Staying Cyber Safe While Teleworking
An AFCEA expert provides guidelines on cybersecurity for all at home.
As people around the world practice self-isolation in an effort to reduce exposure and spreading of the COVID-19 virus, the need to maintain a strong cybersecurity posture arguably has never been higher. Millions of people have shifted their daily lives to an environment relying on telework, distance learning, Internet-enabled social engagement, streaming news and entertainment and other activities.
This “new normal” is facilitated by the robust capabilities of the Internet. Yet it presents a significant cyber risk. During the COVID-19 crisis, we’ve seen bad actors stepping up their game with increased incidents of phishing, disinformation, watering hole attacks and other criminal activity.
The average home-based computer user often is not as well-versed on cybersecurity best practices. Even established information technology companies have problems with cyber hygiene in their offices. Therefore, as adversaries have stepped up their game, cyber professionals need to step up theirs as well in educating the general public and promoting best practices to employ.
Several key recommendations stand front and center to be shared with family, friends and co-workers to maintain safe and effective continuity in their daily lives.
The first is to understand the risks. As people transition to telework, distance learning and other Internet-enabled activities, many do not recognize that the cyber risk calculus has changed as they pivoted to home systems. Enterprise information environments generally are better protected with a dedicated, trained cybersecurity team. When a user pivots to operating a home computer system, its cyber defenses likely are not as robust as are normal business or school systems. Cyber criminals and others know that and seek to take advantage of systems that have weaker defenses.
Remind your family, friends and co-workers that their cyber risk is elevated when operating from home systems; that bad actors are actively engaged in increased phishing, malware and disinformation campaigns; and that they should follow best practices—such as those outlined here to best manage their cyber risk.
The second is to ensure that a home system is current. Adversaries prey on devices that are not running the latest operating systems and applications. Manufacturers of operating systems and applications continually update their products to ensure the latest security and performance capabilities are available to their customers. A system should be checked daily for necessary updates, and users should only download updates from the manufacturer—and encourage others to do the same.
At the same time, families should understand and adhere to local school district policy, choose hard-to-crack passwords rather than relying on default passwords for home WiFi and be sure to never use family names or addresses. Also, the family should be aware of and able to identify every device on the home network using a password manager, use two-factor authentication and ask the service provider about additional tools to protect the network.
On a related note, parents and guardians should not be bashful about ensuring the devices their children use are not open to the greater network with proper credentialing. It also is important that parents instruct their children on networking dos and don’ts. And while they’re at it, families can and should check every single home appliance that connects to the Internet, either locking them down entirely or to an appropriate degree.
Another important point is to seek information from reputable sources. Bad actors generate a prolific amount of disinformation during times of crises, when people are eager to gather as much information as possible. Many nefarious operators leverage a technique such as a “watering hole attack” to attract victims to a website they control, serve up hidden malware to visitors and gain access to their systems. We are seeing numerous phishing emails directing people seeking COVID-19 related information to visit suspicious sites. Government and known institutional websites such as cdc.gov and www.who.int remain the safest, most current and most authoritative sources of COVID-19 information. Actively encourage your family, friends and co-workers to avoid unknown or unrecognized websites, as they may present unacceptable cyber risks.
Furthermore, sharing information is key. Everyone ought to participate in a neighborhood watch, including in the cyber neighborhood. It is important to engage in information sharing about cyber risk. Participate in information sharing organizations such as AFCEA, your critical infrastructure’s Information Sharing and Analysis Center, ISC2, ISACA and other well-established sources of cyber threat and information sharing. Ensure you regularly share information about cyber threats, risks and best practices with your family, friends and co-workers.
And finally, be careful what you click. As with the third point, cyber professionals are seeing a rise in the amount of phishing emails directed at home users. Many speculate that this may be an attempt to gain control over the systems used by teleworking personnel. Often, these phishing attempts feature embedded files or links that supposedly lead to information intended to be valuable to the recipient.
Before opening an email, I suggest people “READ” the message—employing that word as an acronym for action. First, the message ought to be “Relevant.” Second, it ought to be “Expected.” Third, the reader should “Authenticate” that it actually came from the expected source. Finally, is the email “Digitally signed?” Digitally signed messages generally provide an extra layer of security adding capabilities such as nonrepudiation to risk assessments. If the incoming message doesn’t pass the READ test perhaps it should not be opened, and neither should links or attachments be trusted. Manually typing the link into a browser reduces risk. Additionally, whenever possible, users should scan attachments for malicious code prior to opening them. Help your family, friends and co-workers understand the risks associated with clicking links and opening unverified attachments.
Cybersecurity is not just a technology issue. Effective cybersecurity involves people, process and technology. Everyone needs to make sure that they do their part to ensure the safest possible cyber environment.
These recommendations can serve as sample cyber conversations you ought to be having with your family, friends and co-workers.
Let’s be safe out there. In addition to regularly washing your hands, wipe off your keyboard, phone and tablets regularly!
Retired Air Force Brigadier General Greg Touhill was the first federal chief information security officer of the U.S. government and is a member of the AFCEA Cyber Committee. Now serving as president of AppGate Federal, he also serves on the faculty of Carnegie Mellon University’s Heinz College.