Aspects of cybersecurity not to overlook when working from home
Just because your team has gone remote doesn't mean you need to be vulnerable to hacks, breaches, and scams.
13 April, 2020
Pixabay
- Prior to the COVID-19 outbreak, many enterprises had yet to contemplate a mass work-from-home scenario and were therefore unprepared to support it securely.
- There are practical steps you can take to safeguard confidentiality and cybersecurity with a WFH workforce.
- Applying best security practices to test for vulnerabilities, supervise access controls and password management, secure connections, and apply endpoint encryption can go a long way.
<p>Due to <a href="https://bigthink.com/coronavirus/" target="_self">the novel coronavirus situation</a>, billions of people are currently working remotely, many for the first time in their lives. It could be out of personal fears of infection, in obedience of local <a href="https://bigthink.com/politics-current-affairs/social-distancing-math" target="_self">social distancing regulations</a>, or in accordance with company-wide policies, but the end result is an unexpected shift from the norm of working in the office to <a href="https://www.walkme.com/glossary/wfh/" target="_blank">working from home (WFH)</a>.</p><p>Managing a workforce that has been suddenly <a href="https://bigthink.com/videos/working-remote" target="_self">transformed into a remote one</a> is challenging on many levels, not least because of the need to maintain cybersecurity standards. Prior to the COVID-19 outbreak, many enterprises had yet to contemplate a mass work-from-home scenario, and they therefore lack the policies, devices, or processes to support it securely. </p><p>What's more, in recent weeks, companies have been scrambling to preserve their security profiles in the face of an uptick in <a href="https://thenextweb.com/corona/2020/04/02/2600-per-day-coronavirus-related-cyberattacks-are-booming/" target="_blank">malicious actors seizing the opportunity</a> to hack corporate systems. That's the bad news. The good news is that you're not powerless. There are practical steps you can take to safeguard confidentiality and cybersecurity with a WFH workforce.</p><p>Here are a few of the basics.</p>
1. Set up a VPN for your employees.
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yMjkzMjAwNC9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTY0NzcxMTcxN30.a0RK7cVfupvPdbhMvIFUXr0G_yQ6-FHhDX0BkgeuT3w/img.jpg?width=980" id="1c63b" class="rm-shortcode" data-rm-shortcode-id="605223fe03ac55182fc3ed7fb9d8eda3" data-rm-shortcode-name="rebelmouse-image" alt="laptop with VPN installed" />Photo by Dan Nelson on Unsplash
<p>A VPN (Virtual Private Network) is the first and most obvious way to secure your organization when employees are logging in from home. When people work from home, they use public internet or weakly-secured WiFi connections to access confidential data in your central database. They also share sensitive files, offering a golden opportunity for hackers to intercept data mid-stream.</p><p>A VPN uses strong encryption to create a "tunnel" for any interactions between your employees, and between your employees and your secure corporate network. </p><p>Atlas VPN, one of the biggest VPN providers, reports that <a href="https://atlasvpn.com/blog/vpn-usage-in-italy-rockets-by-112-and-53-in-the-us-amidst-coronavirus-outbreak/" target="_blank">VPN use has surged</a> in areas with high numbers of coronavirus cases, such as Italy and Spain. </p>2. Be proactive about testing.
<p>Ignorance can be your biggest danger. If you're used to dealing with a secure internal network, you won't always know where your vulnerabilities and weaknesses lie when it comes to remote access.</p><p>This kind of blindness can lead quickly to data breaches that you might not even be aware of until months after the event.</p><p>To resolve this issue, use tools like Cymulate's breach and attack simulation platform, which runs <a href="https://blog.cymulate.com/cyber-risk-assessment" target="_blank">simulated attacks across remote connections</a> to assess your cybersecurity risk levels. This can help you determine the extent to which your settings, defenses, policies, and processes are effective, and where you need to make changes in order to maintain a secure organization. </p>3. Train (and retrain) to minimize human error.
