During the Coronavirus era surfing the Internet has become one of our day-to-day activities. You may even call it a necessity, whether it is logging in to Facebook or Instagram to upload a photo or even logging in to our bank account, especially when not having the ability to reach the bank branch physically. It is crucial to understand, particularly now, that surfing over the web can be dangerous. When we work from home, we often use our private computers and sometimes connect to the workplace through VPN connections. Alternatively, we use a laptop we got from work, which at times also serves our personal purposes. It requires us to pay attention to anomalies, and equally important, it should motivate the CISO - the person in charge of information security in the organization - to maintain the highest security standard without compromising our day-to-day work. While working from home, the threats aimed at the private user become relevant to the corporate user since the same computer is used in both cases. Lately, we often receive messages from our organization about actions we should take to surf the global network more securely and prevent possible damage. To ensure the highest level of security possible, we have prepared a document that you can deliver to employees. It contains the main tips for the proper conduct of employees, to protect sensitive information of both the user and the organization.
1. Password management.
Today most protection mechanisms are based on passwords. To increase your security level, try to meet the following conditions:
• Set passwords that contain at least twelve characters and include both numbers, letters, and special characters.
• Use more complicated passwords for sensitive accounts and less complicated ones for occasional accounts.
• When setting complicated passwords, do not use details that are personally related to you, so that people who may know you will not be able to guess your password so easily.
Ideally, we would set a different password for each account, although this is not the typical method. The occasional attacker would be well aware of that, and it may constitute a security breach. Once an account is penetrated, other accounts are at risk as well. If your organization does not implement the requirements mentioned above, you should alert the CISO in the organization.
2. Surfing the web securely. Today, many people set their sights on accessing sensitive information. While working from home, access to our personal information may easily result in the exposure of sensitive organizational data, as methods become more sophisticated. A popular method of unauthorized data access is the phishing attack, a technique whose popularity has increased during the Coronavirus era. An attacker sends something that aims to intrigue us after researching our interests and building a profile of us based on information from social networks. For instance, we may receive an email message informing us that we won a vacation or an electronic product. In a different scenario, the email may include a link to a shopping site offering significantly lower prices. These days, attackers can also fake workplace emails that may for example contain an invitation to participate in a lottery. Thus we are tempted to fill in our credit card details or any other sensitive information the attacker is trying to obtain. In other cases, this can lead to theft of confidential information to which the computer is exposed, such as organizational reports. Caution! In most cases, if an offer looks too good, it is probably not real. 3. Surfing via Wi-Fi networks. Wi-Fi networks are routinely used in our daily lives. Once we reach a certain place, we immediately look for an access point to connect to. However, these access points are sometimes dangerous since user information may be disclosed through them. It is advisable not to access sensitive areas such as bank accounts, and certainly not to work from home via unfamiliar Wi-Fi connections.
4. Surfing through non-private computers.
It is not recommended to access sensitive content on a regular basis. In most cases, the information security officer in an organization will not allow you to do so, but there are instances in which there is no other choice. To keep such data safe, you should act according to the following guidelines:
• Browse “secretly”, without saving web cookies and other elements.
• Do not use the "Save Password" service for reconnection.
• Log out of the account at the end of the activity, to make sure it is not accessed later by other users.
• Delete the browsing history.
5. Which browser is recommended?
This is a question that has no clear answer. Each company declares that its browser is the best. Currently, popular browsers are Edge, Chrome, and Firefox. According to online reports, Edge is considered less secured than the other two mainly due to less frequent security updates. In that respect, Chrome and Firefox have an advantage. It is important to note that certain organizations require the usage of a specific browser, and even restrict access to resources if the wrong browser is chosen.
6. Protecting the operating system. There is a justifiable reason why the Windows operating system “annoys” us with system update notifications. The notifications are for essential updates that are required to close security gaps in our operating system and prevent their exploitation by attackers. Since many people ignore the security updates, they are more likely to be unprotected when an attack occurs. Every organization should ensure its employees are aware of the need to keep the OS safe and updated. 7. Protecting the personal computer and home network. Our workplace invests a lot in security resources and policies. As home users, we should similarly perform specific actions to provide an additional layer of protection. It is advisable to install a security product on the personal computer, such as Anti-virus software. Additionally, it is worth setting a strong password for the access point in your home network, which will make it difficult for an attacker to penetrate your home and in some cases compromise your organization. It should be stated that the person in charge of information security is obliged to provide training for employees regarding safe surfing, and to constantly update them with new and emerging dangers in the cyber world.
To conclude, although we may consider the Internet our best friend these days, we must always remember the risks it entails as well, risks that have increased during the Coronavirus era. Pass the tips mentioned in this letter on to your employees and make sure everyone in the company understands their significance. By Roman Senko, Head of Cyber Training