In light of the current pandemic outbreak of Coronavirus, code-name “COVID-19”, I’ve put together some key pointers, as well as things you can do to protect yourself, your colleagues and your families – especially with the recent news and advice of working from home. I think it goes without saying this is from a Cyber perspective, and not a “don’t forget to wash your hands for 20 seconds” hygiene tabloid, nor is it a chance to literally work from home *insert tarmacadam joke here*. Working from home does have benefits, but it also has downsides. It can become an isolating time, and we’ve gone into a virtual setting, but try not to distance yourselves at the same time.
So let’s start by first outlining a common issue with anything in the media or political limelight. Cyber criminals thrive off this and attempt to brand their campaigns around the topics in order to get the victim’s attention and information. You will see this around common events of the year such as Valentine’s day and romance fraud, Black Friday deals, Christmas and so on. Political events such as elections and voting are used in the same way. The selling point is that it is already in the news and people are talking about it, so emails and phone calls become prominent in response, as a method of getting your attention further with something too good to miss. My advice, ultimately, is to be cautious and don’t be naive to it.
Overall, with the media’s amplification and input, I mean “heightened interest in the news”, it has ultimately caused an increase in the social engineering tactics used by cyber criminals. A lot of fake and targeted emails have been noticed in the wild, purporting to carry “IMPORTANT” information when in fact you will most likely be hitting a credential harvester or malware deliverer. Those behind the lures are commonly cyber criminals in general, but also nation states.
Common things include:
1. Urgent need for information
2. Coronavirus themed campaigns
3. Click here for… xyz
4. Anything personal – including email addresses. Your work email will be a target, but you would not receive this level of personal information to it, the same way you won’t be getting Netflix subscription emails to your work email when you’re using someone else’s account anyway!
Common organizations being used:
1. World Health Organisation (WHO) emails – the WHO does not have your email!
2. UK Government offering you money in compensation – This would only ever come via the post.
3. U.S. Center for Disease Control & Prevention (CDC)
This technique is done to build trust and credibility thus tricking the user to proceed further. If you want news and updates, go to the trusted source directly! WHO / CDC / BBC / UK GOV
Things you should already be doing, but if not, start:
1. Using different passwords for different accounts
2. Use a password manager
3. Not clicking on links willy-nilly
4. Reporting suspicious looking things to your security team
5. Using Multi-Factor Authentication (MFA)
Things you can do (Cyber perspective):
1. Don’t click on any COVID-19 related links or attachments you receive via email or messaging apps. This includes messages to personal email providers like Gmail.
2. Don’t be fooled by legitimate-looking branding on messages you receive, there are good fakes doing the rounds. Cybercriminals will also often use language that conveys a sense of urgency, so be alert.
3. Report malicious looking emails to your security team.
4. Don’t put your credentials into third-party sites unless you’re 100% sure you’re on the correct site. If you’re unsure, ask a security professional.
5. Hover over any links to see the domain before clicking. If you have an email filter solution, I would advise you to double check with the security team to be on the safe side.
6. General checks and common sense – check the sender email, email subject, does it have urgency?, spelling and grammar mistakes, it’s too good to be true, it’s unsolicited, is it for something you wouldn’t use your work email for? etc. etc.
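The checks in items 5 and 6 can also be run mechanically. The following is an added example, not part of the original post: it triages one constructed message for a borrowed display name, an urgent subject, and a link whose visible URL differs from its real target. The sample message, the `KNOWN_SENDERS` mapping and the finding names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message; every address and domain is a placeholder.
SAMPLE = '''From: "World Health Organization" <alerts@who-int.example>
Subject: URGENT: COVID-19 safety measures, action required
Content-Type: text/html

<p>Read now: <a href="http://login.example.net/who">https://www.who.int/covid</a></p>
'''
# Assumed allow-list: display name a lure might borrow -> its real domain.
KNOWN_SENDERS = {"world health organization": "who.int"}
URGENCY = re.compile(r"urgent|immediately|action required|important", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def host(url):
    # Empty string when the text is not a URL (e.g. "Click here").
    return (urlparse(url).hostname or "").lower()

def triage(raw):
    """Return the list of warning signs found in one raw message."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    sender, expected = addr.rpartition("@")[2].lower(), KNOWN_SENDERS.get(name.lower())
    if expected and sender != expected and not sender.endswith("." + expected):
        findings.append("display-name-mismatch")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgent-subject")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    # Hover check: the URL shown as link text must match the real target host.
    findings += ["link-text-mismatch" for href, text in parser.links
                 if host(text) and host(text) != host(href)]
    return findings
```

An empty list only means none of these three signs were present, not that the message is safe; anything that still looks odd goes to the security team.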
Check my other blog here for general good practice and staying safe online!
Things you can do (working from home):
1. Maintain your regular working hours
I feel this goes without saying, but think of it from the other angle of human error from overworking. There are different disciplines to working from home, and extra measures should be taken as it is a different environment. Structure may change, comms may be affected, different “tracking” methods (progress) applied, and lastly, it’s not for everyone, so work with others to make it smoother.
2. Staying focused
Attempt to set yourself goals on what you want to achieve by the end of the week, by the end of the day or whichever suits your needs. Isolate from distractions where possible such as shutting doors, muting conversations, moving your phone, putting your headphones on etc. Take regular breaks. Communicate regularly with colleagues and do it via voice/video call to keep the human element and not just IM.
3. Keep your space and limitations where possible
This is more on the angle of distractions as well as sensitive material (client info etc.). Although they’re family, there’s nothing to stop them telling someone else whose data is what or who you look after, and this could be confidential – especially in government agencies. Don’t forget the isolation aspect so as not to get symptoms!
4. Home security
It’s not really something you would think of ordinarily, or at least prioritise, as you rely on the provider anyway, but keeping your home equipment secure when working from home is just as important. You don’t want weak passwords on your routers or IoT devices, as someone could connect and do malicious activity as a result. Change SSIDs and broadcasts, even hide the SSID so you have to manually input it on devices. Definitely change the password, as some routers have default passwords applied which are exploitable in the wild. Privacy is another segment, such as who is looking through your window, what can they see, is that computer left unlocked and so on. Don’t be paranoid by any means, but be aware.
5. Encryption
Encryption is a must anyway, and most likely administered via your organization’s sys-admins, but if you are one of these people with the responsibility, double check it! The last thing you want is a Man in the Middle attack occurring due to a lack of, or no, encryption on things like online browsing or email, and someone taking advantage of an otherwise secure environment. Also, do not use insecure WiFi, however tempting it can be when, for whatever reason, your internet is not working.
6. MFA/2FA
If you don’t have this, what are you doing? GET IT! Working in a SOC I have seen a significant drop in SIEM alarms being created as a result of clients introducing MFA to their users as a mandatory policy. The use of a second or third authentication method after a password has been beyond noticeable, as well as boosting the security posture of the client. It is also a requirement to have certain things like this if going for accreditations such as ISO.
7. Personal to professional overlap
This is vague and can cover many topics, but the main thinking was to give a reminder that although you’re at home, you’re still working. You can check personal emails in most places anyway, but as I say, remember you’re most likely on a work device so it could be monitored or it could cause damage! Same goes for browsing….
8. Fresh air.
I said I wouldn’t go all personal health and all that but please take regular breaks and get some fresh air. Just because you’re home doesn’t mean you can’t go outside for some air. Keep yourself sane and not a hermit. Avoid eating at your desk as a result.
Enjoy the time you have working from home, and use it wisely. If it means getting up slightly later than normal due to no travel then do so, it’ll refresh you. Don’t lose track of what is important and who is around, and spend quality time with those around you where possible.
All feedback is welcomed and I hope to hear from you. If you have any questions or concerns, or pointers then please do reach out to me.
Dan
Great read, thanks Dan! Your posts are coming along nicely; keep it up!