July 21, 2020
Good morning, everyone!
Last week Microsoft released security patches for a critical vulnerability in all versions of Windows Server. Without this fix, servers are vulnerable to remote code execution and it’s wormable (it can jump from computer to computer without human interaction). Please make certain all your Windows servers received this update! Read more here.
Teleworking/Work From Home is here to stay
With the recent statewide face mask orders and school returns being delayed, I think it’s safe to assume that teleworking/working from home is going to be a part of what some people are calling the “new normal” – at least for the foreseeable future, if not forever. What does this mean for cyber security?
In early June, the FBI reported that online crimes reported to their Internet Crime Complaint Center (IC3) so far this year have quadrupled since January, with COVID-19-related cybersecurity threats alone numbering over 20,000.
If cyber crime were a country, it would have the 13th largest GDP in the world. Isn't that incredible? This problem isn't going away.
Many businesses were not prepared for teleworking/WFH when the pandemic first began, and were forced to implement temporary measures. Cyber criminals have been taking advantage of the situation, with ransomware in particular running rampant. Now that the immediate crisis has passed, it’s time to review your security measures and develop a plan for a secure, long-term, remote workforce when needed. Here are a few things to consider:
(1) Install a VPN.
Many small businesses simply opened up ports on the firewall for remote access, but without proper security, an open port is a backdoor to your network. Windows Remote Desktop Protocol (RDP) is a major target: “The number of daily brute-force attacks against Windows remote desktop service has almost doubled during the pandemic lockdown” according to this report. Last fall, F-Secure reported that 31% of ransomware attacks in 2019 were launched via RDP. At the Gulf Coast ISAC meeting last month, the Mobile area FBI agent dealing with cyber security named open RDP ports as one of the top threats to business networks.
If you already have a VPN:
- have enough licenses for everyone who needs remote access
- make certain you are running the latest version of software/firmware
- maintain a subscription for software/firmware updates
- replace it before it reaches end-of-life support by the manufacturer
(2) Set up corporate accounts for LogMeIn, GoToMyPC, etc.
You may have let every employee set up his/her own remote access account in a rush, and now is the time to consolidate. Corporate plans for these software applications provide administrative controls you can use to increase security, e.g., requiring the use of multi-factor authentication, forcing password changes, disabling user accounts, etc.
(3) Develop and promulgate an acceptable use policy for WFH.
Even when employees are using their own personal home computers, the employer can still require that certain security measures be in place, e.g., running a supported operating system with auto-update, antivirus/antimalware software installed with auto-update and routine scanning, separate user account for work use vs. home use. Set a policy for securing videoconference meetings.
Two easy steps to protect any video conference (not just Zoom) from unwanted guests:
1 - Create a new link for each meeting (don’t re-use meeting links)
2 - Set a password for every meeting
(4) Secure employee home networks.
Use your IT people (whether in-house or outsourced) to make certain that home routers are supported, up-to-date and running a secure configuration. A compromised home computer accessing your corporate network is a significant risk. CISA has published useful tips for home network security.
(5) Require multi-factor authentication everywhere.
Whether VPN to home office, Office365 accounts, remote access software or cloud services, you should require MFA whenever and wherever it is available. Remember this from last week’s newsletter:
“Speaking at the RSA security conference [in February of this year], Microsoft engineers said that 99.9% of the compromised accounts they track every month don't use multi-factor authentication, a solution that stops most automated account attacks.”
Google data shows that using 2FA blocks “100 percent of automated attacks, 96 percent of bulk phishing attacks, and 76 percent of direct, targeted attacks.”
If you can do only two things to improve your online security, personally and professionally, do these:
1 – Keep all software (especially the operating system) on all devices up to date.
2 – Enable 2FA whenever and wherever available.
(6) Invest in employee training.
Your employees are the last line of defense for your information systems. When that brand-new malware gets past your technical defenses and lands in an employee’s inbox, but he/she thinks it looks suspicious and doesn’t open that infected attachment, that employee has just saved your network from a possible data breach. (Psst: I do employee training!)
(7) Have good written policies, and train your employees on the policies.
Make it easy for employees to do the right (secure) thing. Train not just “what” is the policy but “why” – when you add context to your training, employees are more likely to embrace it and develop good (secure) habits. People remember stories. For example, it’s a simple thing to pick up the phone to confirm an email request to change bank account information for a wire transfer or payroll direct deposit, but it can save your business from losing large sums of money, and possibly even save your job.
Whether you are teleworking now, or expect that you and/or your employees will be doing so at some point in the future, now is the time to develop a security plan. We must continue to do what we can to protect our data everywhere it is accessed -- office, cloud, home, mobile devices....
Until next week!
Don't forget to check out my upcoming Work(fromhome)shops!
Midsummer Cyber Self Defense Series continues at 10:30 this morning! Social engineering, phishing, ransomware defense, social media, password management techniques and more!
And I have a full slate scheduled for August!
And hey, check out our new website!
Talk to you again soon!