Remote work is seemingly here to stay, with many workers forgoing their commute to work for a nice stroll to their in-home office. The WFH movement provides great flexibility but comes with even greater challenges for cybersecurity.

 

A 200% increase in cyberattacks has been witnessed following the remote working surge, leading to a greater emergency than most experts expected. Prying eyes understand the immense vulnerability working from home represents as we log into unprotected Wifi networks, access servers away from the safety net of the office, and even take our private data with us on the go. This ability for greater work flexibility works to expand and increase the attack surface for cybercriminals, enabling easier access to potential private data through a multitude of unprotected endpoints. Gartner called this expanded attack surface and increase in public cloud use, a major threat in 2022.

 

Remote Work's Impact

Remote work can dramatically increase the potential attack surface and according to Gartner, “These changes in the way we work, together with greater use of public cloud, highly connected supply chains and use of cyber-physical systems," Gartner warned, "have exposed new and challenging attack 'surfaces.'“

 

Working from home increases the use of new technology which may not be detected or equipped with proper security solutions. Many workers now rely on their emails for primary communication, resulting in private information potentially being sent via mobile devices, unsanctioned laptops, etc. Moving this equipment away from the in-office defense can leave unsuspecting users helpless in the event of a cyberattack.

 

"Those had been protecting the castle, but now, people aren't working inside the castle," said Ed Skoudis, president of SANS Technology Institute. "They're out in the field, so those defenses don't protect them there. We've been saying for years that the network perimeters we built were dissolving because of things like wireless and cloud, but then, COVID came and blew it all up."

 

Cybercriminals understand the increased opportunity for hacking that WFH brings, as many users are under the impression it won’t or can’t happen to them, even though they had been under an umbrella of security protocols, firewalls, and other solutions to block attacks and thwart criminals for years while in-office.

 

Most Common WFH Risks

 

1. Expanded attack surfaces

Security teams are already stretched incredibly thin these days, and the expanded attack surface of remote work can make it impossible to secure each endpoint.

 

2. Less oversight

Workers are more in the dark than ever before when it comes to remote work, as they don’t have security teams or experts on their home network, to keep an eye on anything suspicious.

 

3. Poor data practices

Sending unencrypted emails containing sensitive files can be a recipe for disaster and most remote workers aren’t thinking about this layer of protection when they are downloading or sharing private data.

 

4. Phishing attacks

Phishing continues to see stratospheric growth as sophisticated threat actors become more creative with their attempts at garnering link clicks. Remote workers rely heavily on their emails potentially increasing the likelihood of accidentally clicking on a phishing email disguised as a pertinent request from your boss, for example.

 

5. Unprotected Networks

The use of unprotected networks for work purposes can be a costly mistake, as unprotected networks, to a skilled threat actor, can be like putting all of your information out for the world to see. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighted the risk of nation-states attacking home routers in 2022, proving that some attacks may very well be out of your control if you do not possess the technical know-how. VPNs are critical, especially if you choose to use public wifi.

 

6. Cloud misconfigurations

As we all know, the cloud is an essential component to our lives and especially remote work, but still does not go without challenges. Misconfigurations present massive liability on the grounds of failed access controls and accidental provision of too much access to certain users. The “2022 Cloud Security Report” highlighted more than one-fourth of all security professionals experienced cloud security incidents within the past year.

 

7. Webcam hacking 

At one point, the odds are you have used Zoom or Microsoft Teams for a video conference, interview, chat with friends, etc. but even these platforms can be hacked. Cybercriminals have reportedly sabotaged and disrupted online video chats, some even undetected enough to crawl around, stealing data and corporate emails for future use.

 

First-Line Defense

 

1. Keep Your Devices Updated

Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browsers, and operating systems up to date.

 

2. Use an Antivirus

Antivirus software acts a shield for your computer against incoming threats such as viruses, ransomware, spyware, and other malware.

 

3. Separate Work and Personal Devices

The more devices containing private, company specific information, leads to greater vulnerabilities and gaps in protection.  Limit your personal devices for just as it sounds, your personal life. It may be tempting to take work "on-the-go" but refrain from this mentality when you can.

 

4. Enable Multi-Factor Authentication

No matter how strong your password is, a breach is always possible. Make it harder for cybercriminals to access your account by enabling multi-factor authentication which adds another step for access.

