Month: March 2020
#WFH – Embracing the New Norm of Working From Home
Pandemics Happen: You Can’t Predict a Crisis
A worldwide pandemic broke out, and your employer is asking you to work from home instead of coming into the office. Well, you’re not alone. This is the situation that many people have found themselves in during this Covid-19 pandemic.
Although it may seem like no big deal at first, working from home daily for an extended period of time is vastly different than going into the office every day. For some, the line of work-life balance gets even more blurred than before.
The hurdles of working from home tend to amplify in our current situation when people are trying to work from home and have their children at home (instead of at school) all day too. People try to make light of the situation they’re in by posting some really funny posts on social media like the one from Jason White:
This is truly the new normal for all of us, and there’s no certainty as to how much longer this pandemic is going to force people to work from home.
Luckily for us, today we are extremely well connected via the Internet and leveraging cloud-based software solutions/Software-as-a-Service (SaaS), Virtual Private Networks (VPN), Virtual Desktops Infrastructure (VDI), etc., makes it easy for some organizations to enable their workforce to work effectively from home.
This pandemic is also the first time many of these organizations are actually executing their Business Disaster Recovery (BDR) and Business Continuity Plans (BCP). Businesses are quickly learning from the challenges since these plans are very different when they’re being documented theoretically versus when they’re being executed in a real-time crisis.
Getting Comfortable With “The New Norm”
Let’s face it, as humans since the beginning of time, we’ve always had to adapt to different challenges. This is no different. This might be the new normal for a while, until we figure out how to get this pandemic under control.
I’ve been very fortunate at various parts of my career to have the experience of working from home or starting a consulting practice from scratch in a new geographic region – where at the beginning, there’s no office to work out of.
Here are a few things that have worked well for me and allowed me to work effectively from home, and during a time of crisis like a pandemic, how not to feel isolated.
1. Create a Dedicated Space for Work
It’s important to create a separate area for you to dedicate to work. Ideally you want a space where you can close the door and seclude yourself for taking phone calls, conference calls, video conferences, or just shutting out any distractions when you need to get some work done.
This is important as you can create a virtual boundary for when you’re working and when you’re not. Force yourself to leave this space when you take breaks (whether it be to get some coffee, go for a walk, grab lunch, etc.). This allows you to mimic some of the social norms that you’d have while at the office – like taking a bathroom break, walking to the kitchen to grab a coffee or going out for lunch with your coworkers – where you end up leaving your actual workspace multiple times during the day to let your mind take a break from work.
2. Get Your Technology Set Up Properly
Ergonomics is important, but so is getting actual equipment and connectivity that will allow you to be most effective while working from home. There are plenty of resources online discussing how to set up your workspace with proper ergonomics that fit your needs. I would like to focus on the technology side of things, where certain equipment can make your life significantly less stressful when working from home.
First, invest in a strong and reliable Internet connection. High speed Internet has become really affordable, and most organizations that require their workforce to work from home will usually subsidize some (if not all) of your Internet bill. I recommend getting a reliable and fast connection – this will pay dividends in the long run as you have more and more video conference calls and can start using your VOIP setup if your organization has one.
Second, for making phone calls, if I’m at my desk, I typically use my VOIP setup that NetSPI provides all their employees through Microsoft Teams. I have a dedicated work number where people can reach me, and I use it to make calls from my desk (and even sometimes from my smartphone if I’m somewhere with a spotty cell network but I have a strong Wi-Fi connection).
Third, make sure you get a big monitor/display if you can. You’re going to be hunkered down in a small space working, forcing yourself to work on a small laptop screen ends up being very stressful, especially today when all of us are multi-tasking, having an extra monitor is extremely helpful in reducing the amount of back-and-forth between applications. If an extra monitor isn’t viable, for Mac users, you may be able to use your iPad as an extra screen with Sidecar and have an application or window that you use most regularly on there. This will make it so you don’t have to constantly be switching windows. If you cannot have a multiple screen setup, you can still leverage your operating systems features like “Spaces” on a Mac or “Virtual Desktops” on a Windows machine to have multiple screens set up for different purposes (e.g. one screen for things you’re actively working on and a second screen for all communications, like Instant Messaging and email).
