Hackers see every major event, good or bad, as an opportunity. The Olympics. March Madness. The Super Bowl. The World Series. Tax season. Summer vacations. Elections.
And yes, natural disasters like Hurricane Katrina, or the current health crisis.
So when, seemingly overnight, the large majority of working Americans are doing their jobs from home (or are unable to work at all) it is no surprise that hackers are looking to take advantage of every security weakness that a crisis might expose.
Beyond that, the scale of this “event” is unlike any other. As endless headlines and nightly news broadcasts remind us, working remotely, while not a novelty, is now at a level never before seen.
And in the online world, that makes staying secure from inevitable attacks more difficult. Especially when those attacks have ramped up. A recent reader poll by Threatpost found that 40% reported that their companies were “seeing increased cyberattacks as they enable remote working.”
That should be no surprise. Hackers are opportunists, and they see an unprecedented event as an unprecedented opportunity.
First, know your weaknesses
But it doesn’t mean the targets of those attacks are defenseless. The first thing to do when facing this kind of threat is to know your own weaknesses. Those weaknesses have been identified by numerous experts. They include:
- Stress, distractions, haste and unfamiliar tools. Those who are working at home for the first time will likely be affected by all these issues “as they try to balance family and work responsibilities in a new and unfamiliar daily routine,” said Jonathan Knudsen, senior security strategist at Synopsys, noting that “people make more mistakes” when they are under those combined pressures.
One example: While video web conferencing has been mainstream for more than a decade, that doesn’t mean everybody is used to it. If employees are suddenly required to use unfamiliar tools like WebEx or Zoom from home, they are more likely to make mistakes. And if such a system has been set up in a rush to enable meetings that would normally be in a conference room, it is more likely to be insecure.
- Lack of human connections. Security awareness is the responsibility of every individual in an organization, but group support generally makes it more effective. Remote employees working alone may be more likely to fall victim to phishing attacks — especially business email compromise (BEC) like a fake email from a “senior executive” directing a money transfer — when they can’t check on the authenticity of that email as easily as they could at the office.
- Insecure home networks and computers. They are more likely to be out of date, unpatched and unprotected.
That is not a universally shared view. One comment on the site of cryptographer, author and blogger Bruce Schneier was blunt: “Bro have you ever seen a fleet of computers managed by the IT section of a big company? Logging into the VPN [virtual private network] endangers my computer, not the company’s computers.”
That anecdote may be true. It is also true that it will be more difficult, even when a network has rigorous security policies, to maintain that security when workers are outside the corporate perimeter and logging in from personal Wi-Fi connections. Patching and securing hundreds of thousands of endpoints is not easy.
Still, on average it is likely that a corporate network, with a staff focused on keeping security measures current, will indeed be more secure than that of the average employee working from home for the first time.
- Insecure access to organizational networks. “As stay-at-home employees flood the Internet with videoconferences, and stay-at-home others flood the Internet with streaming video, expect to see slowdowns and service interruptions,” Knudsen said, noting that workers who get impatient may “turn to personal accounts or services that haven’t been evaluated by the organization.”
- Spotty VPN coverage. An organization with good security will already have a VPN for remote access. But if not, “they’re either trying to get one quickly or not bothering at all,” Schneier wrote. “Handing people VPN software to install and use with zero training is a recipe for security mistakes, but not using a VPN is even worse.”
- Data leakage. It is human nature to do the convenient thing even if it takes only a few seconds less than the secure thing. Which means it is likely that sensitive, confidential corporate data will end up outside the network, as work-from-home (WFH) employees save data on their own computers, where it is less likely to remain confidential.
Surely there are other potential security weaknesses, but those are the most common. So what can/should both individual workers and their organizations do in the face of elevated attacks seeking to exploit elevated weaknesses?
Haste will waste you
Knudsen recommends that the first thing workers should do is resist the temptation to rush. “Take a minute. Slow down. Think about what you’re doing and what could go wrong.”
“As your finger is hovering over that send button, or you are about to start up an unsecured cloud service — don’t do it! — take some time to think like an attacker and understand what could go wrong,” he said.
For organizations, much of it comes down to “security hygiene” — the same basics that are preached at security conferences year after year.
A lot of that involves technology, but some of it involves people. Any organization, whether its workers are remote or together at an office, will be more secure if employees are well trained in security awareness.
SANS, a security awareness firm, has offered a Work From Home Deployment Kit aimed at quick training for employees who likely have never worked remotely before.
Next, use a VPN. The Threatpost survey found that only 37% of respondents said their organizations are requiring workers to use VPNs to access corporate resources. Some respondents said they’re using alternatives, such as direct access via a cloud service.
As Schneier noted, a hastily deployed VPN isn’t good, but it is better than nothing.
Another basic is the principle of “least privilege.” It’s the digital version of limiting the physical access of employees. Obviously, everybody in an organization doesn’t need access to the C-suite, on-site servers or to the heating system, for that matter.
So an organization should segment its network. The VPN shouldn’t be able to talk to everything. It should function in what some experts call a “DMZ” that lets users get access to what they need but nothing more.
Build security in
Of course, the most careful employees and the most restrictive VPN won’t help much if their applications, network and systems, and the software that runs them, are not secure. So another basic is to “build security in” to proprietary software, and make sure that components and apps from third parties or open source are kept updated and patched.
Building security in, now a universal mantra, means testing software while it is being built, from the beginning to the end of the software development life cycle. There is no single tool to do that, but a “toolkit” of them can analyze it in multiple ways — static, dynamic and interactive — along with software composition analysis (SCA) for open-source components. Those, along with penetration testing at the end, can make an organization’s software pretty close to bulletproof.
Finally, with virtual meetings more of a necessity than ever, the National Institute of Standards and Technology (NIST) has a list of precautions to take, no matter what provider an organization uses. They include:
- Limit reuse of access codes.
- For sensitive meetings, use one-time PINs or meeting identifier codes, plus multi-factor authentication.
- Use a “waiting room,” and don’t allow the meeting to begin until the host joins.
- Enable notification when attendees join. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
- If available, use a dashboard to monitor attendees, and identify all generic attendees.
- Don’t record the meeting unless it’s necessary.
- Disable features you don’t need, like chat or file sharing.
- Remind those who might share screens not to share other sensitive information inadvertently.
Bottom line: Working remotely is new and unfamiliar to most employees. Some of it may be distracting, stressful and unsettling. But most of the solutions are well-established security practices. There are numerous resources out there to help. Use them and your organization (and employees) will be a much tougher target for opportunistic hackers.