 

Adding MFA to an account greatly increases your security. It may include:

• A code emailed or texted to an account
• A biometric identifier like a fingerprint
• A unique number, yes or no prompt, generated by an authenticator app

 

Closing Thoughts

Working from home has been a life-saver for countless individuals across the country, but understanding the risks that lie beneath the surface could be the difference between you becoming a victim of cybercrime.  Your organization retains a great deal of responsibility for providing adequate training and implementing security protocols across all sanctioned equipment and servers, but the weakest link can break the chain.  Be vigilant and be smart.

What is Phishing?

Phishing is a type of online fraud which aims to steal personal and financial information by impersonating reputable companies.

Phishing can be done through email, websites, and social media. One of the most common ways phishers try to get your information is by sending you an email from a company you do business with or from someone you know.

The email may ask for your account number or other personal information. It might even say that there's a problem with your account and that you need to update your personal information immediately.

How to Spot a Phish

The best way to spot a phish is by looking for red flags such as typos, spammy subject lines, poor grammar and spelling mistakes. If you are unsure about something, it is always best to contact the company directly via phone or email rather than click on any links provided.

How to Protect Yourself from Phishing Attacks

Phishing scams are becoming more sophisticated and harder to spot every day. It’s not always easy to tell if an email is legitimate or not, which is why it’s important for everyone to know how to protect themselves against these attacks.

The first thing you should do when you get an email from your bank, credit card company or any other service provider is to make sure it’s actually them by looking at the sender’s address in your inbox. A phishing email will often have the name of a well-known company such as “Bank of America,” but the sender's address may be “[email protected]” or “BbccoDc3H6sLfI8MCJpAAABXyh43. A golden rule is to simply use common sense, and truly think of the motive behind the email. It’s better to be speculative than to be gullible.

The Current State of Phishing

Cybercriminals are becoming more skilled and cunning with phishing methods every year, while using tried-and-true strategies to trick their victims and steal from them. The COVID-19 epidemic allowed hackers to increase the frequency in which fraudulent emails were distributed as part of cyberattacks, according to data from Verizon.  As our world shifted predominately online, phishing attempts rose drastically as many of us rely on email to communicate within the online work place.

It might be challenging to discern a phishing attempt from a legitimate email, sms, or information request since phishing attempts can take many various forms. As a result, phishing simulations are a great approach to gauge user knowledge and raise phishing awareness across the board in your business.

Examples of Different Types of Phishing Attacks

Phishing has developed over the years to become increasingly complex, alluring, and difficult to detect. This means there is not a one-size-fits-all approach to identifying spam.

Phishing Email

The annual list of catastrophic data breaches in the globe still includes a sizable percentage of phishing emails. Phishing emails are made to look like they are from a reputable source, such as PayPal, a bank, Amazon customer service, or another well-known company. Cybercriminals conceal their presence in minute details like an email link or the URL of the sender.

Spear Phishing

The information that a cybercriminal has previously gathered about the victim or the victim's company is the foundation of this more focused phishing email assault. Spear phishing emails frequently utilize urgent and well-known language to persuade its victims to take rapid action.

Link Manipulation

This assault uses carefully crafted phishing emails and contains a link to a well-known website. This link directs users to a fake version of the well-known website that is made to resemble the genuine one and requests that they confirm or change their account credentials.

Fake Websites

Phishing emails are sent by online criminals that contain links to bogus webpages, such as the registration login screen for a well-known mail provider, and urge the target to input their login details or other details into the false website's interface. In order to fool consumers, malicious websites frequently employ a small alteration to a well-known URL, such as using mail.update.gmail.com rather than mail.gmail.com.

CEO Fraud

An email address that the victim is acquainted with, such as the CEO's, the HR manager's, or the IT support department's, is used in this illustration of a phishing assault. The email begs the recipient to take immediate action and provide money, change employee information, or download a new program on their computer.

Content Injection

A cunning cybercriminal will hack a well-known website and add a phony authentication server or pop-up that drives users to a false website.

Session Hijacking

With the help of this sophisticated phishing operation, thieves are able to enter a firm's web server and steal the sensitive data that is kept there.

Malware

Clicking an unsolicited email is all it requires to download dangerous malware on a PC or corporate network. These files may even be presented as humorous cat videos, Ebooks, or animated images while still appearing to be legitimate.

OpenSSL originally warned this patch would fix a critical vulnerability impacting all OpenSSL 3.0 installations.

OpenSSL has released a patch fixing the headline-making vulnerability it first announced on October 27th, 2022.  

(more…)

The open-source cryptographic library is an industry-standard found in an enormous range of applications.

In late October, the OpenSSL Project announced it would release a patch for a critical security vulnerability on November 1st, 2022. The organization did not share any details about the vulnerability itself, other than the fact that it impacts all OpenSSL versions 3.0 and above.  

(more…)