
[Steve McGeown] Greetings, and welcome to Will [IN]Security Now Eat Your Homework? It’s been a few weeks now of working at home. Maybe you’ve thrived. Many people have just survived. This survival instinct, while commendable, isn’t really sustainable long term. It’s time to look inward at your home security so work at home can continue to work for you and your organization. This is a short presentation designed to give you a sense of your security posture within your home. My name is Steve McGeown; I lead all aspects of the security practice at QA Consultants. QA Consultants is a leader in quality assurance for large-scale software projects and organizations. Naturally, security has a very important role to play in overall quality assurance. Normally, we work on high-end security projects for organizations such as banking, energy, healthcare, and military projects. However, a lot of people have asked me about this work at home stuff, and I’ve had to give out a lot of advice, so I’ve put this all in a presentation format for you to use, hopefully as a service that you can take away as information, as we really have nothing to sell here.

So, let’s start off with who this is for. If this looks like you, and you’re constantly doing battle with nation-states, or handling billions of dollars of financial records, or millions of health information records, that sort of thing, this may not be the right presentation for you. You may need something like a NIST framework applied, and we can certainly help you do that; our contact information is at the end of this presentation. However, most of us are just not like that. Most of us, well, we’re just trying to get 20 people into a virtual conference room filled with buttons all over the place, and we have problem users who can’t get on, and we have software that we’re completely unfamiliar with, and we have all sorts of cloud applications like Dropbox. Am I putting something in somebody else’s Dropbox with the right permissions, so that they can read it, but also other people who go into their Dropbox can read it? What is going on with all that? And we have our infrastructure that all of a sudden now is some Wi-Fi router that we bought in 2003 on special at Best Buy, and if we have problems, well, I guess the cat is the closest thing we have to local IT around here. So, now with all of this, we have security hanging over our heads. And we’re sort of overwhelmed with all of this, and really it doesn’t have to be that overwhelming.

So, what are we dealing with here in the majority? Well, as Sun Tzu likes to say in the ancient Art of War, one must know their enemy in order to defend against their enemy. What I have here is a number of residential subscribers, most of them in green. The two in blue are two of your colleagues, employees, working at home, and the blue building is their office. And contrary to popular mythology that somehow there are these evil, mysterious masterminds in hoodies stalking you, no, the real enemy is automation. Bots will scan 365/24 looking for easy targets. Once they find easy targets, that’s where the focus will be. Once we have focus, they will attack, with possibly humans involved, in order to gain ransom from you through ransomware, or to attack your organization to steal data and otherwise gain other forms of nefarious access. They will even reach out to attack your fellow colleagues with the information that they’ve gathered. So, all in all, they can make things a pretty lousy day for work at home users. So, that’s kind of scary-sounding, right? And you’re really busy, and the IT support from your cat is sadly lacking. What to do? Well, let’s just simplify. I’m going to show you four things that I will cycle through one at a time. You do these four things and I guarantee your security posture goes up to a level that the bots simply pick on someone else.
Now, the first one that we’ll go through is quite simply: slow down. There is a lot of pressure on us to be perfect at this with virtually no training. We want our businesses to continue, and we’re afraid that if we’re not perfect that somehow they won’t, but as many of you are struggling with this, so is everybody else. So, simply put, stop trying too hard. One sure-fire way to slow down is to make sure you embrace your company IT work at home policy. In this way you will be set free from support issues, where you may be able to get some remote support once in a while for things that go wrong, as well as help you deal with potential security issues. If you don’t have a company IT work at home policy, here are some key pointers that should be in one. Don’t ever let family members use your work equipment. And do not do business on your home equipment. With your business computers, make sure you lock your screens after five minutes of idle time. Use all company equipment: standard firewall, AVS and VPN, because that will allow you to get better support even if you have your own at home. Use company-supplied backup mechanisms if available, and finally, if you’re in a BYOD situation you’ll need special care to do all of the above, but there should still be a company policy that follows for BYOD. So, in the long run, what you want to avoid is any urge to go get my other PC and fix whatever it is that doesn’t work right now, because that’s the sort of thing that lands you in all sorts of trouble, from a security point of view as well as from a support point of view, and remember, your remote IT support is likely just learning how to do all of this as well.

The same goes for your software tools. Now, we’ll have lots and lots of different conferencing tools, file-sharing tools, SaaS-based tools, etc., and you may decide that you like this one over another; however, I would encourage you to always use the company best practice, whatever the company has selected. And this helps because one of the things that you’re going to find is, when you phone these other vendors, these third-party suppliers, their support lines are overwhelmed at this point and you’re going to get absolutely no worthwhile support whatsoever.
So, it may help you that you can call someone else within the company or even get some kind of remote IT support on this stuff. The other thing is that if there are vulnerabilities in these products, and there always are, and I’ll go through that in a moment, IT can help you manage those vulnerabilities. They’ll know which ones impact all of their employees, and they’ll be able to provide assistance in how to do workarounds around them. But one of the most important things I want to point out here is that most of the security issues that you’re going to have in using any of these software tools really lie in the configuration. It’s how we use them that counts. So, one of the things: if you’re a key producer, so you do lots of conferencing, you set up the conference calls, you should really strive for a single tool to gain that kind of familiarity that you need so that you don’t misconfigure it, and that will only help you. So, one key takeaway here is that you’re the greatest vulnerability when you misconfigure things, and quite frankly you’re still the greatest vulnerability even when you don’t know; I will explain what I mean by that. So, here we have a confirmed Zoom security risk from last year, very well known, but quite frankly, if you have enough knowledge and enough support, you’ll know that you change your settings and this security risk can go away.

That doesn’t necessarily negate the fact that you can exceed whole new levels of stupid simply by going into Zoom and configuring your meeting ID to be your personal ID and then requiring absolutely no password on it, and of course there have been lots of examples of this over the last couple of weeks. We’ve had cases: this one on the right went viral, with somebody going to the bathroom and not realizing that their video camera was still on, and the one on the left was essentially Boris Johnson having a cabinet meeting, and he was very proud, so he tweeted it out, but in his screenshot he kind of included his meeting ID, which wasn’t too swift. And make no mistake, we have hacker tools out there that we can use, and we can farm all sorts of meeting IDs, and that can expose your company real quick. Well, I wanted to avoid the topic of specific platforms, largely as I feel that the issues are the same across all platforms, really. The popularity of Zoom and the large amount of media coverage that it gets over its security issues meant that a lot of people were asking me about it, so I decided to include this as an addendum to the presentation. Subsequently, what is Zoombombing? Zoombombing is when people show up on your conferences and possibly display images that you really don’t want displayed within your conference. Now, as I said in the previous slide, this is squarely on you. What it comes down to is: don’t share your meeting links insecurely, like putting them on Twitter. Don’t unclick the password requirement, and if you’re going to use Zoom, use the waiting-room feature; that way you can admit whoever you want within your meeting and know who they are. In terms of Zoom security vulnerabilities, as of April 5th Zoom’s done a pretty good job, actually, in cleaning a lot of these up. Where I would point out, even the ones that they have fixed, most of these all had reasonable workarounds, quite frankly. And in terms of Zoom privacy issues, yes, you might have heard that they allow a lot of information, such as email addresses etc., to escape; however, my particular point of view is that almost every cloud platform does this. Zoom took it to a level that was probably too much, and I think they fixed a lot of these things as of April 5th, but some still exist, and subsequently my verdict and recommendation is: if it’s configured right, it’s still pretty good to be used. If it’s configured wrong, it will be a mess. Subsequently, make sure it’s configured right, and if you really do require the utmost in privacy, then you may want to use something else. However, I would always caution you that almost every cloud platform has some degree of privacy issues, and at least these are the ones that you will know, and you’ll be able to manage that. If you have any questions on that specifically, please contact me with the contact information at the end.
And last, but not least, you know that saying, well, it’s against policy, but, you know, because you’ve got some issue going on and you can’t resolve it and you want to call somebody, and you call somebody, but there’s been some kind of breach and somebody’s figured out how to intercept your support capability, and the next thing you know you’re handing out passwords because you want to get up and going, and you’re going against the exact policy that you’re not supposed to. So, all in all, what we’re saying is just slow right down, pay attention to policy, and that will keep you a heck of a lot safer.

Next, we’re going to go into updating your infrastructure and platforms and what we need to look at there. OK, so we walk into the typical home environment, and what do we have here? Well, we have the router from 2003. We have a machine you kind of keep in pretty good shape because you like to use it for work sometimes, like email and stuff like that, or the kids use it for school or whatever. And then you have some nefarious thing that, well, it’s loaded with viruses, nobody actually updates anything on it, and God knows what’s going on with it at any given time. So, now we drop your machine in, and welcome to the new neighborhood. So, we’ve got to deal with that, because you’ve just now placed a rather pristine machine, with Microsoft Windows Update and Microsoft Windows Defender for your firewall and AVS, in a pretty insecure environment all around. So, how do we address this? So, in terms of stepwise order, first things first, we’ve got to deal with that router. So, if you haven’t upgraded your router in quite some time, chances are the firmware is very out of date, and Wi-Fi routers have had notorious problems with security in the past, so we want to make sure we upgrade that firmware first thing.

The second thing is we want to remove any default credentials to the admin access. So, a lot of the manufacturers ship their routers with admin user ID, admin password, and we want to get rid of that, because everybody knows that in the dark community. Third thing, we want to remove remote admin access. Hey, let’s face it, we’re ridden to the house (as in house-ridden); what the heck do we need to access the administrative panel on the router for in a remote mode? We just don’t. Just turn it off; there’s no reason to have it. Make sure there is a hard-to-guess SSID password. We have tools that can crack routers right wide open if you use anything even close to a word in the English language or one of the common first one thousand passwords that a lot of people often use, and you may want to actually obfuscate the SSID name. That’s the name that’s broadcast, that you look up on your phone, and you see this is the name of the router. There’s no reason to have your last name or your address there, as that just shows everybody where that device is actually associated to.

So, once we’ve done that, then we want to go to your work device. Make sure your auto-updates still work, because they may actually go back to your corporate server; some organizations like to control their own Windows Update. Make sure, if you want to have any relationship between this device and, say, a printer or another device, you update your firewall rules to only allow those devices. So, you have to think about the new threats in your new environment that’s no longer so corporate. And the third thing is, think about backups. Because you may have been in an environment where you could do a backup over the Internet, or, I’m sorry, over the corporate LAN, but here that may not be a thing that you want to be doing. So, you might have to have some other mechanism, or you might have to come up with your own because there really was none before, but running without backing up your computer is a nasty, nasty problem waiting to happen. And then finally, we might want to go to these other machines that you might want to collaborate with. Maybe we’ve already said that you shouldn’t be doing business on your home computers; however, we recognize the fact that you might have printers off print servers, you might have to go back and forth between email, you might want to do remote desktop because you’ve got this great big monster screen that you want to use. Just make sure that you now update it up to that new standard of having automatic operating system updates, firewall and AVS mandatory, if that’s what you want to do.
And as far as this thing over here on the left, yeah, we just want that thing firewalled off. Anything, colloquially speaking, non-managed? Yeah, internet only. Don’t let it touch anything that is within your home. Secondly, in terms of VPN, in terms of upgrading and changing your access, you want to make sure you install VPN clients on your work machines if you haven’t done so already. Now, there are two different types of VPNs. There’s a full tunnel mode VPN, which takes all of your traffic, no matter what it is, and sends it to terminate at corporate, which then will route it to the right place. So, if you’re watching Netflix, Netflix is actually going to go through corporate. And there’s the split tunnel mode, which only sends corporate traffic to headquarters, and all the internet traffic goes out through the normal internet access point. So, the difference being: full tunnel gives you some advantages. If corporate has any tools for detecting malicious traffic, they’ll still be in the game. If you use a lot of Microsoft Windows applications, there are going to be a lot of Microsoft Windows legacy headaches involved where you just want to tunnel everything to it, and essentially it’s like you’re pretending you’re part of the building. Whereas, on the other hand, in split tunnel mode, one of the things that it gives you is a bit more privacy. So, effectively all the connections that you go outside for, you’re going to go outside as per normal, not through corporate, and secondly, that’s going to give you, generally speaking, a better kick in performance as well. You may or may not have that as an option to select which one, and all you really want to make sure that you’re cognizant of here is that if you’re doing private stuff and you’re on this, you probably want to disconnect the VPN when you do it.
So, that brings us to the next one of the really four important points, and that is passwords. Passwords are screamingly important, probably the most important of these four things, and I’ll tell you why. So, now we’re on to the topic of passwords, and passwords are one of my favorite topics to discuss because they’re the most wonderful attack vector for automation. So, it’s really not uncommon for bad guys to set up databases of two million password attempts in terms of brute forcing against a particular system; very, very easy to do with an army of botnets. In fact, in one instance where we were being asked by a client to penetrate a system, we found out that there was no actual quality control on passwords, and people could put anything they wanted in there, like one, two, three, four, five. And it turns out that we cracked over twenty thousand subscriber accounts while only using a database of about a thousand or so passwords. So, that’s how much of a vector passwords are to penetrating systems, and why you have to take very, very special care of them, in my point of view.

There are only two acceptable means of setting passwords. One is the passphrase and the other one is the password manager. So, a passphrase is simply that: it’s a phrase, not just a word, that you can remember easily, but it can be very, very complex. So, even though I tell you that my password is "I’m glad my password is good", it is a good one. It would probably take you a thousand attempts to even be able to come up with that, so that is regarded as very, very strong by the algorithm that determines password quality. The other method is of course the password manager, which will store a bunch of passwords for each individual system that will be a cryptic set of characters that nobody could ever guess in a zillion years, and that’s all controlled by a single user ID and password to the password manager. Chrome is sort of an example of this, and essentially the difference is that the passphrase is easier for multiple devices. So, I find it much easier to remember this passphrase across my phone, across my tablet, across my computer, without that much of an effort, whereas the password manager is very good, but you have to ensure that the device itself is secure. AKA, back to that comment I made about putting screen lock on your business device even though it’s now in the home, and protecting its use.
In terms of password credential use, so, password frequency change, if you have quality passwords, it’s just really not a thing anymore. It’s not something that any of the professionals are recommending. Hopefully your IS/IT organization doesn’t use that anymore, because it just creates more problems than it’s worth, but the one point I really like to make is: never, ever, ever share and reuse home and business credentials. So, anything out here, you want to make sure has credentials that can never access in here. Because out here on the consumer side, that’s where we’re going to get the big thefts of five million sets of credentials from these consumer-grade systems, and we do not want these coming back to be able to haunt us in here. And if you have something that’s super critical that you want to really take really solid care of, you should really consider multi-factor authentication. It really is simple to use, and it supplies so much security to your risk profile. So, it’s based on the concept of something you know, basically a passphrase, which we just described, and something you have, which is basically a phone. So, the idea is this: you log in as per normal, no big deal, then the system in the backend issues a token or a number to your computer, to your phone, I’m sorry, and then you get to either put in a number or click the checkmark: is this you? And that validates that your password was actually entered by you, not just that your password was entered, and that’s very, very secure and something to be considered for, say, your VPN.

So, now I want to talk to you guys about the fourth really simple thing to do, and that’s social engineering, and in particular being aware of phishing. Now, phishing is nothing new, and it’s always been sort of scary. Actually, it’s been really scary, but in this particular instance, with all of us working at home, this is going to take on a whole new meaning in terms of scariness, largely because we’re so physically separated, working in our basements across the country, that we’ll have absolutely no idea what each other is actually doing on a given day. So, we won’t be able to detect weird patterns of when things are sent to us and what people are looking for, and the traffic in email for us to interact will increase greatly over things we would normally just talk about, and that creates a whole new attack surface, and our diligence is going to be tested. So, what is spearphishing specifically? Well, it’s not the Nigerian princess scam, right, or the FedEx scam. This is where bad guys go mine LinkedIn and other social networks and figure out, OK, well, this is this guy, and I know what he does for a living, and he works for that guy or that guy works for him, and that’s their relationship, so what is it between those two that would make sense from the concept of context? So, for instance, you know, these are two people in marketing, so the context of a marketing budget makes sense, and so then you put in the text some sort of contextual amount of information that says, hey, you should be interested in this, and then we just spoof the email addresses, which are easy to get as well, and as part of the attachment, or the payload, we insert something that can easily run executable code on your machine, and then poof, everything’s done, you’re owned, and ransomware ensues and all sorts of bad things happen. So, this is very, very difficult to actually detect and to stop in any sort of proactive way.

The other, or second scariest, phishing thing out there is the dreaded Office 365 credentials phish. So, this is an actual one, but there are dozens of variants on this from 2017, where we spoofed the Office 365 team and send you and your Office 365 account members some kind of nefarious email that looks like an official warning of your mailbox being full. So, this account is almost full, and if you want to prevent your incoming and outgoing mail from getting errors, which in this world order that we’re in would be very, very bad, click here and we’ll add another ten gigs for free. And a lot of people click on this. This particular one actually has the URL; most of them have the URL hidden by some text, with the URL as a link on that text, so when you click on that, what happens is you get, of course, a wonderful Office 365 sign-in portal, except that it’s not actually Office 365.
It’s some website on some nefarious server someplace, and you’re going to enter your credentials in here, and if they did it really well, they’re going to then take your credentials and send them to Office 365 and then actually sign you in, so to you everything looks as per normal, but they’ve managed to get your user ID and password, and they can then rifle through your email looking for contacts, looking for passwords, looking for all sorts of crazy things that bring risk, massive amounts of risk, to your personal life and to your company. So, how do you stop this stuff, right? Well, really there’s just one golden rule. I’ve heard people say, well, here’s how you spot phishing emails. No, don’t even fool around with this. Don’t click on even a known URL in a link, in an email, ever. Don’t click on any links in emails. There’s just no point. If the email is from a reputable source, use your browser and just directly navigate to the content that the email points to; that’s all. If it’s some kind of internal link to file stores, etc., like that sort of stuff, at least it’s very hard for the nefarious actor to simulate what that internal link is going to look like, so you can be a little bit more confident in it, but I might just copy and paste that link into an incognito or a private mobile browser anyway. Be vigilant about this, so if you paste and click that link and it goes to some crazy place that you’ve never seen before, quit the browser, and then, because it’s in private or incognito mode, all the cookies will not be kept, and we won’t have any history of the URL whatsoever, and we’ll likely be OK as long as we didn’t follow through on anything that it was asking us to do. And if it seems fishy at all, don’t click; just close the window. It’s just not worth it.

Secondly, know your organization’s password change policies. So, if an email is asking you to do something weird that you’ve never done before, you know, like right now, with this work at home regimen we’re all under, do you think it makes sense to do a global password change? No, probably not. Does it seem like this is the normal password change process that your organization uses on a regular basis? If no, well then, probably not. If you suspect anything, call the IT organization. They might be remote, but you should be able to call them and ask them, hey, what’s going on? Is this normal? Should I be doing this? Believe me, they will be thrilled that you called, rather than the subsequent call of trying to tell them, look, I think I’ve been hacked, I know you’re remote, but we’ve got to do something to wipe my machine, and I’m completely off the air here. So don’t be shy about calling and asking for help if you think something is out of order.

Now, if we have suspicions, verify those suspicions out of hand. So, this actually happens all the time: the nefarious actor spoofs an email and sends it to Sally here: hey, I really need that budget report, Sally, and that seems like a normal thing. Except Sally goes, yeah, that seems a little weird, because, Bob, you know, I sent it in a month ago, and Bob goes, well, geez, I can’t find it, please update again. So, you’ve accomplished two things, right? You’ve ensured to the hacker that, in fact, this spoof actually worked, and he can try again until he gets to where he needs to go on you. He can work you over, essentially, and secondly, you’ve just validated that your email exists and you’re a worthwhile and easy target. Whereas, if you would have just picked up the phone and texted Bob and said, hey, you know, I got this totally weird email from you about budget stuff. Didn’t we do that last month? And Bob goes, hey, I have no idea what you’re talking about, Sally. I haven’t emailed you today at all. And then you know that this was basically an attack vector. Last, but not least, beyond the four issues, the four keys that I mentioned, if you do detect anything, make sure you know in advance who to contact for security incident reporting. Somebody responsible for IT security, remote or not, needs to know that you’ve been penetrated, or somebody’s tried to penetrate you, because we need to protect not just you but your colleagues from similar attacks, and of course the reason they’re going after you and your colleagues is to get at company assets in the first place.
So, it’s important for them to know, so that they can be aware that this is an attack vector that’s ongoing against their organization. So, finally, the work at home summary. Well, the bad news is that I’m really only scratching the surface in the time allotted here that I can give you. There are more detailed security risk postures that we can address with frameworks such as NIST 800-46. Quite frankly, we’re happy to help if you require such a thing. We have contact information at the end. The good news is that most attacks are actually automated against residential subscribers, and they’re relatively unsophisticated. So, when people get penetrated, it’s because they really didn’t deal with these four things all that well. So, if we do deal with these things very well, we should address the 80/20 rule very, very simply. You’ll have big gains in your home security posture and your confidence, and there’ll be huge benefits for your companies if you all do this as well. So, just a total win-win for really not that much work. So, last but not least, if you have questions, comments, concerns, if you were looking for a checklist for higher complexity environments, by all means please register at our website and that information will get back to me. Or, you can send me an email directly and I’ll be happy to respond, but I hope you’ve got some benefits out of this, and I hope you all stay safe out there. Thank you very much.
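The password section above describes an engagement where a dictionary of roughly a thousand common passwords cracked tens of thousands of accounts on a system with no password quality control, and warns never to reuse home and business credentials. The following is an added example (not from the presentation or QA Consultants) that shows both halves of that in code: an offline dictionary attack against a stolen hash store, the same cracked passwords replayed against a second store to find reuse, and the quality gate the consumer site lacked. The account data, the tiny wordlist and the salted SHA-256 hashing are all constructed for illustration; a real target would use whatever hash it uses and a real list such as rockyou.txt, but the logic is the same.

```python
"""Offline dictionary attack, credential-reuse check and password-quality gate.
Added example with constructed data; nothing here is a real account or list."""
import hashlib
import secrets

# Stand-in for the "first one thousand" common-password list (constructed,
# deliberately tiny; a real run would load a full list such as rockyou.txt).
COMMON_PASSWORDS = [
    "123456", "password", "12345", "qwerty", "letmein", "Password1",
    "welcome", "iloveyou", "admin", "12345678", "football", "monkey",
]

# Two hypothetical credential stores: a consumer-grade site with no password
# quality control, and the corporate store we are trying to protect.
CONSUMER_ACCOUNTS = {
    "alice": "123456",
    "bob": "Password1",
    "carol": "I'm glad my password is good",   # passphrase
    "dave": "qwerty",
    "erin": "k7#Rq2!vZp9&LmX4",                 # password-manager output
}
CORPORATE_ACCOUNTS = {
    "alice": "123456",                          # reused from the consumer site
    "bob": "Tb4$wUn8@zQe1!Ko",
    "carol": "I'm glad my password is good",    # same passphrase both places
    "dave": "m9Q!xC2#rT7&hV5w",
}


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, standing in for whatever the target system uses.
    Salting does not stop this attack; it only prevents precomputed tables.
    Any password present in the wordlist still falls."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(accounts: dict) -> dict:
    """Turn plaintext accounts into what an attacker actually steals:
    user -> (salt, digest). Salts are random, so digests differ per run."""
    store = {}
    for user, password in accounts.items():
        salt = secrets.token_bytes(8)
        store[user] = (salt, hash_password(password, salt))
    return store


def dictionary_attack(store: dict, wordlist) -> dict:
    """Try every wordlist entry against every account; return user -> password
    for the accounts that fell. Each account costs at most len(wordlist)
    hashes, which is why a small list is enough to crack many accounts on a
    system that never rejected weak passwords."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            if hash_password(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked


def credential_stuffing(cracked: dict, other_store: dict) -> list:
    """Replay passwords cracked from one site against another store; returns
    the users whose reused password also unlocks the second system."""
    hits = []
    for user, password in cracked.items():
        if user in other_store:
            salt, digest = other_store[user]
            if hash_password(password, salt) == digest:
                hits.append(user)
    return hits


def is_weak(candidate: str, wordlist=COMMON_PASSWORDS, min_len: int = 12) -> bool:
    """The quality gate the consumer site lacked: reject short passwords and
    anything that is a common password with trailing digits or punctuation
    bolted on (so 'Welcome2024!' is caught by the 'welcome' entry)."""
    if len(candidate) < min_len:
        return True
    lowered = {w.lower() for w in wordlist}
    base = candidate.lower().rstrip("0123456789!@#$%^&*.?")
    return candidate.lower() in lowered or base in lowered


if __name__ == "__main__":
    consumer = make_store(CONSUMER_ACCOUNTS)
    corporate = make_store(CORPORATE_ACCOUNTS)
    fell = dictionary_attack(consumer, COMMON_PASSWORDS)
    print("cracked on consumer site:", fell)
    print("also open corporate accounts:", credential_stuffing(fell, corporate))
    for pw in ("Password1!", "Welcome2024!", "I'm glad my password is good"):
        print(repr(pw), "weak" if is_weak(pw) else "ok")
```

Run it and three consumer accounts fall to the wordlist; carol's passphrase and erin's manager-generated password survive, and the reuse check shows that alice's cracked consumer password opens her corporate account too, which is exactly the "home credentials coming back to haunt us" case the talk warns about.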

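The Office 365 quota phish described above works because the visible link text says one thing while the href behind it goes somewhere else, and the fake sign-in portal lives on a host the organization does not own. The following is an added example (not from the presentation) of the check a mail filter or a cautious reader's script can apply before anyone clicks: it pulls every link out of an HTML email body and flags the mismatched link text, non-HTTPS links, hosts outside a trusted-domain list and brand names stuffed into look-alike hostnames. The trusted-domain list, the brand keyword list and the email body are all constructed/hypothetical for this example.

```python
"""Flag the link tricks a credential phish relies on. Added example with a
constructed email body; TRUSTED_DOMAINS and BRAND_KEYWORDS are hypothetical."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the organization's own domain plus the vendor
# domains its mail service legitimately signs in through.
TRUSTED_DOMAINS = ("example.com", "microsoftonline.com", "office.com")

# Brand strings that have no business appearing in a host outside TRUSTED_DOMAINS.
BRAND_KEYWORDS = ("office365", "office-365", "o365", "microsoft", "outlook")

# A hostname (or URL) as a reader would see it inside the link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

# Constructed mailbox-quota phish plus one legitimate internal link.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. To prevent incoming and outgoing mail
errors, sign in at
<a href="http://login-office365-verify.example.net/signin">https://login.microsoftonline.com</a>
or <a href="http://mail-quota.example.net/upgrade">click here</a> to add 10 GB for free.</p>
<p>Unrelated: the Q1 report is on the
<a href="https://intranet.example.com/reports/q1.xlsx">intranet</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match or subdomain of a trusted domain. A suffix check alone
    would accept 'microsoftonline.com.evil.example', so anchor on the dot."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def host_shown_in_text(text: str):
    """Return the hostname a reader would believe they are clicking, if the
    link text itself looks like a URL or hostname; None otherwise."""
    m = _HOST_IN_TEXT.search(text.lower())
    return m.group(1) if m else None


def inspect_links(html: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if not host_is_trusted(host, trusted):
            reasons.append("host not in trusted list")
            if any(k in host for k in BRAND_KEYWORDS):
                reasons.append("brand name in untrusted host")
        shown = host_shown_in_text(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed email the two phishing links are reported and the intranet link passes. The "text shows X but link goes to Y" reason is the one worth surfacing to users, since it is precisely the hidden-URL trick the talk describes; the trusted-domain check is the one that also catches links whose text is just "click here".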