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yMjkzMjAwNi9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTYxNTY0NjU4Nn0.O_SLWJo3PjU0m1dfm7daqmeKmgbf8URstNH18uCjEo8/img.jpg?width=980" id="20c7a" class="rm-shortcode" data-rm-shortcode-id="ebb965d4cf3a21d1d10d34f7abe39c15" data-rm-shortcode-name="rebelmouse-image" alt="three people looking at computer monitors" />Photo by Mimi Thian on Unsplash
<p>Employees are vital to your success, but they can also cause your downfall. According to security experts at Kaspersky, <a href="https://www.kaspersky.com/blog/the-human-factor-in-it-security/" target="_blank">52 percent of businesses</a> acknowledge that human error is their biggest security weakness. What's more, some 46 percent of cybersecurity incidents in 2019 were at least partially caused by careless employees.</p><p>Employees can cause data breaches in multiple ways, like failing to use a secure connection to download confidential data, forgetting to lock their screens when working in a public place, or falling for phishing emails that install malware on their devices. In addition, your employees might be the first to know about a security breach but choose to hide it out of fear of repercussions, making a bad situation worse.</p><p>It's vital to invest time and energy in employee training to ensure that everybody knows how to reduce the risk of successful hacking attacks and is not afraid to report security incidents as soon as they occur. Frequent reminders, online refresher courses, and pop-up prompts help employees take security seriously.</p>4. Be strict about access control.
<p>Access controls are a vital layer of security around your network. Losing track of who can access which platforms, data and tools means losing control of your security, and that can be disastrous. </p><p>Even in "normal" times, <a href="https://solutionsreview.com/identity-management/thycotic-releases-2018-global-state-privileged-access-management-pam-risk-compliance/" target="_blank">70 percent of enterprises</a> overlook issues surrounding privileged user accounts, which form unseen entrances to your organization. As the WFH situation drags on, it's even more likely that access controls will lag, opening up holes in your perimeter.</p><p>In response, <a href="https://www.imperva.com/learn/data-security/role-based-access-control-rbac/" target="_blank">use role-based access control (RBAC)</a> to allow access to specific users based on their responsibilities and authority levels in the organization. By monitoring and strategically restricting access controls, you can further reduce the risk that human error might undermine your careful cybersecurity arrangements.</p>5. Use endpoint encryption on devices and apps.
<p>Because most companies were not yet set up for remote work when the COVID-19 crisis hit, the lion's share of devices used to connect from new home offices are not owned or configured by employers. </p><p>And with employees more likely to use their own computers when working from home, endpoint attacks become even more serious. <a href="https://labs.sentinelone.com/threat-intel-update-cyber-attacks-leveraging-the-covid-19-coronavirus-pandemic/" target="_blank">SentinelOne</a>, an endpoint security platform, <a href="https://www.raconteur.net/technology/covid-19-cybersecurity" target="_blank">reported a 433 percent rise</a> in endpoint attacks from late February to mid-March. </p><p>Although it can seem difficult to secure endpoints when employees are working remotely, it is possible. <a href="https://www.sentrybay.com/" target="_blank">SentryBay's</a> endpoint application encryption solution takes a different approach, <a href="https://dwaterson.com/2020/03/02/protected-endpoint-applications-provide-common-security-posture-for-enterprise-cloud-ecosystems/" target="_blank">securing apps in their own "wrappers,"</a> as opposed to working on a device security level.</p>6. Apply multi-factor authentication and strong passwords.
<p>Finally, weak passwords are a known gift for hackers. The problem only grows when employees work from home, as the contextual shift makes it easier for them to ignore reminders from your security team. They are also more likely to share or save credentials for faster remote access when it takes time to get a response from a newly remote security team.</p><p>If you don't already use a password manager to force employees to generate strong passwords and avoid sharing or saving credentials, now is the time to begin. CyberArk Enterprise Password Vault requires users to update passwords regularly, enforces multi-factor authentication (MFA) to reduce the chances of hackers entering your network through stolen passwords, and provides auditing and control features so you can <a href="https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/" target="_blank">track when someone uses</a> or misuses an account. </p><p>Consumer password managers like <a href="https://www.lastpass.com/" target="_blank">LastPass </a>and <a href="https://1password.com/" target="_blank">1Password </a>likewise offer business tiers with similar features.</p>WFH doesn’t have to undermine network security
<p>With enterprises unprepared for mass remote working, industries worldwide could face a security nightmare. However, applying best security practices and using advanced tools to test for vulnerabilities, supervise access controls and password management, secure connections, and apply endpoint encryption can go a long way.</p><p>Make sure your employees know your security policies will help harden your attack surface, improve your cybersecurity posture, and prevent COVID-19 from causing a cybersecurity plague. </p>
Keep reading
Show less
'Misleading marketing': Zoom video meetings may not be as secure as you think
Video meetings on the popular platform don't seem to offer end-to-end encryption as advertised.
01 April, 2020
Zoom
- Despite claims, Zoom's video and audio meetings don't support end-to-end encryption, according to a recent report from The Intercept.
- End-to-end encryption is an especially strong form of security that, in theory, scrambles online data so that it's decipherable only to the sender and receiver.
