Posts

Businesses are rapidly shifting to work from home strategies in response to the current COVID-19 situation.  Many are already adept at working from home and have strategies in place to protect networks, endpoints, and systems.  They have proven policies in place to keep tabs on business IT assets and ensure that systems are constantly patched while temporarily disconnected from the office network.  Antivirus monitoring still occurs, and their IT Managed Service Provider has already helped to secure remote access to systems and manage endpoint controls to keep their business secure.

This list is for businesses who did not have a plan in place and are being forced to shift rapidly.  There is still plenty that you can do to protect your business during a less than ideal work from home (WFH) situation.

If you run a business and have staff temporarily working from home, it is extremely important that you implement multi-factor authentication (MFA) for your email platform (Office 365, Gmail, etc.) and for VPN access.  MFA is the very best way to reduce the most likely cyberattack vector, credential harvesting via email phishing.

The following is a list of things that you can ask of your remote workers.  Some of them will be able to tackle these tasks on their own, others will need help.  Do what you can now and circle back to close any gaps as time permits.

Practical, easily implemented, work from home security strategies.

  • Update the firmware on home Wi-Fi routers.  Cyber criminals take advantage of known vulnerabilities to gain access to your home network. Fortunately, router manufacturers routinely release patches for known vulnerabilities; you just need to apply them.
    • Step 1 – Log into your router.  If you don’t know how to do this, first find the name and model number of your Wi-Fi router. Then, search Google for instructions on how to access your router’s internal web server/admin page.   In most cases you access this via a web browser on a computer connected to your network.
    • Step 2 – Take a backup.  Backups give you a restore point should something go wrong during the update.  Look through the Admin settings in the router to find a backup option.  If you can’t find it, Google your router model to find instructions.
    • Step 3 – Run updates.  Look through the Admin settings in the router to find a firmware update option.  Again, if you can’t find it, turn to Google for some help.

  • Set a new admin password on your home Wi-Fi router.  The administrative credentials you used to access your router are the keys to the castle.  They should NOT be left at the manufacturer defaults (e.g. admin, password) and they should be very strong.
    • Step 1 – Log into the router with your existing admin credentials.  If you don’t know them or don’t remember them, turn to Google to see if you can find instructions on how to reset the password OR try the default credentials for your router.
    • Step 2 – Look through the Admin settings in the router to find an option to change the admin password.  Change it to something unique and long (15 – 26 characters).  The longer the password, the better.   Make sure to record the new password so you can find it when you need it (a password manager is the best place to store credentials).   Make sure the admin password on your home Wi-Fi router is NOT the default and it is long (15 – 26 characters).

  • Save the non-business Internet browsing, social media, email, and chat for your personal devices and your home/personal Wi-Fi network.  As tempting as it might be to browse the Internet while your co-workers aren’t looking over your shoulder, you don’t want to be the one to introduce a virus while you’re working from home without your business firewall and other restrictions to keep you protected.  Do it on your own device, not the business device.

  • Devices accessing and storing any sensitive, confidential, or personally identifiable information (PII) should be encrypted.  Windows 10 Professional operating systems can be encrypted using the built-in BitLocker.  Be sure to keep a record of the encryption keys.  When possible, a PIN code or passphrase on boot up is preferred to using Windows credentials to unlock.  If you are using a computer owned by your employer, you should consult with your IT department or management before encrypting the device on your own.
  • If you are using a personal device (PC, Laptop, iPad…) to work from home (or if your business doesn’t already have a strategy in place for antivirus, operating system patches, account privileges, and a password manager):
    • Install and update a good antivirus application.  If you don’t have antivirus software, consider using Windows Defender (free for Windows devices and baked into Windows 10) or consider purchasing one.  Macs also need antivirus protection.
    • Make sure antivirus is running and launch the antivirus program to check for updates and set the software to automatically update as required.
    • Check for Operating System updates and install them until there are no more updates to install.  If you don’t know how to do this, Google “how to run updates on [your operating system here]” and follow the instructions.  If you have a Windows device the instructions should come from Microsoft.  If you have a Mac, the instructions should come from Apple.  Do NOT download updates from anywhere other than the manufacturer.  Windows and Mac updates are performed from the device and you don’t need to visit a website for updates.  Be careful not to download updates from a malicious website.
      • For Windows, click on the start icon and type “Windows Updates” and choose the option to install updates on your computer.
    • Create a separate admin account to be used only when you must perform an administrative task (e.g. install a printer or a new application).  Use a non-admin account for your day to day personal and work tasks.
      • Step 1 – Create a new user on your computer with administrative rights.  Keep a record of the new username and password (a password manager is the best place to store credentials).
      • Step 2 – Log off your computer and log in with the new admin user you created.
      • Step 3 – Find your primary user account and make that user a non-admin or “standard” user.
      • Step 4 – Log off with the admin account, log back in with your primary user account and work as usual.  If you are prompted for administrative credentials while trying to install software, a printer, running updates, or some other expected reason, enter your admin credentials to allow the task to complete.  If you are prompted for admin credentials out of the blue, it might be an indication that you’ve tripped across malicious software that is attempting to install on your system.  Don’t enter the admin credentials unless you are sure it is for a legitimate purpose.

  • Purchase and use a password manager.  There are many on the market.  Following are a few of the most popular:
    • StickyPassword.com
    • keepersecurity.com
    • dashlane.com

  • Be on the lookout for email phishing scams designed to harvest your credentials and gain access to your work or personal email.  Criminals will absolutely attempt to use the fear and uncertainty surrounding the COVID-19 environment to entice people to cough up their usernames and passwords.  You will likely see “apply for assistance…”, “sign up now for information…”, “login to protect your account…”, “login to access government assistance…”.  Suspicion is not retroactive.  Slow down and think before you act.  Anything marked “urgent” or where you are being pressured to “act now” should raise your level of suspicion.

  • Proactively change passwords that haven’t been changed in the last 30 days.  Consider the following:
    • Workstation (Windows or Mac) login.
    • Office 365
    • Windows Active Directory
    • Personal email
    • Wi-Fi Router admin credentials
    • Wi-Fi wireless password (SSID & Guest)

  • Take an inventory of where you are storing important data (business and personal).  Is that data being backed up?  If not, implement a backup strategy. If this needs to be done on the fly, consider an online cloud service or backing up to a USB drive and then disconnecting that drive from your systems so that it isn’t encrypted along with everything else on your computer in the event of a ransomware attack.
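
The Windows items in the list above (disk encryption, antivirus, and a separate admin account) can be verified with a read-only script. This is an added example, not part of the original post; the check names and the 7-day signature threshold are assumptions, and it assumes Windows 10 Professional with Windows Defender and a local account signed in at the console.

```powershell
# Added example: read-only audit of the Windows checklist items above.
# Run from an elevated PowerShell prompt (Get-BitLockerVolume requires it).
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Disk encryption: protection on, a boot-time PIN/passphrase, a recovery key to record.
try {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    Add-Result 'BitLocker protection on' ($vol.ProtectionStatus -eq 'On') "Volume status: $($vol.VolumeStatus)"
    Add-Result 'PIN or passphrase at boot' ([bool]($types -match 'Pin|^Password$')) "Protectors: $($types -join ', ')"
    Add-Result 'Recovery password present' ($types -contains 'RecoveryPassword') 'Record it somewhere off this device'
} catch {
    Add-Result 'BitLocker protection on' $false "Query failed: $($_.Exception.Message)"
}

# 2. Antivirus: Windows Defender running with recent signatures.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Result 'Defender real-time protection' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "Signatures updated: $($mp.AntivirusSignatureLastUpdated)"
    # Assumption: 7 days is this example's threshold, not a figure from the post.
    Add-Result 'Signatures under 7 days old' ($mp.AntivirusSignatureAge -lt 7) "Age in days: $($mp.AntivirusSignatureAge)"
} catch {
    Add-Result 'Defender real-time protection' $false 'Defender not queryable (another antivirus may be installed)'
}

# 3. Accounts: the person signed in at the console should not be a local administrator.
try {
    # S-1-5-32-544 is the built-in Administrators group; the SID works on localized Windows.
    $admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | Where-Object ObjectClass -eq 'User')
    # Console user, not the elevated identity running this script (empty in a remote session).
    $console = (Get-CimInstance Win32_ComputerSystem).UserName
    Add-Result 'Daily account is a standard user' ($console -and ($admins.Name -notcontains $console)) "Signed in: $console; admins: $($admins.Name -join ', ')"
} catch {
    Add-Result 'Daily account is a standard user' $false "Query failed: $($_.Exception.Message)"
}

$results | Format-Table -AutoSize -Wrap
```

The script changes nothing on the device; any row with Pass set to False points back to the matching item in the list.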

The above guidance is provided with the intention of helping businesses and their people while we all work to make sound decisions in a rapidly changing environment.  These guidelines are not comprehensive.  Rather, they are intended to address some of the most significant risks.  Some of the above recommendations will not be possible in your environment and may even give rise to other issues.

If you are using IT assets owned by your employer, it is very important that you consult with your IT personnel or IT Managed Service Provider before acting.  They may already be managing some of these things for you and/or ad hoc changes might cause other issues.

If you run a business and would like help managing the above tasks proactively and without having to rely on your personnel to do this on their own, please call Go West IT.  We will be happy to help, and we have resources standing by to tackle this for you.

Third party VPN services do not secure your data.  They may provide an additional brick in your security bunker but they are not the invisibility cloak they claim to be and in some cases they may actually do more harm than good.  For starters, who is your third party VPN service provider?  Are they trustworthy?  Are they subject to US or EU privacy laws?  Or, did you just decide to pipe 100% of your data through an unknown third party?

Three very popular third party VPN service providers, NordVPN, VikingVPN, and TorGuard, were recently breached due in part to poor security practices that resulted in leaked expired TLS (encryption) keys.  Now users of these services may be sharing their data with an unknown criminal instead of the third party service provider.

Just like all security measures, they are only as good as the weakest link.  Businesses and individuals need to discover their vulnerabilities, prioritize their vulnerabilities, and then systematically work to layer security to mitigate the risk.  Start by securing corporate networks with a good Unified Threat Management (UTM) appliance, making sure 100% of your devices have good business class endpoint protection software that is automatically updated, patch all of your hardware and software on a routine basis, BACK UP YOUR DATA, implement phishing prevention measures, and TRAIN YOUR PEOPLE.  This is just a start.  If you don’t know how to do this, put something in your budget to work with someone who can help and get started on the path to better security.

– Go West IT

I’m often contacted by CEOs or managers after a business experiences a cyber incident that results in real damages. After describing the event, they often ask if they should fire an employee who fell victim to a social engineering attack (vishing, phishing, credential harvesting…).  In most cases the answer is a resounding NO! First, the business just spent the amount of the loss training the individual because that person will never again fall for the same type of attack. Second, it is HIGHLY likely that the manager and/or company failed this individual by not implementing the proper controls and providing the proper training to prevent the breach in the first place. Third, if you do fire the employee, they will likely go to a competitor who will be happy to have a good employee who is more savvy than most about cyber risk.

If you own a business or have responsibility for managing business risk you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. It’s on you! It is likely that you’ve delegated responsibility for IT support and cyber security, but you are the leader and you are responsible for defining your expectations and supporting the initiatives to implement controls, procedures, and training. If you haven’t implemented controls and trained your people, it’s on you. Don’t fire the employee who fell victim to an attack. Step up and protect your employees.

– David Lewien, President

 

Your credentials can be phished, period.  If you think you’re above being phished, you’re wrong.  We all have weak moments and the criminals are really good at preying on our whims and emotions.  Trust me, you can be phished.  Don’t put so much pressure on yourself.  Implement multi-factor authentication (MFA) wherever possible to protect your accounts even if you are phished.  This is so important that we put together a video to show you how.  Watch this video.  Please just give us a call if you want help or want to discuss additional configuration options to ease implementation for your business.  We will be happy to help.

If you don’t know anything about Office 365 Multi-Factor Authentication please check out our blog and video from December 2017 for a complete overview https://www.gowestit.com/office-365-multi-factor-authentication.