As companies and government agencies send their employees home to avoid contact with the coronavirus, many cybersecurity teams are facing the unenviable challenge of securing sprawling, vulnerable networks.
Every time an employee connects to their corporate network from home, they’re creating possible access points for hackers to exploit. When this happens 1,000 times on a single network almost overnight, as it has amid orders for regional lockdowns, it’s increasingly difficult to ensure every connection is secure.
The specific security challenges are wide-ranging. While those using company-provided laptops are likely protected by internal safety measures, they could still be vulnerable if their security software isn’t updated or their remote network connection isn’t perfectly configured. The bigger problem is employees using their own equipment that security teams can’t monitor for malicious traffic. For all they know, these devices may already be infected with malware.
The challenge can overwhelm security personnel, especially for those companies that have previously discouraged employees from working from home. Pivoting from office desktops to laptops at home are projects that security teams at large companies execute over months.
Instead, the shift to working at home has happened in days. And with so much emphasis placed on simply making sure company operations don’t come to a grinding halt, network security can be an afterthought.
“What we’re seeing is a help desk or an IT department that wasn’t really responsible for setting up a mass network of remote users until a week ago,” said Allan Liska, senior security architect at cybersecurity analytics firm Recorded Future Inc. This can lead to equipment and software being poorly configured and vulnerable to exploitation. “We’re going to see workers using lots of different workarounds as things fail,” he said.
A major power utility in southern Europe, for instance, sent home hundreds of employees last week. In a matter of three days, the company increased remote accessibility from just 9% of their machines to 53%, said Andrea Carcano, founder and chief product officer at Nozomi Networks Inc., an industrial security company in San Francisco.
“There’s a risk of opening access to all of those plants,” said Carcano, whose company provides network security tools to some of those power systems. He declined to name the utility. “That customer has some visibly. But it is a fact, you’re opening a new door that used to be closed. If it’s an opening for you, it could be an opening for an attacker.”
The huge influx of people working at home has expanded the places hackers can exploit. As companies across Europe and the Americas come to grips with this new normal, hackers are tweaking their attacks — sending phishing emails that claim to be about the coronavirus or purport to be from a trusted health agency — to leverage fear of the global pandemic.
There has been a “flood” of cyberscams and hacking attempts related to the virus, according to Michael Daniel, president and chief executive officer of the Cyber Threat Alliance, an intelligence-sharing nonprofit organization. “It’s really quite amazing how rapidly the bad guys have moved into that area.”
There’s also been a surge in hackers targeting work-from-home tools, such as the virtual private networks companies use to let employees recreate secure office connections, said Andrew Tsonchev, director of technology at the cybersecurity firm Darktrace.
Hackers appear to be targeting the most vulnerable. Data analysis from Italy indicates that companies that have quarantined workers or instructed them to work from home are prime targets for attackers, according to Cynet, a New York-based cybersecurity company.
“This shows the propensity for hackers to shift their focus to remote work environments in order to capitalize on the virus while thwarting corporate security measures,” according to a Cynet blog published Wednesday.
With a daily onslaught of scary news about the virus, people who are working at home may be more likely to click on bogus misinformation links spread on social networks, cybersecurity experts said. And because they expect to get out-of-the-ordinary emails from their IT staff, they may be more likely to click on phishing messages.
Security teams are also working from home, which means they don’t have access to the tools they ordinarily use to defend corporate networks.
“The security teams themselves are largely not able to go in, and a lot of the tools that they were relying on are not necessarily at their disposal,” said Adam Meyers, the vice president of intelligence at the cybersecurity firm Crowdstrike Inc.
When security professionals do have access, ordinary ways to protect corporate networks are not always useful for defending a remote workforce. “A lot of the tools that they were using don’t necessarily make sense for the job anymore,” Meyers said.
Employees can do their part at home. Updating passwords and using paid virtual private networks and multi-factor authentication are a good start, experts said. Keeping kids off your personal computer, if you use it for work, is a good idea, too, because they could download games or other material infected with malware.
If you want to go the extra mile, buy a home router kit that lets users segregate their networks, said Aaron Zander, head of IT for San Francisco-based HackerOne Inc., a vulnerability detection and coordination platform. He warned that allowing “internet of things” devices — such as Amazon’s Echo speakers and security cameras — to live on the same network as corporate data further expands the attack surface.
“Everyone needs to be more diligent,” Zander said. “If you get an email asking you to make payment, it’s important to verify who that message is coming from.”