- Zoom also faces a class-action lawsuit after a Motherboard report showed how the platform passed on user data to third parties.
<p>The video conferencing platform Zoom has become <a href="https://markets.businessinsider.com/news/stocks/zoom-stock-price-surged-coronavirus-pandemic-video-work-from-home-2020-3-1029023594" target="_blank">wildly popular</a> as millions of people have switched to remote work during the COVID-19 pandemic. The platform offers high-quality streaming, an easy-to-use interface, and end-to-end encryption (E2E), which scrambles data so that it's decipherable only to the sender and receiver. In theory, end-to-end encryption would prevent the government, internet providers, and even Zoom itself from eavesdropping on users' meetings.</p><p>But a <a href="https://theintercept.com/2020/03/31/zoom-meeting-encryption/" target="_blank">new report from The Intercept</a> shows that Zoom's audio and video meetings don't seem to actually support end-to-end encryption, at least as that term is commonly defined. </p><p style="margin-left: 20px;">"Currently, it is not possible to enable E2E encryption for Zoom video meetings," a Zoom spokesperson told The Intercept. "Zoom video meetings use a combination of TCP [Transmission Control Protocol] and UDP [User Datagram Protocol]. TCP connections are made using TLS [Transport Layer Security] and UDP connections are encrypted with AES [Advanced Encryption Standard] using a key negotiated over a TLS connection."</p><p>In other words, Zoom does encrypt video meetings, but it does so through transport encryption. This means Zoom has the ability to access users' private meetings. One concern among privacy advocates is that the government could someday compel Zoom to hand over recordings of users' meetings, which were advertised as being encrypted end to end. </p>
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yMjkwODYyNS9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTYxNDUxMTc2M30.SrMmv6XimT1hqBltnGUmvgiPFW8fY3n2p_Y3-f1rWWU/img.jpg?width=980" id="7b736" class="rm-shortcode" data-rm-shortcode-id="6ddc0c3789ec1125f7931ba0264274e2" data-rm-shortcode-name="rebelmouse-image" alt="screenshot of Zoom website with promise of end-to-end encryption" />
Zoom screenshot
The Intercept
<p>Speaking to The Intercept, a Zoom spokesperson described the platform's definition of "end to end":</p><p style="margin-left: 20px;">"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point...The content is not decrypted as it transfers across the Zoom cloud."</p><p>Although Zoom might not decrypt data as it transfers across the platform's cloud, it certainly has the ability to do so. "They're a little bit fuzzy about what's end-to-end encrypted," Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, told <a href="https://theintercept.com/2020/03/31/zoom-meeting-encryption/" target="_blank">The Intercept</a>. "I think they're doing this in a slightly dishonest way. It would be nice if they just came clean."</p><p>In a recently <a href="https://www.accessnow.org/cms/assets/uploads/2020/03/Letter-to-Zoom-.pdf" target="_blank">published open letter</a>, the human rights group Access Now called on Zoom to publish a transparency report that includes the following information:</p><ul><li>The number of government requests for user data you receive by country, with compliance rates, and your procedures for responding to these requests</li><li>The circumstances when you provide user information to government authorities</li><li>Policies on notice to potentially affected users when their information has been requested or provided to government authorities, or exposed by breach, misuse, or abuse</li><li>Policies and practices affecting the security of data in transit and at rest, including on multi-factor authentication, encryption, and retention</li><li>Policies and practices affecting freedom of expression, including terms of use and content guidelines for account holders and call participants, as well as statistics on enforcement</li></ul>
Other privacy concerns
<p>Zoom is also facing criticism for passing user data on to third parties. Last week, <a href="https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account" target="_blank">Motherboard published a report</a> showing that the Zoom iOS app was sharing user data with Facebook — even if Zoom users didn't have a Facebook account. On Monday, a Zoom user filed a class-action lawsuit against the company, alleging:</p><p style="margin-left: 20px;">"Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, Inc. ("Facebook"), invading the privacy of millions of users."</p><p>Looking for a video-conferencing platform that does offer end-to-end encryption? Consider looking into Microsoft Teams, Signal, Clickmeeting, and Wire.</p>
Keep reading
Show less
China implanted tiny spy chips in servers used by Amazon, Apple
A new report from Bloomberg describes how Chinese subcontractors secretly inserted microchips into servers that wound up in data centers used by nearly 30 American companies.
04 October, 2018
- A 2015 security test of a server sold by an American company found that someone in the supply chain had successfully embedded a tiny microchip on a motherboard.