Here’s a view of my work-setup at home:
Screens and their usage from left to right:
- I use my iPad Pro as an extra screen with Sidecar to always have my email on display. I like using a stand (Lamicall tablet stand) for the iPad to help raise it a little closer to the height of the other screens.
- The main monitor (Dell U3818DW) I use for things I’m actively working on – usually things like document creation, web browsing, news feeds, taking notes, etc. – this is basically my active workspace.
- My MacBook Pro is on a stand to bring it to an eye-level height for me, and I am usually running my virtual machines to perform scanning work, or security testing as I research new things and try to learn and keep up with new technologies as they evolve in the security space.
You’ll also notice that I have a gel-pad for my wrist that spans my keyboard and my mouse. This is because I did in the past start experiencing aches in my wrists and was worried about getting Carpal Tunnel Syndrome – this has helped tremendously to relieve a lot of stress in my hands and shoulders as well.
I also invested in getting myself a nice webcam (Logitech C920S HD Pro), with a privacy shutter. Currently I work remotely from home – even outside of Covid-19 – so I try to make sure that on all conference calls I have my video turned on. I find that it encourages others to turn on their video too making the virtual meetings feel more intimate and also makes you feel more connected with others on your team. Make sure to try and place the camera close to eye-level and at an angle where it’s facing you directly, if possible. Here are some tips on how to kick your video conferencing game up a notch and look more professional during your video calls. As we get more connected globally, and business today happens across all borders and oceans, video conferencing is going to start being more and more prominent. It’s time we start mastering video conferencing.
Here are some home-office setups from some of our other NetSPI colleagues:
3. Embrace Your New “Co-Workers”
All of a sudden, you’re co-habituating and working with some “creatures” that you would normally be away from while at the office. This may be your children, parents, significant other, cat, dog, duck, gecko, etc.
You need to accept that you’ll be “co-working” together and potentially sharing and intruding on each other’s space from time to time. The sooner you accept it, the less friction you’ll have, and you can plan to share the space peacefully. Be grateful for the extra time that you might have with your family, children or your pets – they are definitely excited to have more time with you.
With family members, make sure you have some way to signal them if you’re in the middle of working on something or if on a conference call and need to avoid distractions. For me, when the door to my home office is closed, my pets and my family members know not to bother me. When the door is open, they are welcome to share space as long as they’re not being overbearing or too distracting.
Pets can also be very therapeutic, especially at a time when you’re physical distancing from everyone and may start feeling isolated. Accept them into your space. Let them sleep at your feet (or on your lap for that lap dog or lap cat). Pet them from time to time and let them know that you appreciate the way they naturally relieve your stress and give you a sense of companionship and support that all humans crave.
At NetSPI we have created a Slack channel called #pets_of_netspi where we all share pictures and videos of our new fuzzy (and some non-fuzzy) “co-workers” that help us get through our day. Here’s just a preview of some of our #pets_of_netspi rockstars:
4. Virtual Lunch and Coffee Video Conferences
Just like you don’t always talk to your coworkers in the office about work, you need to continue harboring both a professional and personal relationship with your colleagues. We discussed how video conferences have become more prominent – not only that, but Microsoft is making Teams available for everyone to help in the face of the Covid-19 pandemic. With technical solutions being at our disposal today, take advantage of this, and schedule virtual lunch meetings or coffee meetings with colleagues. Take a break from work and discuss non-work related topics like you normally would during lunch or coffee.
5. Maintain a Routine
Even though none of your colleagues or boss would know if you didn’t brush your teeth, stay in your pajamas all day, or even shower for days, it doesn’t mean you should start getting lazy about your regular day to day activities. Make sure you still maintain a regular routine. Things like going to bed and waking up at a consistent time, making your bed, making yourself a healthy breakfast, taking your dog for a morning walk, exercising, meditating, etc. are all important factors that will make you more effective at your work.
Taking some breaks and setting aside some personal time is always healthy. Pick up meditation or take a quick walk around the neighborhood, text or call your loved ones and check in on how they are doing in this moment of crisis.
