Reinforcing Government, Enterprise, and Individual Cybersecurity during COVID-19

Souheil Moukaddem, Executive Vice President at Booz Allen Hamilton, and Ziad Nasrallah, Principal at Booz Allen Hamilton, highlight the major attack types that entities and individuals should prepare for and strengthen their cybersecurity postures against.

The COVID-19 pandemic has created an environment in which cyber threat actors can exploit information technology (IT) infrastructure, technology use, and human behaviour. These adversaries target both fearful populations seeking information to remain safe and aware, and security gaps in the rapidly expanding domain of remote work across the spectrum of daily business and mission-essential operations.

As governments, enterprises, and individuals across the Middle East North Africa (MENA) region adapt to new ways of thinking, collaborating, and working, it is imperative to pay increased attention to the protection of critical information and infrastructure during this time.

Heightened awareness of attack methods, potential vulnerabilities, threat actor tools, and social engineering tactics can help mitigate cyber risks as the threat landscape continues to rapidly evolve in response to COVID-19. There are four major attack types either already playing out or likely on the horizon that entities and individuals should prepare themselves for and harden their cybersecurity postures against: denial-of-service attacks, remote work exploitation, phishing and financial scams, and misinformation campaigns.

Denial-of-Service Attacks

Denial-of-service attacks are cyber-attacks in which a threat actor seeks to make machines, networks, tools, or websites unavailable to users. With a greater portion of the population operating remotely than ever before, denial-of-service attacks are an increased risk as workers are physically cut off from others and depend entirely on network reliability. Additionally, threat actors are likely aware that governments and enterprises prioritize the availability and performance of critical applications and networks for their employees. This may lead to security lapses or cut corners – potentially providing additional vulnerability points in less secure areas of a network or via new routes created to facilitate remote work. Indeed, in a time of an evolving global health crisis, it is possible that more denial-of-service attacks will occur.

Worse yet is the possibility that attacks could hit critical healthcare institutions or government entities, hampering their crisis response capabilities and placing lives at risk. While no major incidents of this nature have yet been reported regionally, an attempted attack on the U.S. Department of Health and Human Services and hospital-focused ransomware attacks are telling indicators that threat actors are not sparing institutions involved in COVID-19 response. In addition, recent reports on emerging internet-of-things (IoT) botnets, based on the Mirai botnet that temporarily crippled a large portion of internet traffic in 2016, suggest that major attacks are potentially on the horizon.

Remote Work Exploitation

Similarly, cyber risks posed by the exploitation of remote work – not only tools and technologies but also human behaviour – are significant. In this environment, there are numerous potential vulnerabilities for threat actors to target, including personal computing devices, home Wi-Fi networks, and free or low-cost telephone and video conferencing services (such as Zoom, which has already seen its usage grow exponentially worldwide, despite significant security lapses). These vulnerabilities create opportunities for threat actors and can result in data loss, including both personally identifiable information (PII) and sensitive corporate data.

On this front, companies and entities in the Middle East are acutely vulnerable. While major foreign companies and multi-national corporations (MNCs) with globe-spanning operations are often well-positioned for remote work, the same is not true of many local governments and enterprises – especially small and medium businesses. In mid-March, as COVID-19-related lockdowns and government-mandated remote work requirements entered into force, just 12 percent of companies in the Gulf had remote work arrangements in place, based on a survey of 1,600+ Gulf-based business executives. In the ensuing weeks, even as many shifted to remote work, entities have often lacked robust corporate virtual private networks (VPNs), secure conferencing capabilities, two-factor authentication, and other measures necessary to provide security in a distributed work environment – creating a fertile environment for cyber threat actors.

Phishing and Financial Scams

The COVID-19 health crisis has likewise witnessed a significant uptick in phishing and financial scams by cybercriminals. This type of threat activity always surges in crises as threat actors exploit human behaviour and a captive audience eager to receive guidance and information on COVID-19. Similarly, with many employees living in a state of fear as workplace policies rapidly change in response to the outbreak, there is a heightened risk of employee missteps or mistakes that could facilitate threat actor access to corporate networks. Since the outbreak started, threat actors have propagated malicious documents with COVID-19-themed names and phishing campaigns have been linked back to groups operating from Pakistan, Russia, China, North Korea, and others. Malicious files in these campaigns install malware, ransomware, or remote administration tools (RATs) after users are enticed to open emails or visit fake websites.

Across the region, governments have warned their citizens and residents to be on guard – including an advisory from the Saudi Computer Emergency Response Team (Saudi CERT) on the heightened risk of phishing attacks. Similarly, banks and financial institutions have aggressively messaged on the risk posed by financial scams. Warnings from Bahrain, the Central Bank of the UAE (CBUAE), and the Dubai Financial Services Authority (DFSA) all note that – especially as many institutions have suspended or reduced in-person transactions and pushed operations online – individuals and entities face a greater risk of attack and exploitation. Observed attacks have even included phone calls and WhatsApp messages, a communication mechanism not used for official bank communications. Most recently, a UAE consortium consisting of the UAE Banks Federation, CBUAE, and the Abu Dhabi and Dubai police forces launched a joint anti-fraud awareness campaign. Indeed, with Trend Micro reporting more than 3,000 COVID-19 cyber-attacks across the Gulf between January and March – including more than 600 cases of email phishing in the UAE alone – attacks of this type are highly likely to continue increasing throughout the crisis.

Misinformation Campaigns

Lastly, the threat of misinformation campaigns – first highlighted globally in the 2016 U.S. presidential election – is continuing to grow and evolve, whether from nation-states, cybercriminals, or even well-meaning but misinformed individuals. Indeed, the current information environment is ripe for exploitation given the fear and uncertainty surrounding COVID-19, as individuals seek information or, worse, latch onto unproven medical treatments or false government guidance. With governments – including first responders such as police and security personnel – preoccupied with response operations and public communications, the resources available to counter or dispel emerging misinformation campaigns are low.

Across the Gulf, countries including the UAE, Saudi Arabia, and Kuwait have all issued warnings – including the threat of fines, jail, and deportation – for those caught spreading or encouraging misinformation. Kuwait has likewise already acted against several individuals found in violation of the law; however, the threat will remain a persistent reality throughout the duration of the crisis.

Recommendations

Ultimately, making changes to the information security environment during a crisis is difficult. Fortunately, there are steps – especially focused on communications and awareness – that can be effectively leveraged to help.

The following recommendations are provided to help reduce the increasing digital attack surface and prevent deeper, more persistent exploitation of an organization’s people and assets, during the current state of prolonged remote work deployment:

1. Vulnerability management and security operations teams should address existing vulnerabilities that open the door for denial-of-service attacks. Prioritize patching and security tool deployments (e.g., content delivery networks designed for website security and to address the availability of services during times of increased user traffic).

2. VPN connections should be established with multi-factor authentication enabled to control and protect access to enterprise networks.

3. Security teams should be prepared to increase detection and monitoring capabilities and maintain heightened vigilance of susceptible assets and infrastructure, especially those with public exposure or mission-critical assets.

4. Information security policies, specifically for remote work arrangements, should be routinely communicated and validated with staff to establish awareness, vigilance, and cyber hygiene. Complex policies may overwhelm workers, while basic cyber hygiene guidance and virtual training sessions can quickly establish an effective baseline.

5. Employees should be warned about phishing emails with COVID-19-themed filenames and attachments designed to entice them to click and open. Training should reemphasize how to identify suspicious emails or URLs suggesting links to COVID-19 information. Companies should provide guidance and links to authoritative, trusted content to reduce employee impulses to seek alternative information sources.

6. Incident response plans should incorporate out-of-band communications channels to reach employees in the event of a cyber attack to help prevent added confusion and fear, especially in a dispersed work environment for a prolonged period.

7. Enterprises should enforce and reinforce blocking of downloads of unauthorized tools, applications, and software, both on enterprise networks and on personal devices used for remote work purposes.
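As an added illustration of recommendation 5 (not code from the article or from Booz Allen Hamilton), the script below triages constructed sample emails for the lure pattern the article describes: COVID-19-themed subjects or attachment names combined with executable or macro-enabled attachments, and COVID-themed links that do not point at a trusted source. The lure terms, risky extensions, and the trusted-host allowlist are assumptions and would be tuned to an organization's own guidance.

```python
import re
from urllib.parse import urlparse

# Lure terms seen in COVID-19-themed campaigns (assumed list for this example).
LURE_TERMS = ("covid", "corona", "ncov", "pandemic")
# Attachment types that can execute code or carry macros (assumed list).
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".lnk", ".iso")
# Authoritative sources staff are directed to (assumed allowlist; extend per organization).
TRUSTED_HOSTS = {"who.int", "www.who.int"}


def has_lure(text: str) -> bool:
    """True if the text mentions a COVID-19 lure term."""
    t = text.lower()
    return any(term in t for term in LURE_TERMS)


def risky_attachment(name: str) -> bool:
    """True for executable/macro extensions, including double-extension names like 'x.pdf.exe'."""
    return name.lower().endswith(RISKY_EXT)


def suspicious_url(url: str) -> bool:
    """A COVID-themed link (in host or path) that is not served by a trusted host."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return (has_lure(host) or has_lure(parsed.path)) and host not in TRUSTED_HOSTS


def triage(message: dict) -> list:
    """Return human-readable flags for a message dict with subject, attachments and body."""
    flags = []
    lure_subject = has_lure(message.get("subject", ""))
    for att in message.get("attachments", []):
        if risky_attachment(att) and (lure_subject or has_lure(att)):
            flags.append(f"lure attachment: {att}")
    for url in re.findall(r"https?://\S+", message.get("body", "")):
        if suspicious_url(url):
            flags.append(f"suspicious link: {url}")
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"subject": "COVID-19 Safety Measures", "attachments": ["Safety_Measures.pdf.exe"], "body": "See attached."},
    {"subject": "Team meeting", "attachments": ["agenda.docx"],
     "body": "Guidance: https://www.who.int/emergencies/diseases/novel-coronavirus-2019"},
    {"subject": "Relief payment", "attachments": [], "body": "Claim at https://covid19-relief.example/claim now"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", triage(msg) or "no flags")
```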