Europe, and the rest of the world, is currently facing an unprecedented situation. Covid-19 accelerated faster than anyone expected. It went from a distant illness in a distant country to an over-arching European lockdown within the space of just over a month. The speed at which the virus progressed has caught most of the world off guard, forcing it into a reactive position, scrambling to contain the spread.
The shift from office to recommended remote work came somewhat abruptly for most of us, and with offices closing across Finland it could just be a matter of time before remote work becomes a mandate rather than a suggestion.
And with this increase in remote work comes an increased need for security. This post will hopefully serve as a guide for those of us required to work from home, and tell you how to keep yourselves and your company safe as you function in Europe's new normal.
Phishing attack increase
A sad fact is that when a crisis happens, there will always be someone ready to exploit the concern of the masses. We saw this recently with people stockpiling items such as toilet paper and hand sanitizer, marking them up and reselling them on various online marketplaces (seriously, search huutonet for käsidesi and check out the 250% price markup). These are unsophisticated methods, though not the only ones being leveraged.
Recorded Future are a security intelligence company who blog about InfoSec trends, and they recently posted a blog and document of their findings regarding the use of Covid-19 information as a phishing tool. If you're a bit techy, it's worth a read.
Upwards of 90 internet domains have been registered relating to the coronavirus since the start of January. Some of these may be perfectly valid. Others, such as mycoronavirus[.]world and vaccine-coronavirus[.]com, could easily supply an email domain for use in phishing emails. For those unclear, phishing is an attack vector in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure individuals into providing sensitive data or to otherwise gain leverage over them. In some instances of these attacks, ransomware has been installed on the target computers.
Establishing email provenance
One thing we should all understand: useful information regarding Covid-19 is not going to be coming from someone you know, and is unlikely to be coming to you in your email. If you're like me, you'll be getting a lot of Corona-spam from various companies, telling you how they're managing the crisis. These emails are internally focused, delivering information on their own services and functions. They contain no links, no attachments (take note, if you're planning on sending one.)
If you receive an email offering services pertaining to you, or offering treatment or prevention options, cast a critical eye over it. Official information will always come from official sources. In Finland, that is the website of the Finnish Institute of Health and Welfare, Terveyden ja hyvinvoinnin laitos: thl.fi.
In addition, standard email safety applies. If something looks suspicious, check the email address. Even if the name suggests someone internal, the email address might have a different story to tell. Disregard anything vaguely suspicious with links or downloads. The language is also a tell-tale sign. Our CEO is a former copywriter, so when you get an email claiming to be him in poorly written Finnish, you know something is wrong. Check for misspellings in domains and email addresses.
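The sender checks described above (an internal-looking name on an external address, a misspelled domain, a crisis-themed domain) can be automated. The following is an added example, not code from the original post; the employer domain corp.example, the staff name, the keyword list and the typo threshold are all assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (none of these values come from the post):
TRUSTED_DOMAINS = ("corp.example",)        # hypothetical employer mail domain
INTERNAL_NAMES = {"matti meikalainen"}     # hypothetical staff directory entry
LURE_KEYWORDS = ("corona", "covid", "vaccine")
MAX_TYPO_DISTANCE = 2                      # edits that still count as a lookalike

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return the reasons a message's From header deserves a closer look."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if "@" not in addr or not domain:
        return ["no parsable sender address"]
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    if name.strip().lower() in INTERNAL_NAMES:
        findings.append("internal display name on an external address")
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= MAX_TYPO_DISTANCE:
            findings.append(f"domain looks like a misspelling of {trusted}")
    if any(word in domain for word in LURE_KEYWORDS):
        findings.append("crisis-themed keyword in sender domain")
    return findings

# Constructed sample messages (not real mail).
SPOOFED_CEO = "From: Matti Meikalainen <matti@c0rp.example>\nSubject: Urgent\n\nHi"
THEMED_LURE = "From: Health Desk <info@covid-relief.example>\nSubject: Cure\n\nHi"
GENUINE = "From: Matti Meikalainen <matti@corp.example>\nSubject: Lunch\n\nHi"

if __name__ == "__main__":
    for sample in (SPOOFED_CEO, THEMED_LURE, GENUINE):
        print(check_sender(sample))
```

An empty result only means the From header is not an obvious lookalike. The header itself can be forged, so this complements the mail server's SPF, DKIM and DMARC checks rather than replacing them.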
Safety while working remotely
Your office may have instituted a recommendation to work from home, or mandated that you have to. In these situations, there are several things you should consider for this extended duration.
1) Always use a VPN. Your company most likely provided one. If they didn't, using a VPN service is recommended. We'll discuss this more below.
2) Disable macros in MS Office tools. One of the most problematic parts of the modern operating system infrastructure is the impunity with which Microsoft Office products can execute complex VBA code. It is the entrance vector for a huge portion of malware distributed today. This should be handled on a policy level by your IT infrastructure. If it isn't a company owned computer, or if your IT policy doesn't control it, follow instructions here.
3) Maintain an up-to-date virus protection system. Windows Defender has, in recent years, become a passable frontline system. Failing that, BitDefender is a great personal system, and all companies should have their own standard installed on their PCs.
4) Use a router, or install a firewall. In most cases, home networks are set up with a firewall installed in your home router, and you shouldn't need to make any changes. If you plug straight into a network socket in the wall, then you'll need to handle this yourself. Again, Windows Defender does a reasonable job, but a little extra protection never hurt anyone.
5) Don't use a shared computer. The machine you use for work should be accessed only by you.
6) If in doubt, ask. We InfoSec nerds have the information you need, and if you're struggling with an aspect of remote work, you should just ask. If nothing else, it might stave off some of the loneliness associated with remote work.
Use of VPNs
Most people have a passing understanding of VPN, but their definition is something along the lines of "It allows me to access internal company infrastructure from an external location." This is actually a common misunderstanding: that access does occur, but it is a side effect of the standard VPN function.
A VPN is a virtual private network. In the simplest of terms, a VPN allows for the creation of a private network between two computers, even if they're not connected by anything other than the internet. In the most typical use-case, this VPN establishes itself as the default gateway for traffic, and all your traffic is routed through the VPN gateway. The external service sees the VPN gateway's IP address (a computer's identifier on the network) instead of your own computer's, and thinks the traffic is coming from the gateway. In combination with IP whitelisting (allowing access only to certain IP addresses) and internal networking, this allows for the standard use-case most people know.
But the real advantage of VPNs comes from the encryption of traffic. Encryption is paramount when it comes to InfoSec. The reason we're always pushing for HTTPS over HTTP is because of encryption. If we break down the network traffic:
An HTTP request passes through to a website with a simple text string of "Hello world!" on the index page. This request is entirely visible to any network traffic sniffing happening along the route.
An HTTPS request passes through to the same website, and the "Hello world!" string is encrypted. It is visible to network traffic sniffing only as garbled numbers, letters and symbols, and (assuming modern technologies are used) it is considered safe.
VPNs allow us to go one step further. They work on the same principle as HTTPS: establish security at both ends, allow traffic connections, and encrypt. When using a VPN, all your traffic is encrypted and handled by the gateway. In addition, HTTPS is still in effect, so even if a hacker could break VPN encryption, HTTPS encryption is still valid.
As such, using a VPN is additional protection over the measures already in place. This is why, when working remotely, InfoSec professionals will always insist on VPN use.
The old saying of "Things are going to get worse before they get better" seems like it will apply to the Covid-19 outbreak. If you're not currently forced to work remotely, prepare for the eventuality. General lockdowns are looking more and more likely, and making sure you have everything you need for an extended work period from your homes will be of the utmost importance. Regardless of whether you're required to be remote or not, you should set out a specific area in which you work. Maintain a schedule. Maintain communications. It might feel like we're isolated in this, but thanks to the magic of the internet, no one is alone. Grab a microphone, dust off your webcam (remember: at the home office, trousers are optional) and let's start working in our new shared, digital workspace.