To navigate these unprecedented times, many of us are working remotely or have had to make changes to our daily lives. WFA San Diego has asked LANSolutions, our IT partner, to share some guidelines to help us combat possible cyber security threats.

 

By Jeff Spate, Senior Systems Engineer II, LANSolutions LLC

May 11, 2020

 

With more employees working from home due to the Coronavirus, cyber-criminals have shifted their tactics to better exploit users and their home computers and networks. This includes Coronavirus oriented phishing attacks and attacks on home Wi-Fi routers.

Most of the traditional methods used to secure personal computers and home networks have remained the same, and those are included below. But LANSolutions has updated their home cybersecurity guidelines recently to accommodate current trends and concerns we have been experiencing while supporting a large work from at home userbase. Below are some guidelines on how to increase general cybersecurity while working from home (or remotely in general) along with some related tips such as securing Zoom meetings. Some are the same topics you’ve likely heard before and are common on most “secure your home” blog posts seen on social media and other websites but are covered in more depth to provide better guidance on implementation. Some you probably have not seen before but are rapidly becoming not only recommended but necessary.

Please note that some of these topics may require you to work with your internet provider, router, or software vendor, or your trusted home computer consultant (spouse, child, niece/nephew, neighbor, etc.) to get it properly set up. There is a broad range of brands, models, and software versions to accommodate so specific steps on performing the recommendations below are impossible to provide. Links are provided when relevant. It is also worth noting that most security software and networking devices are not properly secured when used in their default/out-of-the-box configurations. They need some tuning to utilize the features they provide.

Guidelines we’ll cover

  • Phishing attacks

  • Home Computer Updates

  • Application Updates

  • Antivirus

  • Router & Wi-Fi

  • Unique and Strong Passwords

  • 2-Factor Authentication

  • DNS Filtering

  • Zoom Meetings

 

Phishing Attacks

Phishing emails have long been the most popular method for cyber-criminals to deliver malicious links and attachments. Sending millions of emails, a day is both cheap and effective. In recent months there has been a significant rise in malicious emails under the guise of being from legitimate places like the CDC, WHO, insurance companies, etc. They are worded to appeal the general susceptibility to get information regarding the Coronavirus and changes to company policies and government guidelines and trick you into opening links and attachments to malicious content. The email protection system (spam filter) you currently have in place is likely already blocking most of these emails, but none are 100% effective in preventing them all from reaching your inbox.

The best defense against these kinds of attacks has always been to exercise heightened awareness regarding these types of emails. Do not open attachments or links unless you are certain the email is legitimate. Exercise this awareness even if the email is from someone you have exchanged emails with previously. It is very common for cyber-criminals to compromise an account, review the past emails sent, and craft a custom email to you pretending to be that person. They will often ask for you to visit a link to download a file, log into a website, wire money, or purchase gift cards. It is always best to confirm these kinds of request with a phone call, you cannot rely on a reply email asking if they want you to perform that action since the cyber-criminal Is actively watching new emails and replying.

KnowBe4 is a provider of phish testing and other security training that LANSolutions uses to test and train its customers. They provide real-world examples of phishing emails taking advantage of the Coronavirus here. It’s worth reviewing a few as most that you’ll see look very similar to the examples provided.

Home Computer Updates

Making sure your operating system has recent updates is something you will see on any list of security recommendations and for good reason. Making sure your home computer has the latest updates installed is and always has been good security practice. Many publish “security breaches” you will read about in the news exploit some piece of software that an update has already fixed but was not currently installed. The Equifax breach of 2017 that exposed personal information for 143 million Americans occurred due to an exploit of a web-application vulnerability that had a patch issued months earlier.

Microsoft and Apple issue updates monthly that include security improvements that are important to have installed.

Windows 10

Windows 10 computers are most likely updating themselves automatically (assuming you reboot regularly).

You can manually check for updates using the process below. We recommend doing so at least once per month.

