COVID-19 is here. It's there. It's everywhere. Stores are closing, businesses and governments are canceling events and asking people to stay away from large social gatherings as much as possible. This is the good and right response as we prepare ourselves for exposure and ease potential stresses on our healthcare systems.
In whatever way our combined communities and governments determine to cope with the inevitable exposure, we need to make ourselves as prepared as possible in physical health, logistics, and communications so that we can follow the old British WWII adage of, "Keep Calm and Carry-on".
For those of us who are doing a significant amount of telework, that means doubling down on protecting ourselves and our organizations' information while also keeping our families safe. It's no secret that stock markets around the globe are taking a hit right now, but that does not mean that our personal information or the private information of our companies has to as well.
While global pandemics cause most of us to have feelings of vulnerability, insecurity, and fear, for cyber-criminals, it's Christmas morning. This is because cyber-criminals see times of crisis as an opportunity today, tomorrow, and well into the future. They know that the change of routine, combined with uncertainty, may make people more susceptible to cyber-attacks like social engineering.
"Cyber-criminals are also acutely aware of the fact that more people are going to be using their devices at home, where oftentimes organizational rules may not be in place and Wi-Fi security may not be as strong as it should be, making a ripe environment for cybercrime to occur. For example, I've received 5 times more Phishing Robo-calls in the past week than my entire life!"
Benjamin Brooks – Vice President of InfoSec Strategy
To do our part to thwart the attacks of the adversely adjusted attackers, RedTeam Security has compiled these tips for the tenacious teleworker to help them keep their organization's and their family's information safe and secure. As a bonus, these tips and tactics can be used anytime, not just when you are doing work in your robe and bunny slippers!
Most computers and connected systems in your house (and anywhere for that matter) are a combination of software and hardware. As with any complex human-made system or device, computers and the equipment that allows you to network require maintenance. When you are at work, the IT department or your Managed Secure Service Provider (MSSP) will push software updates or patches to your systems to not only make them more efficient but also more resistant to bad-guys. While you are teleworking, you may not have the luxury of that service, but it is still vitally important to keep these systems up to date with their latest internal code. That raises the question, "When was the last time you checked to see if your systems are up-to-date?"
Fortunately, with better security practices being more popular, keeping software up to date tends to be a simple process, and often it is automated in software. However, when it is not automated, understanding if you are running your machine with its best security can be a bit of a challenge. To make sure we are up to par, take the following steps:
PRO TIP: Don't forget to do the same for all other devices in your homes such as smart-phones and tablets.
Here's where things get slightly trickier but not outside of the realm of the average at-home user's capability. Hardware such as printers, cable modems, and Wi-Fi routers all have software on-board that also may require an update. It is a good practice to check those devices by logging into them individually and seeing if they need a firmware upgrade. For instance, most routers have a small web page that you can log in to in order to adjust the settings. They also have a default password on them, which leads us to our next tip.
Better yet, make your passwords into passphrases! Password compromise is one of the largest problems that we have encountered, but it's not because passwords don't work; it's because we have a two-fold problem:
Check out this link on Passphrasing and then when you are done reading, go and do this for all your passphrases! You'll be glad you did and way more secure for it.
Now, remember that router? Check to see if the default password is still set by logging in to the webpage hosted on the device. If the default password is still in place, use our password lesson to teach you how to quickly and effectively change that for the better! If a bad-guy were to gain access to your cable modem or Wi-Fi router, they could potentially wreak havoc on everything that you have connected to it. That means your computer, your phone, your Alexa, and all the information that is stored in those devices. How would they gain access?
Wi-Fi is one of the easiest ways to break into systems, especially if there is a weak password or no password at all. Guest networks, insecure networks, and hidden but not password-protected networks, all present a significant amount of risk to the users and all the systems that are connected. Attackers can make use of the weakness to start lurking in any connected system, just like above. That said, all a person has to do to significantly improve that scenario is to create a stronger passphrase. We also suggest attaching things like your Alexa, Smart Fridge, and other Internet of Things devices to the guest network which can limit the damage that could be caused by those harder to secure devices.
We would not be thorough if we did not address the concern of Vishing, Phishing, and SMSishing at this time. Whenever there is a crisis, bad-guys will always try to take advantage of people's disrupted day-to-day. The easiest way to do that for many is through social engineering attacks called Vishing and Phishing and SMSishing. All of these attacks are similar in that the attacker reaches out, "disguised" as a legitimate concern, to the intended victim, uninvited, and asks for information that can be used in other illegal activities.
Robo-calls, fake help desk workers, and the impersonation of government officials are all examples of personas commonly used by attackers to attempt to legitimize their requests. Typically, the attacker is looking for credit card numbers or bank account numbers, passwords for accounts, and/or personal information like a social security number.
For more information on these types of attacks, read: What You Need to Know About BEC Scams
The easiest way to defend against these attacks is to simply ignore them. A legitimate government communication will come in the form of an official letter. If a "bank" texts you with alerts, do not click or use the link they sent; use your already installed app or go to your known-good website. Similarly with Phishing, alert your real, known-good helpdesk of the attempt (no need to forward the email), and do not click the link or call them using the information provided in the e-mail.
With all the confusion concerning current events, the last thing that we want to have to worry about is a breach! So be safe, be secure, and be cyber-savvy.