Now that more people are working remotely – as many states have issued shelter-in-place or closed all non-essential businesses – the likelihood of being the victim of a ransomware or phishing attack has risen.
HousingWire spoke to Ellie Mae Senior Vice President and Chief Security Officer Selim Aissi about how an attack could happen, what it might look like, and what to do if it does happen.
Aissi has an extensive background in information security, serving as the vice president of global information security at Visa and as a security strategist and architect at Intel before his current role at Ellie Mae.
Ellie Mae has been running exercises that simulate the challenges of having employees work from home, which has helped prepare the company for the current situation.
This interview has been lightly edited for length and clarity.
Q: Do you think people within the industry take this (cybersecurity) seriously enough in the context of the current pandemic? Why or why not?
A: I think our industry is taking it very seriously. There’s a lot of information being shared and I think there’s a lot of escalation of monitoring. I can see that across the industry, so there’s definitely a high alert. There’s a lot of custom malware that’s being distributed.
We know people are sitting at home, just spinning up websites and infecting malware. We have seen some ransomware out there as well.
Q: How is the disruption to not only the market, but people’s home and work lives increasing the risk of phishing and ransomware, etc.?
A: I think there are probably four different areas where the risk is increasing. First, where companies have not ensured that the endpoints and laptops that people are taking home are secure — with data loss prevention, malware protection and all of the necessary protection at the endpoint. That could be a huge gap, because people are not connected to the network within the corporate environment now, they’re somewhere else. But those endpoints definitely need higher security.
Second, I think there’s definitely some behavior where people are working remotely, but also searching for information: where they can buy toilet paper, which stores show up. And this thing about [COVID-19] infection maps, people are looking for where the infections are, and that’s where the bad guys are spinning up websites and phishing these people.
I think the third area where risk is increasing happens because people are busy at home with the kids running around having to do their work, and they’re probably not paying enough attention to phishing attacks, and we’re seeing a huge peak right now with COVID-19 phishing. That’s the biggest threat we see from an enterprise perspective.
And I think the fourth thing is, [we] are working from home, while some people might be working from coffee shops, they could be working from unsecure WiFi or hacked WiFi connections.
Q: A lot of people have been forced to start working remotely – how does using a home connection as opposed to a professionally secured network affect cybersecurity risks? Should all remote workers be using Virtual Private Networks?
A: Email usually doesn’t require VPN. A VPN is great when you’re a programmer and you’re accessing sensitive information on the corporate network. For normal tasks, like this video session or Zoom, that doesn’t need to be over a VPN. What we try to achieve is securing the endpoint.
So, when I send an email from my laptop, it’s secured over whatever connection, whether I’m using Ellie Mae internet in the building or I’m using my WiFi connection. The traffic is secure because we’re securing people’s laptops, from data leakage, from anti-malware and also a lot of these applications. They’re encrypted end to end, so it doesn’t matter what WiFi connection I’m using, or what network I’m using.
Q: What extra measures should people take to protect themselves and their clients’ data when working remotely or from home?
A: The extra precautions people should be aware of are, first they shouldn’t be clicking on anything that looks suspicious. They need to pay attention to all of the flood of information about the pandemic. People offering to help, companies who are offering help, they need to be really careful with their official sources for pandemic information such as the [Center for Disease Control], they only need to go to trusted sources, that’s a big one. There’s definitely an increased volume of those types of phishing attacks.
Second, they need to make sure that if they need to work outside of their home, they need to use a WiFi connection that is a trusted connection. I think the third one is definitely if they are going to use any critical application, or they need to access code repositories, development environments, anything that could potentially be touching production environments, or any critical business applications, or data, customer data, they need to use VPN. Or, they need to use another secure channel, such as VDI. So, there are some secure mechanisms of accessing critical applications, critical systems that must be utilized in these types of remote working situations.
Q: Does social distancing have an effect on phishing and ransomware risks, considering a notable percentage of the workforce has gone remote?
A: I think people are now starting to feel lonely, they’re starting to feel like they’re not having their teammates to talk to close by, and they don’t have the water cooler conversation over lunchtime. They’re reacting to a lot of the social media interactions and we’re observing a huge spike of malicious information and malicious messages going to people because there is a need for people to interact with their friends, their colleagues, family members.
The adversaries are taking advantage of this social inconvenience, this situation. Now, they take advantage of a sense of urgency when you need to file taxes. They could send you a phishing email saying ‘hey, your filing didn’t go through.’ It’s the same thing here — they know people are in need of information they need to hand out to their friends, they can send them urgent messages, offering either services or connections or other types of things that would fill this need for social interaction. [They are] definitely, definitely taking advantage of that.
Q: Is Ellie Mae seeing or capturing any data or insight into cyberattacks in the lending process? How are they advising lenders to be more safe and secure?
A: We’re definitely monitoring our own environment and our threat landscape. We are definitely tightening up our threat intelligence regarding Ellie Mae. And by doing that, obviously we’re protecting our customer data and our services that we offer to our customers.
Q: What is the biggest technology challenge Ellie Mae clients are seeing in the shift to remote?
A: I think the technology challenge which we took on from the get-go, was the potential saturation of our VPN communication, which was not the case. We revamped our VPN capability before sending everybody home. I think the other challenge was the potential of reaching capacity on some of the services such as Zoom and things like that and, knock on wood, it’s still going fine, I think we have enough bandwidth.
From an operations perspective, things are normal. We’re monitoring hour by hour, we have all of these stand-up meetings every day. I’m probably attending about a dozen stand-ups every day with just monitoring and watching. Things are normal… I think we’ve been over-prepared for a lot of this… even from a pandemic management perspective.
Within our anti-phishing program, about four years ago we started running phishing simulations on a very regular basis. We change this theme all the time. Sometimes it’s personal themes, sometimes it’s work-related themes and we monitor the numbers. We send the notifications to the people who click on our phishing simulations. Also from a technical perspective, we’ve deployed some intelligent tools to detect behavior of these types of attacks. And, also from an email gauge perspective, we built a bunch of rules to reduce the number of these spray-and-pray types of attacks, and also targeted attacks. So we have different techniques for different types of attacks from a phishing perspective.
And then, from an awareness perspective, Erica [Bigley] has been a great partner with me on this, we publish articles on a regular basis for employee awareness. In fact, this week we published an article on how people can protect themselves against pandemic-specific phishing attacks, providing a lot of guidance, a lot of details, some infographics and visuals for people to look at.
Q: What should you do if and when you are attacked?
A: The best way to deal with it is to be able to detect it and block it. Typically what we really worry about as a SaaS company is the phishing attack that has been infected, or sometimes what we call a weaponized attachment. That’s how the ransomware was tagged, moving around the company and infecting all of the servers. So those are the things that we always do our best to detect and block. The rest of the phishing attacks, either where they asked for money, or this other category called business email compromise where the attacker sounds like a CEO asking the CFO to wire money.
There’s a lot of those also, of course. But as a SaaS, our biggest priority is to make sure that we don’t get infected, and phishing attacks have been a huge conduit of those types of infections and distribution of ransomware. We want to block those as much as we can. And also, we want to make sure that we have the right controls in place, and educate people in case some of those phishing emails go through that the end-user doesn’t click.
It’s a kind of dual approach: there’s the technology process but also a huge aspect of awareness across our employees. They should pay attention to these because technologies and tools are never perfect. And these attackers are innovating every single day. They’re getting really good at it and they invest a lot of money and effort in these efforts. So, technology is important, as is detection monitoring, but the human aspect is a hugely important business as well. That’s how we get prepared for this.