Author: John Santana, CCSFP | Principal Consultant
The remote working revolution may not be in the headlines as much anymore with the COVID pandemic in the rear-view mirror, but the need to secure our work-from-home networks against business compromise is more important now than ever before. This is especially true for the remote worker in the healthcare industry where a cybersecurity misstep can open the door to a debilitating attack.
It matters not how much a healthcare entity spends to harden its corporate network when the home network a remote employee works out of is wide open to attack. Insecure home networks and devices put you and your organization at heightened risk of falling prey to social engineering and ransomware.
According to Fortinet’s 2023 Work-from-Anywhere Global Study, in a survey of 570 companies affected by a security breach, 62% of respondents attributed remote work as at least a partial culprit to their breaches. Maintaining strong controls on your home network and non-company-issued (‘bring your own’ or BYOD) devices is critical to extending and hardening your organization’s cybersecurity footprint. Your typical remote work acceptable use policy will require you to keep your devices ‘secure,’ but seldom do they provide specifics on implementing best practice controls. This article offers some practical network security controls and endpoint-level controls for the BYOD user to harden your work-from-home ecosystem.
Network-Level Controls
Change Defaults & Use Strong Passwords
When you unbox and set up a router for the first time, it will include a default service set identifier (SSID) and password; it is critical that these are both immediately changed. A default SSID indicates to a potential attacker that the rest of the network may operate on standard defaults, painting a target on your back. Furthermore, default passwords are not complex and are easy to crack. It is important to use a long, complex password utilizing a healthy mixture of character casing, numbers, and complex characters (i.e. ~|{&^%)). In addition to setting a password/network key for accessing the network, you will also need to provision a password for the router’s administrative account; this password should be even more robust than the network key password.
Set up a Guest SSID
When it comes to your friends and family, there is simply no way of knowing, short of them consenting to full system scans, that their devices are free of malware. Introducing a guest’s infected device onto your main network allows that device to communicate freely with the other devices on your network, creating an attack vector for said malware to spread. Creating a guest network segment creates a degree of separation between the guest’s devices and your devices, preventing this direct communication and the potential spread of malware. Don’t forget to protect the Guest SSID with a password, and make sure it is different than your main SSID!
Update your router as diligently as your workstations
You get notifications on a seemingly daily basis between your smartphone, laptop, and desktop devices requiring security patches and firmware updates. Your router is no different from these devices and requires regular updates for optimum function and security.
Ensure the firewall and encryption are enabled
Firewalls and traffic encryption are typically enabled by default, but it is worth checking for peace of mind. Firewalls block inbound malicious traffic, while encryption secures outbound traffic.
Network-level Antivirus and Vulnerability Scans
Network-level antivirus (AV) and vulnerability scanning provide security at the gateway for all your network traffic. This extends a layer of protection by filtering traffic across all devices connected to your network (i.e., IoT devices like your smart doorbell, cameras, and mobile devices), not just workstation endpoints with AV clients installed.
Endpoint-Level Controls
Keep your OS and browser up to date
It is critical to regularly check and keep your devices patched to stay current with the latest security updates and features. Microsoft typically releases a monthly security update on the second Tuesday of every month, nicknamed “Patch Tuesday.” Furthermore, it is important to keep your internet browsers up to date to stay one step ahead of any browser-based vulnerabilities.
Encrypt your hard drive
Microsoft’s BitLocker and Apple’s FileVault drive encryption are typically enabled by default nowadays and must be implemented on all devices. Hard drive encryption protects your files and folders from unauthorized access by protecting your drives. The information is decrypted and made available to the user upon authentication.
Ensure local firewalls and other OS-level security tools are enabled
Modern browsers come equipped with a suite of security tools and functionality that should be taken advantage of fully. Ensure your local firewall is enabled and take full advantage of the Windows Defender scanning and optimizing utilities to identify deficiencies.
Endpoint-level Antivirus and Vulnerability Scans
It is important to run recurring antivirus and vulnerability scans on your workstation. Vulnerability scans will identify out-of-date applications and system utilities, allowing you to patch and stay updated on the latest configurations and keeping your device hardened.
Leverage a Virtual Private Network (VPN)
Utilizing a VPN on your home network is useful if you value your privacy and do not want your Internet Service Provider (ISP) to track you as easily as possible. However, as a method for traffic encryption, it is rendered slightly redundant if your network traffic is already encrypted due to your robust network configuration.
The real value add and necessity of a VPN come into play when using a workstation anywhere outside the purview of your secure corporate and/or home network. VPNs will anonymize and encrypt your traffic, securing your experience on otherwise insecure and easily manipulated public networks.
Disable USB drives
USB drives containing malware continue to be a popular attack vector even today. Your devices can be configured to block USB drives while maintaining the necessary functionality to power your peripheral devices, such as your mouse, keyboard, monitor, camera, and microphone. This control is especially important to have implemented when traveling with your device.
Geolocation and Remote-wipe capability
Many third-party consumer-level cybersecurity companies, such as Bitdefender, provide geolocation and remote-wipe capabilities in the event of device theft. In the worst-case scenario, remotely wiping your device of your sensitive data may be the difference between a successful breach and a thwarted one.
Stay Vigilant
Cybersecurity is a game of measures and countermeasures, with cyber criminals constantly seeking innovative methods to compromise security. By implementing the controls above, you will at least cover the basics.
If you are concerned about the security of your organization’s endpoint and network security or that of your remote employees, Clearwater’s robust security risk assessments and technical MSSP solutions are here to identify and remediate any gaps.
