This episode talks about Home Working Cyber Essentials.
After listening to this podcast please visit the National Cyber Security Centre, Action Fraud, Take Five and the West Midlands Cyber Protect websites for more guidance on all things relating to online security.
Our host today is Patrick, a Detective and Cyber Protect officer for the Regional Cyber Team part of the Regional Organised Crime Unit for the West Midlands.
Also covering the West Midlands is Sean Long – WMPDigitalPCSO; Warwickshire and West Mercia is covered by James Squire - cyberpcso; and the Staffordshire Police area by Mathew Hough-Clews, who can be found at sp_digitalpcso.
To contact us please email us at firstname.lastname@example.org.
Hello and welcome, my name is Patrick and I'm a detective and cyber protect officer from the West Midlands Regional Cybercrime Team.
Today's date is Monday, the fifth of October 2020.
Just one subject this week, and that is working safely at home, an item that we have spoken about previously. But with the unfortunate uncertainty of the Covid pandemic continuously looming, working from home has become the new norm, as they say, and may continue to be into the foreseeable future.
In a recent survey carried out by Marsh Commercial, 38% of employees claimed to have not received information about the security risks of working at home from their employer. As ever, and with most things in our lives, education is key; you can't know what you don't know. Maybe listening to this podcast will assist a little bit with gaining, improving or increasing your knowledge.
The one thing I will say before we start: if employees listening to this podcast have laptops issued from work, and they're only things like ours, then a fair few of the things that I'm about to talk about will be out of your control to change. For employers who may be listening, it's not for me, obviously, to instruct anybody to do anything, of course, but from our professional experience these are the things that it's important to be aware of. Employees, please don't turn off straightaway, because although some of these items may be out of your control, fortunately some of them are within your control, and are extremely vital when maintaining good levels of cybersecurity.
I'm going to focus on six areas. The first five are going to be the five key controls from Cyber Essentials, which are Boundary Controls, Secure Configuration, Access Control, Malware Protection, and Patch Management. The sixth one will be an overarching item which has connections to everything and anything when it comes to cybersecurity and protection.
When we talk about Boundary Controls, we are talking here about firewalls. Firewalls effectively create a buffer zone between your IT network or device and other external networks. In the simplest case, this means between your computer or computers and the Internet. There are two types of firewall: you could use a personal firewall on your internet-connected laptop, normally included within your operating system at no extra charge. Or, if you have a more complicated setup with many different types of devices, you might require a dedicated boundary firewall, which places a protective buffer around your network as a whole. Some routers will contain a firewall which could be used in this boundary protection role, but this can't be guaranteed.
Secure Configuration. This is possibly an area that, as an employee, you have less control over. However, employee and employer, it is worth bearing in mind that manufacturers often set the default configurations of new software and devices to be as open and multifunctional as possible. They come with everything on, to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with great ease. So it's important that you check the settings. You should always check the settings of new software and devices and, where possible, make changes which raise your security level, for example by disabling or removing any functions, accounts or services which you do not require. Your laptops, desktop computers, tablets and smartphones contain your data, but they also store details of online accounts that you access. So both your devices and your accounts should always be password protected, and even better would be encryption. Passwords, when implemented correctly, are an easy and effective way to prevent unauthorised users accessing your devices.
Passwords should be easy to remember and hard for somebody to guess, not the other way around, which is sadly often the case: they're hard to remember and easy to guess. The default passwords which come with new devices, such as "admin" and "password", are the easiest of all for attackers to guess, so you must change all default passwords before devices are distributed and used. The use of PINs or Touch ID can also help secure your device. If you would like more information on choosing passwords, look at the National Cyber Security Centre's (NCSC) password guidance. For important accounts such as banking and IT administration you should always use two-factor authentication, also known as 2FA, or multi-factor authentication. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.
An additional issue that's worth being aware of is connecting to a home router. Please be aware that if you haven't already changed the default password you were issued with your router, you should do so immediately, both for your own personal use and for any potentially commercially sensitive information that you may be dealing with at home whilst using your home broadband.
A further security measure here could be the use of a Virtual Private Network (VPN). This gives you an increased layer of security when using the World Wide Web. It is our advice that, without exception, you never ever use public Wi-Fi without the use of a VPN.
Access Control. To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them. Check what privileges your accounts have. Accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work; that way you cut down on the chances that an admin account will be compromised. This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account. Maximum access can cause maximum damage. Also, if you work in an area which is accessible by any person other than yourself, locking your device is essential in restricting access to personal and professional accounts and data.
Malware protection. All devices, including laptops, PCs, phones and tablets, unless protected, are open to attacks using malware (malicious software). Viruses and malware, like the ones used in the WannaCry attack in 2017, can infect devices and software and can quickly infect any other devices or software that are connected to them. Malware is software or web content that has been designed to cause harm. For example, the recent WannaCry attack used a form of malware which makes data or systems unusable until the victim makes a payment. Viruses are the most well-known form of malware. These programmes infect legitimate software, make copies of themselves and send these duplicates to any computers which connect to their victim.
There are various ways in which malware can find its way onto a computer: a user may open an infected email, browse a compromised website, or open an unknown file from removable storage media such as a USB memory stick. There are three ways to defend yourself against malware.
One, antivirus software is often included for free within popular operating systems, and it should be used on all computers and laptops. For your office equipment, you can pretty much click enable, and you're instantly safer. Smartphones and tablets might require a different approach, and if configured in accordance with the NCSC guidance, separate antivirus software might be necessary.
Two, you should only download apps for mobile phones and tablets from manufacturer-approved stores like Google Play or the Apple App Store. These apps are checked to provide a certain level of protection from malware. You should prevent staff from downloading apps from unknown vendors, as these will not have been checked.
Three, for those unable to install antivirus or limit users to approved stores, there is another, more technical solution. Apps and programmes can be run in a sandbox; this prevents them from interacting with and harming other parts of your devices or network.
Patch management. It is important that all phones, tablets, laptops and computers are kept up to date at all times. This is true for both operating systems and installed apps or software. Manufacturers and developers release regular updates which not only add new features but also fix any security vulnerabilities that have been discovered. Happily, doing so is quick, easy and free. Applying these updates is one of the most important things you can do to improve security. Operating systems, software, devices and apps should all be set to update automatically whenever this is an option. This way you will be protected as soon as the update is released. However, all IT has a limited lifespan: when new updates cease to appear for your hardware or software, you should consider a modern replacement.
To put this into a bit of perspective, it is worth bearing in mind that Windows 10 is made up of 50 million lines of code. The suspicion is that within 100 lines of code there could be as many as five errors, and these errors can cause functionality issues; that would be the best case scenario. The worst case scenario is that an error results in a security vulnerability. These errors get discovered routinely, and are often the reason why the updates, or patches, are required.
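As an added example (not from the podcast, and not a Cyber Essentials tool), the following PowerShell script checks a Windows 10 home-working laptop against four of the five controls discussed above: boundary firewall, access control, malware protection and patch management. It assumes Windows 10 with PowerShell 5.1 and the built-in Windows Defender, and that you run it as your everyday user account. The function names and the "7 days" and "30 days" freshness thresholds are my own choices; the script only reads settings and changes nothing.

```powershell
# Added example: read-only checks of a Windows 10 laptop against four Cyber Essentials
# controls. Assumes Windows 10, PowerShell 5.1 and Windows Defender. Function names and
# the day thresholds below are the author's own assumptions, not Cyber Essentials values.

function New-CheckResult {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Test-BoundaryControl {
    # Boundary control: the Domain, Private and Public firewall profiles should all be on.
    $off = @(Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' })
    $detail = if ($off.Count) { "Disabled profiles: $($off.Name -join ', ')" }
              else { 'All firewall profiles enabled' }
    New-CheckResult -Control 'Boundary firewall' -Pass ($off.Count -eq 0) -Detail $detail
}

function Test-AccessControl {
    # Access control: the account used for day-to-day work should not be a local administrator.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. LAPTOP\user
    try {
        $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                    ForEach-Object { $_.Name })
    } catch {
        return New-CheckResult -Control 'Access control' -Pass $false `
            -Detail "Could not read the Administrators group: $_"
    }
    $isAdmin = $admins -contains $me          # -contains is case-insensitive
    $detail = if ($isAdmin) { "$me is a local administrator; use a standard account for general work" }
              else { "$me is a standard user" }
    New-CheckResult -Control 'Access control' -Pass (-not $isAdmin) -Detail $detail
}

function Test-MalwareProtection {
    # Malware protection: Defender's engine and real-time protection should be on, and the
    # signatures should be fresh (assumed threshold: updated within the last 7 days).
    $mp = Get-MpComputerStatus
    $fresh = $mp.AntivirusSignatureAge -le 7
    $pass = [bool]$mp.AntivirusEnabled -and [bool]$mp.RealTimeProtectionEnabled -and $fresh
    $detail = "AV enabled: $($mp.AntivirusEnabled); real-time: $($mp.RealTimeProtectionEnabled); " +
              "signature age: $($mp.AntivirusSignatureAge) day(s)"
    New-CheckResult -Control 'Malware protection' -Pass $pass -Detail $detail
}

function Test-PatchManagement {
    # Patch management: Windows Update should install automatically (NotificationLevel 4 =
    # scheduled install) and a hotfix should have been installed recently (assumed: 30 days).
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    $auto = ($au.NotificationLevel -eq 4)
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    $recent = ($null -ne $last) -and (((Get-Date) - $last.InstalledOn).Days -le 30)
    $detail = "Automatic updates: $auto; last hotfix $($last.HotFixID) installed $($last.InstalledOn)"
    New-CheckResult -Control 'Patch management' -Pass ($auto -and $recent) -Detail $detail
}

function Invoke-CyberEssentialsCheck {
    # Run all four checks, print a table, and summarise how many need attention.
    $results = @(Test-BoundaryControl; Test-AccessControl; Test-MalwareProtection; Test-PatchManagement)
    $results | Format-Table -AutoSize | Out-Host
    $failed = @($results | Where-Object { -not $_.Pass })
    if ($failed.Count -eq 0) { 'All four controls pass.' } else { "$($failed.Count) control(s) need attention." }
}

Invoke-CyberEssentialsCheck
```

Save it as a .ps1 file and run it from a normal PowerShell window; because it only reads state, it does not need an elevated prompt. The access-control check reads the local Administrators group rather than testing the current token, because under UAC a member of that group running an unelevated session would otherwise look like a standard user.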
The very last point I want to make is about phishing. Phishing is, I'm sure, an expression you have all heard. However, it's worth bearing in mind also that there are five different types of phishing.
Phishing can be the type of email whereby you get an ex-member of a royal family sending you an email saying they've got loads of money, they want to put it in someone's account and give them the interest. Our spam folders tend to look after such emails these days, thankfully; not a hundred percent of the time, of course, but mostly. However, the issue occurs with the second and third, or even fourth and fifth, types of phishing.
The second one on the list is spear phishing. This is where an email is sent to a very specific person; whereas the ex-member-of-a-royal-family themed email would go to as many people as possible, a spear phishing email will go to a lot fewer people.
Which takes me very quickly onto whale phishing. Whale phishing is very, very, very similar to the spear phishing email in that it's sent to a specific person. However, this tends to target somebody in a very senior position, either in terms of rank structure or in terms of an important position within an organisation.
The fourth type is smishing, which comes from the terms phishing and SMS messaging: people get a text message with a link within it, purporting to be from your bank or Amazon, and when you click on the link you are asked to provide various information.
The last one is called vishing, which is voice solicitation. It's more of a social engineering tactic: somebody would call using a false identity and pretend to be from your bank or something like that, and then try to extract information. It could be Amazon, it could be various other delivery companies or organisations; it could be virtually anything that you may or may not have contact with.
So the reason why I wanted to finish with that is because it has been found that around 90% of malicious software is delivered via spear phishing emails. So no matter what control you have over your networks or your devices, whatever control you or your IT departments have, phishing is something that everybody needs to be aware of, and I can't emphasise enough the risk that phishing can pose.
For additional guidance, please visit the National Cyber Security Centre (NCSC), Action Fraud, Cyber Aware and the Take Five campaign websites. Also, please don't ever hesitate to contact us for education, awareness and guidance on how to protect and prepare yourself and your business online.