
WFH With CyberSecurity Threats

Managing CyberSecurity Threats while Working from Home

If your job compels you to work in an office, chances are you’re attempting to continue business operations while working from home. Whether or not your company was previously well-equipped to do so, you’re now operating in an environment with an elevated threat to both company data and your own.

It’s no secret that our political leaders asked for calm from would-be thieves and criminals. To nobody’s surprise, this hasn’t done anything to inhibit the recent uptick in malicious cyber activity. The timing is of course especially disgusting to us, but the idea of preying on innocent and/or hardworking people is pretty despicable all by itself, no matter when it’s done.

In this article, we’ll cover some basic realities that are known to some but not obvious to others, talk about what you can do to help protect sensitive data, and offer up a couple of alternatives that you and your company can consider. Either way, it’s a good time to recognize your IT and Security folks who are in a mad scramble to make services available for all.

Home Networking and LPBs

Though everyone’s home network is different, let’s talk about the basic setup: A single broadband connection, a cable modem or similar broadband device, and wireless networking for a family of users.

Though most devices used to connect broadband signals come with a basic set of security controls, it’s best not to rely on them: They are not hard to defeat. By all means, use them – but you’ll have elevated protection by purchasing a suitable network protection device to run “inside” the broadband drop, between it and your sensitive gear. Depending on what you have and use, you can split the network and isolate entertainment usage from professional usage – either by using the additional device’s capabilities or by simply connecting other devices directly to the broadband device and keeping your corporate device(s) “behind” the more aggressive hardware.

In any case, make sure you keep up-to-date with your broadband device’s firmware (software programmed into the physical unit, which you can update) and if you want to be extra careful, rotate the device’s administrative username/password on a regular basis. Always make sure you change it from the default settings, and though such devices these days disable remote access by default, double-check that only you, from “inside”, can administer the box.

Though we like to poke fun at those who insist that their “Military Grade Encryption” is somehow beyond what everyone else in the world uses (it’s not; there’s no such thing, though no two encryption solutions are alike – see below), there are professional-grade networking devices that go well beyond the protective posture of what have appropriately been called LPBs, or “Little Plastic Boxes”. LPBs aren’t very hard to bypass (it’s almost trivial in a lot of ways).

Bottom Line: If you can purchase the device off the shelf at a big box store down the street, it’s probably not going to offer a lot of protection. Talk to your IT team about what they would have you do in order to isolate yourself from other users on your home network. That brings us to…

Cross-Polluting Systems: Corporate Threats and Consumer Issue

First, note that we’re talking in general terms here: There are exceptions to every rule and we can’t talk about all cases. In general, we’re focused on the non-technical users who typically work in an office and maybe work from home on occasion, but without special hardware controls, purposed networks, or other more aggressive configurations specifically designed to minimize the risk associated with the things we’ll discuss here.

So let’s assume you’re working at home with a single broadband connection. Unless you live alone, that same connection is shared by your family members – spouse, kids, maybe even parents (and quite possibly your neighbors). In general, you’re subjected to a wide variety of threats and influences that cannot be easily controlled, and in some respects information you manage on your device(s) is exposed to any threats that maintain a presence in your home network. This can arise if someone else clicked on a malicious link, angered a gamer who is adept at infiltrating adversary home networks, and so forth. These overlap the types of things you see in an office network, but your home network isn’t managed 24/7 by a team focused specifically on detecting, analyzing, and stopping threats. As a result, the impact to you and your computing devices is elevated beyond the typical work environment.

There’s also the flip side of the coin – company-based threats. Though claims vary, many corporate networks are infiltrated by so-called botnets and other malicious realities. When you connect to the corporate network, even with a VPN, you’ve created an opportunity for those very same corporate threats to find their way into your home device, and thus into your home network. Do you use TurboTax for your yearly filing? Do you have exported .PDF documents that contain your information? Those are probably sitting on a storage volume somewhere on your local network, in plaintext – and your SSN, address, and income are pieces of information critical to those looking to steal your identity.

Bottom Line: When connecting home networking and corporate networks, you run the risk of cross-polluting one another with resident and future threats. Consider a suitable encryption solution (see below) to protect sensitive data, make sure you stay up-to-date with OS patches, and use either built-in Windows security or a good after-market Anti-Virus/Anti-Malware solution. And read the next section on VPNs.

What VPNs Really Do

VPNs seem to be misunderstood – we’ve heard people tell us, “I connect to my corporate office using a VPN, so I don’t have to worry.” Entirely untrue: a VPN provides a link between your network and the corporate network. Though most well-implemented solutions attempt to isolate VPN terminations (on the corporate side), a VPN isn’t very useful unless it lets you get to the information your company does not make publicly available from anywhere else.

