Categories
Security

Increase in remote work sparks insider threat concerns

Any horror movie junkie will tell you, if the protagonist gets a creepy phone call, it’s probably coming from inside the house. That same logic can be applied to cybersecurity and insider threats — especially now that more than half of US employees are working remotely. In fact, insider threats increased by 25 percent last year, thanks in large part to remote work. 

Insider threats are largely misunderstood, yet their costs to organizations can be just as high as attacks by cybercriminals. And while breaches by insiders are most often the result of well-intentioned negligence, remote work has further complicated (and diluted) office security, leading to an increase in the use of shadow IT. Of course, we can’t forget that deliberate, malicious sabotage by insiders, though less common, is also made that much easier by remote work.

Remote work a boon for insider threats

As of today, more than half of the American workforce is working remotely “always” or “sometimes,” according to a February 2021 Gallup. More than a year into the pandemic and remote work is holding strong — and so are insider threats. 

In fact, insider threats have risen sharply over the last three years in volume and cost. The 2020 Cost of Insider Threats Report by Ponemon Institute found that malicious insider threats increased by 47 percent from 2018 to 2020. In addition, the cost of those threats surged 31 percent over the same period, from $8.76 million to $11.45 million. Of all industries, retail and finance experienced the most growth in insider threats over the two-year period. 

But a rise in remote work is adding fuel to the fire, leading to an even greater increase in insider threats through the pandemic and beyond. Forrester found in its Predictions 2021: Cybersecurity report that breaches caused by employees increased by 25 percent in 2020, thanks in large part to remote work. 

So why does remote work cause insider threats? 

Insider threats were far less threatening before the rise of remote work. Before the pandemic, a minority of organizations’ employees worked remotely, so security policies were lax. (As were the security habits of remote workers.) A lack of physical oversight made it difficult to enforce stronger policies or even to push out updates. Weakened traditional office security infrastructure, going from brick-and-mortar to virtual, also allowed for more mistakes by employees and more opportunities for malicious actors. 

Malwarebytes Labs’ 2020 report on Covid’s impact to business security found that 20 percent of organizations experienced a breach because of a remote worker. Pandemic conditions often led to hastily thrown-together remote infrastructures built by potentially outstretched, overworked, or underfunded IT/security teams. Work from home (wfh) user behavior also led to mistakes, resulting in security breaches. That behavior has only been exacerbated the longer the pandemic has stretched on. 

Margaret Cunningham, principal research scientist of Forcepoint X-Labs, recently conducted a survey of 2000 European workers’ wfh behaviors to determine why insider threats happen. She found that while younger workers reported a much higher use of shadow IT than older workers, an average of 50 percent were using some sort of shadow IT. That’s a lot of people and a lot of different exposure points for organizations’ assets and data. 

The survey found that mistakes were made by users because of:

  • increased stress (especially for caretakers, such as parents or those caring for a sick or disabled family member) 
  • blending of personal and professional boundaries 
  • lots of distractions 
  • well-intentioned innovation or creative problem-solving 

This last one is interesting and may be a harbinger of increased insider threats to come. An employee may be working on something potentially innovative or creative to get their job done, but in doing that, they create security issues.

All of this well-intentioned behavior doesn’t mean the entire US workforce is benevolent. While the majority of insider threats are honest mistakes, there are still plenty of malicious insiders. Ponemon’s 2020 Insider Threats Report also found that 23 percent of insider threats are deliberate, malicious acts. 

Case in point: In Q4 2020, Shopify was breached in an insider incident. The customer data of about 200 merchants was exposed by two employees who were scheming to steal transaction data. The data exposed included details like email, name, street address, and order details, but didn’t involve complete payment card numbers or financial information. 

While malicious insider threats are less common, they are more costly than those made by careless mistakes. Ponemon found that careless or negligent employees cost organizations an average of $307,111 per incident, and malicious insiders or credential thieves cost $871,686. The cost of insider incidents on the whole has surged by 31 percent over the last two years. 

