The corona pandemic, code name Covid-19, caused by the virus SARS-CoV-2, is this century’s first pandemic and hopefully the last, and it has caused problems in almost every industry. There has been a paradigm shift on a massive scale. As governments shut down their countries to fight the crisis, organizations have been requested by their respective governments to close their offices, and employees have been requested to work from home if they are able. This is, in my opinion, the best and the largest example of business continuity I have ever seen!
Everyone is working from home full time, which means they connect remotely to their organizations either via VPNs or direct access. In that sentence one can spot a security risk right away: the word “Direct”. That is a problem, but the bigger problem is “working from HOME full time”.
Let me explain. Within an organization, you have a CISO (Chief Information Security Officer) office, a SOC team (blue team) and, in some organizations, an offensive team performing penetration tests at regular intervals. The organization also has physical security measures in place, such as security guards, custom security guard round schedules, mantraps etc.
You see policies like clear desk, which includes cleaning all whiteboards after use. You also see policies like mandatory document shredding. The aim of all these teams is to ensure that the organization does not get breached via an attack from either the outside or a malicious insider. So on one side we have all these security controls, which ensure that nothing gets leaked, stolen (from office premises) or compromised in any way, and on the other side we have our homes, which are in general very secure, but not from an information/cyber security perspective.
Since this crisis arose and new standard protocols have been in effect, I have noticed that there have been minor information disclosures. For example, everyone started posting screenshots of their video chats, be that an official meeting or a school/college/university online class. What did they disclose? From a technical perspective: their installed software, the software being used for the video conference, the meeting ID etc. At first glance there is no problem in this being public, but we live in a world where information that seems unimportant to you can be a goldmine for someone else.
As more and more people are online due to government and organizational policies during this crisis, cyber criminals are very active in targeting organizations as well as private internet users. Due to the load on the ISP (internet service provider) networks, many people are exposing their internal networks to the internet by sharing folders, remote desktop endpoints etc. Attackers thus have more targets, which might not be up to date on patching.
Keeping all the above-mentioned issues in mind, I thought of creating a small list of Dos and Don’ts on the internet while working from home during the current crisis.
- Always use a corporate VPN, and if your organization does not have a corporate VPN then request one.
- It is always good to call the person who allegedly sent you an MS Office file and confirm that it really was them who sent it.
- Third-party video conferencing services can record the calls; keep this in mind when connecting.
- If you are working on sensitive projects, keep your laptop in a safe after the work is done.
- It is a good practice to connect to online video conferencing via the web browser rather than downloading the software on your work laptop.
- Use a shredder (if possible) when disposing of documents.
- If you suddenly get disconnected from your own WIFI network, immediately switch to your mobile 4G network by setting up a hotspot on your phone. Once the problem has been identified, you can connect back to your WIFI network.
- The WIFI security should be set to the highest level. WPA2 (WIFI Protected Access 2) is usually the highest level in home WIFI access points/routers. There have been attacks against WPA2, but WPA2 is still better than WEP, which is the lowest level of security in a WIFI access point/router.
- Ask your corporate IT to enable a deny-all-incoming-connections rule in the firewall on your laptop.
- Do not install any app regarding COVID-19 onto your phone (Android or iOS based) without verifying that it is published by a trusted source.
- When commencing a video chat, clear any unnecessary detail from your background. Some people have home offices with whiteboards etc., so it is a good practice to erase everything on the whiteboard unless it is required for the meeting.
- Do not click on any link received via a text message, email or phone call unless it was received from a trusted source.
- If you suddenly get a notification on your Google calendar about a meeting which you never scheduled, do not click on the embedded link.
- Do not accept MS Office files from an unknown sender. If you receive a file which you think should be confidential and which you should not be receiving, please contact your IT/security department.
- Do not use a personal laptop for corporate work, unless officially exempted.
- Do not share your organizational credentials or any other credentials over the phone or over email, text or third-party services.
- Do not plug a USB stick into a laptop if it was received via mail as part of some marketing campaign or for any other reason, from a known or an unknown sender. If the sender is known, confirm with them first.
- Do not share anything on social networks that seems relevant at this time but might be very bad for your OPSEC (operations security) in the long run, especially on Twitter feeds, which are public and are harvested by many different organizations for many different reasons.
Arriving at the end, I would just like to emphasize that security awareness should be spread within the family as well. Most homes have one WIFI network, and if a child or someone else in the family accidentally downloads malware, the infection might also spread to other connected devices, among them the corporate laptop. If the corporate laptop gets infected, it can further infect the corporate network.
To conclude, I would just like to express my condolences to all the bereaved families who have lost their loved ones because of COVID-19.
Stay safe, Peace!