Another thing you may want to consider is picking up a new skill or hobby. Now that you have all that extra time from not commuting back and forth from the office, you have no excuse. Always wanted to be able to pick up a guitar and play some sick tunes? Well, now is your chance to start learning and practicing. Want to complete your New Years’ resolution of losing those 15 extra pounds you gained over the holidays? Well, maybe now it’s time to start some workout programs that you can do at home. Maybe you always wanted to better yourself with more education? I’ve actually been spending time taking some free Ivy League courses online on topics that I’ve always been interested in delving into deeper.
6. Organize Virtual Social Events with Your Company or Team
Little things can make a big difference in a team’s morale and also help build camaraderie and a sense of togetherness. Organizing a virtual happy hour or just a video conference call to check-in with everyone and hang out helps reduce the feeling of isolation that everyone is facing from physical distancing.
Last Friday evening right at the end of business hours, we organized a virtual video happy hour event at NetSPI. It was wonderful to see everyone join in, with their favorite beverages in hand, and enthusiasm to see and connect with rest of the team. Some did the video conference from their deck in their backyard, some took it from their home office setup, and one even joined from their kid’s bedroom where he was assembling furniture for his kids. The most amount of excitement actually came when pet owners started showing off their pets to each other, and the pets got to greet their new friends during the video conference. There were various topics that were discussed (completely non-work related) as everyone was facing similar circumstances. People even shared ideas they had for activities they were going to attempt over the weekend while trying to practice social distancing.
7. Over-Communicate
You’re not going to get the opportunity to run into your boss or coworker in the hallway and mention all the cool things you’re working on or the amazing meeting you had with a client or the really amazing discovery you made while doing an assessment – so make sure you’re over communicating and keeping everyone looped in. Send regular status updates to your managers and your teams. As a manager make sure you communicate regularly with your team members to make sure they’re all on track and try to understand if they’re facing any challenges early and try to help sooner rather than later. Keeping your team and your management updated regularly is key to making sure everyone’s on the same page. If you have customers that you interface with regularly, at times like this, the need for regular communication with customers is even more important since your business probably depends heavily on the customers’ current state of business.
Putting It All Together
Remember, you’re not in this situation alone. This working from home situation is turning out to be the new normal. Create a separate workspace dedicated for working. Make sure you get the right technology or accessories to be efficient and effective at your job. Embrace the fact that you’re going to be sharing space and spending more time with your family and pets at home while you’re working. Maintain a routine and stay active both mentally and physically. Set aside time for virtual social activities over video conference. Lastly, make sure you over-communicate and keep everyone looped in on necessary updates.
Hopefully you find these tips helpful as you try to adjust and get acclimated to working from home. If you have comments or other tips that have worked well for you, we would love to hear from you. Share them with us via Twitter by tweeting to @NetSPI with #WorkFromHome.
Recent Posts
Linux Hacking Case Studies Part 5: Building a Vulnerable Linux Server
Recent Posts
Linux Hacking Case Studies Part 4: Sudo Horror Stories
Recent Posts
Keeping Your Organization Secure While Sending Your Employees to Work from Home
Enabling Employees to Work from Home
All of a sudden, the world is facing a pandemic, and you are asking all your team members to work from home. Have you really considered all the security implications of moving to a remote workforce model? Chances are you and others are more focused on just making sure people can work effectively and are less focused on security. But at times of crisis – hackers are known to increase their efforts to take advantage of any weak links they can find in an organization’s infrastructure.
I travel significantly for work and have always been fortunate to have a good setup to be able to effectively work from anywhere with a reliable Internet connection. Not everyone is this fortunate, nor do many people have the experience of working remotely until now.
Managing Host-Based Security
Host-based security represents a large attack surface that is rapidly evolving as employees continue to become more mobile. Let’s discuss some key things organizations need to keep in mind as they migrate their teams to be effective while working from home.
