08 Apr, 2020
Certain ground rules must be kept in mind while working from home during this pandemic crisis.
Trouble teaches us more than the times of peace.
The corona pandemic has taught us many things that would otherwise be lost in the daily rush of life.
One of them is safety, not only from the virus but also from the other invisible power in the virtual universe, whose presence is a serious threat to corporate and other entities alike.
Corporate employees working from home must remember and abide by certain ground rules to keep their work and company credentials out of the hands of bad actors.
Safety precautions now will pay better dividends later, when the emergency is over.
Here are a number of to-dos for employers and employees alike, as mentioned by Mr Sandeep Sengupta, Director, The Indian School of Ethical Hacking, at the online workshop on Managing Cyber Threats and Challenges of Data Confidentiality with Work from Home for STPI/Assocham on the 7th of April 2020.
- The employee must not forget that he is NOT under the office firewall's protection.
- The IT department is not there at home to bail the employee working from home out of IT system troubles.
- The employee working from home is operating a personal laptop, which is not as well equipped as the office desktop.
- Work from home can take place from any place, not always a closed confine, so data can be lost or misplaced by any means.
- Data is backed up on unencrypted external HDDs; using BitLocker or VeraCrypt is advised.
- Software developers may download the entire code base; a desktop on the cloud is advised.
- If the home Wi-Fi password has never been changed, the hacker's job becomes easy with the help of the Wireshark tool.
- If the software developer is uploading code using FTP, the password is visible to the hacker.
- Is there a full-tunnel VPN when the office admin working from home connects to the office server, or is a remote access tool like AnyDesk being used?
- What type of device is used for office work: mobile, tablet, laptop or home desktop?
- Does the company have a hardening policy to ensure minimum security settings for mobile, video conferencing, etc.?
- Are the devices patched with the latest anti-virus?
- Is the device loaded with any unapproved software? Using whitelisting is advised.
- Is the device free of any keylogger or Trojan?
- Employees should be made aware of the crisis.
- The device should not be used by anyone other than the employee to whom it is assigned.
- Email forwarding should be disabled, or at least an alarm should be set up to make you aware of it.
- Support staff should be on high alert, controlling password resets.
- Staff must be reminded that they will NOT be called for password resets.
- Two-factor authentication should be made compulsory for all remote workers, with mobiles kept on lock screens.
- In case of working on rented laptops etc., the hard disks must be wiped to ensure no residual data is left when they are returned. The DBAN tool comes in handy for that.
- Suspicious links about the coronavirus should not be clicked on.
- No official device should be used to spread rumours or infotainment on issues of national seriousness like the pandemic.
- No confidential calls or business discussions near smart speakers like Amazon's Alexa, Apple's HomePod and Google's Home.
- The microphone should be muted when not on a conference call and after the call is over. Tape can also be placed over the camera, and a mic jack with the wire cut off can be inserted into the auxiliary port to disable the built-in microphone.
- Health data of employees must be secured and purged after a certain period.
- A 3-minute auto-lock should be set on all devices.
- Meetings should not be recorded; if they are, no confidential data should be discussed.
- Bank EMI deferral and OTP scams are new risks for corporates.
- ISO 22301, the Business Continuity Management System standard, should be adopted.
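The point about email forwarding above asks for "an alarm" where forwarding cannot simply be disabled. The script below is an added example, not code from the article or from ISOEH: it scans mailbox-change audit records and raises an alert whenever a forwarding or redirect target is set, rating it high when the target is outside the company's domains or when the rule also deletes the original message. The records are constructed for this demo and only loosely modelled on the shape of Microsoft 365 unified audit log entries; the field names, the parameter names, the semicolon separator for multiple recipients and the `example.com` corporate domain are all assumptions.

```python
"""Alert on mailbox forwarding changes found in audit records.

Added example (not part of the original article). The sample records
and the field layout below are constructed and only loosely modelled
on Microsoft 365 audit log entries; treat every name as an assumption.
"""

# Assumed corporate domains; anything else is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# Audit-log parameter names that create a forward or redirect (assumed).
FORWARDING_PARAMS = {
    "ForwardingSmtpAddress", "ForwardingAddress",
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
}

# Constructed sample records: one mailbox-level forward to a personal
# address, one internal inbox rule, one external redirect that also
# deletes the original, one removal of forwarding, one unrelated event.
SAMPLE_LOG = [
    {"UserId": "alice@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:alice.backup@gmail.example"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "finance@example.com"}]},
    {"UserId": "carol@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "RedirectTo", "Value": "c.outside@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "dave@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "$null"}]},
    {"UserId": "erin@example.com", "Operation": "UserLoggedIn",
     "Parameters": []},
]


def _normalise(address):
    """Drop the 'smtp:' prefix some parameters carry and lower-case."""
    addr = address.strip()
    if addr.lower().startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.lower()


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the target's domain is not one of ours.

    A target without an '@' (e.g. a directory display name) cannot be
    resolved here, so it is treated as external to fail closed.
    """
    addr = _normalise(address)
    if "@" not in addr:
        return True
    return addr.rsplit("@", 1)[1] not in internal_domains


def find_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one alert dict per record that sets a forward/redirect."""
    alerts = []
    for rec in records:
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = []
        for name in sorted(FORWARDING_PARAMS & params.keys()):
            value = params[name]
            # "$null" / empty means forwarding was cleared, not set.
            if value in (None, "", "$null"):
                continue
            # Assumed: multiple recipients arrive semicolon-separated.
            targets.extend(t.strip() for t in value.split(";") if t.strip())
        if not targets:
            continue
        external = [t for t in targets if is_external(t, internal_domains)]
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        # External destination or forward-and-delete (a classic way to
        # hide a silent copy of the mailbox) both warrant a high rating.
        severity = "high" if external or deletes else "info"
        alerts.append({
            "user": rec.get("UserId"),
            "operation": rec.get("Operation"),
            "targets": targets,
            "external": bool(external),
            "deletes": deletes,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_forwarding(SAMPLE_LOG):
        print(f"[{alert['severity'].upper():4}] {alert['user']} "
              f"{alert['operation']} -> {', '.join(alert['targets'])}"
              f"{' (external)' if alert['external'] else ''}"
              f"{' (deletes original)' if alert['deletes'] else ''}")
```

Internal forwards are kept at "info" rather than dropped, because a rule that quietly copies a colleague's mail to another internal mailbox is still something the mailbox owner should have to acknowledge; the removal of forwarding (`$null`) is deliberately not alerted on, so the script stays quiet when the fix is applied.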
Wishing you happy working from home.
Give yourself some time while you work, relax, and wait for the ordeal to be over.
ISOEH has stood the test of time in making the world aware of ethical hacking.