Ell Marquez is a self-described scientific hooligan, infosec noobie, and recovering Linux Administrator. As the creator of the It’s Okay To Be New campaign, she hopes to encourage others to circumvent gatekeeping while enjoying their journey into the land of technology.
Quick, everybody work from home!
Sure, working from home (at least occasionally) has been gaining acceptance for years. But nobody could have been prepared for the mad scramble that kicked off in March 2020. Almost overnight, countless companies had to figure out how to transition entire workforces out of offices to work from their homes. In the rush to maintain business continuity, there was little time to ponder the security implications of this work from home exodus, either for the organizations or for our own personal networks.
Which, when you stop and think about it, is a bit scary. Many offices are still treated like hardened fortresses. But now, with no more than a few days’ notice, everyone’s been sent outside the walls and expected to not only work from home, but see to their own security, as well. The need to help remote workers protect themselves is a critical one, and it requires measures those working from home can put into practice on their own.
Earlier this month, I had the opportunity to attend Duncan McAlynn's webinar focused on the best practices companies need to establish to protect their remote employees. It was enlightening, with insights that are actionable for remote workers, good reminders for security pros, and generally valuable for everyone. If you want to keep your people safe while they’re working from home, or just make sure your own defenses are up to snuff, follow along.
First things first
The first thing you should always do is ensure that all of your systems are patched and up to date with the latest releases. It may be tempting to hit “remind me later” over and over, but staying on top of patches and security updates is the best way to protect yourself from new vulnerabilities and exploits. In 2019, 20,262 new security vulnerabilities were reported, up from 16,500 in 2018. And not all of these vulnerabilities are targeted at work computers and their operating systems. When speaking about patching, you need to also consider third party applications, routers, switches, firewalls, and IoT devices.
Think about it. When was the last time you ran a firmware update on your printer?
One application you should always keep up to date is your antivirus software. Antivirus helps protect computers by looking at data traveling across your network, watching for known threats and abnormal activity. There are several types. Some use malware signatures (a sort of digital fingerprinting), while others use system monitoring or even machine learning.
How do you pick the best antivirus software? McAlynn states that, if you’re running Windows, Windows Defender may be all you need. Unfortunately, the answer isn’t always so simple, and choosing the right antivirus software for your specific needs will probably entail doing your own research.
Dangers behind free VPNs
Virtual Private Networks (VPNs) create an encrypted tunnel between you and the internet, and have long been used by companies to maintain security when employees are working outside of the office. There’s little argument that VPNs are important, but we need to be extra cautious when it comes to free VPN services.
The Commonwealth Scientific and Industrial Research Organization raises a huge red flag that close to 75% of Android VPN applications use third-party library embedding to help gather information for tracking or advertising purposes. When you consider that VPNs are meant to protect your data, this lands as a pretty shocking invasion of privacy. Yet this important information is rarely disclosed.
More shocking still — 38% of free VPN applications contain some malware presence, despite being highly rated by users. Malware inside of VPNs can help obtain your data, which can then be used to steal your online accounts and gain access to your login credentials for secure transactions, such as with your bank or online shopping.
There’s also a baseline of trust placed in VPN services, as these applications are allowed to intercept and take full control over a user’s traffic. This makes it easier for unscrupulous actors to abuse that trust and target you as a victim of ransomware.
Picking the right VPN
Understanding of these risks, how can we better arm ourselves to make an educated decision? Duncan explains that we should do our own research, looking for VPNs with a zero-logging policy, support for your specific operating system, and full support of encryption protocols.
You may also want to consider how many simultaneous connections the VPN service allows. This will help ensure you can keep both your workstation and your personal computer protected.
Now that we’ve secured the information coming into our devices from the outside world, how do we ensure that information stays protected?
One common mistake is assuming that a website is safe because it offers an https connection, or has a green padlock in the address bar. In fact, these are simple to configure on any site by installing a Let's Encrypt certificate. While the https:// prefix and padlock do indicate that communication between your browser and the web server is encrypted, they don’t guarantee that the website you’re visiting is safe.
Why is that?
Think of it like a phone call on a secure line. The connection itself might be secure, but that won’t help you if, say, the person on the other end of the line is a scam artist posing as a legitimate business. If you give a scam artist your credit card info over a secure line, you’re still giving a scam artist your credit card info.
Bad actors regularly take advantage of the sense of safety that https:// lulls people into. Typosquatting, also known as URL hijacking, is a common practice they employ, taking advantage of typographical errors such as Goggle.com instead of Google.com, or Amazom.com instead of Amazon.com. These small typos can be easy to miss, whether you’re typing them into the address bar yourself, or clicking links in an official-looking email.
To play it safe, you should confirm the URL of the site you’re on before entering any personal data.
Secure your accounts
Despite taking all of the precautions listed above, the sad truth is that, at times, we have no control over our own digital lives. Data leaks happen and our information is for sale for pennies on the dollar. What can we do?
Head over to https://haveibeenpwned.com/ and see if your email has been reported as part of a known compromise. Please note that if your email address is not listed this does not mean you are in the clear; it’s entirely possible it may have been taken in a compromise that has not been found or that has yet to be reported.
Next, ensure that you’re using best practices for creating your passwords or better yet, passphrases. Use a different passphrase for every account you create so that a compromise on one account doesn’t endanger the rest. Worried about remembering all these passphrases? Download a password manager such as Lastpass or Bitwarden so that you only have to memorize one passphrase.
Finally configure two factor authentication (2FA) on your accounts so that if your accounts are compromised, you have one final safeguard. Programs like Authy and Duo are highly recommended by industry professionals.
Education is key
These are just a small sample of the recommendations Duncan suggested through his webinar. For me, his most impactful recommendation was that we should all make a conscious decision to focus on our education regarding these matters. A Cloud Guru is here to help you with this journey, whether it is about your physical devices or security in the cloud. If you’d like to hear the remainder of Duncan's recommendations take a moment and listen to Working From Home: How to Keep Remote Workers Safe.
Learn to play it safe
Master the art of defense with security-focused courses and labs from A Cloud Guru