Many of us are already working from home (WFH), to do whatever we can to “flatten the curve” and reduce the potential burden on our healthcare system for those who need it, and those who have to operate in it.  Even more people are likely to start working from home this week, as we head into proper lockdown, and schools close.

Not everyone is super practiced at working away from the office, and for many people remote access has just meant getting emails and maybe some cloud file access on a mobile, tablet, home PC or work-issued laptop.  But working consistently from home inevitably requires almost everything you have access to at work.  This will place a large burden on IT and security functions, and some things are likely to be missed.  This is also at a time when the hackers and bots of the world are aware of and actively targeting these risks.

So here we set out of few of the main questions you can ask yourself, either as someone responsible for the efficacy and security of remote working, or as someone who is doing the remote working.  Some of the points below might seem a bit technical.  Some are things you might be able to action yourself, and others might require someone in your IT or security function to action.  But we wanted to arm you with a little checklist of the key things to consider, to be able to work securely and with confidence from home or just about anywhere:

  1. Do you use the Windows Remote Desktop application?

    • If yes, you should only use it if you have some type of “VPN” (virtual private network) in place.  A VPN creates a private tunnel between where you are and where you are trying to get to.  If think you might not have a good VPN running, you really shouldn’t be using Remote Desktop.
  2. Do you use Citrix, VMware Workstation or TeamViewer?

    • If yes, there is a good chance you have a robust, secure connection to your work systems.  There’s quite a lot of “devil in the detail” to make sure these are configured securely for access from any random computer, but the main thing we want to check is:
    • Do you enter something like a 6-digit code, as well as your username and password, when you log into your Citrix (or other such) session?  This is referred to as a “multi-factor authentication” (MFA) or “two-factor authentication” (2FA) code, and is a really important thing for preventing attackers from impersonating you.  When you don’t have MFA for these systems, you have to work a lot harder with password security, and anyone who gets your password (however they get it) can probably log into your systems and do everything you can do on them.
  3. Has your IT or security team restricted where you get remote access from?

    • For example, have they limited remote access to only coming from your home?
    • This is difficult to do unless your home internet is already properly set up for regular WFH. Normally this requires your work to have provided you with a router or firewall (like a little computer networking appliance), or at least to have arranged for your home internet connection to have a “fixed IP address” (an address that doesn’t keep changing).
    • Unless you have a router or firewall provided by your work, restricting your access to just being allowed from home is worthwhile, and an improvement over many types of remote access, but not really sufficient security and also restricts you to only working from that location.
  4. Do you have to open up a VPN connection before you can access work systems?

    • This is normally (but not always) an application that you need to open on your home PC or work laptop, where you put in some credentials like a username and password (and hopefully also an MFA 6-digit code or similar).
    • If you can’t get access to work systems without opening up the VPN application, this is good news and generally means you have a secure tunnel between your remote PC and your work networks.  It also means you can probably access work systems from anywhere on the internet, not just from your home.
    • Sometimes VPNs are pre-configured on work laptops, and all you have to do is turn it on (without providing your credentials).  This is also probably fine, assuming it has been pre-configured by your IT or security team.
    • But if you can open up your VPN without being required to enter an MFA 6-digit type code, you are probably not being as secure as you could be.  This is something you might want to raise as an important improvement, with whoever cares about security and privacy at your organisation.
  5. Does your remote computer have automatic updates configured for it?

    • Applying critical updates as soon as they are available is one of the most important steps you can take.  It isn’t a silver bullet (nothing in security is), but it is one of the most important layers of security.
    • Windows 10 Home essentially forces you to install updates within a short period of their release.
    • The latest version of the Mac operating system can push down critical updates to your PC without you even knowing.  Mac OS otherwise has good default settings that make it hard for you to ignore updates.
    • If you have a work-supplied Windows 10 Pro computer, you probably need to be connected to to your work systems in order for it to get its updates at a time decided by your IT team.
    • The key here is to try to check for updates regularly, and if possible to apply them asap.  This is true for applications installed on your PC as well as for the PC’s operating system itself.
  6. Does your remote computer have business-grade anti-malware running on it?

    • Anti-malware is a general term for what used to be called “anti-virus” and is sometimes still referred to as “AV” protection.
    • Lots of Windows computers come with anti-malware software installed on them (things like Norton).  We do not consider these to be business-grade (they are generally running in a “free” mode, and if something like this is free you have to ask where the value comes from).
    • Windows Defender is a very good option for anti-malware, if it is properly and actively configured by your IT or security team.  The main reason it is a good option is that it is provided by Microsoft, the vendor of the operating system itself, and performs well in anti-malware detection, false-positive and false-negative tests.
    • Defender is generally running in a basic mode on Windows 10 computers, and may be running on older Windows operating systems also.
    • Apple Mac computers, like iMacs and MacBooks, don’t have anti-malware running on them unless someone has actively installed it. You should not think of your Mac as being less likely to get malware than a Windows machine.  Although this has been true historically, it is less true today as good amount of malware targets Macs, and the biggest risks are your web browser and email application.
    • The most topical current threat is from email “phishing” which results in malware that maliciously encrypts your local and attached hard drives and network shares, known as crypto-ransomware.  Good, modern, business-grade anti-malware systems are designed to do the best possible job at preventing crypto-ransomware, and preventing previous unknown malware or exploits (known as zero-days) from entering your computer.
  7. Does your remote access computer have any policy enforced on it?