Official Microsoft page with Windows 10 update instructions

Click on the Start/button, and then go to Settings  > Update & Security  > Check for Updates

Support for Windows 7 ended on January 14, 2020, and as a result, is no longer receiving security updates. If you have that OS you should consider replacing the computer or upgrading to Windows 10

MacOS

A common misconception about Mac computer is that they don’t need updates or aren’t susceptible to viruses. This is simply not true. If you use a Mac, update it regularly and take security seriously.

macOS computers can be updated from the Apple menu   > System Preferences, then clicking on Software Update

Official Apple page with instructions to update and setup update schedule

Application Updates

In addition to updates to your operating systems (Windows or MacOS), it is also important to update your installation of Office, Adobe Acrobat, and internet browsers. Viruses and other malicious software take advantage of weaknesses in those applications and updates limit your risk of infection.

Luckily, by default Microsoft Office, Adobe Acrobat, and most internet browsers (Edge, Chrome, Firefox, and Safari) are configured to update automatically. You can confirm they are updated by going to the appropriate area in each application. This should only take a few minutes to perform.

  • In recent versions of Office, you can update by opening File > Account > Update Options > Update Now

  • In Adobe Acrobat, open the Help menu then Check for Updates

  • Most browsers display the update status in the Settings > Help > About

Antivirus

This is another basic step to securing your home PC. Make sure you have an antivirus installed and it is working. I also recommend implementing a firewall along with it. Windows 10 has antivirus built-in (named Windows Defender) which is a sufficient product and can be combined with the built-in Defender firewall.

Most people and IT professionals recommended adding a 3rd party antivirus and we do as well. Bitdefender has a free edition and is an excellent product. Paid versions of BitDefender and ESET are also excellent choices as they can provide additional security features such as firewalls, webcam, and browser protection. BitDefender’s Total Security product is one example, ESET’s Smart Security is another. Since these products contain additional security features and options, they do require more setup than a traditional antivirus product, but the time is well worth it.

 

Router & Wi-Fi

This is a topic you likely won’t see on most home security lists.

Your home router is what allows multiple computers/devices in your home to have internet access. It may be the same physical device as your modem or maybe a second device. It may also be leased from your internet provider or may have been purchased separately. It is likely the same device that provides your Wi-Fi.

There are three things to consider regarding the security of your home router/Wi-Fi:

  1. Make sure your wireless network is password protected. This ensures a password (also called a network security key) is required to connect to your Wi-Fi. Some brands/models do not do this by default.

You should also make sure that WPA2-AES encryption used, and not an older and insecure type such as WPA2-TKIP or WPA or WEP. This is configured in your router settings in the same area as requiring a password.

  1. Disable any “remote management” option of the router, which allows someone to log into the device from outside of your home. Unless you have a specific need to do this there is no reason to leave that option on.

  2. Reset the default password to log into the router. It should not be the same password that the device shipped with such as “admin” or “password”

  3. Update the firmware – This is equivalent to installing updates to Windows. Newer versions of firmware may include security updates. As a bonus, they may also include performance or reliability improvements that may provide a better Wi-Fi experience.

Unique and Strong Passwords

It is critical that the passwords used in any important account be both unique and strong.

By unique we mean that you shouldn’t use the same password in any two accounts. Doing so opens the possibility that the password will be compromised (widely available on the black market of the internet) if that website or service is “hacked.” Consider that you use the same password to log into Spotify as you do your email account. If the Spotify system is compromised and the email addresses and passwords exposed, then there are no stopping cyber-criminals from logging into your email account (unless you have 2-factor authentication enabled, see next topic).

All passwords should be unique to each account to prevent this occurrence.

You can check to see if an account of yours has been included in a known breach (such as LinkedIn, Facebook, Experian, etc.) by entering your email address here – https://haveibeenpwned.com/Passwords. This is a website that keeps a database of all information released in such breaches. 

Strong passwords are also necessary, and if created properly, also easy to remember.

