With so many people working from home, more attackers are adapting their strategies to focus on employees as a way to bypass organizations’ defenses, FCW reports. During a webcast hosted by Venable, several Federal and industry experts discussed the challenges associated with remote work, particularly in organizations that previously required physical modes of identification.
Sean Connelly, Trusted Internet Connection (TIC) program manager at the Cybersecurity and Infrastructure Security Agency (CISA), said attackers are increasingly using fake social media accounts and phone calls to trick employees into handing over their credentials or installing malware.
“Those attacks are shifting everywhere traditional network security controls are not located,” Connelly said. “Many attackers are actually calling employees and encouraging them to log on to those fake pages and then grabbing their credentials from those pages.”
Connelly added that it’s much harder to defend against phishing attacks on social media when employees are working from home.
“How do you put security controls around a social messaging app?” Connelly asked.
Wendy Nather, Head of Advisory CISOs at Duo Security, explained that many previous security assumptions are suddenly no longer applicable.
“Because we're not physically co-located anymore, there are a lot of authentication factors we used to assume, that we now can't use,” Nather said. “If somebody calls the help desk, how are you going to verify them if they can't walk over and show you their CAC [Common Access Card]?”
Likewise, Ross Foard, a senior engineer at CISA, said well-established forms of authentication in the government are hard to transfer to a remote environment.
“Some of the things that we've long held as pretty strong controls like the PIV [Personal Identity Verification] and the CAC, they have weaknesses now because a PIV card requires an in-person validation, like a fingerprint,” Foard said. “That is not as easy to do now.”
Despite these difficulties, organizations need to continue operating. New-school security awareness training can help your employees to thwart social engineering attacks in both their personal and professional lives.
FCW has the story.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
