When working from home, we need to be extra vigilant when it comes to online threats. For some, working from home is great, while for others the responsibility of managing sensitive company data and credentials can be daunting, particularly if your company has a BYOD (Bring Your Own Device) policy and you're using a home PC that is likely shared between multiple members of the household.
When you are out of the office, away from your business's protective measures, it is harder to know if sites have been compromised, if your sensitive data is being intercepted or if there is malware on your machine snooping on you. Luckily, there are simple steps you can take to give yourself peace of mind (and hopefully get on with some of that pesky work!).
1. Keep Windows updated
First up is operating system updates. They are a straightforward way of bolstering your defences, but they often get neglected until something breaks or the update is forced upon you. Make sure you are installing updates regularly, as these often contain patches that stop the majority of malware in its tracks, so it will go a long way in keeping your device secure.
A recent example is the EternalBlue zero-day which exploited a flaw in the SMB 1.0 protocol (used for file shares) to move laterally across the network. This had a devastating impact on several industries and can be mitigated by installing the latest Windows patches.
2. Install antivirus
Up-to-date antivirus software is a critical component in keeping your data safe. It is especially important to ensure your signature database is updated often (ideally daily) and you are running regular full system scans. There are many features available in antivirus clients that offer various levels of protection, so choose a package that meets your needs. Not having one installed at all is a very risky move.
3. Browse the web safely
There are a few important steps to take when browsing the web safely, the first of which is using a modern web browser. The web is the biggest threat when using a computer, so browser developers such as Google and Mozilla put a lot of work into identifying and eliminating vulnerabilities and bugs. Hackers are quick to pick up on old vulnerabilities, so install browser updates as soon as they become available. Luckily, most modern browsers now enable automatic updates by default. Double check yours is set to update automatically, and install any updates that haven't yet been installed.
The second step is more difficult but just as important: paying attention to what you are doing online. Never use the web on autopilot, particularly if you are sending information. Passwords, email addresses, physical addresses, phone numbers... the list of sensitive data is endless nowadays. When you are sending data to a server, check everything and then check again.
Some helpful things to consider are:
Has the site verified itself with a valid SSL certificate? Is it even using SSL? (A simple way to check is whether your browser trusts it: if it does, there will be a padlock in the web address bar. If you want to be extra cautious, you could double check the certificate with a trusted CA: https://www.digicert.com/help/)
Does the address of the website change to something different when you click login and get redirected?
Is this domain verified?
It's important to keep in mind that security is an ongoing process and a frame of mind. We are bound to make mistakes from time to time, but that's why it is vital to have a solid antivirus program installed.
The final step in safe web browsing is to be careful when downloading files from the internet. It is good practice to never trust ANY file that has been downloaded from the internet without scanning it with your antivirus software. Even when downloading files from trusted sources there are still ways to become compromised. For example, a trusted website could have been compromised recently and the download button could redirect the user to download the software from a malicious source instead. Worse yet, the software you intended to install could still be downloaded whilst silently installing a backdoor onto your system, meaning you would never even know what had happened until the damage was done.
To summarise, remain alert whilst browsing the web, particularly when inputting or sending information. Choose a modern web browser and keep it up-to-date. Finally, scan every file you download with your chosen antivirus software. If you want to be extra secure, use a website like VirusTotal, which scans the uploaded file with many different antivirus signature databases.
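The download check described above, as an added PowerShell example that is not part of the original article: it gathers the file's SHA-256 (which can be searched on VirusTotal without uploading the file), its recorded download origin and its code-signing status, then runs an on-demand scan. It assumes Microsoft Defender is the active antivirus; the function name Test-DownloadedFile and the sample path are made up for illustration.

```powershell
# Added example; Test-DownloadedFile is a hypothetical helper name.
function Test-DownloadedFile {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # SHA-256 of the file: can be searched on VirusTotal without uploading the file.
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Mark of the Web: browsers record the download origin in the Zone.Identifier stream.
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $origin = $motw | Where-Object { $_ -match '^(ZoneId|HostUrl)=' }

    # Authenticode: 'Valid' means signed and unmodified since signing; it does not
    # prove the publisher is the one you expected, so the signer is reported too.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # On-demand Microsoft Defender scan of just this file (assumes Defender is the active AV).
    $detections = $null
    try {
        Start-MpScan -ScanType CustomScan -ScanPath $file.FullName -ErrorAction Stop
        $detections = @(Get-MpThreatDetection | Where-Object {
            $_.Resources -match [regex]::Escape($file.FullName) })
    } catch {
        Write-Warning "Defender scan not run: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        File            = $file.FullName
        SHA256          = $sha256
        DownloadOrigin  = $origin -join '; '
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        DefenderHits    = if ($null -eq $detections) { 'not scanned' } else { $detections.Count }
    }
}

# Constructed sample path; replace with the file you downloaded.
Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\installer.exe"
```

A signature status other than Valid, a signer you do not recognise, or any Defender hit is a reason not to run the file.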
4. Secure management of passwords and logins
Let's face it, we all have way too many passwords, and when you combine your personal passwords with your work passwords it becomes a headache to manage. There have been some improvements in authentication, but we're still not in the password-free utopia that we were promised would come. That's where a good password management tool comes to the rescue. There are some great options that you can use across multiple devices, with some offering browser extensions that automatically fill in the credentials for you. These are great at mitigating keyloggers because you never type in your password manually, so there is nothing to intercept and then steal.
We all (hopefully) now know that it's a bad idea to reuse the same password for multiple accounts. Our technical director, Ged, made a great statement about this recently, when he said "I no longer know any of my own passwords". That sounds funny initially, but it shows you the power of a credential manager. Not only does it keep your credentials secure, it removes the burden of thinking about and remembering your passwords.
5. Use two-factor authentication on remote access
As more of us begin to work from home, we open certain doors into our network that wouldn't normally be open. Recently, businesses have been forced to adapt quickly to allow most of their workforce to work from home, and this means a lot of rushed remote working projects. Shodan.io recently released some worrying numbers on the increase in remote desktop servers open to the public internet. We can't stress enough the risk of this configuration. There are exploits in use in the wild that are not yet known, and remote desktop servers have repeatedly proven to be lucrative playgrounds for malicious actors. It just isn't worth the risk when there are options available that are provably secure and cost effective. If you must use a remote desktop, secure it with two-factor authentication.
The only way to be confident that your data is kept away from prying eyes when transmitting over the public internet is to encrypt it. There are a lot of methods to accomplish this, but the easiest is a VPN-capable firewall or remote access server that allows all your clients to connect back to the office using an encrypted tunnel. This also means you don't have to expose your internal infrastructure to the internet, and whilst exposing a VPN server is still a risk, it is massively reduced.
I'd also like to quickly mention our old friend PPTP. If you're still using this protocol to provide remote access to your infrastructure, you may not be aware of the dangers now widely known. PPTP was deprecated in 2012 when a report was released detailing huge security flaws in it. Microsoft then released an updated protocol which was then similarly exploited. Microsoft themselves recommend not using PPTP in a secure environment, with some companies dropping support completely. Save yourself the headache and avoid PPTP completely. If you are still using PPTP because it's deployed via a Windows remote access server, then deploy an L2TP/IPsec tunnel instead, which has provably secure encryption using TLS (a protocol designed to securely transmit data over the public internet) and is also free.
6. Encrypt disks
Last up, and well worth a mention, is disk encryption. If you have company-issued devices that are taken offsite, it is imperative that the disk is encrypted. Laptops are particularly vulnerable to being lost or stolen, and encrypting the disks is an effortless way to remain confident that no one will be able to retrieve any of the data stored on them. This is also a requirement for GDPR.
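A read-only way to check a home PC against steps 1, 2, 5 and 6, as an added PowerShell example that is not part of the original article. It assumes an elevated prompt, Microsoft Defender as the antivirus and a Windows edition that ships the BitLocker cmdlets; Network Level Authentication is reported because it is the built-in pre-login check for Remote Desktop, not because it is a second factor.

```powershell
# Added example: read-only posture check for steps 1, 2, 5 and 6. Changes nothing.
$report = [ordered]@{}

# Step 1: most recent installed update, and whether the SMB 1.0 server is still enabled.
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['Last update installed'] = if ($lastFix) {
    '{0} on {1:yyyy-MM-dd}' -f $lastFix.HotFixID, $lastFix.InstalledOn
} else { 'unknown' }
$report['SMB1 server enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Step 2: Defender real-time protection and signature age (the article suggests daily updates).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['Real-time protection'] = $mp.RealTimeProtectionEnabled
    $report['Signature age (days)'] = $mp.AntivirusSignatureAge
    $report['Days since full scan'] = $mp.FullScanAge
} catch {
    $report['Defender'] = 'not available; check your third-party antivirus console'
}

# Step 5: is Remote Desktop accepting connections, and is NLA enforced?
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report['Remote Desktop enabled'] = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
$report['RDP requires NLA'] =
    (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1

# Step 6: encryption state of the system drive.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['System drive'] = '{0}, protection {1}' -f $vol.VolumeStatus, $vol.ProtectionStatus
} catch {
    $report['System drive'] = 'BitLocker status unavailable (not elevated, or edition without BitLocker)'
}

[pscustomobject]$report | Format-List
```

Values to follow up on: SMB1 server enabled True, a signature age above 1, Remote Desktop enabled on a machine that does not need it, or a system drive that is not FullyEncrypted with protection On.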