Today we wanted to share some tips for working more safely and securely from home.
Perhaps some of you have been used to a work-from-home routine for years, and your company has all the software, infrastructure and policies/procedures necessary for you to do your job successfully. If that describes your situation, consider yourself blessed! Why? Because after the coronavirus outbreak, many companies found themselves needing to support hundreds of remote workers – almost literally overnight. That meant purchasing and provisioning laptops, configuring VPN software and hardware and boosting Internet bandwidth at the office to support all these new remote users.
7 Minute Security has been helping clients navigate these new challenges, and while doing so, we were reminded of how easy it can be for security to take a back seat when IT-focused emergencies pop to the top of the priority pile. So as you settle into your new routine of cranking through a day of Zoom Webinars in your jammies while hoping your dog doesn’t bark too loudly when the mailman comes, let’s keep the following practical security tips in mind:
Pick Powerful Passwords
You’re probably sick of hearing IT and security folks nag at you about why Winter2019 is not a good password, and you’re already rolling your eyes at reading about it again right now. But I will plead with you until I’m blue in the face: picking a long, strong and unique password is super important, perhaps more now than ever. Why? Because after the virus outbreak, cyber attacks jumped (one estimate put the increase in April at 37%), and one sneaky thing attackers love to do is called password spraying. The idea behind password spraying is that if I want to hack into an account at your company, I will build a list of employee usernames and try to log into each one with a single password I know people love, like Winter2019. Trying one password against many accounts (instead of many passwords against one account) means no single account racks up enough failures to get locked out, so the attack tends to fly under the radar. If I do that, my hacking tool output might look like this:
- Attempting to login as joe.smith with password Winter2019: failed
- Attempting to login as suzy.q with password Winter2019: failed
- Attempting to login as tommy.boy with password Winter2019: failed
- Attempting to login as shirley.temple with password Winter2019: failed
- Attempting to login as bruce.wayne with password Winter2019: SUCCESSFUL!
And boom, just like that, I can log into Bruce’s email account, snoop through his corporate files and steal sensitive data. Sounds like a simple attack, right? So let’s not have the next victim be you!
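To make the defender’s side of this concrete, here is an added example (mine, not from the original post) that scans a small, made-up authentication log for the spray pattern: one source address failing against many different accounts while no single account fails more than once or twice. The log format, addresses and usernames are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post). Assumed
# format: timestamp, source IP, username, outcome. The first source tries one
# password against five different accounts (a spray); the second is one user
# fumbling their own password a couple of times before getting it right.
SAMPLE_LOG = """\
2020-04-14T08:01:02Z 203.0.113.7 joe.smith FAILED
2020-04-14T08:01:03Z 203.0.113.7 suzy.q FAILED
2020-04-14T08:01:04Z 203.0.113.7 tommy.boy FAILED
2020-04-14T08:01:05Z 203.0.113.7 shirley.temple FAILED
2020-04-14T08:01:06Z 203.0.113.7 bruce.wayne SUCCESS
2020-04-14T08:05:00Z 198.51.100.3 joe.smith FAILED
2020-04-14T08:05:30Z 198.51.100.3 joe.smith FAILED
2020-04-14T08:06:00Z 198.51.100.3 joe.smith SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAILED|SUCCESS)$")


def parse_log(text):
    """Turn log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "src": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "SUCCESS"})
    return events


def max_failures_per_account(events, src):
    """Highest number of failed logins any single account saw from one source.
    For a spray this stays at 1, which is why per-account lockout never fires."""
    counts = defaultdict(int)
    for e in events:
        if e["src"] == src and not e["ok"]:
            counts[e["user"]] += 1
    return max(counts.values(), default=0)


def find_sprays(events, min_distinct_users=4):
    """Flag sources whose failures are spread across many different accounts.
    Returns {src: {"distinct_failed_users": n,
                   "compromised": [accounts that succeeded from that source]}}."""
    by_src = defaultdict(lambda: {"failed": set(), "succeeded": []})
    for e in events:
        bucket = by_src[e["src"]]
        if e["ok"]:
            bucket["succeeded"].append(e["user"])
        else:
            bucket["failed"].add(e["user"])
    hits = {}
    for src, b in by_src.items():
        if len(b["failed"]) >= min_distinct_users:
            hits[src] = {"distinct_failed_users": len(b["failed"]),
                         "compromised": sorted(b["succeeded"])}
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, info in find_sprays(evts).items():
        print(f"spray from {src}: {info['distinct_failed_users']} accounts tried, "
              f"max failures on any one account = {max_failures_per_account(evts, src)}, "
              f"compromised = {info['compromised']}")
```

The point of the two counters is the contrast: the sprayer never fails more than once per account, so a lockout policy alone would miss it, while grouping failures by source address makes it obvious.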
Tips for picking a good password
In order to pick a good password, let’s first talk about some properties of a bad password. Passwords should not contain the following:
- Your name
- Your birthday
- Your company name
- Simple “keyboard walks” such as asdf1234 or asdfjkl;
- Any combination of season plus year, such as Winter2019
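Here is an added example (mine, not from the original post) that turns the list above into a checker you can run against a candidate password. The name, birthday and company it is given are hypothetical, and the 14-character minimum and the four-key definition of a keyboard walk are my own choices.

```python
import re
from datetime import date

SEASONS = "spring|summer|fall|autumn|winter"
# Rows of a US keyboard. A "walk" is a run of neighbouring keys typed in order,
# in either direction: asdf, 1234, ;lkj and so on.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")


def has_keyboard_walk(pw, run=4):
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def has_season_year(pw):
    # Matches Winter2019, winter19, Spring-2020, Fall'20 and similar.
    return re.search(rf"({SEASONS})[\s\-_']*(19|20)?\d{{2}}", pw.lower()) is not None


def birthday_strings(bday):
    """The common ways a date of birth gets typed into a password."""
    forms = ("%Y", "%y%m%d", "%Y%m%d", "%m%d", "%d%m",
             "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y")
    return {bday.strftime(f) for f in forms}


def check_password(pw, *, name="", birthday=None, company="", min_len=14):
    """Return the list of reasons a password fails; an empty list means it passed.
    name, birthday and company are the user's own details (hypothetical here)."""
    reasons = []
    low = pw.lower()
    alnum_only = re.sub(r"[^a-z0-9]", "", low)
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if any(len(p) >= 3 and p in low for p in name.lower().split()):
        reasons.append("contains your name")
    if birthday and any(s in alnum_only for s in birthday_strings(birthday)):
        reasons.append("contains your birthday")
    if any(len(p) >= 4 and p in low for p in company.lower().split()):
        reasons.append("contains your company name")
    if has_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    if has_season_year(pw):
        reasons.append("looks like a season plus a year")
    return reasons


if __name__ == "__main__":
    # Hypothetical user details for the demonstration.
    me = dict(name="Bruce Wayne", birthday=date(1980, 5, 27), company="Wayne Enterprises")
    for candidate in ("Winter2019", "asdf1234", "Bruce05271980!",
                      "Tameka Noted Severe Issues 504!", "Ct]gubrG6^[nL4_a"):
        print(f"{candidate!r}: {check_password(candidate, **me) or 'OK'}")
```

A checker like this only catches the patterns it knows about; it is a floor, not a guarantee, which is why the password manager and passphrase advice that follows still matters.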
In order to pick a good password, one strategy we recommend is using a password manager like LastPass or 1Password. A password manager will generate crazy strong passwords (like Ct]gubrG6^[nL4_a) for all your accounts. You don’t need to remember these gnarly passwords, you just need to remember the master password which unlocks the password vault itself. That master password is now the key to everything, so make it a long one, and turn on two-factor authentication for the vault if your manager offers it.
If you are not quite ready to jump into a password manager just yet, here’s another simple way to start generating stronger passwords:
- Open a book in your office to a random page.
- Take note of the four words closest to the page number. For example, in my book I opened to page 504, and the four words by the page number are Tameka Noted Severe Issues.
- Take the four words plus the page number and a special character, and that is your new random and strong password! For me, the password is Tameka Noted Severe Issues 504!
What I especially like about this method of password generation is that I can leave myself a password hint right on my desk without that hint being a security concern. For example, I could stick a bookmark in page 504 of that book, and nobody would know its significance. I could even go one step further and leave a note on my desk with the book title and page number of my password hint, and it still wouldn’t give anybody a clue as to its importance.
Just don’t write the actual password on the note, and also make sure you use a unique password for each and every account you use. We’ll talk about why in a little bit.
Lock Down Your Wifi
At work you probably have a wonderful group of IT and security folks who keep careful watch over anything bad happening on your network (make sure you check in with them regularly during this stay-at-home time, they’re working tirelessly!). Now that you are working from home, more of that security responsibility shifts to you.
Use a strong wireless network password
We just finished talking about how important it is to have a strong password on your online accounts, and the same guidance applies to your home wifi password. In fact, I’d say having a strong wifi password may be even more important, and the reason why is an adorable little gadget called the Pwnagotchi.
If you want to see this bugger in action, 7 Minute Security did a Webinar all about it which you can check out here. A Pwnagotchi costs about $40 in parts and its sole purpose in life is to make it easier for attackers to hack into your network. How? Whenever a device such as your laptop joins your wireless network, it and your router perform what’s called a handshake. The handshake doesn’t carry your wifi password in the clear, but it does carry values computed from it, and that is enough for an attacker to test password guesses against it later. A Pwnagotchi sits quietly collecting those handshakes, and it can even nudge nearby devices into reconnecting so that it captures more of them.
Why does that matter? Because an attacker can easily get in range of your wireless network, fire up their Pwnagotchi and grab a copy of that handshake. Then, the attacker can drive home, load that handshake file into a password-cracking program, and try to guess the actual password using lists of different word combinations. If the attacker successfully guesses the password, they can drive up next to your house, join your network and do additional attacks against your devices – all from the comfort of their vehicle!
While you cannot prevent someone from grabbing the network handshake, you can make it much harder for someone to crack the password by following the tips in the previous section to create a long, strong password that would be incredibly difficult to guess. Giving your network a distinctive name helps too: the network name is mixed into the key derivation, so precomputed guess tables built for common default names (linksys, NETGEAR and the like) are useless against a network with a unique name. And if your router supports WPA3, turn it on; its handshake was designed to resist exactly this kind of offline guessing.
Defend Your Digital Identity
The HaveIBeenPwned Web site is a great (and free!) way to keep tabs on your personal and professional email accounts and get notified if any of them turn up in a known breach. HaveIBeenPwned also helps emphasize the importance of picking good passwords. For example, if an online shopping site called Super Cool Shopping Site gets hacked, sometimes the attackers will actually post the stolen list of usernames and passwords for anyone to download.
It’s bad enough that these users had their passwords for the Super Cool Shopping Site compromised, but what if these folks also use these passwords for their work email? Or all their social media sites like Facebook and Twitter? Or their banking and 401k accounts?! Yikes.
Hopefully you can see why we’re trying to emphasize the use of strong and unique passwords for every account you use online.
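HaveIBeenPwned also publishes the Pwned Passwords list, and you can check a password against it without sending the password anywhere: you hash it, send only the first five characters of the hash, and match the remainder locally. Here is an added example (mine, not from the original post) of that check. The range response embedded below is constructed so the example runs offline; a real check would fetch https://api.pwnedpasswords.com/range/<prefix> instead.

```python
import hashlib

# Constructed stand-in for the body returned for the range "5BAA6" (a real
# response has hundreds of lines and the counts change over time).
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def hash_password(pw: str):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest. Only the
    5-character prefix ever leaves your machine."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Each line is 'SUFFIX:COUNT'; return {suffix: count}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def pwned_count(pw: str, fetch_range):
    """fetch_range(prefix) returns the response text for that prefix.
    Returns how many times the password appeared in known breaches
    (0 means it was not found)."""
    prefix, suffix = hash_password(pw)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fake_fetch(prefix):
    """Offline stand-in. A real fetch would GET
    https://api.pwnedpasswords.com/range/<prefix> over HTTPS."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Tameka Noted Severe Issues 504!"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch)} times")
```

Because the server only ever sees the five-character prefix, it learns nothing useful about the password, yet you still find out whether the full hash is on the list.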
Protect Your PC
It may be that while you’re waiting for your company to provision you a corporate laptop, you have to use a personal device to get things done from home. If that’s the case, make sure you are using good security hygiene to keep that device as secure and updated as possible:
Apply Windows updates
If you’re running Windows 10, it’s near impossible to have your machine not apply updates. If you’re running an older flavor of Windows, check that updates are scheduled to download and install regularly, and keep in mind that Windows 7 stopped receiving security fixes in January 2020, so if that’s what you have, no amount of checking will get you patched; it’s time to upgrade.
If you use a Mac, those devices are pretty good about nagging you as well. Mine gives me a little pop up window every day or so when things are ready to install. Remember that as annoying as updating can be, many times those packages contain critical security fixes that your device should receive ASAP.
Make sure your antivirus is up-to-date
I’ve been checking in on my not-so-tech-savvy family and friends during this stay-at-home time, and was concerned to see many of them using an antivirus product that was no longer receiving updates – either because something was functionally wrong with the program or they let the subscription run out.
Windows machines come with Defender, which has become surprisingly good at catching bad stuff in recent years. If you’re looking for something a bit more advanced that also supports Macs and mobile devices, clients have reported a good experience with Sophos Home, which has a lot of security bells and whistles and supports 10 devices for less than $50 a year.
Block Icky Stuff in Your Browser
I think it’s a safe assumption that you use a Web browser pretty heavily throughout your work day. To reduce the amount of ads and pop-ups (and potentially malware!) you see and boost your productivity, consider installing one of these junk-blockers:
uBlock Origin is available for Firefox and Chrome, it’s free and installs with just a few clicks. From my experience, it does an outstanding job of keeping stuff I don’t want to see away from my eyeballs. To give you a quick example, I recently visited cnn.com to read up on the latest Coronavirus news, and my uBlock install told me it blocked 32% of the content on the CNN homepage:
That’s an awful lot of ads, movies, scripts, sounds and other garbage!
If you want to block ads and potentially malicious or adult-themed sites for the whole household, look at OpenDNS. It’s a service that you configure once on your router, and then it filters content for every device connected to your wifi. The idea is simple: before a device can connect to a site, it asks a DNS server to turn a name like cnn.com into an address, and with OpenDNS configured your router hands every device OpenDNS’s servers as that DNS server. When a device asks for a domain on a blocked list, OpenDNS answers with the address of a block page instead of the real site. (We walk through this in our 7 Ways to NOT Get Hacked security awareness session.)
OpenDNS is free for the basic home plan, with several tiers of paid plans if you want additional controls and features. One caveat: a device that is set to use its own DNS server, or a browser that does its own DNS over HTTPS, skips the filter entirely, so treat it as a convenience layer rather than a hard control.
Conference with Care
If you’re like me, almost all of your in-person meetings have been replaced with Zoom/WebEx conference calls. While in some ways those meetings are super convenient, they open us up to security/privacy concerns we may not have thought much about when in the office. Consider these tips for a more secure, and more private, conference experience:
- The mute button is your friend – it seems simple, but getting in the habit of muting yourself when not talking can save you from saying/doing something embarrassing. In fact, I’ve gotten in the habit of completely quitting my conference apps after each call.
- Check for software updates regularly – popular conference apps like Zoom have been making news for some security/privacy concerns researchers have uncovered (some of which have been blown out of proportion in my opinion). Most of these tools should just pop up a box asking you to install an update when it is available, but you can also check yourself. In Zoom, for example, you can click your profile picture and then click Check for Updates.
- Consider a privacy screen – many folks are now having to convert a closet, toy room or kitchen into a makeshift office. Depending on your room configuration, you might end up with your monitors on a desk that directly faces an outside window. While the chances may be slim that a peeping Tom would peer into the window and steal your sensitive company information, it might not be a bad idea to install a privacy screen. Amazon offers a variety of screens to choose from.
Be Careful with Your Clicks
After the coronavirus became a hot topic, we’ve seen thousands of new virus-themed domain names pop up. Attackers are using them to entice you to click links, open attachments, divulge sensitive information and infect your system with malware. Regardless of what an email says or who it claims to be from, be careful with your clicks. Here are a few ways to do just that:
- Ask yourself “Do I know the sender? How can I be SURE?”
You might be really great at spotting someone called firstname.lastname@example.org who sent you an email pretending to be your boss. But what if your actual boss had her email hacked and sent you an email requesting that a large sum of money be transferred? For cases like these, we highly recommend you put a company policy in place that says all money transfers must be validated by a phone call, placed to a number you already have on file rather than one supplied in the email. An attacker who controls the mailbox also controls the reply, so a confirmation by email alone proves nothing. In general, if you’re suspicious at all of an inbound email, get that person on the phone to validate.
- Ask yourself “Is this URL safe to click?”
Let’s start this section with a quick test. Is a link to https://www.facebook.com safe to click?
If you said “Probably,” you’re right. This link goes right to the site that we know and (some of us) love: Facebook.
How about a link that looks almost the same, but with a zero where an “o” should be, such as faceb00k.com? Is it safe to click?
If you said “Probably not,” you’re right. The letter “o” has been replaced by “0” (zero), and this link is trying to dupe you into going somewhere that is likely not Facebook. Swaps like this are easy to miss at a glance, so read the domain name slowly, and remember that the text of a link and the address it really points to can differ: hover over it (or long-press on a phone) to see the real destination before clicking.
Ok, last one. Is a shortened link, the kind of short address a URL-shortening service hands out, safe to click?
If you scratched your head and weren’t sure how to answer, you’re right! This particular link would take you to https://7minsec.com, but how would you know without clicking it first? Whenever I’m suspicious of a link like this, I’ll paste it into CheckShortURL.com which, as its name suggests, checks short URLs. It then shows where we’ll end up if we click the link so we can make a more educated decision.
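Here is an added example (mine, not from the original post or CheckShortURL.com) that automates the two judgement calls above: spotting a domain that imitates one you trust by swapping look-alike characters, and unwinding a shortened link one redirect at a time without a browser. The trusted-site list, the swap table and the redirect table are constructed for the example, and a real unshortener would issue HEAD requests with redirects disabled in place of the table lookup.

```python
from urllib.parse import urlsplit

# Constructed list of sites the reader trusts (assumption for the example).
TRUSTED = {"facebook.com", "7minsec.com"}
# Common character swaps used to build look-alike names. Multi-character
# swaps go first so "rn" is turned back into "m" before single letters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed redirect table standing in for a URL shortener (no network).
FAKE_REDIRECTS = {
    "https://short.example/abc": "https://7minsec.com",
    "https://short.example/loop1": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop1",
}


def registrable(host):
    """Last two labels of the host name. Simplification: does not know about
    public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def unconfuse(domain):
    """Undo the look-alike swaps so faceb00k.com reads as facebook.com."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def classify(url):
    """Return ('trusted', domain), ('lookalike', domain it imitates) or
    ('unknown', domain)."""
    host = urlsplit(url).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted", dom
    target = unconfuse(dom)
    if target in TRUSTED and target != dom:
        return "lookalike", target
    return "unknown", dom


def fake_lookup(url):
    """Offline stand-in for 'send a HEAD request and read the Location header'."""
    return FAKE_REDIRECTS.get(url)


def unshorten(url, lookup=fake_lookup, max_hops=5):
    """Follow redirects one hop at a time and return the final destination,
    or None if the chain loops or is longer than max_hops."""
    seen = {url}
    for _ in range(max_hops):
        nxt = lookup(url)
        if nxt is None:
            return url
        if nxt in seen:
            return None
        seen.add(nxt)
        url = nxt
    return None


if __name__ == "__main__":
    for link in ("https://www.facebook.com/", "https://faceb00k.com/login",
                 "http://7rninsec.com/", "https://short.example/abc"):
        final = unshorten(link)
        print(f"{link} -> {final} -> {classify(final) if final else 'redirect loop'}")
```

The swap table will produce false alarms on ordinary words (any domain containing “rn” looks like it hides an “m”), so in practice the look-alike check is a prompt to look closer, not an automatic block.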
Whether working at home is a pleasant dream or a hot nightmare for you, we all need to do our part to help protect our company’s people, systems and data. Hopefully this post helps you be a more secure person, whether you’re at work or at home (which is probably the same place right now :-).
Written by Brian Johnson | President, 7 Minute Security
Originally published on www.7minsec.com