    • “Policy” enforcement means that certain important things are required by the computer’s operating system – you can’t avoid them.  Policy might be applied by “Group Policy”, for computers that are attached to a Windows Active Directory domain, or by some third-party software installed on the computer.
    • Examples of enforced policies include: minimum password complexity; requiring hard drives to be encrypted; requiring the operating system’s firewall to be enabled; etc.
    • If you are using a computer supplied and pre-configured by your IT or security team, there is a good chance it has policy enforcement applied.
    • If your IT team simply supplied a laptop for your home use, it might not have any policy enforcement on it.
    • If you just use your own home computer to access work systems and services, there is a strong chance you have no policy enforcement.
    • If you have no policy enforcement, there is a good chance you have a weak password, with no hard drive encryption and your computer’s built-in firewall may well be disabled.
    • These policies and protections are important parts of a layered approach to security, and you might want to talk to your IT or security team about improving this.
  8. Do you access cloud services as part of your work functions?

    • We’re talking about things like Google G Suite, Google Drive, GMail, Office 365, SharePoint, Dropbox, (and about a billion other cloud apps).
    • If yes, do you have MFA configured for all of these accounts?  If you are able to log into any of these services without providing an MFA 6-digit type code, or similar, you don’t have sufficiently secure access to that cloud service.
    • It is often possible for your organisation to require MFA for all accounts associated with your organisation.  Perhaps suggest to your IT or security stakeholders that they should be configuring that, for all work-related cloud services, if they haven’t already.
  9. Are you using the same password to access more than one cloud service (or more than one anything)?

    • Password re-use is dangerous, particularly where there is no MFA on a service.  Hackers can trivially extract a password you used for one cloud service and try your email address with that same password against all the other cloud services, just to see it it works (and see if they get prompted for an MFA code).
    • Passwords also need to be long and complex (like 12+ characters, ideally with all four character types included).  Managing a different, complex password for all the different services you access is nearly impossible.
    • So you should be using a good password management solution, like KeePass, LastPass, 1Password or Dashlane, to name just the main ones.
    • The better ones of these can help to tell you where you are re-using the same password, and some can even help you to change those for something unique and secure.
    • If you don’t already have a password manager, you should perhaps talk to your IT or security team about getting one.  In the meantime, you can improve things for yourself and your family by signing up for one personally – many offer a free subscription that is sufficient for most purposes.
  10. Be particularly aware of email phishing campaigns relating to Covid-19 and remote working

    • Needless to say, hackers gonna hack, and there are a lot of low-hanging fruit right now, with everyone thrown into remote working.
    • In particular, there are a lot of emails flying around that purport to offer useful information, perhaps even apparently coming from your own organisation.
    • The key things to remember are:
      • If you didn’t actively ask for, or didn’t otherwise expect, this email – start with a defensive or suspicious stance against it.
      • If a mail is trying to get you to click on a link, be even more suspicious.
      • If the mail is asking you anything about money or bank accounts, be double-suspicious, no matter who the mail seems to have come from.
        • Call that person on the phone to verify.  Don’t just action the mail.
      • Don’t click a link in an email without being really sure where it is taking you.
        • Hover over the link with your mouse.
        • Look for the “domain” that the link is pointing to (eg https://anything-or-nothing.phew.co.nz/anything-or-nothing?blah=blah).
          • Look really carefully at the last bits before the dots end (in this case the phew.co.nz).  Is that somewhere it is safe to go?  Do you recognise that and really want to go there?
          • Look at whether the link starts with “https”.  If it is missing that “s” off the end, you probably don’t want to follow this link.
        • If you really think it is OK to follow the link DON’T CLICK IT.
          • Instead, right-click and select “copy link” (or similar).
          • Then open up a web browser like Chrome and paste the copied link into the address bar.
          • This will help reduce the risk of going somewhere different from what was written in the email body.
  11. Have offline backups for anything important that lives on your remote computer

    • If the worst happens, and you do get crypto-ransomed, will you have reliable, recent backups of data that only exists on your remote computer?
    • Reliable means they can be used in predictable events like this.  It therefore means they need to not be crypto-locked along with the rest of your computer.  And for that to be true you generally need your backup drive to not be permanently attached to the computer, and/or for it to have file version histories that are “immutable” (which means they can’t be changed or overwritten by crypto-ransomware).
    • It is possible to use better cloud backup solutions, which, if well configured, can write securely to cloud storage that contains version histories and is marked as immutable.  These solutions give the greatest flexibility if you need to access the backups from somewhere other than say your home.  They can however be complicated to configure properly and securely.
    • Otherwise, a properly configured external hard drive that is only used for backup purposes is a reasonable and cost-effective option.  It is important however that this hard drive is properly encrypted at the drive level, that you save the encryption key somewhere secure (eg in your password manager) and that the backups software is properly configured to allow secure storage and reliable recovery.
    • Finally, consider that:
      • Multiple backups are better than just one
      • Multiple backups should be kept in different locations, and ideally on different media (eg securely in the cloud, plus on an encrypted external hard drive)
      • Not having the master/only copy of essential business data on your remote computer is the best plan, if you can avoid that
  12. Consider keeping an eye on public service announcements like CERT NZ

    • CERT NZ is a central government service that provides information and alerting on cyber security related events.
    • A good place to focus is https://www.cert.govt.nz/individuals/alerts/.
    • You can also get email alerts via the “Subscribe to updates” link at the top of that page, or by following them on Twitter.

 

There’s quite a lot of think about there, and perhaps you have IT and/or security teams well primed for all of that.  But there might also be some things for you to consider, and speak up about, to make sure you are doing your bit to flatten both the Covid-19 curve, and the IT/security burden curve!

If you’d like to better understand any of this, or discuss the “how” for any of these items, please do contact us – we’re keen to help.