Securing the Remote Experience


Welcome to fall 2020. At the time of this writing we are seven months into the COVID-19 crisis, and the environment for work and education has shifted dramatically. This comes with an increased risk of cyber threats old and new, and a call to attention for broader awareness of information security.

Though much has changed, one thing has not: the highest percentage of cyber attacks are a result of human error. As of March 2020, cybersecurity firm Kaspersky has identified human error as the cause of 90% of public cloud infrastructure breaches, and data from the UK’s Information Commissioner’s Office reflects the same number for cyber breaches in general. With such a large number of people who have not previously attended work or class remotely, it is important to think about how to operate safely and securely while navigating this new landscape. In this article I will highlight some security tips and guidelines as they pertain to the remote experience of the student or employee.

 

Home Network & Personal Security

The cyber attack scope has shifted to more home environments, heightening the importance of home network and device security.


The following are some guidelines to help better secure your home tech life.

Change default passwords on all devices. This includes home router logins, IP cameras, and any “smart” devices used in the home. In addition, make sure “remote management” is disabled by default on your home router, unless you plan to use this feature with a strong password on the admin account.

Use WPA2 encryption with a strong passphrase for wireless networks. WEP and WPA use outdated encryption standards and can be easily broken for unwanted access.

Use a password manager. This will allow you to have a different password for every account you own, with the ability to query for it easily via an application or browser plug-in. There are a number of services for this including LastPass, Bitwarden, 1Password and more.

Disable automatic logins wherever they might occur. This could be at the desktop/laptop login, smartphone lock screens, or credentials saved and stored in web browsers for particular sites. It is important to make authentication a habitual part of your life. The password managers mentioned above can help ease this step by allowing you to access any stored site with one click and allow it to auto-fill the form for you.

Enable Find My Device and Remote Wipe. Mobile Device Management is not implemented in all organizations due to restrictions surrounding data separation and privacy, but there are plenty of options for the home user. Tracking can be enabled through Google accounts on an Android phone, iCloud accounts on all Apple devices, and Windows also has the feature built in for PCs now. Most platforms will also give you the option to remotely wipe and lock the device if it is stolen or lost.
You can find more on this topic and other security checklist items at Goncalo Silva’s blog.

 

Video Conferencing

There have been significant concerns with the default security posture of video conferencing.  Back in March and April, Zoom users were experiencing “zoom-bombing” in which unwanted guests would join and severely disrupt meetings. The good news is that much of this has been adjusted with software updates, changes to default controls, and heightened user awareness and education. Here are some security guidelines to review as you host or participate in Zoom meetings:

 

  • Check security options at the account level. If you are an account owner, you can access your account via the Zoom website. Sign in and visit the “Admin Panel” on the left of your screen.
  • Check security options at the meeting level. You should disable default screen sharing, require a meeting password, enable the “waiting room,” turn off “join before host,” turn on “mute upon entry,” and avoid using your Personal Meeting ID. For more information on security options, take a look at this article: https://blog.zoom.us/keep-uninvited-guests-out-of-your-zoom-event/
  • Use the latest version of video conferencing software. As we have seen, Zoom has rolled out numerous updates to improve their security posture.
  • Allow the browser instance of Zoom to be used. In most cases, the browser instance receives updates faster than the application.

 

VPN, Remote Access and File Sharing

Students across the country were sent home abruptly in March, and colleges continue to face either a hybrid or totally remote education experience. Some resources such as lab machines or network shares still need to be accessed from home, and this should only be done behind a VPN, or “Virtual Private Network.” Having a robust VPN system has allowed Connecticut College’s network and desktop teams to provide access to these resources, while adding an additional layer of security to VPN connections with Duo Multi-factor Authentication. We recently implemented technical controls requiring students to use MFA as another layer of protection to the VPN while accessing lab machines on campus via Remote Desktop or Apple’s VNC. We have also stood up Microsoft’s “RDGateway” as a secure alternative to the VPN for certain departmental servers.

In addition to Remote Desktop and VNC, some machines are best accessed via the SSH protocol, especially in the Linux environment. In this scenario it is good practice to use a public and private key pair for user authentication. If this is not feasible, be sure that any passwords used to authenticate have strength in complexity and number of characters, and that SSH is configured properly. You can learn more about SSH security at HackerSploit’s free tutorial.
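As an added example (not from the original article), the following Python sketch checks whether an OpenSSH server configuration matches the advice above: key pairs enabled, passwords disabled. The function names and sample configurations are constructed for illustration; it assumes the global section of a single sshd_config file and does not evaluate `Include` files or `Match` blocks.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

def effective_settings(config_text):
    """Global settings as sshd reads them: the FIRST value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2 or not parts[1].strip():
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":      # conditional blocks are not evaluated here
            break
        seen.setdefault(keyword, parts[1].split()[0].lower())
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings for settings that weaken SSH authentication."""
    s = effective_settings(config_text)
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key pairs cannot be used")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is on: set it to 'no' once keys work")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: blank passwords are accepted")
    return findings

# Constructed samples. In SAMPLE_WEAK the later 'no' is ignored (first wins).
SAMPLE_WEAK = "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
                   "PermitRootLogin no\nMatch User sftponly\n    ForceCommand internal-sftp\n")

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or "no findings")
```

On a real server, `sshd -T` prints the effective configuration, including included files, and is the authoritative check.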

File sharing is most commonly done via network shares or cloud services such as Google Drive. Network shares in the organization should only be accessible via a VPN connection with proper security patches and backup plans applied to the share servers. When it comes to cloud file sharing, the end user is much more in control. Google Drive, for example, has share permissions that should be carefully implemented and reviewed on a frequent basis. Review your organization’s policies regarding file sharing for both on-premise and cloud solutions.

 

Phishing

Phishing had been a growing and evolving risk before the pandemic struck, but the current situation breeds opportunity for more flavors of this attack. Though the college has implemented and required multi-factor authentication for all users to help prevent these attacks, it is still important for users to remain vigilant and aware of “tone” as it applies to the messaging world. Some attacks don’t involve links, such as the ‘gift card scam’ in which users were asked to purchase and provide codes to someone purported to be a colleague or supervisor. Our information security team is working to implement methodical mock-phishing campaigns for users in order to help educate and improve messaging security awareness.

Phishing is not limited to email. Users have reported malicious links shared in the chat space, whether that is a standalone messenger solution, or within video conference software. Zoom is now able to better validate the contents of files, and account owners also have the option to whitelist or allow sharing of particular file types. Google has also amped up phishing detection in its Chat application, checking links against real-time data from Safe Browsing. Nonetheless, remain vigilant in text conversations and only click links that are confirmed to be safe.

 

Backup, Backup, Backup!

It is imperative that you back up systems frequently in order to protect yourself in today’s tech world. Everyone should have a Disaster Recovery Plan (DRP for short), whether you are managing your own personal data or that of a large organization. There are plenty of solutions available to do this, whether they are “onsite” (stored in the same physical location), or “offsite” (in the cloud or somewhere outside of your local network).


We recommend a combination of both, but if you choose only one, go with an offsite solution to reduce the impact of an attack such as ransomware.
Whichever you choose, automating this process is a great way to make it a passive task and save time.
Google Drive offers a “computer” component that will let you schedule automated backups through their “Backup and Sync” application.
Windows will also let you automate this process with the built-in backup feature under Settings, while Apple offers automation through its Time Machine and iCloud backup solutions. For more information on backing up personal devices, check out Chris Hoffman’s article on HowToGeek.

Security is a constant pursuit, and although the above is not an exhaustive list, it should provide you a positive shift in mindset and a path to better protect yourself.  We encourage you to do more research and share information with others on this topic. If you have more questions surrounding cybersecurity at Connecticut College or at large, please feel free to contact the IT Service Desk at 860-439-HELP (4357) or email help@conncoll.edu
