem with polymorphic malware that cannot be stopped by a signature-based anti-virus software and which scrape credentials and then propagate across networks to encrypt and/or exfiltrate data.  A novelty in recent months has been that some of the threat actor groups who are using these tools are encrypting local servers of a victim company, extorting the company to provide the decryption key and then several weeks later, again extort the company threatening to release or sell sensitive data that they had exfiltrated.

4. Current security standards on telework client devices

Many of the heightened risks in today’s unique environment can be addressed with security measures which cybersecurity professionals have been touting for years.  As the federal guidance suggests, good digital hygiene, appropriate training and reinforcement, investment in security resources and a culture of cyber-caution are all important reminders during this time.  Having robust and segregated back-ups of your most sensitive data, an updated managed and visible network in which patches are regularly made, current anti-virus and threat detection software, endpoint monitoring and robust security event logging and management are baseline necessities for complex networks in today’s world.  Having a risk-tailored cyber insurance policy; periodic penetration testing and auditing; establishing and refreshing relationships with federal law enforcement and third-party data protection providers, including law firms and cyber-forensic companies; and preparing and updating an incident response plan and an information security policy which practices what company leaders preach are all protective measures that could make your company more resilient to the inevitable increase in cyber attacks.