WFH Cybersecurity: 12 crucial sensors for cyber safety
July 29, 2020
Cyber Security | WFH Cybersecurity
WFH cybersecurity has been thrust into the limelight ever since the COVID-19 era arrived and rapidly ushered many office-dwelling workers into the nooks and crannies of their homes for the bulk of their workday. But while you are staying safe from COVID-19, don't forget to also stay safe on the cybersecurity front.
On this topic of WFH cybersecurity, we're frequently asked what types of sensors work well in combination to lead to a secure cyber perimeter. Although we've mentioned many sensors in various blog articles on this site, it occurred to us that we had not organized them into a consolidated location for your reading enjoyment. So, without further ado, here are our thoughts on the sensors that you should look to first, when raising your WFH cybersecurity strength.
Key WFH Cybersecurity Sensors
Data Breach Monitoring
Work from home has heightened the importance of data breach monitoring in a historic way. Imagine you have an employee who is half-monitoring some work topic while preparing dinner, but also keeping an eye on their personal social media accounts. Do you think they have two laptops open -- one for work and one for personal? We don't.
The line between a computer used for work and a computer used for personal, has blurred in transformative ways over the past few months. A mistake that we're seeing more and more often is when an employee accidentally (or possibly, naively) uses their work email address to set up a personal account of some nature. It could be a social media account, an account on the website of some eCommerce vendor that they are purchasing from, or something else. It's usually not intentional, but it's happening a whole lot more, ever since we lost the subconscious cue of knowing that the work laptop is for work use, and the home computer is for personal use.
When an employee accidentally uses their work email address as the username on some personal-use website, what are the odds that they also used their work password as the password for that personal-use website? We're working on some statistics on that (more in a future article), and you won't like what the data shows.
Tying it all together: if a personal-use website gets breached, and that site happens to have one of your employees email address and password pair, it could be "game over" as far as maintaining your company's cyber perimeter. We don't want that to happen. That's why we monitor breach databases for disclosures of any email or email/password pairs that include users from your domain name. WFH cybersecurity has brought this vulnerability into focus as hackers stage their attacks.
System & Service CVEs Monitoring
You heard about the Windows 10 worm, right? If you didn't, here's a Threat Primer on Worms, and CVE-2020-0796 discussing the recent Windows 10 worm. It's bad -- really bad. A remote code execution vulnerability is one where an attacker can run a program of their choice on your Windows 10 device. From anywhere in the world. And the program they choose to run, will invariably be designed to ruin your day (or your year). And, bad news: your home network is probably going to do a whole lot less to protect you from that particular type of exploit, than your work network might have.
When a CVE is issued for some piece of software you use, you need to know about it. The hacking community monitors CVEs rigorously. Even the most novice hacker can read a new CVE, search the dark web for a ready-made exploit, and begin creating trouble for unsuspecting victims. We feel incredibly strongly that you need to be alerted about CVEs that are pertinent to the software that your business relies on. Think about it as a 101 level task to secure your cyber perimeter.
Accelerating Bad Actor TTPs
In the cybersecurity community, TTP means Tactics, Techniques, and Procedures. Over the past several months, hackers have found weakness induced by the fact that we're no longer all sitting in offices where we can physically see each other. And they've developed (or emphasized) tactics, techniques, and procedures that take advantage of that behavior change.
Let's get really specific. There is a growing trend of phishing campaigns that are based on the premise of the boss dropping an employee an email asking for a handful of gift cards to be purchased as gifts certain deserving clients or partners. The ploy continues on by mentioning that due to a crucial meeting, the boss can't be interrupted to discuss the matter further, and furthermore needs help completing the task right away. Sound familiar? This attack has occurred many thousands of times this year.
Guess what. In the office, pre-COVID, this attack was only marginally effective against small businesses. Why? Because sometimes the recipient could plainly see that the boss was standing in front of the coffee machine, or making smalltalk with some visiting guest, or walking around saying "hello" to colleagues. Busted. The boss didn't really ask for gift cards five seconds ago, because the boss is 10 feet away filling up a mug of coffee. And so, the threat is averted.
Play back that same script while visualizing a relatively junior employee working at home, alone, remotely. The boss isn't 10 feet away. And, "the boss" supposedly needs those gift cards, and needs them now. My guess is that the gift cards get purchased (and that, in the exclamation point that occurs in this attack, they get conveyed to the attacker).
