August 2020

Improving your cyber security when working from home

Dr J. Rousselot

The rise of the remote worker

Who hasn't heard of the digital nomad? This hero of modern times has it all: the security of a tech career, living by the beach and taking care of work on Skype when the weather is bad. Transforming work-life balance and enabling people to live their life to the full is certainly attractive, and it is becoming more and more popular and accepted by management, even for full-time employees in some companies. Many aspire to a more flexible lifestyle.

Work from home

Working from home offers many of the same benefits as our digital nomad friend in Thailand enjoys: no more commuting, lower living costs, an informal dress code. However, all is not rosy: a hot day can make it hard to work from home, kids and the kitchen can be distracting, and the border between work and private life blurs. This novel situation has required most organisations to transform their operations overnight.

Higher risks

The shift to working from home was not planned in advance, and many problems had to be resolved on the spot. This has been very challenging for large companies and SMEs alike. While startups are more agile and innovative, their operating practices too needed to be reviewed and updated. From governments and multinationals to startups, this abrupt transition to working from home has also attracted the attention of criminals.

Multi-vector attacks

We live in an era of complex and interconnected systems. Often, a security vulnerability on its own offers the attacker very limited possibilities. It is easy to dismiss it when there are more urgent business priorities. In practice, it is often the combination of two or more vulnerabilities that enables a successful high-value attack.

The Twitter hack

You may have heard of the recent Twitter hack at the end of July 2020. The Twitter accounts of Jeff Bezos, Barack Obama, Elon Musk, Bill Gates, Joe Biden and Kim Kardashian, among others, were compromised by a small team of hackers. One of the attackers gained access to the Twitter admin panel through phone spear phishing. Spear phishing is a targeted attack that leverages our digital footprints. Key employees may have been identified on LinkedIn or through a company-wide directory. It is unclear how the attacker obtained their phone numbers. After he reached out to them, he managed to gain access to the Twitter admin panel, from where he could take control of existing users. More on this story from the brilliant team at chainalysis.com.

We can analyse four weaknesses here:

  1. the identification of key employees,
  2. access to their phone numbers,
  3. their ability to delegate access to the admin panel,
  4. the possibility for the attacker to take control of highly valuable accounts.

All these weaknesses were necessary to enable this attack.

The attacker initially started to access and sell short Twitter handles (so-called "OG Twitter handles" such as @B or @joe, which can sell for thousands of dollars), already using the admin panel. It was only later that he decided, or found a way, to take control of high-value Twitter accounts belonging to celebrities. Had he been detected and stopped earlier, while reselling short Twitter handles, the hack would have been prevented.

This story shows that no one is immune to attacks. If even well-resourced global tech companies are vulnerable, what can be done?

Security is a process

The following best practices do not cost much, are not too difficult to adopt and can significantly improve your cyber security.

  1. Password distancing: use a unique password for every site you use, personal and professional. Do not share passwords with anyone. There are many free, high-quality password managers; the Google Chrome browser even comes with one.
  2. Two-factor authentication: identify your most critical online systems (the main email account, for instance, can very often be used to reset passwords on other platforms) and enable two-factor authentication on them. The Google Authenticator or Authy apps are very convenient and very secure 2FA tools. These are preferable to phone text messages, as phone numbers can be cloned. A hardware 2FA key is also a great solution.
  3. Need to know: reduce access to IT systems and functions on a need-to-know basis. This applies both to the list of users who have access to critical systems and to where they can access them from. Whitelist your home IP address if the system lets you do this. Never sharing passwords is also part of a good need-to-know policy.
  4. Always log in manually: never connect to sensitive applications by following a link received by text message, email, social media or any other communication platform. Instead, open the web browser on your own computer and type the address yourself. Many attackers use very similar URLs, and it is all too easy to be reassured by a safe-looking green padlock and not notice a missing letter in the domain: facebook.co. If a message feels wrong, double-check with the source through another communication channel (WhatsApp after a LinkedIn message, for instance). Such attacks can trick you into revealing both your password and your 2FA code, so this is critical.
  5. Use experienced, reputable hosting providers: cyber security is a complex problem. When choosing a cloud provider, focus on the most established brands, as they deal daily with attacks from government-sponsored hacking teams. Google, Microsoft and Amazon AWS have a very strong track record here.
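As an added illustration of point 4 (example code written for this edit, not from the original article), a small Python check that ignores the https padlock entirely and compares the host of a link against a list of sites you trust, flagging near misses such as facebook.co. The trusted list, the distance threshold and the sample links are constructed assumptions.

```python
"""Flag look-alike domains in links before you click them."""
from urllib.parse import urlsplit

# Constructed list of sites you log in to; a real list comes from your own accounts.
TRUSTED_DOMAINS = {"facebook.com", "linkedin.com", "twitter.com", "accounts.google.com"}


def registered_host(url: str) -> str:
    """Lowercase host of a URL, ignoring scheme, port, path and query.

    The scheme is ignored on purpose: a padlock (https) proves nothing about
    whether this is the domain you meant to visit.
    """
    if "://" not in url:
        url = "https://" + url  # urlsplit only fills hostname when a scheme is present
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_suffix(host: str, labels: int) -> str:
    """Last `labels` DNS labels of host, e.g. ('login.facebook.co', 2) -> 'facebook.co'."""
    return ".".join(host.split(".")[-labels:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    host = registered_host(url)
    if not host:
        return "unknown"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"  # the real domain or a genuine subdomain of it
    for domain in trusted:
        # Compare only the trailing labels: login.facebook.co vs facebook.com
        if edit_distance(host_suffix(host, domain.count(".") + 1), domain) <= max_distance:
            return "lookalike"  # a missing letter or a 0 for an o: typosquat
        if domain in host:
            return "lookalike"  # trusted name hidden in a subdomain: facebook.com.example.net
    return "unknown"
```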

Whether on the beach with a cocktail or from the comfort of your kitchen, we hope you enjoyed this article. Let us know if you have any feedback or questions.