- The company that manufactured the compromised motherboard provides servers to hundreds of international clients, including NASA and the Department of Homeland Security.
- U.S. officials linked the hardware attack to a People's Liberation Army unit, though it's unclear what, if anything, hackers have done or to what they have access.
<p>The Chinese military was able to implant tiny malicious microchips on servers that made their way into data centers used by nearly 30 American companies, including Amazon and Apple, according to a <a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" target="_blank">new report from </a><em><a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" target="_blank">Bloomberg</a></em>. </p><p>It's a wide-reaching and potentially ongoing attack that likely gave Chinese actors unprecedented access to sensitive data belonging to American companies, consumers, government agencies and one major bank. </p><p>The <em>Bloomberg </em>report describes how, in 2015, Amazon Web Services had approached a startup called Elemental Technologies to help with the expansion of its streaming video service, Amazon Prime Video. During a security test of the servers Elemental Technology sold as part of its video-compression product line, testers discovered a rice-grain-sized microchip implanted inconspicuously on one of the server's motherboards. The microchip wasn't part of the original hardware design, so its existence could only mean one thing: Someone at some point in the supply chain had surreptitiously embedded the chip.</p><p>Americans officials, some of whom had already heard whispers of China's plans to sabotage motherboards headed for the U.S., opened a top-secret and ongoing probe.</p>
Hardware vs. software attacks
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8xODY5MTA2Ny9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTYyMjA0NzU5OH0.0WPhdoBtJqiKm6MFdZZWNc2-K_1GZaCwXNTr9FiiTZE/img.jpg?width=980" id="9a81d" class="rm-shortcode" data-rm-shortcode-id="e423402a993b7c338d49bb1227679b9a" data-rm-shortcode-name="rebelmouse-image" />The size of the implanted microchip.
<p>It's hard to overstate how ideal it is, from the perspective of a hacker, to successfully conduct a hardware attack, which differs from a software attack in that it alters the physical components of a computer and not just its code. Joe Grand, a hardware hacker and the founder of <a href="http://www.grandideastudio.com/" target="_blank">Grand Idea Studio Inc.</a>, put it like this to <em>Bloomberg</em>:</p><p>"Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow," he said. "Hardware is just so far off the radar, it's almost treated like black magic."</p><p>Even though the hidden microchips are tiny and hold small amounts of code, they pose outsized danger because hackers working from other computers can talk to the microchips and use them to gain access to networks and manipulate a server's operating instructions, all without alerting security systems. But one downside to hardware attacks is that they leave behind a paper trail.</p>Tracing the attack
<p>The servers sold by Elemental Technologies were assembled by Super Micro Inc., or Supermicro, the world's leading supplier of server motherboards whose customers include NASA and the Department of Homeland Security. Supermicro is based in California but most of its motherboards are manufactured by contractors in China.</p><p>American officials traced the supply chain of the compromised motherboards and identified four Chinese subcontractors that had been building Supermicro motherboards for two years. After monitoring the subcontractors, the officials found that the microchips had been ordered, by bribe or threats, to be implanted on the motherboards by a specialized People's Liberation Army unit.</p><p>"We've been tracking these guys for longer than we'd like to admit," one official told <em>Bloomberg</em>.</p>American companies deny knowledge of the attack
<p>Amazon, Apple and Supermicro have all denied knowledge of the attack or of the investigation.</p><p>"It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," Amazon wrote. Apple said that it's "never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server." And, perhaps unsurprisingly, the Chinese government didn't acknowledge the attack, stating that "Supply chain safety in cyberspace is an issue of common concern, and China is also a victim."</p><p>Despite the denials, 17 U.S. intelligence officials and company insiders, all of whom remain anonymous, confirmed the attacks to <em>Bloomberg</em>. Read the full report <a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" target="_blank">here</a>. </p>
<div class="rm-shortcode" data-media_id="8SsW0E0V" data-player_id="FvQKszTI" data-rm-shortcode-id="53c4acd644c6610e5cfe9aa017120cbd">
<div id="botr_8SsW0E0V_FvQKszTI_div" class="jwplayer-media"
data-jwplayer-video-src="https://content.jwplatform.com/players/8SsW0E0V-FvQKszTI.js">
<img src="https://cdn.jwplayer.com/thumbs/8SsW0E0V-1920.jpg" class="jwplayer-media-preview" />
</div>
<script src="https://content.jwplatform.com/players/8SsW0E0V-FvQKszTI.js"></script>
</div>
Keep reading
Show less
Popular
