Work-from-Home Security Advice
SANS has made freely available its “Work-from-Home Awareness Kit.”
When I think about how COVID-19’s security measures are affecting organizational networks, I see several interrelated problems:
One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and unprotected. They are more vulnerable to attack simply because they are less secure.
Two, sensitive organizational data will likely migrate outside of the network. Employees working from home are going to save data on their own computers, where they aren’t protected by the organization’s security systems. This makes the data more likely to be hacked and stolen.
Three, employees are more likely to access their organizational networks insecurely. If the organization is lucky, they will have already set up a VPN for remote access. If not, they’re either trying to get one quickly or not bothering at all. Handing people VPN software to install and use with zero training is a recipe for security mistakes, but not using a VPN is even worse.
Four, employees are being asked to use new and unfamiliar tools like Zoom to replace face-to-face meetings. Again, these hastily set-up systems are likely to be insecure.
Five, the general chaos of “doing things differently” is an opening for attack. Tricks like business email compromise, where an employee gets a fake email from a senior executive asking him to transfer money to some account, will be more successful when the employee can’t walk down the hall to confirm the email’s validity—and when everyone is distracted and so many other things are being done differently.
Worrying about network security seems almost quaint in the face of the massive health risks from COVID-19, but attacks on infrastructure can have effects far greater than the infrastructure itself. Stay safe, everyone, and help keep your networks safe as well.
JonKnowsNothing • March 19, 2020 9:54 AM
Eons ago, in the dark ages of computers, when the first set of “fun viruses” started popping up on people’s CRTs with falling rain of bricks, it was nigh on impossible to get people to run a “virus check” on those “big funny black wobbly thingies” or those “cute hard plastic coffee coasters” from a central PC checker, or, as things improved, from software directly installed on their systems.
One may fault the short-sightedness of people, managers and bosses, but it’s also been a complete failure of the computer industry. A failure the industry passes along to the victims of their faulty designs, and thus far, they have successfully been able to blame the “user”: ESO, RTFM.
The entire computer industry is designed for planned obsolescence. Once that number was 5 years, then 2 years, 18 months, 12 months and moving along to 6 months. Smartphones, replacing many old standard corporate systems, fail spectacularly on ever shorter timetables. The primary response is: ditch it and get a new one.
Our computer industry holds the entire blame for over complexity, lack of true integration and the “fix it in the next release” or “fix it in the next model update or rollout” mentality.
We can see the same sorts of issues falling like dominoes during the COVID-19 crisis. Only this time it’s not falling colored bricks on a CRT, it’s costing people their lives.
Not only are some areas facing financial and personal disasters, the very core structures of our global economy are shaking. Those same old STUXNET-infected controllers are still running.
There is zero indication that any major provider, or any subset segment, is changing tactics.
ht tps://en.wikipedia.org/wiki/Stuxnet
(url fractured to prevent autorun)