It’s no secret that cybercrime has risen exponentially since the start of the Coronavirus pandemic. But, what can we do to educate clients, especially while they’re working from home? Grayson Milbourne, Security Intelligence Director at Webroot joined our Aterans for a webinar on this exact topic. If you missed the live event, you can catch up here – or read on for a summary of the highlights, complete with real-life examples of threats found in the wild by the Webroot team.
Working from Home: Is it That Different from Working while Travelling?
The simple answer is yes, and it’s all about the devices your clients are using. When employees work from home, they are much more likely to use personal devices instead of managed company devices. Managed devices are much easier to control, regulate, and enforce policy updates on. That option doesn’t exist on personal devices, which are often shared by multiple users, usually on a shared local admin account where anyone can do whatever they want. It’s no surprise, then, that consumer devices see almost double the infection rate of business devices. Home networks are generally less secure than office WiFi, and home users are more likely to use unencrypted file-sharing programs or to leave browsers and applications without the latest updates.
Be Less Afraid of Your Router!
Another attack vector that users often ignore is their router. People plug in their router, see that it works, and promptly forget about it altogether. However, this is often a device rented from their broadband provider, and it regularly still has the default admin password, or firmware that has gone without an update for years at a time. This makes routers extremely vulnerable to cyber-attacks. Grayson told Aterans to lose the fear and get friendly with their routers: explore the settings, change the admin password, and see whether there’s an option to update the firmware automatically. If there isn’t, it may be time to replace the router, especially in this working-from-home reality.
Education is really key. Even if your users don’t have managed devices, there’s a lot you can do to help them protect their personal devices: install remote management, make sure browsers and applications are patched and up to date, and reduce the attack surface any way you can. Make sure that your clients are using a VPN, not just to get onto the corporate network but more widely on their home computers. Ensure that they are protected with 2FA, with a token generator on a separate device such as a mobile phone.
Understand the Scale of Cybercrime Growth During Covid-19
Here are some of the top threats that have escalated over the past six months, in line with the global pandemic.
Remote Desktop Protocol: RDP has fast become the preferred method for delivering ransomware, usually starting with a brute-force attack on exposed RDP logins. Businesses need to be able to use remote desktop software, but it should be handled securely, behind both a VPN and 2FA. On top of this, move off the default port and add access control as a further layer of defense.
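The brute-force stage described above leaves a clear trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address. The following is an added example, not code from the webinar or from Webroot, that flags such bursts over constructed sample records; the field layout, threshold and window are assumptions you would tune for your own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log records (not real telemetry). Fields are
# (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2020-09-01T08:00:01", 4625, 10, "administrator", "203.0.113.5"),
    ("2020-09-01T08:00:14", 4625, 10, "admin",         "203.0.113.5"),
    ("2020-09-01T08:00:27", 4625, 10, "test",          "203.0.113.5"),
    ("2020-09-01T08:00:40", 4625, 10, "user",          "203.0.113.5"),
    ("2020-09-01T08:00:53", 4625, 10, "guest",         "203.0.113.5"),
    ("2020-09-01T08:01:06", 4625, 10, "backup",        "203.0.113.5"),
    ("2020-09-01T08:05:00", 4625, 10, "jsmith",        "198.51.100.7"),  # one typo...
    ("2020-09-01T08:05:30", 4624, 10, "jsmith",        "198.51.100.7"),  # ...then success
    ("2020-09-01T08:06:00", 4625, 2,  "jsmith",        "192.0.2.10"),    # local console, not RDP
    ("2020-09-01T08:10:00", 4625, 2,  "jsmith",        "192.0.2.10"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for every source
    with at least `threshold` failed RDP logons inside any `window`-long span."""
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # source_ip -> account names tried
    flagged = {}
    for ts, event_id, logon_type, account, src in sorted(events, key=lambda e: e[0]):
        if event_id != 4625 or logon_type != 10:
            continue              # only failed RDP logons are relevant here
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        accounts[src].add(account)
        while t - q[0] > window:  # slide the window: drop failures that are too old
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = {"failures": len(q), "accounts": sorted(accounts[src])}
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons, accounts tried: {info['accounts']}")
```

A single mistyped password from a legitimate user and console logons are left alone; only the source cycling through many accounts in a short span is reported.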
Misinformation: Cyber-criminals have weaponized COVID-19 through fake news, scams and phishing websites, all of which are at an all-time high. Phishing websites are sometimes hard to spot, and take advantage of COVID-19 by preying on the goodwill of businesses. No doubt you’ve seen companies offering free trials, offers and giveaways throughout 2020. Cybercriminals leverage that with fake websites that promise the same, stealing information or executing malware attacks once users click on the link.
Zoom: Zoom blew up right off the bat, with anyone working from home quickly becoming familiar with this video conferencing software. However, did you know that there are more than half a million Zoom credentials for sale on the dark web? These cost about a penny a login, meaning anyone can grab hold of an account and engage in some Zoom bombing. We’ve also seen malware that mirrors the way the Zoom installer looks and behaves, but actually carries a payload such as the crypto-miner example below. There has also been a 2000% increase in malicious files with the word Zoom in their name, for example zoom-cloud-meetings_01621164491.exe.
Fear: Many of these COVID-19 related attacks even pretend to have information about vaccines, trials, or where COVID patients currently are, encouraging users to give away sensitive information, financial details, and GPS locations. These attacks are not only launched on home computers, but also on mobile phones.
You might think your clients would see these attacks coming a mile off, but studies have shown that users are now more than 3 times as likely to click on a malicious link in a phishing email. Educate your clients to look out for the warning signs of these kinds of scams: suspicious attachments, typos, grammatical errors or awkward use of English, and anything that appears too good to be true. In almost all cases, clicking one of these links or enabling macros in an attachment will open PowerShell and launch a script that downloads the infection. From this foothold, attackers can move laterally throughout the network. For a minimal cost, you can get ahead of this by running drills that test how your employees would react to a phishing email, and by putting real cyber awareness training in place across your organization.
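The macro-to-PowerShell chain described above is also one of the easiest things to catch in process-creation telemetry, because a Word or Excel process should almost never have a script host as its child. The following is an added example, not code from the webinar or from Webroot: it runs over constructed records shaped like Sysmon Event ID 1 / Windows 4688 fields (parent image, image, command line), and the application and indicator lists are assumptions to extend for your estate.

```python
import re

# Office applications that should not normally launch scripting hosts (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/command hosts commonly launched by malicious macros (assumed list).
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line switches that point at a hidden or encoded download-and-run (assumed list).
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|iex\b|invoke-expression)"
)

# Constructed sample process-creation records: (parent_image, image, command_line).
SAMPLE_PROCESSES = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -Enc <BASE64-PLACEHOLDER>"),      # macro-launched shell
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -File C:\\Scripts\\inventory.ps1"),               # admin running a script
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),                # benign print helper
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_spawned_shells(records):
    """Return one hit per Office-parent -> script-host child pair, with the
    suspicious command-line switches found (sorted, lower-cased)."""
    hits = []
    for parent, image, cmdline in records:
        if basename(parent) in OFFICE_PARENTS and basename(image) in SHELL_CHILDREN:
            flags = sorted({m.group(0).lower() for m in SUSPICIOUS_FLAGS.finditer(cmdline)})
            hits.append({"parent": basename(parent), "child": basename(image), "indicators": flags})
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_shells(SAMPLE_PROCESSES):
        print(f"{hit['parent']} spawned {hit['child']}; indicators: {hit['indicators']}")
```

The parent/child relationship alone is enough to raise the alert; the indicators only add context for triage, so an empty indicator list is still a hit.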
One useful resource could be the COVID-19 Cyber Threat Coalition, which shows a blacklist of URLs that are malicious. We in the cybercrime prevention industry need to work together to protect our customers as best we can, MSPs included.
Promoting a Layered Approach to Cybersecurity
So, on top of education, how can you protect your remote workers? Firstly, recognize that no solution on its own is 100% effective, so a multi-layered approach is essential. If a threat gets past one set of defenses, there needs to be another robust solution waiting, and so on.
At Webroot, the solution is split into two categories: pre-execution preventative techniques, which start with user education itself, and post-execution detection and remediation, which needs to act fast if a new type of malware makes it to the execution stage. Malware will always try to make itself look unique, and you shouldn’t trust a solution that claims it will always spot an attack pre-execution. Instead, ask your provider how long it takes them to uncover an attack: their time to detection (TTD). It was great hearing Webroot discuss how they stop 80% of executed attacks in under 30 minutes.
Each of these layers of threat prevention is a sophisticated defence in its own right. Take DNS protection, for example. DNS requests expose your internet use to your ISP, as well as to your router. For employees working from home without a VPN, this is an immediate threat and takes away much of the control you have over your traffic data.
Once Webroot’s DNS protection agent is in place, DNS traffic no longer goes via the router in a form that anyone external can see. Not only does this protect the traffic data, but Webroot can classify content types, stopping 88% of malware traffic, and letting you add policy-based control over how employees use the web during working hours, for example blocking social media or sports streaming sites. While we always advocate for managed devices where possible, this adds a formidable layer of protection to personal devices where managed devices aren’t an option.
Stay Ahead of the Perpetual Cycle
While COVID-19 has increased the threat, none of us are naïve enough to think that we will ever get ahead of the cybercrime industry altogether. Risks are evolving all the time, and there will always be a cycle where new malware emerges and users fall victim. A robust solution should therefore cover all of your bases, including a strong backup that is fully air-gapped, in case the worst occurs and attackers do make it to your sensitive information.
With working from home a fixture for the foreseeable future, staying informed, and keeping your clients informed, is more important than ever. Why not send this article to your clients? Then, schedule a security briefing to discuss each client’s unique security requirements, and a roadmap to get ahead of the growing threat.