For cybercriminals, chaos always means opportunity. For them, an unevenly communicated and rolled-out security patch means an opportunity to find users who feel protected, but aren’t. Unclear organisational rules about which apps staff should use mean an opportunity to capture sensitive data from employees who think they’re just doing their jobs. Rapid adoption of Internet of Things devices means an opportunity to find security holes where organisations wouldn’t even think to look.
Of course, for a criminal it doesn’t especially matter whether the opportunity arises as a result of some other company’s mistake, complex processes in your own business, or an attempt to evolve with new technology. They are focused only on what they can get out of the opportunity, not on why it came about.
Over the last few months, the COVID-19 crisis has wreaked global havoc, the extent of which we’re still figuring out how to measure. From devastating health impacts, to deep economic consequences, to untold personal anxiety, finding ways to manage the effects of this pandemic and fight back against them has, quite rightly, been everyone’s number one priority.
It has also, however, created chaos on a scale which is an unprecedented opportunity for cybercriminals – and for IT professionals, it has presented one of the greatest challenges they’ve ever faced. Indeed, research conducted by the Neustar International Security Council last month found that almost two-thirds of companies experienced at least moderate disruptions to their network security practices, with nearly a quarter reporting major disruptions.
Unknown network environments
The change which specifically opened the door to cybercriminals is, of course, the mass transition to home working. Faced with the pressing need to socially distance their workers, organisations found themselves going overnight from being able to assume that most staff (typically more than 90%) are accessing systems from within the office to having it almost guaranteed that they will be logging in remotely.
The efforts from IT staff which made this possible were nothing short of herculean, but it has meant that the bulk of a company’s networking activity has shifted from happening in a relatively controlled environment with lots of oversight to whatever network environment workers happen to have set up at home. That means a huge array of home routers, cable or fibre modems, and alternative connections like MiFi devices are now in touch with corporate networks.
Behind these, workers will be connecting not just their corporate laptop, but a range of home technology from personal computers and tablets to games consoles, televisions, and smart home devices. Generally speaking, these will all appear publicly as a single IP address, and any compromise in that network segment, even if it’s just a smart light bulb, can be used as a stepping stone to a serious breach.
New connectivity workflows
Of course, many of the corporate systems and tools that workers will use on a day-to-day basis are hosted in the cloud. This means that productivity software, communications platforms, and other vital tools are now often delivered in a way which anticipates remote access, and has a security stance which accounts for that fact.
There are still, however, a number of key systems which generally operate locally. These include payment gateways and financial systems, servers used for research and development work, authentication and directory systems. Even in the cloud-first era, a lot of value is still held in owned infrastructure. When teams are working remotely, virtual private networks (VPNs) are necessary to grant access to those core systems.
For many organisations there will be cases where VPN access is being expressly provisioned in response to this crisis. In every case where VPNs are keeping business going, the surge in remote working will place great strain on those VPN systems.
The net result of this way of working, together with an entirely different network architecture built from people’s home networks, is a new attack vector for malicious actors. In March alone, Neustar found and tracked over 28,000 COVID-19 related domain registrations and host names through its threat feed systems, all aiming to disrupt organisations’ activities and potentially open the door to phishing and ransomware attacks.
DDoS vulnerability
One of the major challenges with using VPNs to enable remote access arises before we even consider the security of those connections. Cyber criminals are aware that hardening a VPN against denial of service style attacks is very challenging – and often won’t have been done at all.
The nature of a VPN means that they must be fully encrypted connections. This keeps data secure as it is transported from its point of storage to its point of use. It also, however, means that some methods which inspect packets of data to identify whether or not they are malicious – and so spot and mitigate DDoS attacks – cannot be used on VPN connections. Instead, the attack will only be revealed when it reaches the VPN server and is opened up.
Those VPN servers can also be easy to identify, as businesses often use “vpn” as part of the URL name. Taken together, these factors create a huge opportunity to launch devastating attacks, which interrupt systems that businesses can’t afford to do without, with relatively little effort or technological sophistication. Even if a number of services, such as email, are hosted on public infrastructure, implementing VPN access to private infrastructure means potentially creating a push-button which takes the entire workforce offline.
The true cost of cybercrime
The deeper frustration in all of this is that, while the chaos is nobody’s fault, and IT administrators are doing nothing but good work to keep the world running, our attempts to mitigate the attack opportunities it results in risks critical, real, non-malicious information failing to reach its destination. While cyber criminals are exploiting these opportunities, lives are at stake – and in this period we’ve already seen some of the biggest DDoS attacks we’ve ever mitigated.
Through hard work and dedication, we will, collectively, turn the tide on this crisis. Remote working, however, will be part of our lives for some time yet – and there’s every sign that it will continue at far higher rates than before the pandemic.
Confidence in the security and resilience of a network will be more important than ever: now is the time for businesses to push their security stances forward. This involves finding ways to change the names of VPN servers to obfuscate their location, leaning on managed service providers who can provide the muscle to mitigate massive attacks and reduce the load on IT teams, and educating staff about how they can play their part in keeping information secure.
From a technical standpoint, we’ll come out of this much stronger. While businesses may be facing initial challenges now, software will improve and organisations will begin to better understand how their security strategies must change as workforces become increasingly remote.
Rodney Joffe
Senior VP, Technologist and Fellow at Neustar