1. Education/Employee Training
Before we start talking about technical controls that are important to consider, it’s necessary to start with the people factor. All the technical controls can easily be rendered useless if your team members are not properly trained on security. People need to be trained on how to securely access and manage the organization’s IT assets. With a rise in phishing attacks, it’s important that training not only cover secure ways to access different systems, but also how to avoid potential scams. Education is paramount in making sure that the organization is safe, and people in the organization are not making decisions that can have adverse effects from a security and privacy perspective.
2. Workstation Image Security
Most organizations deploy laptops using a standard set of system images and configurations. The problem with using standard images and configurations is that it becomes challenging to secure a workstation in the event that the laptop is lost, stolen, and/or compromised by a threat actor.
Here are some things to consider while trying to secure laptops and mobile devices:
- Ensure all workstation images are configured based on a secure baseline.
- Make sure the secure baselines are managed and updated based on business needs.
- Track critical operating system and application patches, and ensure that they are applied.
- Review application and management scripts for vulnerabilities and common attack patterns.
- Enable full-disk encryption.
- Perform regular security testing for each workstation image – typically organizations have multiple images that are in use – e.g. Windows 7, Windows 10, MacOS, etc.
3. Virtual Desktop Infrastructure (VDI) Security
Many organizations are moving away from physical laptops and are having their employees access applications and desktops through solutions leveraging VDIs. A common solution that is used widely is provided by Citrix. This allows employees to connect to an organization’s systems by remotely connecting to a virtual desktop server (from their personal computer or mobile device like a tablet or a smartphone) working directly from where the virtual desktop is hosted.
The following are some things that are important to consider in this type of a scenario:
- Enforce multi-factor authentication (MFA) for all VDI portals and VPN access.
- Ensure that the VDI is configured so that users cannot exfiltrate data through shared drives, the clipboard, email, websites, printer access, or any other common egress point.
- Proper access control so users cannot easily pivot to critical internal resources like databases, application servers and domain controllers.
- Lock down applications to prevent unauthorized access to the operating system resources and ensure that they have the least amount of privileges enabled to function properly.
4. Windows and Linux Sever Security
Unlike laptops/workstations and VDI portals which are directly exposed to the Internet, once an attacker can pivot into the environment, they usually find it trivial to identify Windows and Linux servers on the network to target. Server Operating Systems need to be configured, reviewed and hardened to reduce the attack surface. Vulnerability scanning by itself is usually not enough since it won’t expose vulnerabilities that could be used by authenticated attackers.
5. z/OS Mainframe Security
Windows and Linux servers are typically deployed using standard images, but z/OS mainframe tend to be more unique. In most environments, the mainframe configurations are not centrally managed as effectively as their Windows and Linux counterparts, which is why there are many inconsistencies in how mainframes are configured, leading to vulnerabilities that are often accessible to domain users.
It’s important to consider the following:
- Check for missing critical application and operating system patches on a regular cadence.
- Centrally manage and implement z/OS mainframe configurations based on a secure baseline.
- Check if Active Directory domain users can log into z/OS mainframe applications or have direct access through SSH or other protocols.
- Periodically perform penetration testing and security reviews of your deployed z/OS mainframes.
Recent Posts
Linux Hacking Case Studies Part 3: phpMyAdmin
Recent Posts
Linux Hacking Case Studies Part 2: NFS
Recent Posts
Staying Safe Online During the COVID-19 Pandemic
Similarities Between Computer Viruses and Medical Viruses
There’s a reason why a computer virus is called a “virus” – they have many similarities with medical viruses (like COVID-19) that have a severe impact on your personal health. Just like Coronavirus can hide its symptoms and be contagious for long periods of time before causing any visible damage, a computer virus operates no different.
With how interconnected we are in today’s digital world, a computer virus (a “wormable” remote code execution vulnerability like EternalDarkness that affects Microsoft Server Message Block SMBv3) can start infecting and spreading in a matter of minutes. Typically, these types of virally distributing malware can also keep symptoms hidden, like a real virus, until the exploit payload is executed causing damage to computer systems.
