A lot of companies have been quickly forced into a remote-only work environment, and we’d like to help make the security aspect of that reality easier to navigate. Remote work definitely comes with its own unique security challenges and may require both technical changes and process (and behavior!) changes. In this blog post, we’ll dissect the what, where, and why of this new “way of life”.
This is Part 1 of our COVID-19 series. Part 2 will provide suggestions for IT/network admins. If you have questions we can answer in future posts, please email info [at] carvesystems.
Protect your computer
You may have other compromised hosts on the network (your son/daughter’s gaming PC with a million mods downloaded from the internet? Grandpa’s computer with all the pop ups?). Protect your corporate computer from other malicious network hosts:
- Update your corporate computer to the latest OS version for the security patches
- Disable any local network sharing access (For example, this article shows you how to set up sharing on a Mac. Do the opposite!)
- Use a unique, strong password on your computer that others don’t know
- Set your computer to lock when resuming from screensaver, and set the screensaver timeout to 5 minutes or less (balance convenience with security)
Protect your meetings
Updated April 7, 2020
Zoom video conferencing is getting a ton of attention, both good and bad. Investors rushing to be a part of the financial upside are buying the wrong stock. The FBI issued guidance about Zoom Bombing. And researchers are analyzing Zoom’s development and security practices. Amidst all this, what should you do?
- Zoom’s selling point is removing friction in video conferencing. However, if your organization already has another video conferencing solution built into your workflow (Google Hangouts, Skype, etc), consider using that.
- Make sure all your meetings have a password, or you’re manually admitting attendees from the waiting room. Configure at https://zoom.us/profile/setting.
And/or enable the waiting room for your meetings.
Of course, the balance here is that these settings make Zoom slightly harder to use, and that may be very frustrating for some users. In most cases, however, the experience is frictionless: the password will be embedded into a calendar invite, sent out to the intended recipients, and automatically sent when joining the meeting. More resources:
- Excellent visual guide from Nardello to reduce Zoom Bombing risk
- Zoom’s guide to securing your meetings
- Analysis of Zoom’s issues from Bruce Schneier
- Brian Krebs shows how to find open Zoom meetings
Protect your network
Connecting to the enterprise network through a VPN can help mitigate some threats to the network (eavesdropping, DNS attacks) by encrypting traffic on the way to the enterprise network and possibly also handling DNS, but there are still plenty of reasons to secure your home network:
- Ensure the WiFi network is not using the WEP authentication protocol: WEP is an old, broken standard. While modern routers won’t even support it, there could still be some old ones out there that do. Ensure that they know WEP is not a sufficiently strong authentication mechanism for their network.
- Use a strong password for the network: Generally the only thing protecting home WiFi networks is the password. If the password is compromised, anyone can get on the network and sniff traffic, attempt to set up a man in the middle, or send traffic from the same IP (which could be a problem if your developer has whitelisted their home IP address in a firewall somewhere. We’ve seen this happen!).
- Disable Wi-Fi Protected Setup (WPS): Most home-grade routers offer some form of WPS, either via PIN, push-button, or sometimes more obscure methods such as NFC or USB. This feature was introduced to easily add new devices to the home network, sacrificing security in favor of usability. The PIN method is broken and easily brute-forceable, and ironically is the only authentication method that the standard requires to be implemented. Completely disabling WPS is encouraged when securing home networks.
Home routers play a key role in protecting your home network, and are a popular target for attacks. Lots of router malware changes DNS settings to direct the user to fake sites that harvest personal info.
- Change your router’s default password and, if supported, enable automatic updates. Try browsing to http://192.168.1.1 to find your router if you have no idea where to start. If that doesn’t work, find the model number of your router on the back/underneath and look up the manual online.
- If your router doesn’t support automatic updates, then manually update your router’s firmware to the latest version
- Many routers support “port forwarding” or “NAT passthrough”. This can be used to put a port/service directly on the internet, and may be required by some systems. It can certainly be a dangerous feature if not expected or configured correctly.
- Disable remote admin and “home-grade” VPN if enabled/supported by your router
Unfortunately there are no generic instructions for how to configure your router. Look at the manufacturer’s website for the user manual, or search for some of the key words above plus the model number of your router (e.g. “port forwarding asus rt-n66u”).
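Because router malware commonly works by changing DNS settings, one check you can run from the workstation side is to confirm which resolvers the computer is actually using. The script below is an added example, not part of the original post; the expected-resolver list and the sample resolv.conf contents are constructed assumptions.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf contents (not from a real host):
# one expected resolver, one unexpected one, and one malformed entry.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver not-an-ip
options edns0
"""

# Assumption: the resolvers you deliberately use (router LAN address, VPN DNS).
EXPECTED_RESOLVERS = {"192.168.1.1", "10.8.0.1"}


def parse_nameservers(text):
    """Return (valid_addresses, malformed_entries) from resolv.conf text."""
    valid, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue
        try:
            # Drop any IPv6 zone id and normalise the textual form.
            valid.append(str(ipaddress.ip_address(fields[1].split("%", 1)[0])))
        except ValueError:
            malformed.append(fields[1])
    return valid, malformed


def audit_resolvers(text, expected):
    """Flag resolvers in use that are not on the expected list."""
    expected_norm = {str(ipaddress.ip_address(e)) for e in expected}
    valid, malformed = parse_nameservers(text)
    unexpected = [ip for ip in valid if ip not in expected_norm]
    ok = bool(valid) and not malformed and not unexpected
    return {"in_use": valid, "unexpected": unexpected,
            "malformed": malformed, "ok": ok}


if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

If the file lists only a local stub resolver (for example 127.0.0.53), audit the upstream servers that stub forwards to instead. The router’s own upstream DNS setting still has to be checked in its admin panel.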
Take another look at your “smart devices”. If you have a “smart home” device, it can be used by an attacker as an entry point into your network.
- Are they set up with factory default/easily guessable passwords? Change the passwords on the devices or, if there is a web management panel somewhere in the cloud, change it there as well. This is another great reason to use password managers!
Protect from: yourself
It’s important, both from productivity and security perspectives, to maintain safe browsing habits at work, because failing to do so could not only impact your focus but also help compromise your company infrastructure via your VPN-connected workstation with direct access to the corporate network.
- This might be a good time to revisit the security training materials we hope your company has provided you to be able to better spot phishing emails and websites. Phishing attacks are on the rise. Cofense has a good collection of news stories/advice.
- Now more than ever, it’s important to never ignore the “Certificate mismatch” errors that your browser throws. The rule of thumb here is, if the browser generates an error like this when you navigate to a website, do not continue on to the website.
- With so many IT processes disrupted and new policies being rolled out quickly, be extra cautious about social engineering scams. Beware of anyone asking for your password, “urgent” emails, or requirements to enter personal or company information.
Protect from: your family
We would generally discourage using personal computers to connect to corporate resources, but with the entire family at home, technology resources may become scarce. There are a lot of good reasons to make sure that your work computer stays out of the family resource pool:
- Children/young adults may be doing distance learning and need certain programs. It can be tempting to download those programs from whatever website offers them – legal, malware-infested, or not!
- It’s easy to delete an email, move a calendar invite, or leak/view sensitive customer/patient/other data on a work computer. This can cause confusion for an overburdened IT staff, or require reporting as an incident.
We’ve covered some basic threats/mitigations. There are plenty of others. This is a perfect example of where we can use threat modeling to enumerate other threats, especially those unique to your situation. By the way, looking at technology through the threat modeling lens is something that we recommend that our customers always do, coronavirus or not.
In this case, when we leave the “walled garden” of the enterprise, the technology setup that comes with the change – i.e. how you now access work resources compared to before – brings a new set of threats. For one, it unfortunately becomes easier for you to get to bad content on the Internet as your remote routes likely have lighter protections against malicious websites, phishing emails etc.
In addition, there are now corporate assets on your home network. Therefore, in any of the scenarios below, an attacker is one step away from corporate assets:
- An attacker can steal/crack/social engineer your home WiFi credentials
- An attacker can exploit your home-grade router that’s exposed to the Internet
- A malicious Internet-of-things device (e.g. a smart light bulb that gets compromised) provides miscreants a tunnel into your network
- Malware can get installed on a computer you share with other family members
Objectively, a lot of these threats aren’t new. But there are some new threats that are very situation-specific, such as COVID-19-specific phishing/malware slinging campaigns that exploit everyone’s fears over the rapidly growing pandemic.
We’ll follow up with Part 2 for IT/network administrators. In the meantime, if you have questions we can answer in future posts, please email us at: info [at] carvesystems.