When Jane Katungi received a brand-new laptop and a smartphone as part of her home working package, she was elated. “Every crisis comes with a silver lining”, she whispered to a friend as she packed her newly acquired gadgets and moved her office home.
By Allan Sserwanga – Security Researcher
The coronavirus pandemic has changed the way people live, work, and communicate. Traditional leadership styles have been disrupted too. Every disruption brings opportunities and threats. Whereas Jane’s employer was flexible and agile in providing the required capabilities, a laptop and a smartphone to act as a modem for connecting to the Internet from the home office, they forgot a critical element: a security hygiene briefing for remote workers.
Remote-working (teleworking) is a must for several enterprises to survive in business today, following the COVID-19 pandemic crisis. There has been an unprecedented rise in virtual workplaces where employees are working from geographically dispersed areas, both within and outside standard business hours. Remote working has been fostered by various information and communication technologies that include e-mail, videoconferencing, teleconferencing, discussion groups, chat rooms, project management software, collaborative design tools, knowledge management systems, and message boards.
Nonetheless, it is important to note that with the influx of virtual teams also come cybersecurity concerns that could frustrate all efforts for the anticipated benefit, not to mention the fake COVID-19 help guides that hackers use to exploit unsuspecting users and the ‘zoombombing’ that has had several videoconferencing sessions hijacked with pornography and/or violent hateful material. It is upon these grounds that we would like to equip you with reliable security tips to succeed as a remote worker. In times like these, you cannot wait for guidance from the employer. You must take the initiative to learn the basics on your own so that you achieve your targets in a secure environment.
Remote Work Tools
The tools in use are varied, ranging from social network connections to group phone calls. Video conferencing tools help you set up video meetings with multiple people, so you can visually engage your team. They also require that remote workers have high-speed Internet access, a microphone, and a quality web camera. Popular tools of this kind include Skype, Google Hangouts, Zoom, join.me, BlueJeans, GoToMeeting, Microsoft Teams, and many more. The COVID-19 pandemic has given birth to new remote working innovations and tools. Old ones have also been repackaged to make them
To reinforce teamwork remotely, collaboration tools inevitably come into play. These have diverse roles covering storage and file sharing, remote desktop access, and project management, and examples include Dropbox, Google Drive, Microsoft 365, TeamViewer, Trello, and Pivotal Tracker, among others.
Like a carpenter, you have many tools at your disposal, but you need to pick the right one for the task at hand. Is it drilling a hole in the wood, or hitting a nail? Different tasks call for the ideal tool from the toolbox. You must know which one works where, and that is why every staff member needs training to make the right choice. One of the worst leadership decisions is spending money on acquiring the wrong tool. But that is not the only risk. Potential cybersecurity breaches are among the top risks that must be proactively anticipated and managed. Because companies must allow external connections to their critical systems from users outside the network, the risk increases. Many companies have invested in smartphones that are used as modems, thumb drive modems, and home Wi-Fi capabilities. Many of these gadgets have dynamic IP addresses, making whitelisting of known IPs next to impossible. With massive traffic into the company systems and limited checks by the firewall, the risk of the legendary lion in sheep’s clothing is high.
A Case in Point: ‘Zoombombing’ Incidents
As many people have gradually adapted to working remotely, hackers too have sharpened their tools for a big catch of their prey. It is imperative that top management and business owners not overlook cybersecurity obligations, but take active roles in their cybersecurity programs or face reputational loss and the possibility of potential shareholder lawsuits.
Recently, the CEO of the Zoom video-conferencing platform apologized for having fallen short of the privacy and security expectations of the user community. Not to be sidelined by the influx of more than 190 million users that turned to Zoom for daily meetings and discussions, hackers seized the opportunity to exploit a security loophole by finding out the details of meetings, either via links that had been shared publicly on social media platforms and/or websites or by simply guessing the nine-digit ID code. This new phenomenon has been nicknamed ‘zoombombing’, and has of late involved uninvited guests joining video conferences and disrupting them with pornographic and/or hate images and threatening language posted during a live event. It would, however, have been easy to prevent these attacks by password-protecting meetings and not allowing anyone other than the host to share a screen. To this end, Zoom has had to invest in best-in-class security systems.
As of this writing, Zoom calls are secured by encryption, making it very difficult for unauthorized people to conduct man-in-the-middle attacks, brute-force guessing of ID codes and other similar schemes. That is the essence of software and collaborative tool development: improve the systems by addressing new emerging risks. Such an approach calls for agility and responsiveness to market developments and customer needs.
National Information Technology Authority – Uganda (NITA-U) has fortunately issued these Zoom security guidelines to help us along the way:
- Always keep your software up to date
- Never share your meeting ID
- Always use passwords to protect your meeting
- Always share the meeting details securely
- Always use a meeting waiting room
- Always lock the meeting to restrict joining
- Beware of phishing
- Use voice-only meeting when the internet connection is poor
- Disable join before host
- Limit Screen Sharing to the Host
- Enable only authenticated users to join
- Require registration
- Disable Automatic Recording of Meetings
The zoombombing scenario is just one of the many ways hackers can exploit inadequately secured systems. However, with the recent updates by Zoom introducing session encryption, such risks in newer versions have been minimized or removed altogether. But as old attack vectors are addressed, new ones emerge. That is why on-going cyber hygiene practices are critical to winning. New attack vectors now target meeting hosts and participants by stealing meeting credentials from their emails! That is why you must be alert to phishing and similar social engineering schemes. Cybercriminals are now using more sophisticated attacks to steal assets ranging from intellectual property to the sensitive personal and financial information of an enterprise’s customers, partners, and employees.
Working from home can give a false sense of security and comfort, to the extent that some basic security procedures and practices are more easily compromised than they would be in a corporate and regularly monitored workplace. Get hold of these tips for your safety while you remotely execute your duties.
1. Access Controls
a) Strong passwords:
The tyranny of multiple accounts can tempt you into choosing easy passwords, since the requirements may be daunting: a capital letter, a number, a symbol, and more than 8 characters. But it is possible to create secure, strong passwords that meet these requirements and are fairly easy to remember.
One strategy is to think of passwords as passphrases. We can turn the idea of a hobby or an event into a sentence or a thought. For instance, “Hockeyis1coolGame!” meets all of the requirements and is generally memorable. It makes a much more secure passphrase.
Remember, the longer the password, the better. Now if you add into this the mix of special characters and numbers, you make it difficult for hackers, since the password cracking tools available on the market focus on trying combinations of words and letters known to exist in a dictionary (dictionary attack) and on trying every possible combination of characters (brute force). A longer password in the form of a mixed-up passphrase makes both approaches far more difficult.
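The following added example (not from the original article) checks a candidate password against the four requirements stated above, estimates the size of the search space a brute-force attack must cover, and applies a dictionary-style check against a small constructed word list; it uses the article’s own “Hockeyis1coolGame!” as input. The word list and the policy constants are assumptions for illustration.

```python
import math
import string

# Policy from the article: a capital letter, a number, a symbol, more than 8 characters.
MIN_LENGTH = 9

# Constructed mini word list standing in for a cracker's dictionary (assumption: a real
# dictionary attack uses millions of entries; this list only illustrates the check).
SMALL_DICTIONARY = {"password", "hockey", "summer", "letmein", "qwerty", "welcome"}


def meets_policy(password: str) -> bool:
    """True when the password has an upper-case letter, a digit, a symbol and > 8 chars."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the number of guesses an exhaustive search over the character set needs.
    Every extra character multiplies the work by the charset size, which is why length
    matters more than any single symbol."""
    return len(password) * math.log2(charset_size(password))


def in_dictionary(password: str, words=SMALL_DICTIONARY) -> bool:
    """Dictionary-attack view: crackers strip digits/symbols and lower-case the rest,
    so 'Summer2020!' still collapses to the word 'summer'."""
    core = "".join(c for c in password if c.isalpha()).lower()
    return core in words or password.lower() in words


def assess(password: str) -> dict:
    """Combined verdict a self-service password check could show a remote worker."""
    return {
        "meets_policy": meets_policy(password),
        "brute_force_bits": round(brute_force_bits(password), 1),
        "in_dictionary": in_dictionary(password),
    }


if __name__ == "__main__":
    for candidate in ("hockey", "Summer2020!", "Hockeyis1coolGame!"):
        print(candidate, assess(candidate))
```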
b) Password manager:
Being online requires keeping track of lots of email addresses, user names, and passwords for different services. It is recommended that you use a different strong password for each service, though in practice this is often pretty difficult.
To help ease this task, we can use software called a password manager, which protects all passwords and other pieces of information like notes and security questions with one master password, the only one you need to remember. Many password managers can also generate passwords for you when you need to sign up for a new service or update an old password.
A variety of good password manager software is available on the market, including LastPass, KeePass, and 1Password. A software solution is generally much more secure than using a paper notebook, and it is common wisdom never to write down passwords. The bottom line is to avoid password reuse and to avoid keeping your passwords in plain text on your computer.
c) Multifactor authentication:
If you own a Facebook, Google, or Twitter or any such social media account, you have probably been asked to enter your phone number after creating an account with your email address. When you create the account, an SMS is sent to your mobile phone separately.
This helps to confirm that you are indeed who you say you are. A company like Google knows that to have a mobile phone number in your country, some form of identity verification was done against which you received the phone number. Remember the SIM card registration exercise in Uganda and the requirement that only folks with national ID get the SIM cards?
If someone hacks into your account, details like your phone number cannot be easily changed, since the fraudster is required to enter the passcode sent to the phone number on your account; because they do not have the mobile phone with them, they are unable to enter the code, and you can easily reclaim your Gmail account.
You are advised to set up dual authentication mechanisms as a second line of defense in case you are hacked. We receive many such cases at our Summit Consulting Ltd lab, and if the person did not practise basic cyber hygiene, it becomes difficult to help them.
Authentication information generally comes from knowledge factors (things you know e.g. passwords, security questions), inherent factors (things you are i.e. biometric information like a fingerprint, your face pattern, or retina scan), and possession factors (things you have e.g. mobile phone). In the above example, online systems use things that you know (passwords) with things that you possess (mobile phone) to authenticate you. Without having set dual authentication, for example, Google may not help you recover your email in case it was hacked into and your identity is stolen.
It is a strongly recommended practice that employees and device owners make use of multifactor authentication to protect access to critical applications and highly sensitive data. This increases security in a world where passwords are leaked all the time. Take for instance when you log into a site or app with two-factor authentication, instead of just using a password, the site requires a password and a code, which comes from a dedicated device.
Nevertheless, it is crucial to know that some biometric properties can be stolen. If, for example, you leave a clear enough fingerprint on a smooth surface, it is possible to recreate an artificial finger with that print and use it to fool a security system. Markedly, once a fingerprint is compromised you cannot just change it for a new one, as you can with a password. Retina scans are generally much harder to fake, as are face recognition sensors when coupled with thermal sensing. In light of these considerations, biometric access should be used as a second factor alongside a different factor, like a PIN code or password.
d) Physical protection of critical assets:
Ensure that physical protections for critical assets are in place and active. While away from your home office, keep your computer and other devices out of sight in a secure location.
At your home, do not be reckless with company resources. Neighbours may see into your house that you have the latest gadget or computer, and then visit at night to take it. You must be careful. Some employees live in community settings in houses without perimeter walls. In that case, it could be easy for someone to casually walk into your house and walk out with your laptop or phone. You must be very careful.
e) Remote access monitoring:
Ensure that remotely accessed assets have restrictive, up-to-date access control lists (ACLs), and that security devices such as firewalls and intrusion detection systems are being monitored to examine incident trends. Remote access services and user profiles should be active only when required.
Make sure you comply with the remote working policies and procedures. If your employer has provided you with VPN access, make sure you use it. If you have a fixed IP address for accessing the services, keep it private and use that. If you lose your modem, report it immediately to your IT department so that the IP is blocked instantly, and then report to the police so that you can have it replaced. You do not want someone to use your lost modem, identified with your username and national ID, to hack into government or sensitive information; that could later be traced to your national ID and could be a disaster for your reputation and career if you had failed to report in time.
f) Security on shared computers:
For some reason you may need to use a shared computer; handle that as carefully as follows to mitigate security risks:
- Use the private browsing mode so that your browsing history is not saved on the shared computer and that other user’s passwords, cookies, and sessions do not interfere with yours.
- Be certain that two-step authentication is enabled for your accounts before you work in a shared environment.
- Look out for certificate warnings in the browser and suspicious or unfamiliar browser add-ons and software that might compromise your data.
- Refrain from logging into services you do not strictly need, to avoid the risk of keystrokes being recorded.
- When working with files, use a cloud file storage system like Dropbox, Box, or Google Drive to ensure the protection of your files.
- File names should not disclose any personal or official information about you.
- Check the print queue and printer for any stuck jobs or print-outs before you leave.
- Look for portable versions of the software online that can run from a personal USB drive.
With shared resources comes accountability, typically in the form of Active Directory. The manager of the shared resource environment must make sure that everyone logging into the shared server or computer has some form of unique username and password against which they can be identified; the absence of this could lead to problems. In that case, keep your username or Active Directory name and password confidential. You do not want someone to steal your credentials and use them to delete files or make unauthorized changes on the company server.
Computer investigators do not look for people’s DNA or faces. No. We look for the unique IDs – usernames, session IDs, accounts, and specific IP addresses that attackers used to make the changes or modifications that caused the fraud. It is your responsibility to keep your credentials safe and secure. You are responsible for reporting immediately once you become aware of the loss of your access credentials.
g) Monitor app permissions
Take time to analyze the permissions an app requests rather than clicking through the installation prompts. Permissions act as a safeguard against unintended access so you must be aware of the permissions you have granted to installed apps. Assess whether permission requests to photos, microphone, contacts, location, and other features, match what is expected of the mobile app. You should occasionally review these permissions and revoke them where necessary.
As a user, make sure you avoid unnecessary app downloads and installations on your phone. Before you download any app, check the official developer website, and look at the app’s maturity and user reviews. Besides, be careful with the kind of authorizations you give to the app to access your camera or emails. Some apps are phishing apps that may take your picture in the background or expose you to keyloggers.
h) Guest accounts on your computer:
Disable Guest accounts that unauthorized users could use to access any resources that are accessible over the network when logged in with no password.
Neglect of this can potentially lead to a data breach since any shared folders with permissions that allow access to the Guest account are openly accessible.
2. Data Security
a) Device security:
Attending to the security of your devices can keep a great deal of personal information, ranging from contacts and calls to notes, emails, photos, and documents, to account credentials and passwords, from landing in jeopardy.
- Enable full disk encryption on your laptop to protect sensitive information in case your laptop is stolen.
- Regularly update operating systems and applications on network endpoints.
- Think very carefully before you let someone use your laptop while considering the risk for malware, information compromise, or illegal activity.
- Your screensaver, lock screen photo, or desktop image must not unnecessarily expose personal information.
- Set a passcode of at least 6 digits, or a strong password, to keep unauthorized people from using your mobile phone.
- Change your phone notification settings so that apps don’t show actual content on the lock screen but rather on the unlocked interface.
- Be extra cautious not to load apps from anywhere other than the device’s app store.
- Be certain not to provide personal information over public Wi-Fi access points, especially without a VPN.
- Do not give out personal information to random callers, as it will most likely be a phone scam.
- Guard against prying eyes when dealing with sensitive information on your device.
- Before you donate your mobile device, erase the device using the built-in restore functionality.
b) Virus and malware scans:
Viruses and malware are common threats to computers of all types; however, there are free, reliable options to combat them. Microsoft Defender is readily available on Windows 10, and Microsoft regularly updates its definitions to curb malicious software, hence users should often check for updates. Apple also provides anti-malware software that runs in the background on macOS. Ensure that virus and malware protection, whether built-in or third-party, is enabled on all network endpoints.
c) Cloud configuration and management:
Use a strong, unique password when you sign up for a cloud service and enable two-factor authentication if it is available. Above all, ensure that cloud configurations are up-to-date and secure. Periodically review your vendor’s responsibilities for security with critical assets.
d) Full-disk encryption:
Full-disk encryption is a feature available on major operating systems to cryptographically protect the contents of your hard drive. Since it allows access to the data only when a password is provided, it is useful when you lose your computer. On Windows PCs, Windows device encryption and BitLocker can offer full-disk encryption depending on the license version, whereas on Macs the full-disk encryption feature is FileVault.
You can also particularly add security to sensitive files like financial records, medical records, or anything else that might be more private than other information. Many tools can encrypt files, for example, VeraCrypt which creates encrypted volumes inside which you can store files to keep private.
e) Secure back-ups:
It is crucial to note that backups should be on a dedicated disk separate from your computer, not just a copy of your data in another location on the same computer. Test your backup often to be sure that you can retrieve your files in case of a disaster.
For the best security, encrypt your backup to prevent unauthorized access by intruders. Windows Backup with BitLocker, Time Machine with an encrypted HFS+ partition, and automated rsync jobs to a LUKS-encrypted partition on Linux all enable the creation and maintenance of secure backup files.
f) Intellectual property:
Everyone has the responsibility to protect information assets at work while taking these considerations into account:
- If you work with sensitive files on your computer, make sure your computer’s hard drive is encrypted or that the information is stored in an encrypted container.
- At the very minimum, do not forward intellectual property files to personal email accounts.
- Be certain to lock your screen when you step away from your computer and do not expose sensitive information when you share your screen in a meeting, video chat, or presentation.
- Endeavour to follow any policies, guidelines, and regulations in place for working with sensitive data.
g) Policy reminders:
Remind employees of acceptable use and data protection policies concerning enterprise assets and/or bring your own device (BYOD).
h) Secure online payments:
More often than not, we quickly reach for our credit card and enter the card details into a website to make an online purchase. It is imperative to note that credit card information including the credit card number, expiration date, and security code, once exposed, can be used to make unauthorized purchases anywhere in the world.
Consider these options to help secure your payments online:
- Choose not to store your payment information with a website.
- Use a dedicated payment card or gift credit cards for all your online purchases and a different card for your in-person or real-life transactions.
- Make use of a one-time credit card if you need to purchase something from a vendor that you do not reliably trust.
- Consider paying with an app rather than an e-check or wire transfer. Some apps like PayPal, Venmo, Cash App from Square, and Apple Pay Cash support this option.
3. Network and Web Security
a) Security questions:
Protect against other people who might know things about you by answering security questions as a different personality altogether.
b) Wireless security:
Wireless networks are great for accessibility though they can be a dangerous attack vector for hackers. Have these controls in place for your wireless security:
- Use a strong password for your home Wi-Fi and have WPA2 encryption enabled.
- Consider setting your device name to something that doesn’t broadcast your real name especially when using wireless functionality.
- Restrict access to your Wi-Fi by MAC address white-listing.
- When not in use, turn off devices like printers, smart TVs, and streaming boxes, that can broadcast their Wi-Fi network to allow clients to connect directly.
- Use a VPN to add extra privacy to your communications.
- Turn off unnecessary Bluetooth connections to avoid the automatic transfer of files.
c) Safe browsing:
- Use private browsing modes to minimize the amount of personal information you send to web servers.
- Make use of a browser extension, like HTTPS Everywhere to help keep your browsing on public networks safe while also looking out for certificate errors.
- Block trackers and adware as you browse around the web by installing software from your browser’s extension store such as Privacy Badger, offered by the Electronic Frontier Foundation, and uBlock Origin.
- You can consider using the Tor browser to ensure location privacy when online.
- Refrain from using VPN providers that offer their service for free because they often log traffic and sell it to advertisers to make money. Choose commercial established VPNs such as ExpressVPN and Nord VPN among others.
d) Check link legitimacy:
Time and again, you will need to investigate links that show up on the web, in a chat message or email.
- Before you risk clicking on a link, hover the cursor over the hyperlink to see the URL that link is bound to take you to.
- Alternatively, you can usually right-click the link and copy it to your clipboard, then paste it into a text editor for a closer look.
- Look closely at the domain to see if it makes sense in the given context. If, for example, an email comes from your bank, the link should not go to Facebook, Gmail, or Amazon, to mention but a few.
- Also check for well-known domain names used as subdomains of a fake domain, as this may be a little confusing at first. Take for instance a link like gmail.com.totallyrealwebsite.com, which may look legitimate to a rushing user.
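The following added example (not from the original article) automates the link checks above: it extracts the host and the registrable domain from a URL, compares it with the domain the reader expects, and flags the gmail.com.totallyrealwebsite.com pattern, a decoy name placed before an '@', and raw IP addresses. The allow-list of known domains and the short list of two-label suffixes are assumptions for illustration (a production check would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed allow-list of brands a reader expects to see in legitimate links (assumption).
KNOWN_DOMAINS = {"gmail.com", "facebook.com", "amazon.com", "mybank.example"}

# Suffixes that count as a single label when working out the registrable domain.
# Assumption for the example: a real implementation uses the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.ug", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_link(url: str, expected_domain: str) -> dict:
    """Apply the article's checks to one URL and report why it looks suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if parsed.scheme != "https":
        findings.append("link is not https")

    # The domain that matters is the registrable one, not whatever appears first.
    if reg != expected_domain.lower():
        findings.append(f"registrable domain is {reg}, expected {expected_domain}")

    # A well-known name appearing *inside* another host is the
    # gmail.com.totallyrealwebsite.com trick from the article.
    for known in KNOWN_DOMAINS:
        if host != known and not host.endswith("." + known) and known in host:
            findings.append(f"{known} used as a decoy inside {host}")

    # Anything before '@' is user info, not the destination: a classic decoy position.
    if parsed.username:
        findings.append(f"decoy '{parsed.username}' placed before '@'")

    # Legitimate mail from a bank does not point at a bare IP address.
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a hostname")

    return {
        "host": host,
        "registrable_domain": reg,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links, including the article's own lookalike example.
    for link, expected in (
        ("https://gmail.com.totallyrealwebsite.com/login", "gmail.com"),
        ("https://accounts.google.com/signin", "google.com"),
        ("http://mybank.example@198.51.100.7/login", "mybank.example"),
    ):
        print(link, analyse_link(link, expected))
```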
e) Email security:
Over time, email accounts have proved to be the most widely used digital contact methods for work, banking information, online purchases, social networking services, mobile phone accounts, medical information, and other critical updates.
To limit the risk of compromise, ponder the security factors below when using email:
- Choose a reputable email provider with sufficient security features.
- Have a unique strong password.
- Since most email is stored in plaintext, use encryption plugins in mail programs or browsers to add an essential layer of security to your email content.
- Activate two-factor authentication if available.
- If you log in to your mail using a webmail interface, keep the tab closed when not in use and always remember to log out.
- Keep an eye out for password recovery emails you did not initiate. Read through the email header to trace the path of the suspicious email.
- Be vigilant about not clicking on spam, and evaluating incoming messages to combat phishing attempts.
- Think carefully about sites that offer login through your email provider, because this can pose a high risk of a data breach.
Security is the responsibility of the individual user. You must read and be careful whenever your computer or mobile device is connected to the Internet. As technology evolves, so do attack vectors and their sophistication. It is important that you continuously keep reading and updating yourself with new information.
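The following added example (not from the original article) puts the header-tracing tip above into code: it parses the Received headers of a message, lists the hops in the order the mail actually travelled, and compares the relay that handed the message to the reader’s own mail exchanger with the domain claimed in the From header. The raw message, its hostnames and IP addresses are constructed for the example; “corp.example” is assumed to be the reader’s own mail domain.

```python
import email
import re
from email import policy

# Constructed raw message (not a real mail). Each server prepends its own Received header,
# so the topmost one is the last hop and the bottom one is closest to the true origin.
RAW_MESSAGE = b"""\
Received: from mx.corp.example (mx.corp.example [203.0.113.5])
\tby inbox.corp.example with ESMTPS id abc123; Mon, 06 Apr 2020 08:02:11 +0000
Received: from mail.totallyrealwebsite.com (unknown [198.51.100.23])
\tby mx.corp.example with ESMTP id xyz789; Mon, 06 Apr 2020 08:02:09 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.totallyrealwebsite.com; Mon, 06 Apr 2020 08:01:58 +0000
From: "Account Security" <no-reply@accounts.google.com>
To: jane@corp.example
Subject: Password recovery request

Click here to reset your password.
"""

# "from <host> (<comment>) by <host>" is the common shape of a Received header.
HOP_RE = re.compile(
    r"from\s+(?P<from>[^\s;]+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)"
)

OWN_DOMAIN = "corp.example"  # assumption: the reader's organisation


def parse_hops(raw: bytes) -> list:
    """Return the Received hops oldest-first, i.e. the path the mail travelled."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # collapse header folding
        if match:
            hops.append({
                "from": match.group("from").lower(),
                "by": match.group("by").lower(),
                "comment": match.group("comment") or "",
            })
    hops.reverse()
    return hops


def sender_domain(raw: bytes) -> str:
    """Domain claimed in the From header (easily forged, hence worth checking)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain.lower()


def check_recovery_mail(raw: bytes) -> dict:
    """Flag a mail whose claimed sender does not match the relay that delivered it."""
    hops = parse_hops(raw)
    claimed = sender_domain(raw)
    # First hop received by one of our own servers: the external relay that handed it over.
    handoff = next((h for h in hops if h["by"].endswith(OWN_DOMAIN)), None)
    origin = handoff["from"] if handoff else ""
    mismatch = bool(origin) and not origin.endswith(claimed)
    return {
        "claimed_sender_domain": claimed,
        "handoff_from": origin,
        "suspicious": mismatch,
        "hops": hops,
    }


if __name__ == "__main__":
    for hop in parse_hops(RAW_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}")
    print(check_recovery_mail(RAW_MESSAGE))
```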