Handling the rise in cyber attacks in the era of remote work
March 2021 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
The US Cyberspace Solarium Commission issued a supplemental white paper to address cyber security lessons learned during the COVID-19 pandemic. Among other things, the Commission highlighted that the significant surge in internet traffic, triggered in part by a massive shift to a remote working-focused economy, has led to a broader attack surface area for cyber criminals.
The rise in ransomware attacks and other malicious cyber activity we have observed over the past year results, in part, from cyber criminals’ decision to exploit the vulnerabilities presented by distributed work models. Organisations worldwide have shifted rapidly from office-based work to remote work, a move that allowed many companies to continue operations with relatively few disruptions. For some, this successful pivot to a work-from-home situation may be permanent. For others, while the change was necessary, it was hopefully just a temporary measure which will be reversed as soon as circumstances allow. Regardless, this swift change has created opportunities for bad actors. With sustained remote work on a large scale, hackers enjoy new vectors for social engineering, ransomware and other attacks.
The numbers: reports and statistics on trends
Reports from Verizon, Mandiant, CrowdStrike and others highlight the evolution and growth of ransomware and other attacks on remote work environments. In Verizon’s 2020 Data Breach Investigations Report, security researchers noted that “ransomware figures more prominently in breaches” and is a “big problem that’s continuing to get bigger”. According to CrowdStrike, 50 percent of the global workforce is working outside their companies’ headquarters for at least 2.5 days per week. CrowdStrike has also discussed the risks of accessing sensitive data through unsafe home WiFi networks, as well as the increased burden on incident response teams in “hunting for intrusions from a greater number of entry points”. Others have noted a 37 percent month-to-month increase in phishing attacks and a 600 percent increase in phishing attempts since the end of February 2020.
Government actors have also reported this trend. In the US, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other government agencies have issued guidance to public and private organisations on common vulnerabilities that cyber actors exploited in 2019 and 2020. The guidance highlights that hackers are targeting organisations that hastily deployed cloud-based collaboration services, such as Microsoft Office 365, that might be vulnerable to attack due to oversights in security configurations.
Security teams tasked with guarding against and responding to incidents face significant challenges due to pandemic conditions as well. A January 2021 Ponemon Institute report found that increased hours and workloads have placed pressure on security teams as a result of the COVID-19 remote working environment, leading to operational challenges and struggles with burnout.
Ransomware and social engineering
Ransomware has taken centre stage in the remote-work era, as several prominent ransomware threat actors expanded their presence and activities. One specific ransomware variant, MAZE, has threatened a variety of organisations since at least May 2019, and this has continued since the shift to remote work. In November 2019, Mandiant identified MAZE ransomware attacks that “combine targeted ransomware use, public exposure of victim data, and an affiliate model”. Whereas ransomware traditionally would lock up data and not subject it to exfiltration and exposure, MAZE changed the game by combining the impacts of system disruption and data encryption with exfiltration. Threat researchers have tracked more than 100 alleged MAZE victims reported since November 2019, spread across industries including manufacturing, financial services, healthcare, technology and others.
REvil, also known as ‘Sodinokibi’ or ‘Sodin’, is another ransomware variant that has made waves during the pandemic. In May 2020, reports indicated that REvil had compromised a prominent law firm in Manhattan, known for representing a number of celebrities. The REvil/Sodin actors demanded $21m initially, which doubled to $42m when the firm did not pay the ransom. Following the model of MAZE, the Sodin actors released several gigabytes of data purported to have come from the law firm when their ransom demands were not met.
Social engineering attacks are also on the rise and are more likely to be effective given current conditions. Previously, if an employee received a suspicious email, he or she might have been able to quickly walk down the hallway and check with the chief financial officer (CFO) before authorising a disbursement to a new vendor or bank, but that is no longer possible. Employees cannot easily have the short clarifying conversations that could avert a cyber incident. Instead, many are making decisions in isolation and without the same level of access to IT or security teams.
Conclusion
Remote work presents opportunities for hackers, and hackers are working overtime to exploit them.
Given this environment, organisations may benefit from considering at least some of the steps outlined below.
Assessing and hardening systems. There are a large number of actions organisations can take to harden systems, including patching common vulnerabilities, adopting a comprehensive patch and vulnerability management programme, ending reliance on end-of-life software applications and implementing multi-factor authentication and identity and access management best practices wherever possible.
Completing workforce training. Employees should be required to complete training for remote work best practices. Training efforts can focus on ways to identify phishing attacks, the importance of applying software updates as soon as possible, and getting comfortable communicating.
Establishing voice verification. Even though employees will not be able to walk down the hallway, they must begin to rely more on mobile phones to reach their colleagues quickly. As incident response dynamics change in remote environments, running table-top exercises at various levels of organisations may be helpful.
Implementing security by design. The basic aim of security-by-design is to ensure that security is an indispensable factor in the development and adoption of software. In short, security considerations should guide decision making. As organisations develop and adjust IT infrastructures to accommodate a shift to remote work, it is important to systematically identify the security requirements that each tool must meet. Controls such as authentication, access management, audit logging and transmission security can mitigate potential risks.
Miriam Wugmeister is a partner and Mike Burshteyn and Taj Moore are associates at Morrison & Foerster LLP. Ms Wugmeister can be contacted on +1 (212) 506 7213 or by email: mwugmeister@mofo.com. Mr Burshteyn can be contacted on +1 (415) 268 7663 or by email: mburshteyn@mofo.com. Mr Moore can be contacted on +1 (212) 336 4363 or by email: rmoore@mofo.com.
© Financier Worldwide