7 Cybersecurity Sins When Working From Home

7 cybersecurity
Sins when Working
From Home
DALLAS HASELHORST
Founder & Principal Consultant, TreeTop Security
www.treetopsecurity.com
From the makers of Peak, the only affordable and
comprehensive small business cybersecurity solution

2info@treetopsecurity.com | @oneoffdallas
# whoami
● 20+ years of IT & cybersecurity experience
● Consulted for companies all over the US
● Multiple computer-related degrees from FHSU
● Master’s degree in Information Security Engineering
from the SANS Technology Institute
● Alphabet soup of security-related certiﬁcations
○ CISSP, GSEC, GCIH, GCCC, GCPM, GPEN, GMON,
GCIA, GWAPT, GDSA, GSE #231
● Co-organizer of BSidesKC conference
● Founded an IT company in 2003, acquired in 2016
● Lead design of the Peak platform > 3 years

WFH Fails (non-cybersecurity)

#1
I am too small to
to be hacked
Pride

43% of all cyber
attacks target
small businesses
“No one wants OUR data”
Unprepared Small Businesses
Large Businesses and Government
“Prepared” Small Businesses
Verizon 2019 DBIR - https://enterprise.verizon.com/resources/2019-data-breach-investigations-report.pdf
https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html

Targeted or untargeted?
•Works equally well on 1 or 1,000
•Ransomware
• Locks you out of your data
• Monetary ransom gets it back
•Cryptominers/botnets
• Uses your system resources
• To “mine” cryptocurrency
• To hack or harass others
•Nation-states
•Organized crime

#2
Overindulgence of
devices
Gluttony

Home network
•One compromised device on the same
network can compromise your device too
•Who has access?
• Kids
• Neighbor kids
• Everyone?
•What devices have access?
• Gaming computers
• “Knock-off” products
• Internet of things (IoT) - Alexa,
Google Home, doorbells, Xbox,
refrigerators, camera systems, etc.

Fing app
•Free, easy to use
•Available for Apple/Android
•Scan your network
•Find other devices
•Staying at a B&B???
•Restaurant guest wiﬁ
• Printers
• Speakers
• Servers <----
• POS <--------
PCI compliance? Access to credit card info!

Wireless/ﬁrewall
•Default username/password?
•Use WPA2 (AES) encryption setting
•Disable WPS <- “button to connect”
•Wireless key/password
• When was it last changed?
• Using your phone number?
• Hacked in under 10 mins
• More than 20 characters
• Use passphrases!!!
• Stayoffmywiﬁ@homeplease (24)
https://linuxincluded.com/why-phone-numbers-make-horrible-wifi-passwords/

Next steps:
1) A properly conﬁgured
company VPN helps
2) Segment network? Likely
requires new equipment

#3
Uncontrolled
device security
Wrath

Prying eyes
•Password on computer
• Passphrases!
• >16 characters
• Length is better than complexity
• Lock when away
• Auto-lock after inactivity
• Windows = Windows key + L
• Mac = Control-Shift-Power
• Alternative - biometrics
•PIN/biometrics on portable devices
•Keep kids away
• “Grandkids were here this weekend”

WFH setups
•Don’t overshare!
•High resolution images
•Accidental disclosure
• Zoom meeting IDs
• What you are working on
• Client names / ﬁle names
• Applications you use (open or closed)
• Passwords on sticky notes <- NOOO!
•Hide all icons
•Don’t show toolbars/taskbars
•Resize pictures?
What could an attacker or
competitor gain?

Staying up-to-date
•New security issues found every day
•Operating system updates
• Windows, Apple, Linux
• Still using Windows 7 - end of life
•3rd party updates
• Microsoft Office
• Browser - Chrome, Safari, Firefox
• Adobe Reader
• Zoom - new version 2 days ago
• Click profile -> check for updates
•Anti-virus - definition updates
•Mobile devices

Next steps:
1) Separate work devices
2) Centralized, managed
updates & anti-virus

Lust
#4
Not treating
data like it’s
your data
#5
Longing to
communicate
(insecurely)
Envy

Scattershot storage & technology
•Unprepared for WFH?
•Then prepare for shadow IT
• Find alternatives to get things done
•Data/info coming from new sources
• No server or centralized storage
• Dropbox, OneDrive, Google Drive
• Email, Slack, Microsoft Teams
•Regulated industries - PII, PHI, etc.
• Many regulations laxed... For now
• “Left over data”
• After 6 months?
• After 2 years?
Maintain order now,
Thank me later

Data protection
•Alexa, Google Home -> always listening
•Backups - even more important
• Hardware failure
• Accidental deletion
• Ransomware - no protection is perfect!
•Full-disk encryption (FDE)
• Lost or stolen? Only out cost of device
• Recommended for PII/PHI everything
• Windows - Bitlocker
• Apple MacOS - FileVault
• Mobile devices - tablets & phones
• PIN/passcode on boot
• Decryption often tied to PIN/passcode

Secure communications
Example: Healthcare
Industry/regulatory approved?
Business Associate Agreement (BAA)
Video conferencing
Zoom or Zoom Business? No
Zoom for Healthcare? Yes
Free vs minimum of $200/month
Document storage/sharing
Google Drive? No
G Suite by Google? Yes
Free vs $6/month per user -------------------(additional services)

Next steps:
1) Disk encryption
start now if you’re not already
2) Solutions must be
company/regulatory approved
3) See “separate work devices”

#6
Lacking vigilance
Sloth

Criminal activity - domain registrations
https://www.markmonitor.com/mmblog/covid-19-domains-whats-going-on/
New domains
registered related
to corona, COVID,
vaccine, etc.
Example:
id-covid19[dot]com
DON’T GO THERE

Criminal activity - focus & increased attacks

Change matters
We let our guard down
•Different work schedules
•Shared spaces
•Using different software
•Communicating differently
•Consuming news differently
•Receiving money
• SBA loans
• Wire & ACH transfers
• Stimulus checks
• Unemployment?
PRIME opportunity for cybercriminals

Next steps:
1) Increase awareness now
2) Ongoing - company culture

#7
Education is expensive
Greed

Is it really?!?!?

Shared and recommended
at the RSA conference
Feb 2020
Downloaded in over
150 countries in < 1 year
Sept 2019 - March 2020
Slides available at
https://www.treetopsecurity.com/CAT
Awareness slide deck

Also available at
https://www.treetopsecurity.com/CAT
Free video + other goodies
•New slide deck
• Version 1.1
• Released March 2020
•Video presentation
• Released March 2020
•Awareness quiz
•Certiﬁcate of completion
•Sign-up for our newsletter

Questions?
https://www.treetopsecurity.com
785-370-3444
info@treetopsecurity.com
Think actual cybersecurity is expensive? Think again!
Ask us about Peak! It’s cybersecurity piece of mind for small businesses

7 Cybersecurity Sins When Working From Home

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 7 Cybersecurity Sins When Working From Home

Similar to 7 Cybersecurity Sins When Working From Home (20)

Recently uploaded

Recently uploaded (7)

7 Cybersecurity Sins When Working From Home