So what can organizations do to mitigate these risks? What’s NOT going to work is making it even harder to do work because of stringent security policies. We need to think more about what people are doing and why. 

Cunningham’s survey showed that the sense of being burdened by security policies mirrors the use of shadow IT: It’s parallel. We may need to loosen our guard in one area — allow some low-risk security faux paus — in order to shore up the other. Security and IT teams should also be more communicative about why they’re blocking access or what’s at risk. 

For more information on risk mitigation for insider threats, check out this article on building a secure, cloud-based remote workforce: https://blog.malwarebytes.com/business-2/2020/03/remotesec-achieving-on-prem-security-levels-with-cloud-based-remote-teams/

For a refresher on best wfh security practices, consider sending your employees this article: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Here’s a video interview of Margaret Cunningham discussing the factors that influence remote worker behavior: https://www.bankinfosecurity.com/remote-work-creates-insider-threat-concerns-a-16240

Categories
Security

Brute force attacks increasing on open RDP ports

Ever watch a procedural cop show where the lead detective is some kind of password savant? Then you know this scene: The detective walks into a suspect’s apartment, finds a locked computer, and, after his partner complains they’ll need NSA hackers to get in, cracks the tricky password in a single try. While I love a good Hollywood cybersecurity gaffe, the truth is Detective Special Skills actually would have a decent chance at getting into that computer if he knew the suspect’s name and attempted using a few of the most popular default passwords today. (I’m looking at you, 1-2-3-4-5.)

But let’s say this suspect is a little more tech savvy and has a stronger, unique password in place. That’s game over, right? No getting in? Unfortunately for us good guys trying to protect our personal or business data, the answer is no. By using brute force attacks that automate trial and error, cybercriminals are able to run thousands or even millions of username and password combinations until they crack the code for credentials.

COVID-19’s grip on the global workforce has remained tight for nearly three quarters, keeping the majority of corporate employees — including technicians, security, and IT staff — confined to their homes. The repercussions of ongoing work-from-home conditions continue to be felt, especially a generally weaker security posture for all organizations, the natural result of having a distributed workforce. One such repercussion is a massive increase in open RDP ports, from 3 million in January 2020 (pre-Covid) to 4.5 million in March (post-Covid).

Cybercriminals of course pounced immediately, and to our detriment, they keep throwing everything they’ve got at us. COVID-19 misinformation, scams, social engineering laced with malware, Emotet and more of its friends, digital card skimmers, targeted ransomware attacks, and now brute force attacks, which themselves are methods of endless, everything-but-the-kitchen-sink attack.

Brute force attacks are typically automated or conducted via application, which allows threat actors to “set it and forget it,” coming back to their target once the app notifies them of a successful crack of the desired credentials. And lately, they’ve been cracking open a lot of RDP ports, exposed to the Internet so that remote workers can access company resources from home or IT staff can troubleshoot employee devices remotely.

Once cybercriminals have brute forced their way into an open RDP port, they can launch ransomware attacks, install keyloggers or other spyware on target organizations, or conduct espionage or extortion — pretty much a nightmare scenario. To protect against brute force attacks and shield RDP ports, I recommend:

  • Limiting the number of open ports
  • Restricting access to RDP ports to only those that need it
  • Enhancing security of the port and the protocol (with security software that blocks malicious IPs from compromised servers, for example)
  • For remaining RDP port users, disabling legacy usernames, rotating passwords, and enabling 2FA

At Malwarebytes, we’re now exploring new protective features to combat rising brute force attacks on open RDP ports. Stay tuned for some news on that soon!

To learn more about brute force attacks on the rise and how to protect open RDP ports, read our blog on Malwarebytes Labs: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/

For advice on how to protect RDP access from ransomware attacks: https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

And for a refresher on best security practices for all work-from-home employees: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/