This direct connection is available to attackers who have gained access to either endpoint, allowing them to move data back and forth or hop from one network to another. The corporate side of this connection should be attended to with an elevated level of attention, and should not expose the entire corporate network (reducing risk with minimized, compartmentalized exposure). This isn’t always the case, and unfortunately, VPN endpoints are often the very same devices that attackers use to break into corporate networks.

One thing that’s baffling to us: Some VPNs don’t have 2-factor authentication and don’t have inactivity timeouts. If you have a USB token you use when connecting, that’s a positive, but it does nothing to protect the traffic that flows over the connection – it simply controls who can connect to the corporate network, and who cannot.

Bottom Line: Minimize corporate VPN connectivity to limit exposure, connecting only when necessary and making sure you disconnect when finished. If you’re not using your device, it doesn’t hurt to put it to sleep, power down, or disconnect from the network entirely (physical or otherwise); this can greatly inhibit attacker mobility while you sleep. Otherwise, they have free rein, working from the other side of the planet during their daytime.

Recommended Strategy: Isolating Networks

Overall, the best strategy is to have and use a dedicated connection for professional use and a different connection for home entertainment. Though that’s not always possible, you can, as noted, purchase quality gear that allows you to “split” networks and isolate your corporate endeavors from home use. High-quality offerings provide a great degree of control and protection, and this is the better solution unless you have the luxury of acquiring multiple physical connections that you use independently.

As noted above, you can also minimize exposure by disconnecting entirely when you’re not active. If you happen to be unfortunate enough that an intruder has active access to your company network or your home network, this will frustrate the daylights out of them (trust us on this one) and it’s pretty obvious: If your device isn’t connected and isn’t powered up, there’s not a lot a remote attacker can do with it.

Note that you can also use your LPB’s date/time access controls to shut down network access in the middle of the night when you know nobody is computing (as a bonus, you may catch your 13-year-old’s frustration in the morning due to the sudden change in broadband access – check your mobile phone bill to be certain).

Encrypting Data at the Source

Despite all attempts at stopping intruders from gaining access to home and/or corporate networks, they are going to get in – especially during the chaos that has been imposed on IT and Security teams to secure remote WFH dynamics. One way to further limit their success, so to speak, is with encryption.

An appropriate endpoint encryption solution can stop an attacker in his or her tracks. Be careful about solutions that don’t coordinate activity with cloud services – any data encryption software that works independently has to store keys together with the protected data. That inhibits those without moderate expertise, but won’t stop the type of attackers present in corporate networks (not by a mile).

Though beyond the scope of this article, we’d invite you to take a look at our solution, specifically designed for these dynamics. Ultimately, you want something easy to deploy, something that requires very little administrative oversight, and something that can be managed by a small team. Talk to your IT department about deploying and managing a solution to secure the data you and your teammates use every day – if they are agreeable, you can take a tremendous burden off their shoulders with a small bit of effort. With the right solution, you can share with other teams and third parties, and grow into something larger and long-term while also addressing today’s imminent threat.

Bottom Line: Data Encryption can go a long way in stopping attackers that may have gained a presence in home and corporate networks. Remember to protect your own data since it’s now susceptible to a level of attacker capability that may be well beyond the typical threat you’d see at home. Talk to your IT department and your team to see if you can deploy a solution for your daily needs. This can and will go a long way in protecting you and your company.

Conclusion

Attackers are going to take advantage of the fact that tens of millions of people are working from home, adjusting their approach to target corporations by infiltrating home networks. This offers a far simpler path into a corporate network – they break into the home network, discover devices and find, for example, the laptop that’s connecting to a corporate VPN, then piggy-back on that connection directly into the company to set up shop, watch information flow, and move around to take sensitive Intellectual Property.

As noted in this article, there are a variety of simple steps you can take to help your IT team during this challenging time. If you’re considering the idea of protecting data at its source without losing the flexibility required to continue daily work, consider a trial of our data management solution, offered as a full-featured deployment that takes minutes to deploy but also offers services and scalability to meet your company’s long-term needs. All documentation is freely available online, and the solution is application- and infrastructure-independent, extending beyond data encryption.

Bottom Line: We all have a role to play in these strange dynamics, and anything you can do to help your over-burdened IT and Security teams will be welcomed. Take a few minutes to review the suggestions in this article and with very little effort, you can have a huge impact on your company’s data and also your personal information during this elevated threat dynamic. And as always, send us an email or give us a call – if we can help, we will.