Hackers pivot to attack remote workers

As identity authentication practices at public- and private-sector organizations have transformed in response to the surge in remote work, cyber criminals are adjusting their tactics, according to federal security experts.

In the last six months, the attack vector on federal and commercial networks has changed, said Sean Connelly, Trusted Internet Connection (TIC) program manager at the Cybersecurity and Infrastructure Security Agency.

With the traditional TIC 2 architecture's "castle and moat" style of cyber protections, attackers would look for buffer overflows, DNS and other weaknesses, Connelly said during a Sept. 22 Venable webcast on identity security. In the current work-from-home environment, however, attackers have shifted to more interactive techniques, trying to throw users off guard, he said.

"Now adversaries are trying to get you to click on something, like a social messaging app," Connelly said. "How do you put security controls around a social messaging app?"

Fake social networking profiles aimed at gaining employees' trust, as well as fake login pages created by cyber thieves, are also increasing, according to Connelly. "Those attacks are shifting everywhere traditional network security controls are not located," he said. "Many attackers are actually calling employees and encouraging them to log on to those fake pages and then grabbing their credentials."

"Because we're not physically co-located anymore, there are a lot of authentication factors we used to assume, that we now can't use," Wendy Nather, head of advisory CISOs at Cisco’s Duo Security, said during the Venable event. "If somebody calls the help desk, how are you going to verify them if they can't walk over and show you their CAC [common access card]. … Those sorts of processes have been breaking down."

"Some of the things that we've long held as pretty strong controls like the PIV [personal identity verification] and the CAC, they have weaknesses now because a PIV card requires an in-person validation, like a fingerprint," Ross Foard, a senior engineer in CISA's cybersecurity division, said during the webcast. "That is not as easy to do now."

CISA, he said, is using for new hires a card similar to a PIV card, with derived authentication that doesn't necessarily require an initial fingerprint from them.

TIC 3.0 and Zero Trust can help federal networks adjust, but those technologies are still emerging, so network operators should be vigilant, said the experts.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
