Uncertainty, chaos, and distractions create an ideal climate for cybercriminals to thrive in, which is why we’ve seen the number of daily cyber-attacks increase in the midst of COVID-19, writes Geoff Schomburgk.

As COVID-19 has spread across the globe, the cyber attacks have also spread — closely following and evolving to target the increasing number of remote workers.

Whether it is for financial gain, data theft, or spying, attackers have targeted unprepared Australian organisations using a range of attack methods to trick unsuspecting or unaware employees that are working from home. The Federal Government has responded by raising concerns over international cybercriminals who are attempting to exploit users during the coronavirus pandemic for their own gain — specifically hospitals, medical services, and crisis response organisations.

The warning coincided with a new technical advisory detailing the most common tactics, techniques and procedures used by bad actors to target Australian networks.

This includes the creation of new, malicious domains masqueraded as genuine COVID-19 information websites. For example, some sites let individuals track the progress of the coronavirus on an interactive global map, but are actually injecting malware into users’ machines.

Additionally, there has been a rise in phishing attacks where users believe they are donating to a COVID-19 relief charity, but instead are entering their credentials or financial information into a phishing website. Business Email Compromises (BECs) and account takeovers are also growing in number. Some have even made ransom demands to well known Australian organisations, including money management company, MyBudget that confirmed a ransomware attack is responsible for a major outage which has left 13,000 clients in limbo and its payment services down for two weeks.

To keep up with the ever-evolving threats to an increasingly digital world, the lead Australian agencies for cybersecurity — the ACSC in cooperation with the Australian Signals Directorate (ASD) — have recommended that organisations implement eight essential attack mitigation strategies as a baseline.

The Essential Eight Maturity Model

The eight mitigation strategies are designed to minimise the potential impact of cybersecurity incidents and to improve cybersecurity maturity. It assists security and business leaders with self-assessing the maturity of their organisation’s security infrastructure using a Maturity Model with three maturity levels for each of the eight mitigation strategies.

Is this relevant for all organisations?

No single mitigation strategy is guaranteed to prevent all cybersecurity incidents, which is why organisations of all sizes are recommended to implement the eight essential mitigation strategies as a baseline. A common error that often causes complacency, and ultimately puts the organisation at risk, is adopting one mitigation strategy and stopping there without pursuing further strategies. Additionally, the ACSC specifically recommends that organisations should aim to reach “Maturity Level Three” for each mitigation strategy, and states that a phased approach should be adopted to achieve this.

What is MFA and why is it important?

One of the eight recommended mitigation strategies is Multi-Factor Authentication (MFA), which is defined as “a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier.”

MFA uses a combination of at least two of the following authentication factors:

• Usernames and passwords
• FIDO security keys (YubiKeys, Google Titan keys, etc.)
• Physical one-time password tokens (RSA SecurID, Symantec VIP, etc.)
• Biometrics (fingerprint, facial recognition, etc.)
• Smart cards
• Mobile app one-time password tokens (Google Authenticator, Authy, etc.)
• SMS messages
• Emails
• Voice calls
• Software certificates

MFA is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and stealing sensitive information. In fact, MFA is one of the Essential Eight mitigation strategies proven to limit the extent of cybersecurity incidents, such as phishing, man-in-the-middle attacks and malware.

While MFA should be implemented wherever possible within an organization, the Essential Eight “Maturity Level Three” states that it is particularly important to protect privileged users in positions of trust, access to highly sensitive data repositories, or employees that log in to corporate data via VPNs, RDP, SSH and other remote access technologies.

Achieving maximum security with security key MFA

The Australian Signals Directorate states that Australian organisations should use FIDO Universal Two Factor (FIDO U2F) security keys as their MFA method to achieve maximum security and effectiveness.

Security keys should be certified by the FIDO Alliance to ensure they are in compliance with the latest FIDO specifications, FIDO U2F or FIDO2. FIDO U2F is an open authentication standard for 2FA that enables internet users to securely access any number of online services with one single security key instantly – no drivers or client software needed. FIDO2 is the latest generation of FIDO U2F and allows for the added capability of passwordless login. An extensive range of enterprise services already support FIDO U2F and FIDO2 including major identity access management (IAM) vendors, password managers, VPN solutions, email providers, and more.

The Power of the Essential Eight

Whilst Australian organisations continue to navigate this challenging time, some have embraced it as an opportunity to adopt a ‘new normal’ approach to how and where their employees work and are accelerating their path to digital transformation.

It is important to remind Australian organisations that no single mitigation strategy is guaranteed to prevent cybersecurity incidents and they need to start enforcing strong security by implementing all of the Essential Eight mitigation strategies. This proactive approach to their security will be more cost-effective in terms of time, money and effort than having to respond to a large-scale cybersecurity incident.

*Geoff Schomburgk is Vice President Australia & New Zealand, Yubico

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter