34
P E E R T O P E E R : I L T A ' S Q U A R T E R L Y M A G A Z I N E | S P R I N G 2 0 2 1
2019, emphasis added.) And security controls of
these personal devices are really out of bounds
for corporate control and may bump up against
employees' rights for those subject to the EU's
GDPR or the California Privacy Rights Act.
Add to this the challenges of scanning for
threats over limited bandwidth; controlling and
managing security patches and other updates
especially on personal devices; the difficulty or
added cost of physical access to devices at home;
or difficulties in discovering, managing and
remediating in the event of a malware infection –
and the security challenges are significant to say
the least.
WFH is truly the nail in coffin of a hardened
defensive perimeter and means virtually limitless
points of entry.
The Phishing Is Great Here!
Phishing remains the number one mode of attack.
While it is easy to fault employees – and many do –
phishing attacks have become incredibly difficult
to spot when they rely on social engineering and
other techniques. Their technical sophistication
has increased too and can fool the security
measures intended to stymie them. "Israeli-based
email security provider IRONSCALES in its two-
year study of more than 100,000 verified SEGs
[secure email gateways] failed to stop almost all
non-trivial email spoofing attacks, including
sender name impersonations and domain look-
alike attacks." (Urrico, 2019)
Unsurprisingly, "71% of security
professionals reported an increase in security
threats or attacks since the beginning of the
coronavirus outbreak. The leading threat
cited was phishing attempts (cited by 55% or
respondents), followed by malicious websites
claiming to offer information or advice about
the pandemic (32%), followed by increases in
malware (28%) and ransomware (19%)." (Check
Point, 2020)
Hackers have tapped into anxieties around
COVID-19, using health information and alerts,
news about the vaccine and other "lures" to
engage users. An Interpol report of April 2020
details that, "In one four-month period (January
to April) some 907,000 spam messages, 737
incidents related to malware and 48,000
malicious URLs – all related to COVID-19 –
were detected by one of Interpol's private sector
partners . . . often impersonating government and
health authorities."
These same techniques, as well as cross-
site scripting, redirects and voice and text
phishing, will now be used to ape what appear
to be internal emails, company websites and
communications from co-workers. It would take
remarkable vigilance on the part of employees
to spot the socially engineered phishing lures
among the deluge of communications going out to
the distributed workforce concerning COVID-19
updates, HR matters, a communique from the
CEO or an email from a team member updating
the team on a current project. Consider too that
your employees' cognition is different now. Work
and personal digital activities are mixing more
than ever before and the boundaries between the
two are increasingly blurred. The attacks to guard
against are relentless. As detailed in a RiskIQ
report, there have been:
• 21,496 phishing domains across 478 unique
brands in Q1 2020.
• 720,188 instances of domain infringement
also in Q1 2020.
• 317,000 new websites related to COVID-19
in just over two weeks.
Given this new environment, it is clear that a
renewed emphasis on employee training is needed
that goes beyond general awareness of phishing
and provides some in-depth background on the
techniques used, including socially engineered
phishing and spear-phishing, cross-site scripting,
deceptive linking and redirects and text and voice
phishing. Simply put, "These socially engineered
attacks are devastating because the spoof emails
have all the appearances of being real . . ."
(Sanders, 2019)
The Rise of the Citizen Hacker
As the one-time KPMG Global partner-in-
charge of KPMG's Risk and Compliance group,
Richard Girgenti was known to say, "When
times are good, there is more money to steal.
When times are bad, there is more reason to
steal." Given the current economic climate
around the globe as a result of the pandemic, a
continuing rise in crime is foreseeable. People
are desperate, right? Cybercrime is not going to
be the exception.
One of the drivers of increased methods of
attacks is very likely to be the use of ransomware
as a service. For a modest amount anyone can
buy all the tools you need to perpetrate a crime.
F E A T U R E S