Enabling a Remote Workforce is great, but it comes with new risks.
Steve Koinm, VP of Professional Services, talks about some of the new security risks that we are seeing as a result of a sudden move to a remote workforce.
With the move to a remote workforce in the wake of the COVID-19 pandemic, we are finding new security weaknesses that can potentially be exploited by bad actors. One of the first things I noticed when we started our Work from Home program internally was that when connecting to Zoom, instead of the 2 dial-in numbers that were available for audio, there were suddenly 6. And when you dialed them, you would often get a busy signal a couple of times before getting through. That tells you just how much more usage Zoom was suddenly taking on. Since then, those numbers have continued to climb as Zoom, WebEx, GoToMeeting, and Teams video conferences have simply skyrocketed in usage.
But that surge has also exposed new weaknesses within these systems. Zoom has taken the brunt of the security scrutiny so far. First, it was noted that their website claims there is end-to-end encryption on the conversations. As it turns out, what Zoom uses is TLS, which means the traffic is encrypted between each participant and Zoom's servers rather than between the endpoints themselves. So instead of the endpoints negotiating a secure connection with each other, all of the traffic passes through Zoom, where it is joined together on their servers. Though Zoom has no intention of decrypting and monitoring any of those calls, their servers do have that ability. This has led environments where secrecy is important to ban the use of Zoom.
More recently, it was discovered that someone could send a chat link within Zoom containing a UNC path (a Windows network path of the form \\server\share) that points to a malicious server. What that means is that someone could send an innocuous message containing a hyperlink that looks like a link to a Windows server somewhere. That server does not even have to answer back with anything if you click on it. What Windows will naturally do is try to reach out and connect to that server, and when it does it will try to log on. To log on, it sends the user's Windows username and a hash of the password. The login is then rejected because it was not legitimate, and the user basically sees nothing happen. But the bad actor now has the password hash, which can typically be cracked in a couple of days.
This is why, in my presentations about password security, I recommend either the use of Multi-Factor Authentication or a much longer password. A complex password does not add any effort to the brute force cracking of a password hash; only length does that. My MacBook Pro can run through 6.8 billion combinations per second. That means I can crack any 8 character password, no matter the complexity, in 193 hours. But in reality I will find the answer within 50% of that time rather than searching to the end of the character space. So in 4 days with just my laptop, I have your password after this exploit. If I push the job into AWS, I can do that in less than a day. But make that password 9 characters and suddenly it's 300-700 days to crack it. Still feasible with enough compute. But at 20 characters plus, it is out of the range of feasibility to brute force that password. But even without brute forcing the password, I can just inject the hash back into a login stream and never even need to crack it. This pass-the-hash method can often set off some warning alarms within an environment, but typically, those logs are not being looked at until well after the breach has occurred.
And don't take this as my saying not to use Zoom and to use one of the other tools instead. Each tool has its own flaws. Our sudden massive uptick in the use of these tools is what is now bringing some of those issues to light. Similar issues exist within many of these tools, and the providers are working on resolving them as we speak. The UNC issue within Zoom was fixed a day after it was discovered. This is just a reminder to ramp up your security and security monitoring in other areas to watch for new activity that is harder to see. The baseline of the activity you see is constantly changing right now, and it becomes difficult to know what is malicious.
And an easier way for a malicious actor to gain from your business is Social Engineering. In just the month of March 2020, phishing attacks ramped up 667%! The nefarious actors see the opportunity to gain from the confusion that is happening today. When users cannot see each other a couple of cubicles over, they are more susceptible to these attacks. The only way to really combat this is to train the users not to fall for these schemes. When something seems questionable, question it. If they have multiple ways to communicate with each other, then send a confirmation over another channel. For example, if you get a request via email, confirm that request through Teams or a phone call. If you see a link that appears suspicious, do not click it; send it to the IT department as a potential phishing lure first. I am a big fan of KnowBe4. Check out their training and their anti-phishing tools as great additions to your environment.
If you need some assistance keeping your credit union secure in these times, we have prepared some resources such as Work From Home Policies and Procedures, Pandemic Incident Response Plans, and updated procedures for Disaster Recovery and Business Continuity during these times. Contact us and we would love to help your credit union stay safe, not only from the biological virus, but from the cyber viruses that can be introduced into our environment during these times.