The world as a whole is coming together to quell the spread of COVID-19 by limiting social interaction and, in some instances, initiating full quarantines. Schools are closed for weeks, if not longer. Organizations have initiated very strict work-from-home policies to keep employees safe, and many restaurants and bars are only open for take-out service. If these mandates had been initiated 15, or even 10, years ago, the world would essentially have come to a standstill. Luckily, amid all of this, we live in a time where technology enables us to continue operating with a high level of consistency and effectiveness.
From schools shifting to virtual learning platforms, to businesses using online meeting solutions, these technologies are being relied upon and utilized in new and interesting ways, now more than ever before. In light of these changes, it’s critical that we consider what we’re using these distance-enabling technology platforms for, what new risks are emerging as a result, and what new threats we must contend with.
We’ve already seen adversaries leveraging this situation for their benefit, and while some have promised to stand down on these types of attacks, we’ve learned time and time again that as soon as we become complacent, we become exposed, and our risks increase exponentially.
As individuals and organizations look to leverage new digital tools and applications in our current environment and beyond, your security checklist for staying technologically safe should include the following:
- For virtual schooling, ensure there are multiple security checks and balances, plus very detailed communications surrounding cybersecurity best practices for students and their parents who may not be accustomed to e-learning platforms. This is a prime opportunity for phishing attacks from adversaries looking to compromise identities to steal PII data. Make sure that links and URLs are validated and that the sharing of documents is only done via the specific platform in use.
- In the context of emails, look for misspelled words, identify poor language usage, and examine every image for anything that looks out of place. If something looks suspicious, don’t click on it. This will help prevent ransomware or other attacks. If you are unsure of an email or URL, follow up with the sender via phone call, text, etc. before you fall into an attacker’s snare. Never provide personal information over the phone.
- For businesses, ensure you’re following the same steps laid out above. However, keep in mind that your security posture needs to be even more rigorous, as malicious actors are after your customers’ PII data and the confidential information you may be working on and sharing via virtual technology platforms. Using your corporate VPN, in addition to a private VPN, is a way to provide a layered security approach. Also consider the risks of transferring non-encrypted data across the internet, since you may be sending data or documents via a new home-office connection.
- When it comes to software applications, don’t be fooled into updating them from counterfeit websites. When in doubt, open up the software application itself, find the “Help” or “About” function, and update from there. For example, to update Google Chrome, find the three vertical dots in the upper right corner of the browser. Select Help, then select About Google Chrome. This will automatically tell you if a valid update is available from Google. If there is an update, apply it immediately and follow further instructions. Most other applications have something very similar, plus you can always search for instructions on how to update an application from the company that makes the software.
- For the general public, try to separate daily “fun” activities from critical ones. That means don’t log into your bank account, retirement account, medical account, etc. while at the same time surfing questionable sites within the same browser. Physically log out of each and every site before moving on to anything else, don’t store passwords and banking information, and ensure you’re using different log-in credentials across sites.
- Stay away from social media surveys, contests, or anything else that prompts you to answer a litany of personal questions, like the year you were born, where you were born, mother’s maiden name, etc. Attackers who are trolling the web for nuggets of information often use it to compromise accounts. If attackers have somehow gotten your login credentials, many times the only other thing they need is the answers to the security questions you already provided them.
- If you see a URL or email address that makes no sense whatsoever, like firstname.lastname@example.org, you can almost guarantee it’s malicious. Also, suspect any domain that doesn’t have a .com, .edu, .gov, .org, etc. at the end. If you see URLs or email addresses with two characters after the final dot, they are country codes in almost all cases. For a list of two-letter country codes, see this link.
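An added example (not from the original article) of the domain-ending check described in the last item above, in Python. The function names, category labels and sample inputs are constructed for illustration; the ending is read from the parsed host rather than the raw string, so text in the path or before an `@` in a URL cannot stand in for the real domain.

```python
from urllib.parse import urlsplit

# Endings the article names as expected; its "etc." is not expanded here.
COMMON_TLDS = {"com", "edu", "gov", "org"}

def extract_host(value: str) -> str:
    """Return the lower-cased host of a URL, or the domain part of an email address."""
    value = value.strip()
    if "://" in value:
        # hostname drops userinfo, port and path:
        # "https://a.com@b.example/x.com" yields "b.example".
        host = urlsplit(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = urlsplit("//" + value).hostname or ""
    return host.rstrip(".").lower()

def classify(value: str) -> str:
    """Apply the article's rule of thumb to the final label of the host."""
    host = extract_host(value)
    if "." not in host:
        return "no-domain"
    tld = host.rsplit(".", 1)[1]
    if tld in COMMON_TLDS:
        return "common"
    if len(tld) == 2 and tld.isalpha():
        return "country-code"
    return "review"  # anything else, including raw IP addresses

# Constructed sample inputs (not taken from the article).
SAMPLES = [
    "teacher@school.example.edu",
    "portal.example.de/path",
    "https://example.com@login.example.xyz/account.com",
    "http://192.0.2.10/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):13} {extract_host(sample):22} {sample}")
```

A result of `common` only means the ending is one the article lists; it says nothing about who operates the domain, so the other checks in this list still apply.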
In addition, InfraGard, which is a coordinated effort between the FBI and private-sector security professionals, says to watch for the following:
- FAKE CDC EMAILS – Watch out for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or other organizations claiming to offer information on the virus.
- PHISHING EMAILS – Look out for phishing emails asking you to verify your personal information to receive an economic stimulus check from the government.
- COUNTERFEIT TREATMENTS OR EQUIPMENT – Be cautious of anyone selling products that claim to prevent, treat, diagnose, or cure COVID-19.
Although the recommendations above are a starting set of guidelines, if everyone does their fair share in following these and others, they can immediately reduce their risk landscape. We’re living in a time where changes are occurring almost hourly. And while this may seem difficult, working together and doing our part – from washing our hands to enforcing secure technology usage habits – is critical, and will benefit us all in the long term. We hope that everyone stays safe and secure, both physically and digitally.