Cybersecurity in coronavirus times – fraudsters want to exploit it, let’s defend ourselves
Cybercriminals try even in normal times virtually everything to get access to our data, to infect our devices and to benefit from our vulnerabilities. Therefore it is doubtful whether there could be additional danger. At the same time now also those can be vulnerable, who were protected till now as they did not use remote connections and thus have no experience in protecting themselves.
Those who did not enable their staff to work from home or allowed remote connection only to privileged personnel, who in turn connected not with their own but with corporate devices, face new problems. Not everybody can be supplied with an employer-owned laptop, phone or tablet. The company has, however, no control over the private devices and the malware, the Trojan, the keylogger can already be installed before starting telework. Operating systems or office tools may not be legal on some, they may not be kept up to date – and thus well-known vulnerabilities may not be patched. These companies are not prepared to enforce certain security policies – which is technically already possible –, like password strength, forbidding users without passwords, limiting installation of applications, blocking opening of links directly etc., as a precondition of synchronising the service mailbox.
When endorsing the first remote connections, configuration of firewalls has to be changed and it is possible that “to be on the safe side” but actually endangering safety, the door is opened too wide.
When signing on from inside the office often password protection is sufficient, while from the outside, two-factor identification is necessary – the new challenge is to determine how to configure it, to decide which version (sms, token, smartphone app – all raise new questions) to use and how to ensure that it is indeed safe. Another possibility is to limit access to a certain range of IP addresses – while the IP address of a cable connection only changes when something else (switching the modem off, network disconnect) also changes, in the case of a DSL connection the user gets a new IP address at every connection. Access can nevertheless also be limited to the MAC address of the devices registered by the user.
This is important because, as we could see some years ago no a “Hacktivity” conference, by taking over, hacking one, not even privileged, single workstation, the intruder can get through even a “white list” firewall, override correctly configured access limitations and take over the server and even change access of other users.
That’s why it is important to secure sufficiently remote access even if it is urgent, however inconvenient this is. In the interest of teleworking the employee has to renounce certain liberties (rather libertinisms) – even maybe the possibility for his youngsters to use the family computer without limits –, at least temporarily. If the family has one computer, all users have to observe the security rules – if different members use it for work, the strictest ones. If the telework access is temporary, we have to take care also to stop access rights when we release these limitations.
Suddenly increased data flows can cause problems also where connections and accesses were correctly monitored.
Capacity of the IT area may even decrease due to the epidemic and this unchanged or in the worst case decreased capacity will have to monitor a data traffic which is maybe bigger by a magnitude. And among the increased “noise” an illegal access will slip through easier.
After having done everything, we still cannot accommodate ourselves with a false sense of security. Two factor identification, for example, also has its risks. Recently a new hacking method started on WhatsApp: we received a message from one of our contacts asking us to send over a six digit code received via sms stating that he lost control over his phone and therefore had the code sent to us (the argument is imaginary as I was not concerned and thus don’t know what exactly the message contained). The first risk: every user of Whatsapp whose phone number is in our address book, is our contact on WhatsApp. The real trap: the six digit code we receive (the message indicates it more or less but not everybody reads the message attentively) is nothing else but the code needed to change the password of our account which, when sent, enables the attacker (who could have hacked the account of our contact or is someone we hardly know) to take over also our account.
Using private e-mail or chat accounts to exchange official information is usually not recommended. Nevertheless, in the extraordinary situation we may have to use tools which are not available for our employer (group exchanges, videoconferencing – “Skype” – already platforms have come forward to help users to cope with demand, such as Microsoft, Google and Zoom. In this case it is advisable to consider which tools are more secure (if you want to look into Zoom, for instance, you can do it here and here.). It is also advisable not to use the existing private accounts but to create new ones for this purpose.
Since the outbreak of the virus epidemics e-mail spoofing and phishing attacks have multiplied, asking access data (passwords) with the pretext of protection and registration, ask us to open links and files promising various news and information, which can infect our devices. Workers have to be prepared not to fall for all these tricks also. It has to be emphasised that their employer never asks them registration, sign on or access data vie e-mail or through any other page beyond the normal sign on (and of course they have to know how to identify the real and a fake page). If there is nevertheless something needed, this should be requested accordingly through official channels enabling a second channel to confirm that the request is real. Obviously, passwords cannot be requested to be disclosed, thus, if there is a need to access a functional mailbox (not linked to a person and often accessible by several persons like a mailbox of a team or for handling of specific requests), this has to be solved differently. The advantage of a formal process is also that the measure is being recorded and it can be followed who requested access and why.
There are a million things left to say but the above already show that the more telework is new for a company, the more it is worth to go through all the risks and solution possibilities in order that the new working methods should not cause problems but also to be able to benefit from the advantages of the new approach and working method – maybe not just now but also in the future.
László S. Szabó, Szabó Consulting
Cover photo: Getty Images
