By Martin Roesler (Trend Micro Research)
The current workplace reality is that, in response to the ongoing coronavirus (COVID-19) outbreak, many companies around the globe have rolled out work-from-home arrangements. As a result, there has been an influx of employees signing in remotely to corporate networks and using cloud-based applications. But this shift could also open doors to security risks and cyberthreats.
In one of our security predictions for 2020, we discussed how organizations would have to be wary of risks introduced by work-from-home arrangements and connected home devices. Blurring the lines in enterprise security, remote devices could be infected and serve as launch points for supply chain attacks.
Security teams and home office users, however, can minimize the risks that come with remote-working setups. Below are some practical security measures that can be applied to this end.
- Set up your 2FA. Many major websites and services are implementing two-factor authentication (2FA). Make sure to have logins set up to not rely on passwords alone (e.g., use authentication mobile apps or biometrics). Passwords have time and again been hacked, leaked, or stolen.
- Preconfigure work-from-home arrangements. Assess your security and establish clear guidelines on remote working as aligned with company policies. Equip employees with intrusion prevention and protection against data loss and theft, preferably through IT-approved company-issued laptops.
- Remember to back up data. Follow the 3-2-1 rule in backing up data: Create at least three copies of the data in two different storage formats, with at least one copy located off-site (e.g., provide external SSD or HD drives).
- Ensure that there are enough VPN licenses. The increase in mobile workers means that organizations should have enough virtual private network (VPN) licenses and network bandwidth to accommodate the number of users.
- Limit the use of VPNs. Regulate access to VPNs, and require users to renew their logins periodically (e.g., allow a maximum of 12 hours of access each day per user and automatically log users off from the service).
Security teams can find more considerations for their company policies in the SANS Institute’s guide to securely transitioning to work from home.
- Use a company laptop for remote work if possible. Do not use your personal machine as it may have fewer security controls than your company-owned hardware. Work-issued laptops or machines should be for employee use only; other members of your household should not have access to your dedicated work equipment.
- If use of personal equipment cannot be avoided and you have to use your own machine, keep it as close as possible to office security standards. Use security software provided by your company, follow company data protection measures, and do not mix personal browsing and activities while working.
- Use company-designated VPNs and avoid free, public Wi-Fi. Use the dedicated enterprise VPN servers only on your work laptop or desktop to make the connection between your network and the office’s secure. But be wary of phishing attacks that steal VPN-related account credentials. If VPN connectivity is not on the table, ensure that data communication is done via encrypted email or Pretty Good Privacy (PGP) encryption.
- Split networks. Use a guest network to isolate the company laptop or desktop. If you have a router or switch with a virtual local area network (VLAN) functionality, activate it and dedicate a VLAN for office work only.
- Prepare a backup solution at home. Having backup options (e.g., hardware such as USB hard drives) puts you in a better position when something goes wrong, such as connectivity loss or server failure. For macOS users, Time Machine can be activated to create backups.
- Be wary of online scams. Unfortunately, scammers use current situations like the COVID-19 pandemic to prey on collective fear and misinformation for their fraudulent activities. These scams are sent through emails, malicious domains, fake apps, or social media, claiming to provide shipping notifications, COVID-19 information, and even supposed cures through attachments that actually bear malware. Fraudulent messages can often appear localized to the recipient to lend an air of legitimacy.
There are measures you can take to avoid getting duped. For one thing, be wary of telltale signs of phishing scams: unknown senders, glaring grammatical errors, mismatched URLs, and outlandish stories. Do not provide your identifiable information such as personal details and bank account information. Immediately alert your organization if you received such attempts to help others spot the scams.
- Secure the gateway: your router. The router is the gateway to all internet-connected devices in your home network. Attackers are known to compromise home routers with default credentials that users often neglect to change. It is good practice to regularly change the password for your router as it may have been previously shared with other users. Passwords that are not prone to dictionary attacks are recommended, i.e., those that have more than 12 characters, with a mix of letters, numbers, and special characters. Likewise, it is important to always update the firmware of your router to the latest version. Routers issued by internet services providers (ISPs) usually have automatic updates, but due diligence can be done through a router’s web console, which is accessible using its IP address.
Restrict user accounts on the router to two: A super-user account used only for setup and configuration (local account, not remote-enabled), and a personal account that is the default user allowed to manage the router (also local account, not remote-enabled). You, or somebody else in your family who is tech-savvy, can also do a port scan on your router’s IP address; if this is not possible, you may check your IP address on Shodan. Many routers also allow the automatic addition of new devices for convenience, but this feature should be disabled and unknown connected devices should be removed from the router configuration.
As a safety net, you may also consider a backup internet connection by way of a router that supports LTE in case your normal ISP line goes down. The tethering or personal hotspot function of your smartphone can also work as a connectivity backup.
- For advanced users: Work with a proxy. If you have a spare Raspberry Pi or an old Linux computer, you can dedicate a Pi-hole to protect your devices from ads or unwanted content. Alternatively, you can configure some network-attached storage (NAS) systems to block ads.
- Strengthen your passwords. Use a password manager to make it easier for you to handle strong passwords across multiple website and service accounts. This streamlines the use of long, randomly generated unique passwords and avoids the reuse of the same or similar passwords across websites and services.
- Keep your software up to date. Update all of the pieces of software that you use to their latest versions and install security patches immediately to reduce the chances of malware infection.
- Secure other computers in use. Since kids are also staying at home, likely having their online classes, and other members of the family may also be working remotely, home network security basics such as creating backups and employing a proxy service should be adopted. Create a safer digital environment by employing home network security that not only can block and filter sites, but can also protect your network and devices against hackers and web threats. Protect data against ransomware and theft by enabling Folder Shield. You can also consider employing router security that allows device management (e.g., disconnecting unwanted devices in the network), controls social media use, blocks inappropriate sites, and sets time limits for device usage.
- Protect smartphones. As with laptops and desktops, make sure phones are updated with their latest firmware versions. Download only legitimate apps from official stores and review the app permissions before installing them. Install a mobile security app to prevent malicious apps or codes from running on phones.
- Save bandwidth. As more users stay and work at home, bandwidth becomes a critical resource. Ensure seamless productivity by reducing consumption in streaming videos and other activities that throttle the bandwidth, especially during work hours.
- Discuss the importance of online safety. Help your family understand the public nature of the internet and its potential dangers. Remind them that they are responsible for ensuring that their online activities are safe and private by securing the way they set up and use their devices.
Setting up a secure remote-working environment is not an overnight job. It requires considerable effort from all people involved, especially in the case of those who are new to telecommuting. The measures laid out here should help companies and employees ease the burden and effectively protect work-from-home setups from cyberthreats.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report