WORK FROM HOME CHALLENGES AND SOLUTIONS
One thing that’s very important for every organization should be. Just don’t get hacked.
As you know, organizations around the world have had to force their entire workforce to work from home. No warning, no planning time, nothing! With so many unanswered questions – do we need to implement new services? Is an extension of existing systems good enough?. In simpler terms, this would be a prime example of are you sinking or swimming?.
However, as most organizations will be fixated on ensuring the work can be done they are forgetting the most important challenge – not being known for data breach or security incident that might trigger customer trust issues.
Well, it all starts with the loss of all the security protections you once had within the walls of your protected castle, I mean office/datacentres due to users not being on the VPN (so the policy set by the company does not apply). And just to clarify that by protection I mean firewalls, anti-virus, blacklisted IP addresses and endpoint protection and well without these you become defenseless against the cybercriminals.
So now that all workers are remote and will be spending most of their time online, be this on their corporate laptop or their own devices (mobile/tablets/laptops), anything on the internet has the possibility of being compromised. This could be compromisation due to the poor security awareness of the user or usage of the misconfigured software or system.
Of course, you have the given problem on whether to allow users to use their own personal devices for work purposes, in other words, Bring Your Own Device aka ‘BYOD’. This option is provided by cloud services such as IBM, MobileIron, etc. which are used by organizations to allow workers to use their own devices. However, there will always be the risk of these devices possibly having less protection compared to corporate devices – hence it is not recommended to allow these systems to connect directly to the infrastructure.
You will also have the concern of users connecting to the organization’s network through a free open Wi-Fi. What is the problem here you ask? There are a few actually;
•Risk of using a rouge WIFI network,
•Man In the Middle (MiTM) attacks
•Distribution of malware over unsecured WIFI,
•Snooping and sniffing,
•Malicious certificate installation execution of malicious software on the device
Now ask yourself is it worth it?
The most common and simplest way to expose yourself to any vulnerability from cyber threats is via a weak password, which, if cracked by a cyber-criminal would
lead to loss of sensitive information and/or access to other apps. Now a question to ask yourself: Do you use the same password for all your different application logins? Let me guess your answer was “yes”. Well in your case “you are the weakest link”.
A more sophisticated way of acquiring a user’s credentials would be through phishing. As you know hackers are not bound to time limits – hence they follow the “net-based fish hunting” rather than “fishing for single fish”. In cyber it is called phishing – an issue that has always been there and has taken troll due to the current situation. Unfortunately due to fear and desperateness of either worker wanting to know more, or simply scared in the current situation, the use of faux emails has successfully bagged cyber criminal’s user credentials and successful downloads of malicious attachments containing a key logger. Now let us get more technical, one of the techniques used by cybercriminals is Cybersquatting. For those of you who don’t know what this means, it is the practice of registering as Internet domains identical or similar to any targeted company name, with bad intent or in easier terms when the human eye doesn’t realize what has gone on. Well, guess what this is happening a lot in this period of time. An example of this would be receiving an email from your bank which is called SunTrust but receiving the mail from @suntust.com. Because of the eagerness to know more, most people would not realize that in fact, the email address is not legitimate. An example of this has been shown in Figure 1 below.
Recommended Actions –What should you do, do you ask? Well here are some for starters:
The use of a corporate laptop is vital as not only will it give the IT team oversight of the organization’s IT infrastructure but it allows for monitoring of any malicious activities, such as malware and unauthorized activities. This would also require that users use and do not defer from any updates sent by the IT teams.
Ensure training is provided for staff on how to identify phishing emails and the importance of raising an email if it identifies as being a phishing email.
Policies and procedures should be set up for reporting threats to IT security teams and instructions should be given to employees on the correct course of action if they believe they have fallen for a scam.
As you cannot just rely on the human factor it would be just as important to ensure email security controls are implemented to block phishing attacks and detect and quarantine malware threats.
To ensure the prevention of access to high-risk websites and blocking of risky file types.
Ensure employees are to connect to the corporate network using secure wireless.
Ensure that at least two-factor authentication (password and SMS) or Multi-Factor Authentication is enabled and that user’s credentials are different from ones they use for other applications.
If the organization for whatever reason needs to allow non-managed devices (users own device) to connect to the corporate VPN/Infrastructure, ensure there are minimum policy requirements that are met:
•The device must have Anti-virus
•Latest operating systems are running with relevant security patches
•That the devices are not jailbroken.
By Najwa Bouchab, Offensive Security Analyst
London, UK