Your team needs education on the latest TTPs (Tactics, Techniques, and Procedures) so that they know a suspicious attack when they see one.
Darkweb Mention Monitoring
It would be really, really helpful if you knew about a hack attempt before it happened. If hackers were discussing a particular type of attack on a particular list of domain names, and your domain name was one of the targets, you'd want to know. Don't laugh, I know it sounds outlandish, but this is real and getting more commonplace every year.
Imagine that there is a particular wordpress plugin that is now known to have a defect. And, that hackers have accumulated a list of the ~1,300 websites that have that vulnerable plugin installed. And, that an attack is being planned.
You need to know that. And you need to know that before the attack occurs. The mitigation might be very simple, but the timing of knowing in advance is what matters.
Hackers know that one of the weaknesses in WFH cybersecurity make this attack much more viable. Specifically, when there is some system or software that requires manual patching / maintenance, they know that many companies haven't finely tuned a way to make sure that doesn't fall through the cracks. When the small (and stressed) group of people that maintain the company's systems are suddenly geographically spread out, it's more likely than ever that a non-automatic patch effort gets remembered and completed. When those types of things fall through the cracks, your company becomes part of a target-rich environment for hackers.
Look-a-Like Domain Registrations
Would your average client notice if they received an email "from you" and the domain name had been made plural, or an "l" was replaced with an "i", or an additional "." or "-" was somewhere in the domain name? It's tough to say.
We believe that 2020 will be the biggest year for phishing, ever. There are at least 60,286 known phishing sites currently. And, they prey on the fact that the dramatic change in work styles this year have led us (on average) to be a little more stressed, and maybe a little less detail-oriented than we would have been in the comforts of our longstanding office workspace.
Now is the right time to proactively purchase look-a-like domain names to keep them away from hackers. If one gets registered that you haven't proactively purchased, you need to know. Right away. So that you can alert your clients, partners, and employees to be on alert that any emails originating from that particular domain name are invalid. Maybe they should be blocked via G Suite, O365, or other infrastructure, too.
The most common timeframe for spear phishing attacks relying on look-a-like domain name deception is within a few days of the look-a-like domain name being registered. So, time is of the essence in alerting your stakeholders to beware of fraudulent emails.
Endpoint Virus & Malware Protection
If your home is like many in this time of great complexity, there is a dramatically increased chance that your work computer is also being used for some personal websites, applications, or workflows. That additional multitasking may not be avoidable, but the risk can be managed. With good virus and malware protection installed, it'll be dramatically easier to stem the risk that some personal task/download/application brings aboard virus or malware software.
It's especially helpful (we highly recommend this) to have every computer in the company running the same type of virus/malware protection. Doing it this way prevents the chaos of wondering (and worrying) about which anti-virus software came pre-installed on which laptop. Because you can bet that some of the pre-installed anti-virus programs have fallen out-of-date or hit the end of their trial period. That's a risk that is not worth taking.
Website Vulnerability Scans
We'll keep this section brief. We all know that our domains need recurring website vulnerability scans. That statement is not controversial, and hasn't been controversial for a long time. But, with the crazy times that are upon us, it's important that there be a scheduled, recurring website vulnerability scan. One that doesn't have to be kicked off manually. One that can't be forgotten, because there is nothing to "forget". One that happens automatically without any need to remember to start it. Welcome to the WFH cybersecurity era where we need things done for us more automatically than ever before, because the stakes are too high to rely on a calendar item that reminds us to kick off a vulnerability scan "today".
SSL Certificate Issuance Monitoring
Wouldn't it be great to know the moment that a hacker succeeds at deviously setting up a fraudulent SSL certificate that claims to be from/for one of your domain names? Having a sensor to detect SSL certificate issuance for your domain names, and running (not walking) for help when an issuance occurs that you know not to be legitimate, is a likely way to save yourself from a tremendous amount of trouble that could occur.
In a work-from-home environment, setting up your full technology team to be notified when an SSL certificate issuance is detected, is your best path to spurring immediate conversation each time. 99%+ of the time, that conversation will end with "sorry, I forgot to mention to you all that I needed to renew the SSL cert for our domain today". But, let's be conscious that there is a different conversation variant... It goes like this: "Was that you?" followed by "It wasn't me", and then "It wasn't me either."
