I was thinking end of last week, “what I would tell my friends and family about being safe online while being forced to work from home”. I started writing a few ideas (nothing Earth shattering), and then released those thoughts this morning in a blog post. If you find it useful at all, please share with those who may get value out of it.
#cybersecurity #rapid7 #onlinesafety
Article from Rapid7 Blog: https://blog.rapid7.com/2020/03/16/how-to-wfh-and-keep-your-digital-self-safe/
We have rapidly entered a new era of living with a global pandemic. As a result, many are working from home – at kitchen tables, sitting on the sofa, or typing at a desk next to the bed. With very little notice, our work and personal lives have changed, and we don’t know how long this will last. Without any talk of FUD (fear, uncertainty, doubt), it got me thinking about how we can stay safe online in this new world.
BE ON HIGH ALERT FOR ONLINE SCAMS
In times of uncertainty, we should anticipate bad actors looking for an opportunity to capitalize. This could be through phishing emails, financial scams, or other tactics that prey on human nature. Fortunately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is monitoring and notifying the general public on cybersecurity scams related to COVID-19 and has provided the following guidance:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
While at home, it may be a good time for you to review your company’s security awareness communication regarding remote working and to stay up to date with any new guidance, as company plans and protections are likely to evolve over the coming days and weeks. Although it may be tempting or seem appropriate to “fast track” or “bypass” some of the processes or controls laid out, I advise against it. Internal controls and processes are in place for a reason and must be followed to avoid scams and, in some cases, to ensure compliance with external regulations.
MAKE SURE YOUR CORPORATE PASSWORDS ARE NOT ABOUT TO EXPIRE
Everyone has experienced some challenges when it comes to changing passwords, and it can get even more difficult and complex to change your password when you are NOT in the office. Check to see if your password is expiring in the near future and make sure you know how to change it. Also consider checking with your IT team beforehand to ensure all systems for remote password changes are in order. The risk here is that your password expires while you are out of the office. Once you’re locked out of the corporate network, it can be difficult to get yourself back online while remote.
CHECK YOUR WIFI CONNECTION
As many of our work laptops or mobile devices auto-connect to WiFi networks, check to ensure that you are connected to your home network (or intended hotspot). You might be surprised that you are connected to a public hotspot offered by a broadband provider, or a nearby neighbor’s WiFi network. To ensure you have the utmost privacy, just check your WiFi settings and ensure you are on the network you intend to be on.
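The two checks above (password expiry and the Wi-Fi network you are actually on) can be scripted on a domain-joined Windows laptop. This is an added example, not code from the Rapid7 post; it assumes an English-language Windows build, that the ADSI searcher can reach a domain controller (you are on the corporate network or VPN when you run it), and that `$ExpectedSsids` holds your own home network name, which is a constructed placeholder here.

```powershell
# Added pre-WFH self-check (not from the original post). Assumes a domain-joined
# Windows laptop that can reach a domain controller, English netsh output, and
# that $ExpectedSsids is replaced with your own home network name(s).

function Get-PasswordExpiryDays {
    # Ask AD for the constructed attribute holding the computed expiry time.
    $searcher = [adsisearcher]"(samaccountname=$env:USERNAME)"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account $env:USERNAME not found in the domain" }
    $fileTime = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
    # 0 or Int64.MaxValue means the password never expires (no policy, or the flag is set).
    if ($fileTime -eq 0 -or $fileTime -eq [int64]::MaxValue) { return $null }
    $expiry = [datetime]::FromFileTime($fileTime)
    return [math]::Floor(($expiry - (Get-Date)).TotalDays)
}

function Get-CurrentSsid {
    # netsh prints one "SSID : <name>" line per connected WLAN interface;
    # the ^\s* anchor keeps the "BSSID" line from matching.
    $lines = netsh wlan show interfaces
    foreach ($line in $lines) {
        if ($line -match '^\s*SSID\s*:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null   # no wireless interface connected (wired or offline)
}

$ExpectedSsids = @('MyHomeNetwork')   # constructed placeholder: put your own SSID(s) here

$days = Get-PasswordExpiryDays
if ($null -eq $days) { Write-Host 'Password never expires' }
elseif ($days -le 14) { Write-Warning "Password expires in $days day(s); change it while you can still reach IT" }
else { Write-Host "Password expires in $days day(s)" }

$ssid = Get-CurrentSsid
if (-not $ssid) { Write-Host 'Not connected over Wi-Fi (wired or disconnected)' }
elseif ($ExpectedSsids -contains $ssid) { Write-Host "Connected to expected network: $ssid" }
else { Write-Warning "Connected to unexpected network '$ssid'; check your Wi-Fi settings" }
```

Run it from a normal (non-elevated) PowerShell prompt; the expiry lookup needs line of sight to a domain controller, so run it before you leave the office or while the VPN is up.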
CHECK YOUR VPN CONNECTIONS
Everyone does remote work a little differently, but most of us have some kind of VPN solution that gets us to the critical internal systems we need to do our jobs. Please resist the urge to rig up your own RDP, VNC, or ssh tunnel (okay, maybe that last one, but only if you *really* know what you’re doing). Those solutions tend to mean poking holes in your firewall, exposing stuff you don’t mean to, and you probably haven’t instrumented your endpoints with logging, brute force resistance, or otherwise hardened them for the wild and woolly internet. Even if it’s “just temporarily” open, there’s nothing quite so permanent as a temporary fix. I promise, your IT department is there for you, and probably has a few extra licenses for a professionally managed VPN solution. And, if you haven’t exercised your VPN in a while, now is a great time to test it out. Better to find out that your VPN is busted now rather than later, when the support requests really start to pile up.
If you have any questions about any of the above, I strongly recommend you reach out to your IT or security teams, who will be seeking ways of making remote working more practical for the organization during this difficult time. By being aware of the factors above and vigilant for malicious activity, you should be able to embrace remote working with confidence, hopefully reducing one area of stress relating to the COVID-19 pandemic.