Article by Al.com- May 2020- If you’re not working at home yourself, you’ve likely heard about the difficulties from someone else who is. The changes brought on by COVID-19 have been unprecedented, as even businesses that handle sensitive information are operating remotely through videoconferences, online collaboration software, and email. Data is flying around like never before and cyber security has been outpaced. This is a perfect storm for cyber criminals—hackers, scammers, even foreign agents. Common sense is not enough; we need to be hypervigilant. Read on to learn some basic threats and tips from cybersecurity experts from a veteran defense engineering firm.
“This era demands heightened attention to cybersecurity for individuals, businesses and institutions,” said Tyler Carter, Software Engineering Division Manager at Intuitive Research and Technology Corporation (INTUITIVE), an aerospace and engineering firm headquartered in Huntsville. “On the one hand, thousands of new domains are being created to prey on people seeking information on COVID; and on the other, concerted efforts to hack into municipal systems, critical infrastructure, and businesses are on the rise.”
In April, the World Health Organization (WHO) itself was targeted by an organized cyber-espionage group. The WHO reported in late March that attempts at impersonation and compromising its security have doubled. Less organized diffused efforts are aimed at you, personally, with apps that have even imitate health sources.
The Department of Defense maintains stringent cybersecurity requirements for every project, with thousands of pages of requirements devoted to the matter. Old systems need to be updated and new systems put under diagnostics to expose weaknesses. There is no better place to go for insight into cybersecurity than an aerospace and engineering firm which has been leading the conversation on software engineering, virtual reality, and cybersecurity for the past two decades. INTUITIVE employs cyber experts who anticipate future threats and react. According to Carter, the simplest key activities for a cross-section of people to be wary of are videoconferencing, document sharing and downloading, emailing, and browsing unfamiliar websites or apps.
Zoom Out
“Zoom is an obvious place to start to eliminate threats,” said INTUITIVE cybersecurity expert Daniel Miller. “Although the popular free video-conference software performs well for casual use, it was not designed for sensitive information and the kind of business traffic we have seen in mind.” Zoom sessions operating without a password can be eavesdropped upon by anyone. In the session they may gather emails and any material shared and even record the call for reference. Even if you set a password for your Zoom session, some hackers can gain access. Further, what Zoom does with your data is questionable; in April, the company admitted it had routed traffic through Chinese servers (Chinese servers are government-monitored).
“While you’re at it, think twice about using any casual, free-wheeling software or personal device for sharing private information,” said Miller.
Phishing and Ransomware
Cyber criminals with various levels of intent will take your information however they can get it. Sometimes they are small-time crooks who want your credit card, and other times they are from organized groups who want to hold your company’s server hostage using “ransomware.”
“Usually delivered via phishing, ransomware has gotten much more aggressive and is increasingly targeting critical infrastructure, state and local Government, as well as commercial organizations,” said Chuck Speaks, an INTUITIVE cybersecurity subject matter expert. Recent research suggests ransomware incidents spiked almost 150% from February to March this year. Why? Cyber-crime pays better during a crisis and the distributed nature of our workforce presents a much broader attack surface.
Phishing can be a blind game of chance or a sophisticated impersonation scheme, but the goal is the same: to get you to respond with personal data or login credentials. Phishing begins with gathering email addresses. Then the perpetrator attempts to lure you to divulge personal information, click a link, or download a file attachment. Often, what happens next is you unwittingly download ransomware, a program that allows the remote user to encrypt your information and only give you access after you pay them in bitcoin. Tens of millions of dollars were lost to ransomware in 2019.
“Recent tactics, techniques, and procedures from ransomware operators include trying to accelerate payments through cyber shaming (leaking reputationally-harmful information or intellectual property) to prove they have your data and then directly threatening your customers with their stolen information,” said Speaks.
He also noted that a general attitude of suspicion towards attachments and downloads is warranted: “The best phishing attempts impersonate real friends or colleagues and may make realistic requests.” INTUITIVE’s experts also recommended multi-factor authentication for anyone who accesses desktops from work remotely as a standard practice.
Malware and Malicious Apps
The difficulty of working from home and switching to leisure on the same device is this: access to private business information and/or networks can remain available. Your computer can become an unsuspecting participant, allowing hackers to choose any time in the future to profit. Malware is easy to understand—its malicious software used by people to track your behavior, infiltrate other connected systems, and collect information.
Daniel Miller asserts many of the websites that have emerged to spread malware in the past months are specifically COVID-19-related. Indeed, around 50,000 such domains have been registered since January, and thousands are just there to look legitimate enough to get a click. You could be taking home a bank-information extractor or malware that will spread to your business network later just by visiting these sites.
Using “common sense” sounds too casual. Maintaining vigilance as INTUITIVE’s team recommends is not natural in a home environment. If possible, try some of these other telework tips:
- Be careful about using a work computer in a public space, connected to a public WiFi, and never leave it unattended or open.
- Use your corporate VPN whenever working away from the office and investigate the use of reputable personal VPNs for your own devices
- Do not use cell phones or other personal devices for work (if possible).
- Back up data so that you are less vulnerable to ransomware.
- Follow legitimate tech blog and social media sources that report emerging threats.
The pandemic and its resulting emphasis on remote work has created an opportunity for bad actors to ramp up their activities. However, simple steps and a bit of awareness go a long way to protect yourself from cybercrime.
If you’re interested in joining INTUITIVE’s team of problem solvers, click here.