Strong Password Guidelines

Password Should (in order of importance)

  • Be unique – NOT used in any other website, system or service inside or outside the firm

  • Be at least 14 characters in length

  • Be easy to remember but hard to guess

Password Should Not (in order of importance)

  • Be used in any other website, system or service inside or outside the firm, ever (repeated for emphasis)

  • Contain sequential or repetitive characters (e.g. 12345 or aaaaaa)

  • Be a commonly used password, including anything “trending” in pop culture (e.g. P@ssw0rd, GameOfThronesIsGreat, IlovetheOlympics!, etc.)

Tips for Selecting a Strong Password

  • Use a phrase mixed with initials, numbers or punctuation

Example:  620firstdayofSUMMER!

Example:  JSworksforthemoney$

Example:  WhendoesMARYSdayend?

  • Use the first letter of every word in a phrase, song lyric or quote as part of the password, such as “TRISFMOTP” for “The Rain In Spain Falls Mainly On The Plain”

Example:  TRISFMOTP22*law

This password uses the first letter of every word in the phrase “The Rain ISpain Falls Mainly OThe Plain” followed by a favorite number, special character, and a keyword

  • You may also include the entire lyric in the password (but not as the whole password)

Example:  TheBeatles1969CTRNOM

 

The first letter of The Beatles + 1969 + First letter of the lyric “Come Together Right Now Over Me”

 

2-Factor Authentication

Also missing from most home security lists is adding 2-factor authentication to any website or service of any importance. 2-factor authentication is rapidly becoming a requirement instead of a recommendation. 2-factor authentication (also called 2FA, Multifactor or multistep authentication) is the system that requires you to enter a code or accept a prompt in a cell phone app before being able to log into a website. That code could be delivered via text message or displayed in the cell phone app. When 2-factor authentication is used, anyone wishing to access your account would need your username, password, and access to that code or app to log into your account. This greatly reduces the likelihood that anyone will gain access to your account.

This feature is now commonly available in most websites for banks, credit cards, Gmail, Facebook, etc. Check with those sites and enable them when possible.

DNS Filtering

Also missing from most home security lists is adding a DNS Filter to your home computer. This is a free and very easily implemented layer of protection that is recommended for all home computers, phones, and tablets.

Do not recommend adding to any company-owned devices as it may conflict with services provided while inside your company’s office.

DNS Filtering is a method that blocks access to URLs and IP addresses known to be malicious. This can happen automatically and for free by modifying the IP addresses used for DNS on your computer. Several companies offer this service for free with additional options with a paid subscription

Free services from Cleanbrowsing and Quad9 are excellent choices. To implement, you’ll simply need to enter the proper IP addresses of their DNS servers into your computer, no software installation required. After you do that you’ll automatically be receiving their protection against their list of known malicious domains (phishing, malware, etc.) and optionally adult sites or forcing Google Safe Search and YouTube Restricted Mode.

A good comparison of various services was recently written by GeekFlare.com.

 Cleanbrowsing’s different options for filtering can be found here: https://cleanbrowsing.org/ip-address

You can follow Microsoft’s guide or Cleanbrowsing to change the IP addresses of your DNS servers in Windows 10.

 

Zoom Meetings

As Covid-19 pushed many users to work from home web conferencing products like Zoom saw a rapid increase in adoption. Zoom had several public incidents where non-invited attendees joined meetings and some other publicized security issues. They’ve updated their software recently and posted this blog “How to Use Zoom to Securely Host a Virtual Board Meeting” which provides excellent information. We recommend both ensuring your Zoom software is up to date and following their guidelines to create a secure and successful Zoom meeting. Zoom is configured to auto-update itself by default but you can manually check for updates here.

 

Home Security Checklist

Last but certainly not least schedule yourself to run through a quick home security checklist at least every three months to keep everything up to date and re-orient yourself to be security conscious. Security is an ongoing effort and unfortunately performing a one-time update today isn’t enough to keep your devices and home network safe.

  • Be aware of phishing emails – they may appear to be from legitimate addresses or be from people I have communicated with before

  • Install operating system updates

  • Update Office, Adobe Acrobat, browsers, Zoom and other critical applications

  • Update firmware on the wireless router

  • Verify 2-factor authentication is enabled on all important accounts

  • Verify that antivirus is installed and updating

  • Verify that firewall is enabled