When all of the staff members that have business reasons to be working with SSL issuances get notified simultaneously of issuances, the conversation gets a jumpstart. And if the issuance is fraudulent, that jumpstart can make all the difference.
Weak Password Tester
An increasingly important sensor is a weak password tester. If you look at breach databases (we do, a LOT) you'll notice that even in the face of password complexity requirements, people have been incredibly inventive at finding ways to use very insecure passwords, that skate just on the "acceptable" line of a typical password complexity policy.
What does a good sensor do? It tries to log in to your site, using likely usernames and a large database of common weak and default user/pass combos. If the sensor gets in, you know you've got a problem. With any luck, you know before the hackers do. And get alerted in an unmissable way that makes it easy for a geographically distributed WFH cybersecurity team to take corrective, coordinated action.
CIS Compliance Framework Coverage
Geek out with us for just a moment here. Ever heard of the CIS Controls? They map to the NIST Cybersecurity Framework. And they are the result of a tremendous amount of work by many lifelong cybersecurity professionals, who think rigorously the types of attack threat vectors. One thing you want for yourself and your team -- as different types of threat vectors arise -- is to know that there is a recurring effort to revisit the CIS Controls and evaluate your company's cybersecurity posture against that framework. And flag newly emerging threat vectors, and handle them before they become a problem. It's work that needs to be done, and the CIS framework helps us think rigorously, so that we don't overlook an important threat vector that needs addressing. Unlike the many of the other sensors that we've discussed in this article, this one requires humans on the backend (like the team at Havoc Shield), to keep checking back with the CIS framework to reflect on emerging trends and address them in your cybersecurity posture.
Mail Armor Diagnostics
The "poor Dave" attacks are increasing. Heard of that? Imagine "Dave" (no offense intended, if the reader happens to be named "Dave"). Dave is an employee that has some level of valuable/important access to corporate resources, but is a little less technology savvy than the average employee. When Dave receives a phishing email that others might consider extremely suspicious and move immediately to their Trash folder, Dave takes a different course of action. He looks a little closer, just for a few seconds, and then makes his own conclusion about the legitimacy of the email. Sometimes Dave's conclusion is right, sometimes it's wrong.
The challenge? When the company wasn't in WFH mode, Dave sat right next to Sally. And Sally was tech-savvy. When Dave leaned over to show Sally a suspicious email, Sally could help him make better decisions. But now Sally is working from home, just like Dave is, and is an email or call away. So, Dave makes more decisions on his own without bothering Sally. And WFH cybersecurity suffers.
WFH has increased the effectiveness of phishing attacks on unsuspecting (especially less technologically savvy) victims. And a Mail Armor sensor is a way to regain the edge against phishing, giving Dave the second opinion that he needs -- quickly and efficiently.
Endpoint Malicious Traffic DNS Filtering
Let's go back to thinking about the 60,286 known phishing websites (and there are doubtless many more that we are unable to count in that tally). When a phishing website gets discovered, there are some very actionable ways to stay safe. One of the best, is to configure our endpoint security in a way that forbids network access to the known-dangerous website. And that's exactly what DNS Filtering is all about: it's about the virtuous loop of discovering problematic websites and disallowing network traffic to them. Having a DNS Filtering sensor that stands guard, prevents a wide range of attacks.
In the old (remember, before COVID?) world where a savvy IT person configured your office's network infrastructure, DNS filtering may have been handled centrally, through one of the many sophisticated pieces of equipment in your company's telecom closet.
But now, when we are each at home -- browsing the web through our various home wi-fi routers -- we need DNS filtering on the endpoint (translation: on your laptop). It's a sensor that can keep you just as safe at home, as you were in the office.
The sensors that we've described in this post are important to your company's ability to remain safe from cyberattacks. These particular sensors are especially relevant in the context of WFH cybersecurity, where much has changed in our daily workflows -- both by tradition and by policy. However, implementing these sensors doesn't need to be intimidating -- we specialize in helping companies bring these sensors to life, and sleep better knowing that they've followed industry-leading practices to create a secure cyber perimeter. Ready to get started? Try our Rapid Threat Test, and let's talk about the results.