Plenty of Phish in the Sea – Hackers Taking Advantage at a Time of Fear and Uncertainty
It seems like during any time of a disaster, phishing emails increase as well. Hackers take advantage of the human element, especially at a time of fear and uncertainty – like during the major pandemic that we are currently facing. Naturally, due to people’s fears and the seriousness of the pandemic, people are actively seeking as much information as they can to keep themselves, their families, and their loved ones safe. Preying on the human element, hackers are actively sending various types of phishing emails related to the Coronavirus. The volume of these phishing emails have reportedly increased significantly over the last couple of weeks. Some of the most common examples of these phishing emails are fake emails:
- From a doctor with attachments that claim to have certain steps to avoid Coronavirus and encourages the recipient to share the attachment with family and friends.
- From business partners with attachments that supposedly contain FAQs regarding the Coronavirus.
- From company management, a link to a meeting recording discussing Coronavirus and how it’s being handled by the organization – with a malicious link embedded in the email instead of a recording.
- From a fake employee claiming that an employee in the company has contracted the Coronavirus and attached is an advisory that all employees are encouraged to read.
- From an organization that is giving away free equipment and protective gear (like masks) and needs the recipient to click on a link to confirm the delivery address.
- From HR talking about how they are giving extra money to their employees available only during the next few hours.
- From the IT service desk asking employees to follow a link and take a survey.
- From the CDC with a malicious link about new confirmed cases in the recipient’s city.
An Ounce of Prevention Goes a Long Way
Taking a little bit of precaution, especially when it comes to getting infected by malware or having your personal data stolen, goes a long way. The headache and hassle of having to deal with a personal data breach or ransomware attack can easily be avoided, if people are vigilant and well informed about determining whether an email is a phishing email or not.
Common Symptoms of a Phishing Email
1. Requesting Private and Personal Information
Just like you don’t expect the prince of some African country to need your banking information to help them move money around, if you’re receiving an email about a pandemic or issue related to a topic focused on the public health, there’s absolutely no reason why they would need to ask you to click on a link to log in with your user credentials or personal details. Just by using some common sense, you should be able to determine that there’s something very phishy about that email. This should be a clear sign that the email is malicious.
2. Unnecessary Sense of Urgency or Fear Mongering
When it comes to sharing information about a pandemic or any crisis, any given agency or legitimate source of information would most likely use language that’s calm and credible. The subject of the email or the body will typically not be something that sounds extra alarming. In the case that the email is actually necessary to convey an urgent message, it won’t require the recipient to click on a link or require the recipient to open an attachment to get the information. Instead a legitimate email would contain the relevant information in the email body itself.
3. Sender’s Email Address is Unfamiliar or Suspicious
Many phishing emails claim to come from organizations that work in an official capacity during the time of the crisis (e.g. World Health Organization or Center for Disease Control). Emails claiming to be from these organizations with multiple attachments or links to additional resources and information regarding the crisis at hand but coming from email addresses ending in @hotmail.com or @aol.com makes absolutely no sense. Hopefully these will be caught by your email spam filter. Unfortunately, some do slip by those filters, and it should be very clear to you that these emails are clearly phishing attempts.
4. Companies Will Usually Use Your Name to Greet You in Emails
Most companies or organizations where you might be a customer, or your doctor’s office for example, will typically have access to some basic information like your name. When they send out communications to you, they will address you with your name instead of a generic salutation like “Dear Client” or “Dear Subscriber.” There are also many cases where hackers will just avoid salutations, especially if they are sending emails offering special deals or requesting the recipient to click on links to go somewhere to potentially get something for free or win something.
5. Poor Spelling and Grammar
Criminals on the internet or fake royal family members from different continents don’t necessarily have the best education, and in many cases, the language in which they are sending out phishing emails may not be their primary language. Therefore, it’s very common that phishing emails will be riddled with spelling errors or poor grammar. Finding oddly structured sentences, weird capitalizations, or just the usage of a completely wrong word or phrase are clear signs of phishing emails.
6. Low Resolution Graphics in Emails
Cybercriminals will often copy and paste graphics for logos in emails from different parts of the Internet. An email claiming to be from the CDC with information about the Coronavirus, but the logo looks a little fuzzy, or tiny, should be a clear red flag that the email is malicious or fake – it’s a clear sign that the sender of the email doesn’t work for the organization they are claiming to be from.