EBOOK WORK AT HOME - SentinelOne

EBOOK WORK AT HOME ENTERPRISE SECURITY GUIDEBOOK


CONTENTS

Introduction

Best Practices For Employees Working From Home
    Physical Security of Company Devices
    Access To Company Networks
    Authorizing Financial Transactions
    Susceptibility to Phishing Campaigns
    Protecting Endpoints From Malware

Defending Against the Psychology of Fear, Uncertainty and Doubt
    Using Fear to Aid and Abet Fraud
    Exploiting Human Vulnerabilities
    Nobody is Immune To Social Engineering
    Fear Doesn’t Work on Machines

5 Things CISOs Need To Do To Endure During COVID-19
    Security Awareness and Training
    Patch, Update And Maintain Open Communication Channels
    Enforce Policies | USB, Installation Of Unauthorized Software
    Life Goes On | Onboarding And Termination
    Prepare For The Long Haul, Security Team

Conclusion


INTRODUCTION

In a matter of just a few weeks, businesses around the world have begun to engage in the largest exercise in organizational change ever conducted, and at a pace that, like the Coronavirus pandemic that precipitated it, is entirely unprecedented. There are no textbooks, use cases or research studies on how to conduct such a rapid and fundamental transformation successfully. In providing the infrastructure and support for large-scale teleworking, organizations need to prepare themselves and their employees for the increased cyber security risks such a shift can bring. In this eBook, we outline some of the challenges and best practices for staff suddenly faced with a transition from office-based work to remote work.


BEST PRACTICES FOR EMPLOYEES WORKING FROM HOME

Physical Security of Company Devices

First of all, it’s important to note that just because employees won’t be working from the office doesn’t mean they won’t travel or work in public places. When doing so, employees are exposing themselves to a greater risk of losing their laptops and all the data that resides locally.

Do – Ensure all devices that support it use full disk encryption. If a machine is lost, the data on the device should not be accessible to thieves. Keep in mind that full disk encryption protects data at rest: once the device has booted and a user has signed in, the lock screen and the account password are what stand between a thief and the data, which is why the points below matter just as much.

Do – Implement robust password management for laptop access. All accounts on the device should require unique login credentials, and where practical user accounts should be restricted to non-Admin privileges.

Do – Remind employees to lock or log out whenever the system is not in use, even at home. Screensavers should also require a password. Encourage employees to remember and use handy keyboard shortcuts like Win-L (Windows) and Ctrl-Cmd-Q (Mac) to quickly lock the screen whenever they step away from the computer.

Do – Remind staff of the necessity of basic security practices, such as ensuring that they don’t leave company property unattended in public places. Remind your employees not to be that Starbucks customer who goes to the counter for a refill while leaving an open laptop on the table. When working on the laptop in a public place, staff always need to be aware of those around them.


Access to Company Networks

When accessing corporate networks remotely, there is a higher risk of unauthorized access and data leakage. Employees may engage in behavior they never would at the office, such as sharing a device with other family members or using the same device for both personal and work activities. In addition, the use of home ISPs and public Wi-Fi services presents an attack surface that is outside of your IT or security team’s control.

Do – Use a VPN to connect remote workers to enterprise networks and servers. A virtual private network provides a connection that behaves as if the remote device were plugged into the organization’s LAN. The encrypted tunnel cannot be read by the user’s home ISP or by whoever runs the coffee-shop Wi-Fi, and it prevents ‘man-in-the-middle’ tampering with traffic between the device and the corporate gateway. It does not, however, make a compromised device safe; see Protecting Endpoints from Malware below.

Do – Implement a 2FA or MFA mechanism for logging in to the company network. Time-based one-time code generators like Google Authenticator and Microsoft Authenticator should be used wherever possible to reduce the risk of compromise through credential theft or phishing. Note that a one-time code can still be captured and relayed in real time by a phishing page that proxies the genuine login, so it is a mitigation, not a cure; where the option exists, phishing-resistant authenticators (FIDO2/WebAuthn security keys) close that gap, and SMS codes should be the fallback of last resort.

Do – Remind staff that a laptop used at home is still company property and should only be used by authorized personnel for company business. Any non-work related activity should be conducted on the employee’s own devices.

Authorizing Financial Transactions

The biggest financial losses due to cyber crime occur through Business Email Compromise (BEC/EAC), where attackers take over or spoof the account of a senior manager or executive, and use that account to instruct another member of staff via email to make a wire transfer to an overseas account, usually on the pretext of paying a phoney invoice. An increased number of staff working remotely presents an opportunity for BEC fraud, as the whole scam relies on communications that are never confirmed in person.

Do – Restrict the number of people authorized to conduct new, overseas wire transfers, and ensure that all new requests, and any change to a supplier’s bank details, are subject to secondary confirmation by a second person.

Do – Make use of teleconferencing technology (Skype, Zoom, and similar), or a call back to a phone number already on file, to confirm that a request for a financial transaction actually comes from a legitimate, senior member of staff. The confirmation must travel over a channel other than the email thread that carried the request, since replying to that thread only reaches the attacker.
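An added example, not part of the eBook: the BEC indicators described above, checked mechanically against a message’s headers and text. The company domain, the executive directory, the homoglyph table, the edit-distance threshold and the two sample messages are all constructed for the example. The point is that an executive’s name on a wrong or look-alike domain, a Reply-To that diverts answers elsewhere, and wire-transfer language appearing together is the shape of a BEC attempt. A check like this complements the out-of-band confirmation described above; it does not replace it.

```python
import email
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-corp.com"                       # assumption for the example
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumption: display name -> address on file
MONEY_WORDS = ("wire", "transfer", "invoice", "payment", "urgent", "confidential")


def _fold_homoglyphs(domain: str) -> str:
    """Undo the character swaps used to register look-alike domains (rn->m, 1->l, 0->o ...)."""
    folded = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")):
        folded = folded.replace(bad, good)
    return folded


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """Not our domain, but within two edits of it once homoglyphs are folded (threshold is an assumption)."""
    if domain.lower() == legit:
        return False
    return _edit_distance(_fold_homoglyphs(domain), _fold_homoglyphs(legit)) <= 2


def bec_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the indicators fired."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. An executive's name in the display name, but not the address we hold for them.
    name_key = display.lower().split(",")[0].strip()
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display name '{display}' matches an executive but address is {addr}")

    # 2. Sender domain is a look-alike of ours.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a look-alike of {COMPANY_DOMAIN}")

    # 3. Reply-To quietly routes the conversation to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")

    # 4. Wire-transfer / invoice / urgency language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in MONEY_WORDS if w in text]
    if hits:
        findings.append("financial-request language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the example (not real mail).
SAMPLE_BEC = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example-corp.com
Subject: URGENT wire transfer for new vendor invoice

Please process a transfer today and keep this confidential.
"""

SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Board deck

Attached as discussed.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_BEC):
        print("!", finding)
```

Exact-domain spoofing (the attacker putting jane.doe@example-corp.com in From) is the job of SPF, DKIM and a DMARC reject policy on your own domain; look-alike and free-mail domains are outside DMARC’s reach, which is why a check like this and the human confirmation step are still needed.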


Susceptibility to Phishing Campaigns

Phishing campaigns are a threat for all employees whether they are based in-house or remote, but for workers who are unused to working ‘home alone’ and are now dealing with an increase in email and other text-based communications, it can be easier for them to lose perspective on what is genuine and what is a scam. In particular, with a rise in malspam playing exactly on fears of Coronavirus from the “usual suspects” like Emotet and TrickBot, remote workers need to be extra-vigilant.

Do – Train staff to habitually inspect links before clicking by hovering over them with the pointer to see the actual URL destination.
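An added example, not code from the eBook: the “hover to see the real destination” habit, done mechanically over an HTML mail body so a gateway or a user-reporting tool can apply it before anyone hovers. It reports anchors whose visible text names one host while the href points at another, hosts that are raw IP addresses or punycode, and URLs that hide the real host behind credentials before an ‘@’. The HTML body and all hostnames in it are constructed for the example, and the “same site” reduction to the last two labels is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Visible anchor text that itself looks like a URL or a bare hostname.
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Crude 'same site' reduction to the last two labels (simplification; see lead-in)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html: str) -> List[Tuple[str, str]]:
    """Return (href, reason) for every anchor a user should not click without checking."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if not host:
            continue  # mailto:, relative links and fragments are out of scope here
        if parts.username is not None:
            findings.append((href, "credentials before '@' hide the real host"))
        if host.startswith("xn--") or ".xn--" in host:
            findings.append((href, "punycode (IDN) host can spoof a familiar name"))
        try:
            ipaddress.ip_address(host)
            findings.append((href, "raw IP address instead of a hostname"))
        except ValueError:
            pass
        shown = HOST_LIKE.match(text)
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append((href, f"visible text says {shown.group(1)} but link goes to {host}"))
    return findings


# Constructed sample body for the example; every host below is made up.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://portal.example-corp.com.evil.example/login">https://portal.example-corp.com/login</a>
<a href="http://198.51.100.7/update">Click here to update</a>
<a href="https://example-corp.com@evil.example/">example-corp.com</a>
<a href="https://xn--80ak6aa92e.com/">Intranet</a>
<a href="https://portal.example-corp.com/login">https://portal.example-corp.com/login</a>
<a href="mailto:it@example-corp.com">IT helpdesk</a>
"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_HTML):
        print(f"{why}: {href}")
```

The first sample link is the one that defeats a casual hover: the destination really does begin with the company’s hostname, and only the labels after it give the game away. That is why the comparison is made on the registrable part of the host rather than on whether the text appears somewhere in the URL.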

Do – Train staff to deny requests to enable macros when opening email attachments. Ideally, use an advanced EPP/EDR security solution that can enforce a policy to prevent macro execution or block malicious content if it is executed by the user. CDR (Content Disarm and Reconstruction) software can also help protect against exploits and weaponized content in emails and other external sources.
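An added example, not the eBook’s or SentinelOne’s code: a mail-gateway style pre-check that identifies Office attachments capable of carrying VBA macros before a user is ever shown the “Enable Content” prompt. OOXML files (.docx, .xlsm and friends) are zip containers; a macro-enabled document carries a vbaProject.bin part and declares a macroEnabled content type, so the check inspects the content rather than trusting the attacker-chosen extension (a .docm renamed to .docx still contains the part). Legacy binary .doc/.xls files are OLE containers this check does not parse, so they are reported as unverifiable. The sample documents are built in memory and are not real Word files, and the blocking policy in `should_block` is an assumption for the example.

```python
import io
import zipfile
from typing import Dict, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML and every other zip
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppsm", ".potm"}


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'other' from content alone."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # may hold VBA; an OLE parser (e.g. oletools) is needed to know
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "other"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    declares_macro = "macroenabled" in content_types.lower()
    return "ooxml-macro" if (has_vba_part or declares_macro) else "ooxml-clean"


def should_block(filename: str, data: bytes) -> Tuple[bool, str]:
    """Example policy (assumption): block macro-enabled OOXML and legacy OLE from outside.
    The extension is consulted last because the sender controls it."""
    kind = classify_attachment(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "ooxml-macro":
        return True, f"{filename}: macro-enabled Office document (content says so; extension was {ext or 'none'})"
    if kind == "legacy-ole":
        return True, f"{filename}: legacy binary Office format, cannot verify it is macro-free"
    if ext in MACRO_EXTENSIONS:
        return True, f"{filename}: macro-enabled extension"
    return False, f"{filename}: no macro indicators"


def _make_ooxml(parts: Dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-like zip for the example (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a clean document, a macro-enabled one, and a legacy OLE header.
CLEAN_DOCX = _make_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _make_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00constructed placeholder, not real VBA\x00",
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in (("report.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCM), ("q1.xls", LEGACY_DOC)):
        print(should_block(name, blob))
```

The enforcement the section asks for lives on the endpoint, not at the gateway: Office’s Group Policy setting “Block macros from running in Office files from the Internet” (under each application’s Trust Center settings) stops macros in downloaded and emailed documents regardless of what the user clicks, and relies on the Mark-of-the-Web that mail clients and browsers attach to saved files. A gateway check like this one is defense in depth in front of that policy and in front of the EPP/EDR agent.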

Protecting Endpoints from Malware

Unlike the desktop computers in your office, which likely never connect to any network other than the company intranet, portable devices like laptops and smartphones used by remote workers can have a history of network promiscuity. If such devices are unprotected, you never really know where they have been, what they have been connected to, what peripheral devices have been plugged into them or what processes they are running. All the measures mentioned above won’t prevent a network breach if a user with an infected device logs on to the corporate network.

Do – Protect all your endpoints with a trusted, next-gen security solution that acts locally on the device itself and does not require cloud connectivity.

Do – Protect your endpoints by enforcing device control that gives you the capability to manage the use of USB and other peripheral devices across all your endpoints.

Do – Ensure you have visibility across your entire network so that you can detect unprotected devices and receive notifications of anomalous behavior.


DEFENDING AGAINST THE PSYCHOLOGY OF FEAR, UNCERTAINTY AND DOUBT

Earthquakes. Floods. Tsunamis. Wildfires. Landslides. Hurricanes. Tornadoes. SARS, H1N1 (swine flu). MERS. Ebola. HIV/AIDS. Zika. And now COVID-19, also known in the media as the coronavirus.

Natural disasters and epidemics have much in common, including the tragic loss of human life. But there is a darker and more sinister connection: the use of this same human tragedy by bad actors to spread malware, launch phishing and spear-phishing campaigns, and commit fraud by exploiting emotion. Such is the case for the coronavirus, also known as COVID-19.

The World Health Organization (WHO) has continued to warn against the use of the coronavirus emergency to send phishing emails that contain malware.

Using Fear to Aid and Abet Fraud

The bad actors don’t limit themselves to malware. The US Food and Drug Administration is also warning consumers about fraudulent products that “claim to prevent, treat, mitigate, diagnose or cure coronavirus disease 2019 (COVID-19).” It’s a full-court press when it comes to fraud.

In December of 2019, SentinelLabs released a groundbreaking report about the relationship between the cybercrime group TrickBot and North Korea, a recognized Advanced Persistent Threat (APT) actor. TrickBot’s capabilities are magnified when psychology is effectively deployed against email recipients.


Recently, SentinelLabs identified a malicious campaign that uses a coronavirus healthcare notification from Canadian authorities to distribute malware aimed at financial institutions.

Johns Hopkins University’s Center for Systems Science and Engineering has developed a map that models the spread of COVID-19 by country, region, state and city. As of March 10, 2020, the top countries are China, Italy, Iran, South Korea, Spain, France, Germany, the United States, and Japan. That means each country becomes the context for phishing emails that target large numbers of users.

Context is extremely important when crafting an email designed to deliver a malicious payload. Human nature has always responded to fear of loss more predictably than to the potential for gain. For example, in the context of COVID-19, which email subject line would generate a higher likelihood of response?

“How to prevent the spread of the coronavirus in 3 easy steps.”

“URGENT: You have been in contact with a verified coronavirus patient.”

The first subject line does not create fear of loss, only the potential to gain more information about stopping the spread of the coronavirus. The second subject line attacks the heart of the matter – fear of death. A related behavior affects the belief in the scarcity of a valued item. With COVID-19, it could be the availability of test kits.

“Don’t lose your chance to get these hard-to-find coronavirus test kits.”

The last email subject combines fear of loss with scarcity. Thousands of years of human evolution have made us loss averse. This same evolution has also reinforced the primary purpose of our brain, which is to keep us alive. Everything beyond that is a bonus.

It’s irrelevant that citizens can’t purchase these test kits, and that only the government has them. The fear of loss, the sense of urgency, and the amount of media dedicated to COVID-19 create conditions that override our common sense and force us to act based on primal fears. Death is the ultimate trump card.


Exploiting Human Vulnerabilities

Criminals have become more advanced in their understanding of manipulating human emotion to achieve a targeted action. Social engineering is based on the premise that I can get you to take an action you believe to be trustworthy, but which is actually malicious, using manipulation, influence, and deceit.

Nation-state actors have long relied upon social engineering to achieve targeted goals for espionage, system compromise, election influence, and social media manipulation. Business Email Compromise (BEC) relies upon convincing the recipient of an email that the sender is a person of authority and that a particular action (like transferring hundreds of thousands of dollars) should be taken.

The number one tactic used by adversarial governments and bad actors isn’t exploiting a software vulnerability. It’s exploiting human weakness. In an article I wrote for The Hill, I outlined how Russia had successfully carried out the first attack using the malware known as BlackEnergy. The initial method of compromise? A spear-phishing email sent purportedly from the Ukrainian government. The attached Excel spreadsheet asked the user to enable macros.

And just like that, the initial payload was delivered. Nothing fancy. Just a sense of urgency (Ukrainian government) overriding common sense (never enable macros from an attachment).

Nobody is Immune to Social Engineering

The psychology of fear, uncertainty, and doubt is a powerful weapon. During my time in law enforcement, I specialized in serial crime profiling and behavioral analysis interviewing. Getting someone to click on a link in an email isn’t nearly as difficult as getting someone to confess to murdering another human being.

In the behavioral analysis interview (BAI), I analyzed the case (context) and framed my questions accordingly. The goal of the BAI is to determine if the subject is being truthful or deceptive. If the subject is being deceptive, and it appears they could have committed the crime, then it’s time to move from gathering facts to the interrogation. Not every interview leads to an interrogation, however.


During the interrogation, the goal is to cause the subject to manifest anxiety to the point that the only way to relieve it is to be truthful. I taught these same techniques at the National Security Agency to damage assessment agents who had been involved in some of the most serious espionage cases in United States history. It is the same reason an employee might click on a suspicious link, or open a malware-laden document: to find out the answer and relieve the manifested anxiety of fear, uncertainty, and doubt.

What is the moral of this story? It’s that no matter how much security awareness training you do, how many posters on cyber hygiene you plaster in your offices, or how many weekly reminders you send out in an email, in the end, hundreds of thousands of years of human behavior will eventually win out. That means fear of loss (death) and self-preservation (relieving the anxiety/stress) will trump common sense.

Fear Doesn’t Work on Machines

However, there is a silver lining to these dark clouds on our horizon. The use of Artificial Intelligence and Machine Learning has shifted the balance of power from the attackers to those being attacked. Rather than responding to and recovering from attacks, AI/ML has increased the speed and precision of detection and prevention.

The behaviors that have been ingrained into our DNA over thousands of centuries can be counterbalanced by the deliberate application of technology. Rather than requiring a user to determine whether something is ‘safe’, it’s easier to prevent it in the first place. It is easier to prevent a ransomware attack than it is to recover from one. And it is far easier to manage good press than bad.

Artificial intelligence doesn’t give in to fear. It doesn’t have human emotions to be manipulated, and it can’t contract the coronavirus. This just may be the perfect antidote to fear, uncertainty, and doubt.


5 THINGS CISOS NEED TO DO TO ENDURE DURING COVID-19

It is too early to tell if Working from Home will be the “new normal” for enterprises. However, it is safe to assume that this will be the main mode of operations for the foreseeable future. Since no one knows how long this will last, we advise CISOs to think about the endurance of their teams and organizations. Endurance can be defined as “the ability to withstand hardship or adversity”. Here are five things that CISOs should do to endure this period.

Security Awareness and Training

Cyberthreats have not subsided with the shift to remote work. If anything, they have increased. Google reported a 350% increase in phishing websites between January and March 2020, so it’s not surprising that many organizations are reporting a rise in attacks and phishing attempts, nor that many of these attempts will inevitably be Coronavirus-themed.

This is why it is prudent to maintain and even increase awareness training for employees. Remember that your employees have never experienced COVID-19 themed phishing attempts before, and that might make them more susceptible to these social engineering attempts. One CISO mentioned that, compared to the average response to his earlier phishing awareness campaigns, the one he’s running this week has seen the number of users that click on (simulated) malicious links more than double. The longer your employees spend away from their offices, the lower their awareness levels are likely to become, so keep them informed and keep the training programs running.


Patch, Update and Maintain Open Communication Channels

Working from home has introduced a new challenge for IT and security teams. Although it is always necessary to keep devices and systems up to date, it is even more critical when working from home. Security teams are required to inspect and ensure that all company-issued endpoints (laptops) are equipped with updated versions of endpoint security agents, and update older versions if there happen to be any. The same goes for security updates and patches to operating systems and other software; check that your patch and agent-update mechanisms actually reach machines that are off the corporate LAN and only intermittently on the VPN, since a device that never checks in never receives the update. In addition, it is critical that employees feel welcome to approach security teams with every need and any request, and also to inform the appropriate security or IT admin regarding any phishing attempt or abnormal behavior they experience.

Enforce Policies | USB, Installation of Unauthorized Software

Working from home can cause employees to be lax about security procedures. Even employees that are vigilant about separating home and work machines can forget and insert a USB device into their work laptop. In fact, a recent attack by a Russian threat actor utilized this exact mechanism: they sent “Best Buy” themed letters to a hospitality provider and included a fake gift card with a USB thumb drive, allegedly containing a list of items the gift card could be used for. In reality, this thumb drive, once plugged in, issued a PowerShell command that installed malware. Devices built for this kind of attack typically present themselves to the operating system as a keyboard and type the command, so a device-control policy that only blocks removable storage does not stop them; the policy needs to cover HID and other device classes as well. This emphasizes the need to implement proper security hygiene policies regarding USB devices, as well as 3rd party or unauthorized software that employees might be tempted to download and install when working from home.


Life Goes on | Onboarding and Termination

As part of the realization that this peculiar situation will be with us for a while, some organizations have taken cautionary steps to mitigate the expected financial burden. This has resulted in the termination of millions of employees across industries such as tourism, aviation, retail and others. While this is of course tragic in many respects, it shouldn’t be so on an IT security level. Security teams should have an organized procedure in place for remote termination, including a process for returning and wiping company IT equipment, revoking access rights to company assets (directory accounts, VPN and MFA enrollments, active SSO sessions, and any shared passwords or API keys the person knew, which should be rotated) and deleting user licenses, in order to save money and reduce the potential damage of an attack by disgruntled former employees.

On the other hand, some companies are recruiting even in these uncertain times. For these companies, it is essential to ensure that new employees receive company equipment installed with all the necessary security systems. They need to receive proper onboarding and training on how to safely access company assets. Both departing and new employees pose the greatest security risk to the organization, and handling them should receive top priority.

Prepare for the Long Haul, Security Team

And a final note on employees. The most important employees (at least for the CISO) are the security operations team. They are critical for the secure operation of the organization. They are also working under a lot of stress and have to deal with new circumstances they are not accustomed to – like supporting users from afar and managing security incidents from home rather than from the SOC. The team should be briefed about the latest security trends, and they should receive proper guidance in order for them to be able to address queries from employees. It is also prudent to ensure that operational teams (like SOC or Incident Response) have ample rotation and rest times. If need be, consider relieving some of the pressure by utilizing external security service providers. This period could easily stretch on for another full quarter or beyond, so it is important to avoid quick burnout and ensure the team is healthy, equipped for the long haul, and in good spirits.


Conclusion

This period will test the endurance of organizations around the globe. It is not a sprint, but a marathon, and should be considered as a long-term effort. As such, organizations that can manage their employees intelligently and maintain a proper balance between security and keeping the business running (albeit with compromises where necessary) will survive and emerge from this period more resilient than before. It is fine to make adjustments to your security policies (even Gartner recommends that): the goal is to deal with the crisis and allow people to keep working in the safest, most viable manner.
