Have you started working from home? Secure your endpoints!

April 29, 2020 | Kim Crawley

This blog was written by an independent guest blogger.

Due to recent international events, there are likely millions of people in the United States and around the world who have just started working from home. There are a lot of office jobs that could move from the company’s workplace to employees’ homes: accountants, web designers, application developers, network administrators, lawyers, clerical jobs, stock traders, data entry people, call center agents, tech support agents, and probably many other white-collar roles. I write web content about cybersecurity for a living, and I’ve always worked from home. Welcome to my world, millions of people!

Try to save watching a TV show or playing a video game for after you’ve done your tasks for the day. But if your work has frustrated you by lunchtime, a nice long relaxing shower often helps. Maybe you have young children or pets at home who want your attention. You will need to shift your attention between playing Paw Patrol for your kids and walking the dog, and getting back to your task at hand. But there’s an upside. If you make yourself a yummy lunch and put your leftovers in the fridge, your coworkers won’t be able to steal them! Maybe your kid or spouse will, but you won’t resent them enjoying your pasta casserole.

Now your home PC may be your office. And when you connect it to your company’s network, it will become one of its endpoints. Chances are your company’s network administrators and various security practitioners have taken some care to secure the endpoint (PC) that the company owns. Your user account probably has access to some files and folders on your employer’s servers, but no access to others. There’s likely some sort of information security policy that’s being enforced. If there’s some anomalous activity on your work PC, your IT department or security operations center should be investigating if it’s an indication of a cyber attack.

But you’re not in your company’s office anymore. You’re at home. And your own home PC is just as attractive of a target to cyber attackers as the PC your company provides you in your workplace. Especially if your home PC is connected to your company’s network. So even though you can eat fish at your desk without your coworkers complaining, cybersecurity should be taken just as seriously. And because you own this endpoint, you have the responsibility to security harden it. So here are my tips for you.

Only you should access your home endpoint

As I said, when your home PC connects to your company’s network, it becomes one of the network’s various endpoints. Chances are you’re authorized to access some data resources on the network that a cyber attacker would love to have: financial data, internal documents and memos, internal applications, logs, and likely other sorts of sensitive data as well. And even if you’re not an administrator, an attacker may want to access your user account and perform privilege escalation attacks until they’ve acquired admin access. But they can’t privilege escalate if they don’t have access to your user account in the first place.

Put a strong password on your user account in your operating system, whether it’s Windows 10, macOS, or even if you’re a desktop Linux-using weirdo like me. It should have more than ten characters, with upper and lowercase letters, numbers, and special characters. Don’t make your password “Tabby” because that’s your cat’s name and only you and your family have physical access to your PC. Assume that an attacker could acquire remote access to your PC through the internet. But a cyber attacker is unlikely to physically enter your home. So if you have to write your operating system password on a Post-it Note in order to make it really complex and still be able to use it, so be it.

If your spouse or your kids also use your PC for whatever reason, make sure that each of them has their own account in your operating system. That way you can restrict access to your user account to you. But maybe you should buy your kid a MacBook so they aren’t using your home office PC in the first place.

Think of your user account in your operating system as being the master key to all of your other accounts that have usernames and passwords. Because once you’ve logged into your operating system, your web browser has lots of cookies stored in its cache, and the applications that are specific to your work can all be easily accessed. Once you’ve logged into your operating system, you can start using the internet and your work-specific applications with your own identity. And no one else should be emailing, Skype-ing, or Slack-ing as you.

Secure your online accounts

I’m willing to bet that your web browser has access to a multitude of your online accounts, including your online banking, your utilities, your online streaming services, your Amazon and eBay accounts, social media, you-name-it. All of your various credentials for these services must be secured with some sort of password manager.

Credential stuffing is a type of cyber attack that’s now more common than ever. Data breaches happen all the time. We’ve all been a victim to at least a few. Often when an online service is breached, an attacker will sell a database with millions of credentials on the Dark Web for cryptocurrency. A cyber attacker may take your username and password for one particular online service and try to use them to maliciously authenticate as you to many other online services. This is the main reason why you should never use the same password twice. A good password manager will create a randomly generated unique and super complex password for each of your online services. That way there’s no limit to how complex your passwords can be, because you don’t have to remember them!

Most major desktop web browsers these days have built-in password managers. You may choose to use that, or use a separate third-party password manager that can be installed in your web browser as a plug-in. Make sure you use it. And if you learn that one of your online services has had a data breach, you can use your password manager to create a new password for your account on that service, limiting the damage of the breach to you.
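
The password rules from the operating system section and the one-unique-password-per-service advice above, as an added Python example (not part of the original post): it audits a constructed vault for weak or reused passwords and generates replacements the way a password manager would. The function names, the special-character set, and the sample vault are assumptions made for illustration.

```python
import secrets
import string
from collections import Counter

MIN_LENGTH = 11  # the article asks for "more than ten characters"
# Assumed character set for generated passwords (not specified by the article).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"


def policy_gaps(password):
    """Return the article's rules this password fails (empty list = passes)."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def generate_password(length=20):
    """Draw from the OS CSPRNG until every character class is present."""
    if length < MIN_LENGTH:
        raise ValueError("length must be more than ten characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_gaps(candidate):
            return candidate


def audit_vault(vault):
    """Map each service to its problems: policy gaps and password reuse."""
    counts = Counter(vault.values())
    report = {}
    for service, password in vault.items():
        problems = policy_gaps(password)
        if counts[password] > 1:  # one breach would expose every reusing service
            problems.append("reused")
        if problems:
            report[service] = problems
    return report

# Constructed sample vault; none of these are real credentials.
SAMPLE_VAULT = {
    "bank": "Tabby",
    "email": "Correct-Horse-42!",
    "shopping": "Correct-Horse-42!",
    "streaming": "x9$Lq7!vT2#mZ4pW",
}
```

Every service that `audit_vault(SAMPLE_VAULT)` reports is a candidate for a fresh `generate_password()` value stored in the password manager.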

I would also advise that if you need to use your online banking, keep it in your desktop web browser. I never use my phone for my online banking, and I certainly don’t use my bank’s app. I’ve secured my phone with a lockscreen and a find-my-device service, but leaving access to my bank account on the phone I take everywhere with me is still not a risk that I’m willing to take.

And finally, go through your various online services, including social networking platforms like Facebook, Twitter, and Instagram, and set up two-factor authentication wherever you can. If you have the option to use a dedicated app such as Google Authenticator as your second factor rather than SMS text messages, use that instead. Otherwise using SMS as your second factor is at least better than no second factor at all.

Patching and antivirus

Your operating system and applications are only as secure as their latest security patches. Application developers are constantly discovering and patching vulnerabilities, and your endpoint should benefit from all of their hard work. On the PC that your company owns, patch management is the responsibility of your IT department. But your home PC is your responsibility!

Apple Support has tips to make sure your Mac automatically installs software updates as they become available. Windows Support has tips for keeping your Windows 10 PC updated here. Ubuntu and its forks are the most popular Linux distributions in the home office, so here’s Ubuntu’s documentation for making sure your PC stays up-to-date. If you’re using something more niche than Ubuntu, you probably don’t need my help.

Whether you use Windows, Mac, or Linux, all operating systems can get malware. You must have some sort of antivirus software on your home endpoint, no exceptions. As your home endpoint connects to your company’s network, malware on your computer can be used to cyber attack it. Just as we must wash our hands more often these days to stop the spread of biological viruses, you must have antivirus software to keep your endpoint clean of computer viruses! It’s the responsible thing to do.

If you would rather not pay for your antivirus, Windows Defender built into Windows 10 is actually pretty good these days. Go to your Windows Defender settings through the Control Panel to make sure it checks for updates and scans your hard drive every day. If you install another antivirus solution in Windows, make sure Windows Defender antivirus is disabled. You should only have continuous protection from one antivirus application.

If you’re not using Windows Defender, I would recommend a paid antivirus solution regardless of your operating system. Do your own research online so you make an informed decision before you spend your money. And make sure you configure whatever you buy so that it automatically updates and scans every day.

Use a VPN and Secure Your WiFi

The connection between your home endpoint and your company’s network must be secured against man-in-the-middle attacks. That’s when a cyber attacker acquires access to the data your endpoint is sending through the internet or any other type of network. It’s a very, very bad thing and you must do what you can to prevent it from happening.

First, make sure your home WiFi is well secured. If your wireless router is five years old or older, I strongly recommend that you buy a new one. An old wireless router won’t support WPA3, the strongest form of wireless encryption, and it also may not receive firmware updates to keep it secure on the internet. If all the computing devices in your home (desktops, laptops, phones, tablets, video game consoles, and Internet of Things devices) support WPA3 and your new router also supports WPA3, I recommend that you use it. Otherwise your WiFi should use WPA2. And don’t leave the default password on your WiFi. Cyber attackers can find default passwords for pretty much all router models on the internet. Come up with a WiFi password that’s as strong as the operating system password that I would recommend. But make sure that your WiFi password is different! If you must write your WiFi password down on a Post-it Note in your home in order to make it complex, do so.

Finally, the connection between your home endpoint and your company’s network must be routed through a VPN. A VPN will encrypt your network traffic through the internet as it’s sent back and forth between your endpoint and your company’s network. You may need to set up a VPN connection through your company’s IT department. Your company may have its own VPN. If that’s the case, you must use it. Your company may have to provide your home PC with a VPN client specifically for accessing your company’s network.

If that’s not the case, a third-party VPN service for consumers is better than nothing. Research which VPN services are available for consumers to choose a paid service that’s best for you. You may be able to ask your company’s IT department for advice about this. A third-party VPN service will also have client software that you’ll need to install on your PC and your mobile devices.

So there you go. Those are simple things you can do so that your work from home is acceptably cyber secure. There’s no such thing as perfect security, but you can reduce the likelihood of many cyber attacks by following my tips. Securing your home PC for work is just as important as securing your PC in your company’s workplace. But now you can enjoy working in your pyjamas!


About the Author: Kim Crawley, Guest Blogger

Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
