With more than half the world now working from home, the home network and its devices become an extension of the corporate network. From the organization’s point of view, the attack surface is expanded to include points of exposure on home Wi-Fi networks, access points, home routers, mobile devices, workstations, and laptops. IT administrators take steps to mitigate risks through security policies that enforce security controls (Windows UAC and Group Policy, for instance) and mandate the usage of corporate VPNs. Additionally, there are certain things that employees can do themselves to tighten security. In a remote working scenario, security is a shared responsibility between the organization and its employees.
By Brian Pereira, Principal Editor, CISO MAG
Here are 4 things to secure in your IT infrastructure while working from home:
Secure network connections
Home network connections are mostly wireless, and we know that wireless connections are not as secure as wired (Ethernet) connections. If your home router has a weak password or the default one, it could be hacked by a tech-savvy neighbor. Even Bluetooth connections can be hacked (Bluesnarfing attacks).
To secure your home Wi-Fi, get out the router manual (or download it from the Internet). Look for the default router ID and password. The ID could be “Admin” and the default password could also be “admin”. Now load your browser and type the following in the address bar: 192.168.1.1 (if that address does not work, the manual lists the one your router uses). You should then see your router’s login page. Log in using the default credentials. Then head to the “change password” section and type in a new password. Read the guidelines for the password as mentioned in the manual. Also opt for strong wireless security standards like WPA2 with AES.
Use strong passwords
Users tend to use a common password across services. If even one of those services is breached, the user’s accounts on the other services become vulnerable. So, use a different password for every service.
According to Microsoft, 30 percent of reused or modified passwords can be cracked within just 10 guesses.
If the browser (or an extension) offers to “remember” passwords, decline that request. If you opt for a password manager, give it a master password that you use nowhere else.
When creating a new password, do not include a complete word in the password string. Hackers use password dictionaries that try word combinations until the real password is matched. This is a form of “brute force” hacking (a dictionary attack). Passwords should be a minimum of 8 characters. Use a mix of upper- and lower-case letters, numbers and special characters.
And if the service offers an account lockout threshold, use it. That is the number of wrong password attempts allowed before the account is locked. Online banking services already enforce this: if you forget your password and enter it wrong three times, you are locked out of your bank account. A call to your bank, with authentication checks, will reset the password. But that is a process implemented by the bank. Windows 10 also offers account lockout thresholds.
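As an added example (not the article’s own code), a small Python checker that applies the password rules above: minimum 8 characters, all four character classes, no complete dictionary word, and no reuse or trivial modification of an earlier password. The wordlist and the leet-speak substitution table are constructed assumptions, not a real cracking dictionary.

```python
import string

MIN_LENGTH = 8  # the article's minimum

# Constructed stand-in for the password dictionaries the article mentions (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "office"}

# Common symbol-for-letter substitutions; undoing them lets "P@ssw0rd" match "password".
LEET = str.maketrans("@$0!13", "asoile")


def _core(pw: str) -> str:
    """Normalise a password the way a guessing tool would: lower-case it, drop digits
    and symbols at either end, and undo leet substitutions, so that Summer2020!
    and summer2019 both collapse to 'summer'."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)


def contains_whole_word(pw: str, words=COMMON_WORDS) -> bool:
    """True if a complete dictionary word appears in the password, spelled plainly
    or with leet substitutions."""
    plain, unleeted = pw.lower(), pw.lower().translate(LEET)
    return any(w in plain or w in unleeted for w in words)


def is_variant_of_old(pw: str, old_passwords) -> bool:
    """True if the password is a reused or trivially modified earlier password."""
    core = _core(pw)
    return bool(core) and any(core == _core(old) for old in old_passwords)


def check_password(pw: str, old_passwords=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("needs lower-case, upper-case, digits and special characters")
    if contains_whole_word(pw):
        problems.append("contains a complete dictionary word")
    if is_variant_of_old(pw, old_passwords):
        problems.append("reuses or trivially modifies an earlier password")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2020!", "P@ssw0rd1", "abc", "short1A!"]:
        print(candidate, "->", check_password(candidate, ["summer2019"]) or "OK")
```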
Use multi-factor or two-factor authentication
Email services like Gmail offer multi-factor authentication and two-factor authentication (2FA) for verification, but few Gmail users make use of this feature.
A Google report in 2018 suggested that less than 10% of Gmail users employ two-factor authentication, which is considered one of their best security features.
An organization can also set two-factor authentication for services on the company portal, or for corporate email.
With 2FA, you can opt to receive an SMS code on your mobile device whenever you try to log in. Gmail also lets you use one of your devices for authentication. For instance, you can tap your mobile phone screen (Push to Verify) after receiving an authentication message from Google. A third way is to use a hardware token like Google Titan Security Key or YubiKey (Yubico). And a fourth method is to use an authentication app like Google Authenticator. There are other methods for 2FA and it depends on what the service offers. Even social media sites like Twitter, LinkedIn and Facebook offer multi-factor authentication. Banks have enforced 2FA for many years (mainly through hardware tokens).
Secure mobile devices
There are four main things to secure: the mobile OS, the apps, the data and the device itself (physical security). Potential threats include data theft, stolen user credentials, malicious apps, inadequate user configurations, security vulnerabilities in the mobile OS and apps – and stolen devices.
You’d be shocked to learn about the things mobile malware can do – a hacker can activate your phone’s microphone and eavesdrop on conversations, for instance.
To secure the apps and the OS, update these often. Download apps only from authorized marketplaces (Google Play Store or Apple App Store). And ensure that the apps are verified (look for the “Verified by Google Play Protect” badge on the Play Store when downloading apps for Android phones). You can also scan all your installed apps later to verify them.
Don’t try to jailbreak your Apple phone or “root” your Android device. If you do that, the device becomes a threat to the networks and other devices it connects to. Malicious or unauthorized apps set up “backdoors” on jailbroken devices.
Mobile devices do not have firewalls, so install a firewall app (or a mobile security suite) to scan all traffic between the apps and their corresponding servers.
Disable the Bluetooth visibility/discovery mode. Use a Bluetooth PIN when pairing your phone with another user’s phone in public. And keep a watch on all the devices that have paired with your phone via Bluetooth. Remove old or unknown devices from the list.
Back up your contacts and data to an online service like Google Drive, Apple iCloud, or Microsoft OneDrive.
Physical security – Your mobile phone and laptop are likely to contain important data related to your work, your company’s policies, product information, email, customer data and other sensitive data.
To protect mobile phones, note down the IMEI number and install a SIM Lock (ask your service provider about this). Also, enable the device tracking feature – for Apple devices it is Find My iPhone and for Android, it is Android Device Manager. Encrypt your phone by setting a screen lock and enabling the encryption features.
For laptops, encrypt the drive using BitLocker (Windows) or FileVault (Apple). Store the recovery key outside the device (on a pen drive or online).
Data security is a shared responsibility: both the employee and the organization are custodians of an organization’s data. Employees working from home need to take adequate steps, like those described in this article, to protect data and endpoints. There are other security measures to be taken, such as operating system and application security, both of which will be discussed in the next article. Meanwhile, stay indoors and stay safe.
Part-2: Application and OS Security