No Vaccine in Sight for Ransomware: Tackling Security Challenges in the Remote Work Reality

From healthcare to education to critical infrastructure, nobody seems to be safe from cyber attacks. Not even video game creators. 

News broke in early June 2021 that video game giant Electronic Arts (EA) was one of the latest victims of a major breach. 

At first glance, this is just another story of hackers breaking into a victim and finding their way to a sizable pay day. Nothing new here. Plenty of attacks happen every week, right?

However, it was the way the attackers got in that made this one interesting.

According to Sergiu Gatlan’s reporting in BleepingComputer, the attackers bought a stolen authentication cookie for EA’s Slack workspace. That cookie let them get into the workspace as an existing employee and message the IT helpdesk, where they told a story about losing their phone at a party over the weekend and needing help to log back into their account. 

This story mattered because it gave the attackers a way around the multi-factor authentication (MFA) that EA presumably had on its accounts: rather than breaking the second factor, they asked a human to bypass it. 

The IT helpdesk, trying to be helpful, then helped the attackers create an account and “get back into action”, as it were. 

Once they held a legitimate account, the attackers worked their way through EA’s network to the source code. While there is no evidence that customer data was compromised, source code is the company’s “crown jewels”, since it is the product itself. The attackers then reportedly claimed to have buyers willing to pay $28 million for the stolen code. 

Tackling Security Challenges in the Remote Work Reality

On the face of it, this is yet another cyber attack: yet another company has had a security process break down and is dealing with the unfortunate consequences.

However, there is more to learn from this incident than the fact that the attackers succeeded.

It is really a story about how security teams are still adjusting to remote workers, and apparently still have a way to go. 

From the start of the COVID-19 pandemic, authorities and cybersecurity experts warned that attackers would take advantage of employees working remotely. They expected organizations to bend (or even break) the rules and good security practices that prevent these kinds of attacks, because people could no longer show up at the office and handle security incidents face-to-face.

In the pre-COVID-19 era, an employee who lost their phone would have had to show up at the IT department, and likely get approval from Security as well. Since we are still in the remote phase of the recovery, many organizations find themselves in a grey zone where that in-person step has no agreed replacement. 

This is just how the hackers like it. 

Given the massive costs of falling victim to one of these attacks and their likely continuation ad infinitum, what can companies do to better protect themselves when tackling security challenges in the remote work reality?

Strategies for Data Loss Prevention

Reducing the risk of compromise involves many processes and practices, but here are a few of the big ones that can help keep your organization a fair bit safer.

Keep Using Multi-factor Authentication

The first point to raise is that the attackers did not break MFA; they talked a person into bypassing it. Strong authentication measures like MFA still provide a significant margin of safety and should be used everywhere. 

A report from Microsoft in 2019 found that MFA can block 99.9% of account compromise attacks. There will always be cases where a clever bit of social engineering gets around a technical control, but the numbers are clear: MFA puts the statistics in your favor. The practical lesson of this incident is that the reset and recovery path is part of the MFA control. A second factor that the helpdesk will replace on the strength of a Slack message is only as strong as that helpdesk process, so recovery deserves the same identity verification as the original enrollment.

Use Activity Monitoring and Behavior Analytics Tools

Having a monitoring solution in place that can track and identify suspicious activity from employee devices or accounts is important for the case where the attackers do succeed in compromising an account.

Picking up on anomalous behavior can raise a red flag that someone is not who they say they are. Beyond the classic insider case, where a disgruntled or opportunistic employee tries to steal from or damage their employer, hackers love to use compromised credentials to work stealthily inside the victim’s network, running silent until they can exfiltrate their stolen goods. The sequence in the EA story, an MFA reset requested over chat, then a login from an unfamiliar device, then access to source code, is exactly the kind of chain these tools exist to correlate.

By using activity monitoring and behavior analytics tools, organizations can spot suspicious activity and shut it down in near real time, ideally mitigating the risk before any serious damage is done.
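As an added example of what that correlation looks like in practice (this is illustrative code written for this article, not code from the article, from EA, or from any monitoring product), the script below runs a single rule over a handful of constructed log lines: a helpdesk MFA reset, followed within a window by a successful login from an IP address or device the account has never used, followed by a clone of a sensitive or unusually large repository. The log format, field names, user names, IP addresses, repository names and thresholds are all assumptions made up for the example.

```python
"""Correlate a helpdesk MFA reset with the anomalous activity that follows it.

Added example for this article; it is not code from the article, from EA,
or from any monitoring product. The log format, field names, user names,
IP addresses, repository names and thresholds are all constructed.
"""
from __future__ import annotations

import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log. One event per line: "<timestamp> <source> key=value ...".
# sue has a week of logins from office addresses, then a helpdesk MFA reset,
# a login from an unseen address and device, and a large clone of a sensitive repo.
# bob clones the same repo from his usual laptop with no reset in front of it.
SAMPLE_LOG = """\
2021-06-01T08:55:02Z auth user=sue action=login ip=198.51.100.20 device=laptop-sue result=success
2021-06-02T08:57:41Z auth user=sue action=login ip=198.51.100.20 device=laptop-sue result=success
2021-06-03T09:01:15Z auth user=sue action=login ip=198.51.100.21 device=laptop-sue result=success
2021-06-04T14:12:09Z vcs user=sue action=clone repo=build-tools size_mb=40
2021-06-07T09:02:11Z helpdesk agent=it.agent action=mfa_reset target=sue note="lost phone at a party"
2021-06-07T09:05:40Z auth user=sue action=login ip=203.0.113.77 device=unknown-android result=success
2021-06-07T09:20:03Z vcs user=sue action=clone repo=game-engine size_mb=3100
2021-06-07T10:15:22Z auth user=bob action=login ip=198.51.100.30 device=laptop-bob result=success
2021-06-07T10:30:00Z vcs user=bob action=clone repo=game-engine size_mb=3100
"""


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict[str, str]


@dataclass
class Alert:
    user: str
    reset_at: datetime
    login_at: datetime
    access_at: datetime
    reasons: list[str]


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, source, *pairs = shlex.split(line)  # shlex keeps quoted values intact
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, source, dict(p.split("=", 1) for p in pairs)))
    return sorted(events, key=lambda e: e.ts)


def detect_reset_abuse(events, window=timedelta(hours=24),
                       sensitive_repos=frozenset({"game-engine"}), large_clone_mb=1000):
    """Flag: MFA reset -> login from unseen IP/device -> sensitive access, all inside `window`."""
    known_ips: dict[str, set[str]] = defaultdict(set)
    known_devices: dict[str, set[str]] = defaultdict(set)
    pending_reset: dict[str, Event] = {}                     # user -> latest helpdesk reset
    suspect_login: dict[str, tuple[Event, list[str]]] = {}   # user -> (login, reasons)
    alerts: list[Alert] = []

    for ev in events:
        f = ev.fields
        if ev.source == "helpdesk" and f.get("action") == "mfa_reset":
            pending_reset[f["target"]] = ev
            continue
        user = f.get("user")
        if user is None:
            continue

        if ev.source == "auth" and f.get("action") == "login" and f.get("result") == "success":
            reasons = []
            reset = pending_reset.get(user)
            if reset is not None and ev.ts - reset.ts <= window:
                if f["ip"] not in known_ips[user]:
                    reasons.append(f"post-reset login from unseen IP {f['ip']}")
                if f["device"] not in known_devices[user]:
                    reasons.append(f"post-reset login from unseen device {f['device']}")
            if reasons:
                suspect_login[user] = (ev, reasons)
            else:
                # Only unflagged logins extend the baseline; otherwise the attacker's
                # first login would teach the detector that their IP is normal.
                known_ips[user].add(f["ip"])
                known_devices[user].add(f["device"])

        elif ev.source == "vcs" and f.get("action") == "clone" and user in suspect_login:
            login, reasons = suspect_login[user]
            if ev.ts - login.ts > window:
                continue
            why = []
            repo, size_mb = f.get("repo"), int(f.get("size_mb", "0"))
            if repo in sensitive_repos:
                why.append(f"clone of sensitive repo {repo}")
            if size_mb >= large_clone_mb:
                why.append(f"large clone ({size_mb} MB)")
            if why:
                alerts.append(Alert(user, pending_reset[user].ts, login.ts, ev.ts, reasons + why))
    return alerts


if __name__ == "__main__":
    for a in detect_reset_abuse(parse_log(SAMPLE_LOG)):
        print(f"{a.user}: reset {a.reset_at:%H:%M}, login {a.login_at:%H:%M}, "
              f"access {a.access_at:%H:%M}")
        for r in a.reasons:
            print("  -", r)
```

Run on the sample, the rule fires once, for sue, and stays quiet for bob even though he clones the same large repository, because nothing about his login is unusual and no reset preceded it. Two design points carry over to real tooling: a post-reset login from a known device and address (the genuine employee with a replacement phone) produces no alert, and a flagged login is deliberately kept out of the baseline until someone has confirmed it, so the attacker’s first session cannot normalize their own address.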

Make IT a Little Less Helpful

It may seem a bit counterintuitive, but organizations need to train their IT teams and other employees to be a little less helpful and a bit more suspicious. 

If we were in the office and received a suspicious message over Slack or email from a colleague, say Sue, asking us to take a risky step or break a rule, we would simply walk down the hall and ask her in person. In the remote setting, that is harder. 

The best practice is to confirm her identity over a separate, verified channel. It does us no good to ask Sue whether she is really Sue over the same channel she is using to ask us to go out and buy a stack of iTunes gift cards to pay a vendor.

Instead, pick up the phone, or reach out on a communication platform that is disconnected from the one the message came through. Yes, it is a bit slower, but that is the point: add friction and avoid critical mistakes.

Put a Plan in Place for the Hybrid Future of Work

Now that rates of COVID-19 appear to be declining across much of the western world, organizations have begun setting “Return to Office” (RTO) dates and putting plans in place for hybrid working. 

Beyond the health precautions that will need to be enacted, we are going to need to rethink our cybersecurity practices as well. 

If an employee loses their phone, is it enough for them to come into the office and get their access approved by another human in person? That may not be appropriate in every case, but where access to the company’s core IP is concerned, it probably should be. 

Many organizations have their RTOs set for September. Plenty of others have decided that their employees can work from home forever. For most, the future will likely be a hybrid mix where not everyone shows up in person every day, and remote becomes a fixed part of the way that we work. 

In any case, now is the time to think about those policies and start planning how to deal with these challenges and prevent the next attack.

Isaac Kohen