Digital security at home: A practical guide

Nowadays, security is a top priority. Now that working from a remote location has become predominant, performing our job alone and collaborating effectively with colleagues remotely are competences that we all had to learn or master quickly. The result, however, is positive: we now connect, interact and get the job done no matter where we are.

Although businesses enforce robust technological defenses, we should be aware that cybercriminals are constantly looking to find a door left open for them to pull scams off and steal sensitive data. We should take proper care to secure our wireless home networks and devices. 

What follows is a set of best practices that have been confirmed to be adequate to maintain our digital security at home and protect our personal assets and data. Often, working from home feels more casual, but security measures cannot be relaxed. The more we incorporate devices like mobiles, tablets, and webcams into our home networks, the more we need to ensure that everyone safeguards them.

Each and every one of us should be vigilant about personal assets and data. No matter where we work – at home, or at the office – here’s what we need to do:

  • Use secure Wi-Fi and make sure that you are connected to the virtual private network (VPN) of the business.
  • Don’t write down or share passwords or credentials.
  • Double-check email addresses and attachments to avoid sharing confidential information with any unintended recipients.
  • Promptly install all firm-provided software updates.

Home-based work is here to stay. Keep yourself and your family secure while working from home. This handy guide offers the tips you want to know.

 
Shut the door! It’s all about minimising risks.

As we already mentioned, there are several steps to follow in order to work in a secure environment. We already provided the baseline in the introduction. In this section, we will go deeper into several topics.

1. Create strong unique passwords

Creating strong unique passwords is of critical importance. Attackers use software which can break weak passwords in a few seconds! Once attackers have a password, they will attempt to use simple variations of it to access other accounts and devices which belong to you.


1) Always choose passwords that are at least eight characters long made up of upper and lower-case letters, symbols and digits.
2) Always choose a password that is not recognisable as a dictionary word, even with ‘clever’ substitutions. For example, Pa55w0rd is a poor password. We recommend tying three random words together with symbols and digits between them, e.g. Gold#Shard88Vegas is a good password.
3) Always choose the strongest authentication option available to you. If multi-factor authentication is available, then go for it!
4) Always look for and change the default password of devices and gadgets you buy. For example, security cameras, broadband routers, wireless devices, baby monitors, firewalls, games consoles, etc.
5) Never reuse passwords for different devices and accounts. If one of your accounts is compromised, then all of them would be compromised.
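
The tips above can be turned into an automated check. The following Python sketch is an added example, not part of the original guide; the word list is a small constructed sample and the function names are illustrative assumptions.

```python
import re

# Constructed sample word list (assumption); a real check would load a full
# dictionary and a list of known-breached passwords.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}

# Common 'clever' substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def unmasked_forms(password):
    """Return the letter-only forms an attacker's tool would also try."""
    lowered = password.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)  # drop a trailing "1!" or "88"
    return {re.sub(r"[^a-z]", "", form.translate(LEET))
            for form in (lowered, trimmed)}


def check_password(password, used_elsewhere=()):
    """Return a list of problems; an empty list means the tips are satisfied."""
    problems = []
    # Tip 1: at least eight characters, mixing all four character classes.
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "upper-case letter": r"[A-Z]",
        "lower-case letter": r"[a-z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append("no " + name)
    # Tip 2: a single dictionary word stays recognisable after substitutions.
    if unmasked_forms(password) & COMMON_WORDS:
        problems.append("dictionary word with substitutions")
    # Tip 5: never reuse a password across accounts or devices.
    if password in used_elsewhere:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ("Pa55w0rd", "Gold#Shard88Vegas"):
        print(candidate, check_password(candidate) or "ok")
```
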

 
2. Install updates, security patches, firewalls and anti-malware.

This represents essential digital security hygiene that all of us need to do. 

Attackers exploit vulnerabilities in devices and software to gain access to them and take them over. Firewalls and anti-malware software, which attempt to stop attackers before they can exploit vulnerabilities, need to be up to date and configured correctly.


1) Always run the latest version of software and firmware available, once you get the “go” from the business’ IT security team.
2) Always install recommended security patches as soon as available. Ensure though that these security patches are from expected and legitimate sources before allowing them to run.
3) Pay particular attention to your operating system and the browsers you use, as these are especially vulnerable to attackers.
4) Always run anti-malware software and ensure it is up to date with the latest signatures. If new signatures can be pushed to your machine as soon as they are available, choose this option; otherwise, set the update schedule to be as often as possible.
5) Always configure firewalls to protect your devices and networks by default so that you have to explicitly allow the traffic you want.
6) Never assume that a device is fully protected because it has a firewall in front of it. It is safer to have multiple layers of security, therefore, treat all devices as if they were connected to the Internet directly, and keep them up to date and patched with strong unique passwords.
7) Configure your wireless network with secure authentication and encryption protocols. WPA2 is a good choice but you should take advice from your internet service provider and always choose the strongest option. You shouldn’t use WEP and WPA protocols.

 
3. Be suspicious and careful when clicking links, running software or giving away information

Regardless of how well you follow the guidelines we have just suggested, you can undermine your efforts if you make the wrong choices. 

Attackers use social engineering tricks to try to persuade you that they are genuine, whether over landlines, cellphones, emails, or on the web.

They aim to extract passwords or sensitive information from you which, in turn, will be used to gain access to your accounts. They could also try to persuade you to run software or to click on links which will enable them to install malicious software on your systems to, for example, access your bank accounts and medical records.

Be suspicious! 


1) Never enter your username and password into a web page unless it is encrypted with https (the ‘s’ is the important part, and there should also be a closed padlock image next to the web site address) and the address shows the domain you expect and not a close variant of it.
2) Be especially careful of links in emails and only click on them after you have assessed whether they take you where you expect them to. Here is a precautionary tip: hover the mouse cursor over the link and read the URL in the bottom left corner of the web browser.
Similarly, be very suspicious and careful with email attachments. Even if they seem to be from someone you know, it may be that the sender’s system has been compromised. Always verify they are legitimate before clicking on them.
3) Never ignore warnings provided by your browser about insecure sites and certificates which are invalid. The site may have been compromised and could try to install malicious software onto your machine.
4) Do not share usernames, passwords or PINs with anyone. Attackers pretend to be from banks’ fraud departments or IT help-desks and may directly ask for sensitive information. A legitimate person will never ask you for your password over the phone or in an email.
5) Think carefully before posting pictures and personal information on social media and other sites as this information could become publicly available on the Internet beyond your control from that moment onwards.
6) Only install software when you are absolutely sure it is from a legitimate source. Most free software on the Internet contains unwanted components which are harmful and difficult to remove. Seemingly innocuous and helpful free software like games, screensavers and security software can be hiding malicious threats such as ransomware and keystroke loggers.
7) Be especially careful if visiting Internet sites with adult-themed content, gambling, etc., as they are more likely to contain malicious software.
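
Tips 1 and 2 amount to reading the address a link really points to and comparing it with the domain you expect. The Python sketch below is an added example, not part of the original guide; the domains are constructed placeholders on reserved test names, and the look-alike test is a simple heuristic chosen for illustration.

```python
from urllib.parse import urlsplit


def link_problems(url, expected_domain):
    """Return reasons not to trust `url` as a link to `expected_domain`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        # Text before '@' is login data, not the site: https://bank@other.test
        problems.append("address hides the real host after '@'")
    # The expected domain itself, or a subdomain of it, is fine.
    if host == expected or host.endswith("." + expected):
        return problems
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalised look-alike characters in domain")
    # Heuristic (assumption): the expected name embedded in another domain.
    if expected in host or expected.split(".")[0] in host:
        problems.append("close variant of expected domain")
    else:
        problems.append("different domain")
    return problems


if __name__ == "__main__":
    # Constructed sample links, using reserved .example and .test names.
    samples = [
        "https://www.mybank.example/login",
        "http://mybank.example/login",
        "https://mybank.example.account-check.test/login",
        "https://mybank.example@other.test/",
    ]
    for link in samples:
        print(link, link_problems(link, "mybank.example") or "ok")
```
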

 
4. Spot security issues and know how to respond and recover

Being a victim of some security incidents is not always immediately apparent. 

While ransomware encrypts all data indiscriminately rendering it unusable, other malicious software may be operating silently in the background, collecting private information (including passwords) and sending them to the attacker or streaming your webcam and microphone to the attacker’s server. 

1) Your system may have been compromised if you experience one or more of the following situations:
– System is slower than normal;
– There are additional pop-up windows or dialog boxes which may appear and disappear quickly;
– Your camera light is on when you are not specifically using it;
– Files are missing;
– Your mouse cursor moves by itself;
– There are new icons on the desktop;
– The search engine has changed;
– The home page is different;
– Your web browser has new toolbars.

2) If you suspect your system is compromised, then isolate it from your network (to prevent any malware from spreading in your network) and other devices, and seek professional advice and help.

3) Ensure you back up your data on a regular basis and know how to restore it in the event of an incident. Backups should be stored in such a way that they cannot be compromised when the system they are backing up is compromised.

For example, a USB connected drive which the backup software uses for backups would be found by ransomware software and encrypted too. Consider cloud services for offsite backup as well.

4) It’s also critical to be suspicious of where your products are made. Whether it’s siphoning text messages, gathering information from wearables or IoT devices, or obtaining call records, there’s a serious risk.

5) Some useful recommendations

– Place the router and/or access point safely. Also, to minimise leakage, place devices near the central parts of the house rather than near windows.
Wireless signals typically extend beyond the barriers of a house. It is easier for others to detect and exploit wireless signals the farther out they reach. The position of the router or access point determines the signal’s extension.

– Turn off your wireless network during extended periods of non-use (e.g. vacation, business trips, etc.)

 
Examples of digital security threats and personal consequences
1. Ransomware and cyber-extortion

The term ‘Ransomware’ refers to a family of malicious software (malware), used by cyber-criminals to extort money from victims. It can work like this: 

  1. A user ends up with the malicious ransomware software running on their system. They may have opened an infected email attachment, visited a website which exploited a vulnerability in their browser and delivered the malware to them, or downloaded and run a free game which actually was a Trojan with the malware hidden inside it.

  2. This malware uses state-of-the-art encryption to silently encrypt all files it has access to. This will comprise all drives that are physically connected to the local system, such as USB connected thumb drives, as well as those files that are accessible on shares across the network.

  3. Once all files are encrypted, the ransomware will display a notice demanding that the victim must make a payment within a short time period (three days, for instance), in return for a key to decrypt the files. Otherwise, the files are irretrievably lost.

  4. Paying the ransom is no guarantee of getting the decryption key, and often the attackers will attempt to extract more money once they realise someone has lost something of value that gives them sufficient incentive to pay.

People have lost years of family photographs, partly finished dissertations, rare digital music collections, irreplaceable research, critical source code and much more. Even among the people who were diligent in taking backups, some found they were unusable, as they had also been encrypted by the malware because they had been continuously connected to the infected system.

 
2. Identity Fraud

Identity fraud occurs when cyber criminals have collected enough private information about a person to be able to impersonate them and fraudulently make money.

For example, they could obtain genuine documents such as birth certificates, passports and driving licenses as well as open bank accounts, obtain credit cards, take out loans, order goods, etc.

Sometimes people aren’t aware that their identity has been stolen and used fraudulently until they start to receive bills or invoices for things they haven’t ordered, or even until debt collectors attempt to recover monies owed. It can take months or years to repair credit ratings and good standing amongst potential future creditors, immigration agencies, employers, etc.

 
3. Internet of Things (IoT) Distributed Denial of Service (DDoS) Attack

An example of such an attack is a significant outage caused by a DDoS attack on a domain name system service provider. 

Attackers have been able to hack into hundreds of thousands of vulnerable IoT devices and use them to amplify the attack. The strain of malware used to hack the IoT devices relied on the standard, out-of-the-box usernames and passwords (e.g. username: “admins”, password: “password”) to get access to hundreds of thousands of IoT devices. The attackers used IoT devices including routers, wearables, etc. This caused numerous websites, including some social networks, to be down for several hours.

 

What we think
Milena Tomova, Senior Information Security Officer at PwC Luxembourg

Information security provides an adequate secure environment in which any business service can function properly and operate uninterruptedly.
