During the current COVID-19 pandemic, professionals around the world are working from home and connecting remotely to their organizations' networks to stay productive in their respective businesses and occupations. In the mind of a cybercriminal, now is the perfect opportunity to attack organizations and their employees. Whether the goal is to steal valuable information, disrupt productivity, or simply take down a network, cybersecurity risk is expected to grow during this pandemic. To prepare your institution for the challenges ahead, a few of the most common cyber-attacks and risks are presented below, along with the controls and procedures that can be put in place to mitigate them.
Social engineering is a familiar attack that we should all be aware of, as it is one of the leading causes of security breaches among organizations and institutions. Social engineering can be defined as a set of techniques used by cybercriminals and hackers to lure users into providing or granting access to confidential information, infecting their computers and systems with malware, or opening links to infected websites. The most popular and widely used social engineering technique is the classic "phishing" e-mail, crafted to persuade users that the message comes from a legitimate source (such as a trusted entity or an automated system), with the purpose of obtaining access to company data. Once a user is lured into providing credentials, or simply clicks a link in the e-mail, malware such as viruses, spyware, or ransomware can be installed on the device instantly, or access can easily be gained to a system containing sensitive data.
Although phishing may be considered the most common social engineering technique of the past 30 years, cybercriminals use many other types as well (malware, dumpster diving, shoulder surfing, etc.). So what can your organization do to prevent an attack? The best solution is security awareness training for all employees within the company. Users must be properly trained never to click links that seem suspicious, and must know the best practices for guarding their log-in credentials, whether at the office or working from home. As state regulations have been requiring institutions to perform adequate security awareness training on an annual basis, training programs should be given higher priority. An institution could also consider hiring a third party to perform a social engineering test, with the purpose of testing the knowledge of its employees and identifying any weaknesses that could be improved.
Unlike social engineering, ransomware attacks do not have to rely on luring or tricking users in order to gain access to systems or sensitive information. Rather, a hacker could gain access to a user's network by finding security vulnerabilities within the network or by guessing weak passwords. Once a system has been compromised, malware is used to encrypt files and make them inaccessible unless a ransom payment is made to the cybercriminal. There are numerous ways this malware can infect a system, such as through attachments and links within phishing e-mails, or through an infected USB device or website. A well-known example that you may be familiar with is the WannaCry ransomware attack, which occurred in 2017. The attack was designed to exploit a vulnerability within Windows and caused an estimated $4 billion in financial losses worldwide.
As with social engineering, the best way to avoid ransomware attacks is through employee security awareness training. Employees should be educated enough to understand the harm that a ransomware attack could cause within an organization, and should continue to adhere to information security best practices. Other controls that can also be taken into consideration include continuously applying security patches to systems, performing continuous vulnerability assessments, real-time traffic monitoring, log monitoring and analysis, and reliable backup and recovery. With proper knowledge (along with common sense), simple measures such as training and testing can go a long way toward preventing a user from becoming the victim of an attack.
Third Party Risk
Third-party risk sits more on the governance side and can be defined as the potential risk that arises from financial institutions relying on outside parties (or vendors) to perform services and actions on their behalf. This arrangement gives third parties an extensive amount of access in order for them to perform their duties and services. Access can range from physical access, such as to secure facilities and server rooms, to informational access to data that may be classified as sensitive or critical. Because of this, organizations must do their part in mitigating third-party risk and make it a top concern.
With the current ongoing pandemic, the use of third-party services has increased tremendously, especially with professionals having the ability to work remotely from home. Some of the most common third-party risks that organizations should be aware of include the following:
Although managing third-party risk is an ongoing process, organizations should realize that it is more about prevention than reaction. In order to mitigate these types of risks, an enhanced governance program for the management of third parties should be established, along with designated responsible individuals. In the midst of COVID-19, organizations should continue to perform their due diligence and third-party review process while also considering the following:
Maintaining an Incident Response Plan
In addition to the recommendations listed above, your organization's Incident Response Plan should be well-maintained and include, at a minimum, the following:
1. Preparation: This includes, but is not limited to, developing policies and procedures in the event of a cyber-attack, prioritizing security issues, outlining roles and responsibilities, and establishing an Incident Response Team.
2. Identification: This includes identifying and assessing the incident, gathering evidence, deciding on the severity level, and documenting the actions to be taken.
3. Containment: Once your team has isolated the cyber incident, the goal is to prevent further damage. Steps may vary based upon the type of incident and severity level.
4. Eradication: The goal is to make changes while minimizing the effect on the operations of the organization. This can be achieved by stopping the incident and limiting the amount of data that has been exposed.
5. Recovery: The purpose of this phase is to bring the affected systems back into the production environment and, more importantly, ensure that they do not lead to another incident.
6. Lessons Learned: The Incident Response Team should identify if and how the incident was properly managed and eradicated. Actions that were taken should be evaluated, and areas where the Incident Response Team needs improvement should be identified.
The finalized Incident Response Plan should be tested at least annually in order to validate its effectiveness. The most commonly used test is a table-top exercise, which walks through different types of scenarios such as a security breach, an attempted network intrusion, the spread of malware throughout the organization, or a denial of service.
What Should Your Organization Continue To Do?
Cybersecurity risk is an area that should never be ignored and should always be treated with the utmost seriousness. In addition to the topics discussed above, new risks will continue to emerge in the world of cybersecurity. Your organization should therefore continue to implement the most effective controls to prevent these risks from materializing and posing a threat, and maintain the controls and procedures to follow should an incident occur.
Bottom line: if your organization experiences a security incident one day, members of the Incident Response Team must know their roles in order for the plan to be effective. At this moment in time, we are still unsure how long this pandemic will last, which will prolong the period during which employees work remotely. As many cybersecurity and information security professionals have stated, a cyber-attack should not be viewed as "if" it will happen, but rather "when" it will happen. The question is, will you be prepared when an incident occurs at your organization?
Jasper Zabala, CISA
Manager, Information Technology & Cybersecurity Audit Team
Jasper Zabala manages and conducts complex and thorough reviews of information technology and cybersecurity controls, disaster recovery and business continuity procedures, server room and physical security controls, internet/mobile banking processes, and core and network access controls. He also performs internal and external vulnerability assessments, penetration testing, social engineering testing and other IT/Cybersecurity risk management services for the Firm’s clients. Additionally, he has developed new processes for testing IT and Operational internal controls to align with SOX/FDICIA and the COSO framework. Mr. Zabala is a Certified Information Systems Auditor (CISA) with a B.A. in Information Technology and Informatics from Rutgers University. He has been with the firm since 2015 and previously served as an IT consultant.