The problem with secondary infection – and how this relates to island hopping
June 24, 2020
Rick McElroy at VMware Carbon Black explains how criminals are using vulnerable third parties to target organisations and why remote working is making this problem worse.
One of the biggest challenges every country is facing with COVID-19 is that healthcare workers are sometimes becoming infected, often with no knowledge that they have the virus. In turn, these healthcare workers may be infecting people they are tending to.
This secondary infection, which has always been the worst-case scenario for the healthcare industry, really speaks to the concept of island hopping and why island hopping is so dangerous – because it is infection that occurs via a trusted partner.
For those less familiar, island hopping is the practice in which hackers attack third-party suppliers with weaker cybersecurity practices in order to reach their final target. Attackers use vulnerabilities in the first company’s defences as a point of entry to the second.
Today, island hopping is exploding. Attackers are using the digital transformation efforts of organisations to attack their customers, with increasing cyber-physical integration meaning that they are hijacking the physical environment of that entity, not just the technological environment. Here at VMware Carbon Black, we are seeing an increase in island hopping where networks, websites, mobile apps and the mail service of organisations are being commandeered. And all their digital transformation efforts are being seized. And then that infrastructure is pushing out attack code against their board, their company and their customers.
This has been exacerbated by the situation we find ourselves in right now. With everyone home working, there is a heavy reliance on collaboration tools and technology platforms that enable us to continue to work but these very tools, if not adequately secure, can be used to infiltrate organisations.
To date there has been a sharp increase in the number of COVID-19 related attacks such as phishing, spearphishing attachments, cybercriminals masquerading fake VPNs, remote meeting software and mobile apps, ransomware and island hopping. Attacks are targeting organisations from every sector, including healthcare organisations on the frontlines of the battle against COVID-19.
Remote work has intensified the underlying problems that have always existed - although not as heightened - when the workforce wasn’t working from home. I say this because now we’re having meetings in our living rooms, dining rooms, bedrooms and so on and we've built an entire security foundation that doesn't take into consideration aspects such as digital distancing, and which doesn’t protect organisations and users against cloud-jacking and lateral movement.
Attackers know this and they also know the implicit trust that the remote worker puts into VPNs and VPN security. And the implicit trust being placed on the endpoint being used because it is a corporate laptop. There is a lot of room for cyber-criminals to commandeer that endpoint and then hijack that secure tunnel, and the packets within that tunnel. It is very difficult for security professionals to monitor all packets coming through trusted connections.
And so, we need to do a much better job of protecting things from the inside out, we need to have the existing control points within the infrastructure, protect the infrastructure, intrinsically, and suppress attacks and behavioural anomalies in real-time.
Going back to our home network, users need to take their security much more seriously. We can't just rely on our employer to protect us at home just because we’re using a corporate laptop and a VPN.
Some of my recommendations are quite simple.
You need to practice digital distancing between your device and your spouse/partner and children's devices and the smart devices in your home. And the easiest way to do that is your router has two networks, one network should be dedicated just for your work devices and the other network should be dedicated to your spouse/partner, children's, and your personal smart devices.
You need to pay attention to your router and whether it is updated. Unplug it for a good minute and wait for it to reboot to make sure it has the latest firmware updates on it. And never use the same password that it came with.
And just like you would with your own home, where you close the windows, lock the doors and set the alarm, you need to take the same actions with your devices, and how you digitally distance your devices at home. I expect you have rules about conduct in your home, you should also employ digital rules around how your network is used by your children, by your loved ones, and by visitors.
And finally, remember today Infosec is no longer just restricted to the office or home, think about all the other devices that users connect to. As an organisation how do you inherently secure all these aspects so that you're ready for any event? It's not necessarily about securing the organisation, it's about securing people in the organisation who have their own cluster of devices, apps, passwords, home appliances that could all be used to infiltrate the company – they’re all potential islands from which attackers can hop into your network, or from your network into your customers.
And while we all continue to work from home, I’ll leave you with a few tips for utilising video conferencing software
Set passwords for meetings so that only invited attendees can join.
If sensitive material must be discussed, ensure that the meeting name does not suggest that it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers.
Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself.
Use a VPN to protect network traffic while using the platform.
Utilise two networks on your home Wi-Fi router, one for business and the other for personal use.
Are the supply chain processes fit for purpose in the 21st century? Bridget Kenyon, Global CISO, Thales eSecurity, joined us at #teissLondon2019 to deconstruct the complexities between trust and security.