Working from home

What should you be alerted to?

Johannesburg, 29 Apr 2020
Caesar Tonkin, Logicalis SA CISO.

During the country-wide lockdown, effective from 26 March 2020, in order to minimise the spread of COVID-19, your organisation’s goal would be to enable your teams to work securely from home. This is necessary so your organisation can continue to deliver quality services to customers and stakeholders.

This security alert prepares your organisation for the risks of working from home, so your teams know how to avoid unauthorised access to your organisation’s systems and sensitive data.

What are the threats while working from home?

Your teams are key in your defence against cyber attacks during this extended period of working from home.

Individuals should be alert to increased social engineering attacks and phishing attempts, especially during this time of both dramatic change and urgency. Social engineering is a psychological attack, where attackers trick or fool their victims into making a mistake during “business unusual” times.

The COVID-19 pandemic opens up your organisation to a new avenue for malicious actors using phishing e-mails or "social engineering" to gain access to or steal sensitive information from individuals and your organisation.

Phishing e-mails can be disguised as coronavirus updates or as updated company policies aimed at deceiving employees.

Some examples of threats:

  • Safety guidelines offered in a CoronaVirusSafetyMeasures_pdf file, which deploys a remote access tool and malware, and an erroneous Microsoft Office document that deploys keylogging and other malware.
  • A phishing attack uncovered by Abnormal Security targeted users with bogus e-mails in a bid to steal their Office 365 credentials by redirecting unsuspecting victims to a fake Office 365 login page.
  • Malware-laden spam e-mails are increasing. F-Secure researchers have observed a new spam campaign that aims to capitalise on the widespread mask shortage to trick recipients into paying for masks, only to send them nothing.
  • Cyber attacks have increased against hospitals and testing centres. Phishing campaigns distribute malware such as AZORult, Emotet, Nanocore RAT and TrickBot via malicious links and attachments, and execute malware and ransomware attacks that aim to profit off the global health concern.
  • Check Point reported that over 4 000 coronavirus-related domains have been registered in 2020, of which 8% were malicious or at least suspicious. Therefore, use only trusted sources, such as legitimate government Web sites, for up-to-date, fact-based information about COVID-19.

Be aware that hackers could launch distributed denial of service (DDoS) attacks on VPN services and exhaust their resources, crashing the VPN server and limiting its availability. With the VPN server acting as a gateway to the organisation’s internal network, this would prevent all remote employees from doing their jobs, thereby impacting on productivity and customer service.

What security controls should typically already be in place in your organisation to protect key systems and sensitive information?

To protect the individual’s machine and the organisation’s information against cyber attacks, the individual’s machine has specific security policies configured.

Use only the organisation-issued machines for business purposes, as the organisation-approved operating system is installed with regular software updates.

The individual’s machine should have approved anti-virus software, with the latest anti-virus updates and Microsoft patching updates. To stay current, automatically push updates to machines. Individuals should not disable automatic updates.

Machines should have configured built-in personal firewalls, which need to remain enabled.

Back up your organisation information on machines and servers once a week at least, or as per your backup and retention policy (online and offline).

Use BitLocker or similar for encryption of the machines’ hard drive for security reasons in the event of machine theft.

When remotely accessing the organisation’s network, ensure your teams do so through a secure virtual private network (VPN) with strong end-to-end encryption.

When sharing sensitive organisation information, your teams should use only approved repositories, for example, SharePoint, OneDrive, Email or Teams Chat.

Avoid sharing sensitive company information using text messaging or private chatting on social media or WhatsApp as this poses a security risk to the organisation.

Personal e-mail (eg, Gmail) should not be used for business purposes.

What security controls should you strengthen?

Constantly assess concurrent traffic by your teams on the firewall infrastructure to ensure this security layer can handle all the increased inbound traffic.

Monitor VPN accounts for abuse, compromises or exploits by attackers. Monitor VPN performance and availability of VPN services.
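One way to act on the VPN account monitoring advice above, as an added example that is not part of the original alert: a small detector that flags accounts with a burst of failed logins or with successful logins from different source addresses within a short period. The log format, account names, addresses and thresholds are assumptions made for illustration and must be adapted to what your VPN gateway actually records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not a real product's log):
# "<ISO timestamp> user=<account> src=<ip> result=<success|failure>"
SAMPLE_LOG = """\
2020-04-29T08:00:05 user=alice src=192.0.2.10 result=success
2020-04-29T08:01:00 user=bob src=198.51.100.7 result=failure
2020-04-29T08:01:20 user=bob src=198.51.100.7 result=failure
2020-04-29T08:01:45 user=bob src=198.51.100.7 result=failure
2020-04-29T08:02:10 user=bob src=198.51.100.7 result=failure
2020-04-29T08:02:30 user=bob src=198.51.100.7 result=failure
2020-04-29T08:20:00 user=alice src=203.0.113.99 result=success
2020-04-29T11:00:00 user=carol src=192.0.2.44 result=success
2020-04-29T17:30:00 user=carol src=192.0.2.45 result=success
"""

def parse(log_text):
    """Yield (timestamp, user, src_ip, result); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            yield datetime.fromisoformat(parts[0]), fields["user"], fields["src"], fields["result"]
        except (ValueError, KeyError):
            continue

def find_alerts(log_text, max_failures=5, window=timedelta(minutes=10),
                ip_window=timedelta(hours=1)):
    """Return sorted (user, reason) pairs worth an analyst's attention."""
    failures, successes, alerts = defaultdict(list), defaultdict(list), set()
    for ts, user, src, result in sorted(parse(log_text)):
        if result == "failure":
            # Keep only failures inside the sliding window ending at ts.
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= max_failures:
                alerts.add((user, "repeated_failed_logins"))
        elif result == "success":
            # Same account authenticating from a different address shortly after.
            if any(ip != src and ts - t <= ip_window for t, ip in successes[user]):
                alerts.add((user, "logins_from_multiple_sources"))
            successes[user].append((ts, src))
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in find_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

Home connections change address legitimately (router restarts, mobile tethering), so treat the multiple-source alert as a prompt to check with the user rather than proof of compromise.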

Ensure the VPN infrastructure remains patched and up to date.

Preferably, all teams should use multi-factor authentication when logging in to the company network and when accessing critical systems. This protects VPN accounts from unauthorised access.

To avoid RDP account takeovers by cyber attackers, strengthen how system administrators in your organisation, or third-party support staff, access servers, databases and network systems.

Migrate to an advanced e-mail protection with an SLA-based managed e-mail protection service, especially if you are concerned about the risks from sophisticated business e-mail compromises, attempts by threat actors to gain unauthorised access to e-mails, unwanted disruption from e-mail malware, phishing attacks, mail virus infection and mail-borne spam.

In the event of a suspected data breach, for example where VPN accounts are suspected to be affected, ensure individuals reset their Active Directory password, use multi-factor authentication and restrict access to critical information.

Advise individuals to change the default administrator password of their home WiFi router to a complex password. An attacker can easily discover the default password.

If your teams become aware of a possible data security breach while working from home, they should inform your service desk so that your security incident response process is followed, which will be overseen by your CISO/head of information security and security team.

If you require more information and assistance, Caesar Tonkin, Logicalis SA CISO, and our Team would welcome a virtual meeting to explore this with you.

Editorial contacts
Info (+27) 021 935 6600