COVID-19 may not be the only virus health organisations need to worry about.
The current COVID-19 crisis afflicting the world has changed the lives of billions of people. Forced into isolation in both our private and working lives, more employees than ever before are now working from home across most industries. With this major crisis leaving many hospitals and healthcare organisations on the edge of their breaking point and more vulnerable to serious technological disruption, it was almost inevitable that the technological vultures known as cyber criminals would soon be circling, looking to maximise profits against vulnerable, high-value targets.
The following article is intended to shine a light on some of the recent concerns surrounding cyber security during COVID-19 that are occurring around the globe, and will provide readers with some quick safety tips and resources for further information. All information provided is general in nature, as we are not IT security advisers, and recommend specialist consultation where possible.
The Current Situation – Cyber Security During COVID-19
Healthcare organisations have traditionally prioritised spending (and rightly so) on equipment and staff over ICT infrastructure, which has unfortunately led to healthcare organisations often being behind the curve when it comes to cyber security with the perception of being “soft-targets” to cyber criminals.
Australia is no exception, as illustrated by the well-publicised ransomware attack affecting multiple Victorian hospitals in October of last year (ACS, 2019). Figures released by the Office of the Australian Information Commissioner (OIAC) showed the Healthcare provider sector to have the highest number of reported data breaches for the entirety of 2019 (OAIC, 2019).
A particularly severe event in the Czech Republic left a major hospital and COVID-19 testing centre without access to critical equipment, forcing the delay of surgical procedures and relocation of some patients to other institutions (Humanitarian Law & Policy, 2020).
Cyber Attack Vectors
Though ransomware/crypto attacks are often the most publicised methods of attack, increases in multiple attack types have been observed and warned against by numerous security agencies including the FBI, Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) to name a few (www.us-cert, 2020). Some of the more common ways in which attacks happen have been listed below.
Human/Social Engineering Risks
Regardless of the security posture of any organisation, and despite even the most robust IT systems, the weakest point in any infrastructure is always the user. Some common methods used to manipulate users into circumventing security controls are listed below.
There is a reason phishing emails are such a common occurrence, despite “Nigerian Prince” type scams being the “oldest trick in the book”—people are still falling for them, so they’re still being used. In this context, likely scenarios are emails convincing users to open malicious attachments that steal personal information or install remote access trojans (RAT).
Emails can also convince the user to click links to malicious websites that mine the user’s IP address or install Remote Access Trojans.
Several recent phishing campaigns have been observed on our shores, with emails purporting to be from the WHO and Australia Post for the exact reasons listed above.
Business Email Compromise (BEC) Attacks
Closely related to the phishing, several email scams have been reported whereby users are conned into donating money to COVID-19 charities, including some purporting to be from the WHO.
An additional form of a BEC is a spoofed email pretending to be from one of the targeted business’s VIPs, directing an employee to provide passwords or transfer funds to different accounts.
Closely related to the above voice phishing (vishing), is an impersonated phone call attempting to verbally achieve similar goals to phishing, by coercing a user into providing personal details, credit card numbers or browsing malicious web links.
SMS phishing (Smishing) uses SMS messages for similar purposes to vishing.
Tech Support Scams
Tech support scams may take any of the above forms and usually involve a malicious actor attempting to convince a user that they need to “urgently” access their computer remotely to fix an issue, when in reality they are after computer access to install a RAT or otherwise cause harm.
Obtaining remote access to a target system is particularly effective in circumventing firewalls, as often rules are applied that ignore returning traffic if it was initiated inside the network. Meaning while a malicious actor can’t launch malicious traffic directly from an outside source, they can have a user initiate first contact and then gain access via the reply traffic.
DDOS Attacks (Distributed Denial of Service)
There have been some minor increases in DDOS-type activities, where malicious individuals try to overwhelm systems with massive traffic volumes for botnet armies etc. Firewall policies can mitigate these as can most ISPs.
Software and Operating Systems
End of life or out of date OS software is always a security risk in organisations. Microsoft ended support for Windows 7 and Server 2008r2 in January of this year, meaning any newly discovered security vulnerabilities will not be patched in these operating systems and they should be upgraded as soon as possible.
Even the latest versions of operating systems are vulnerable without adequate security patching and up to date Anti-malware software.
Remote Access Technologies
The rapid expansion and increased reliance on work from home infrastructure, tools such as VPN appliances/concentrators, RDP endpoints, communications platform (Zoom, Skype) and remote access platforms such as Citrix, have exacerbated security risks and formed threats such as poor network design, configuration mistakes and out of date devices and software.
Several vulnerabilities were found to have been exploited in major vendor products including Citrix, Palo Alto and Fortinet. Likewise, an increase in phishing attacks centred around popular communications software products Zoom and Teams, where in some instances sessions were even hijacked by external sources.
A majority of these issues can be avoided, by merely ensuring OS, hardware and software products are up to date with the latest patches, and by using security controls such as strong passwords and two-factor authentication.
With the increased in aforementioned risks, it is clear organisations and medical Practices should take steps to ensure they do not become victims as a result of lax cyber security during COVID-19.
Though by no means a replacement for specialist cyber security advice, some simple risk mitigation steps for the above threats include:
- Stay abreast of current threats and trends. Links for some official advisories are included below.
- Carefully read and ensure emails are from a legitimate source and don’t click on suspicious links or attachments.
- Never give out account or personal information. Financial institutions will never ask you for passwords or account details.
- Ensure you only use supported and up to date versions of operating systems and software, with particular emphasis on anti-malware products and communications. Outdated software is more likely to be a target for security vulnerabilities.
- Ensure all remote access technologies are up to date with patches and monitor the vendor websites for notification of recommended updates.
- Use strong, hard-to-guess password or better yet “passphrases”. “mydogsnameisspot” is vastly superior to “spot123”. HINT: Password1 (or similar) is not an acceptable password at any time.
- Use two-factor authentication where ever possible. Though it can be frustrating at times, it is preferable to falling victim to a cyber attack.
- Always ensure you have backups of critical data and systems, preferably offsite and encrypted. This is particularly important for Best Practice Software users. For details on how best to back up your Best Practice software, contact support.
- Consult a cyber security specialist for tailored advice on cyber security during COVID-19.
This is a confusing and often daunting time, especially for those new to remote working arrangements, where the security and peace of mind of the office network is no longer present.
However, cyber security during COVID-19 starts with simple, manageable precautions that can and should be undertaken by everyone to ensure security for you and your organisation during this unprecedented time.
Security Advisory Services
Though by no means an exhaustive list, the following links are to official government security advisories for warnings, and should be monitored regularly for advice on cyber security during COVID-19.
Australian Cyber Security Centre
Australian Cyber Security Centre – Protecting Your Small Business
Department of Homeland Security – Risk Management for Novel Coronavirus
Mark Dexter | Technical Operations Analyst
Best Practice Software
ACS. (2019, 10 2). cyberattack-hits-regional-victoria-hospitals-.html. Retrieved from ia.acs.org.au
Humanitarian Law & Policy. (2020, 4 2). cyber-attacks-hospitals-covid-19/. Retrieved from blogs.icrc.org
Interpol. (2020, 4 4). www.interpol.int. Retrieved from Cybercriminals-targeting-critical-healthcare-institutions-with-ransomware
OAIC. (2019, 5 13). notifiable-data-breaches-scheme-12month-insights-report. Retrieved from www.oaic.gov.au
Reuters. (2020, 3 24). exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks. Retrieved from www.reuters.com
www.us-cert. (2020, 4 8). ncas/alerts. Retrieved from www.us-cert.gov