How to Defend Against Digital Surveillance when Teleworking
As companies throughout the world turn to teleworking as a way of continuing operations in the face of COVID-19, employees and security teams alike have understandably faced growing pains in adjusting to this new reality. In the mad scramble to enable employees with secure ways of accessing enterprise systems, the threat of digital surveillance can easily get lost in the shuffle, even as board meetings and sensitive conversations that used to take place behind closed doors at the office now occur digitally from a series of less-fortified home offices.
Here, I’ll provide five easy-to-follow tips that remote employees can follow to mitigate the risk of digital surveillance while working from home.
Tip #1: Stay Vigilant against Social Engineering
Because spyware typically requires user interaction to get installed on a user’s laptop or smartphone, social engineering – typically in the form of phishing – is nearly always a prerequisite. As with any large-scale crisis, threat actors have been capitalizing on the fear and uncertainty surrounding COVID-19 to trick users into installing spyware on their devices. We’ve already seen coronavirus-themed phishing attempts disguised as COVID-19 guidance from official sources and as pleas for donations from non-governmental organizations. In one case, a threat actor weaponized an otherwise legitimate coronavirus tracking app to deliver spyware known as SpyMax, which is capable of remotely activating the compromised device’s cameras and microphones to capture audio and video.
Your best bet is to stay vigilant against covert attempts to infect your devices with spyware. Don’t open links or download files or apps from unknown sources. As a habit, it pays to study URL names before opening links and to double-check the email addresses of senders. When in doubt, give the purported sender a call to verify an email’s authenticity. Also, stick to trusted sources of information, like the official CDC website, for the latest information on COVID-19.
Tip #2: Keep Your Personal Devices out of Earshot of Work Discussions
While the hacking of Amazon CEO Jeff Bezos’s iPhone – possibly for corporate espionage purposes – has received its fair share of attention, targeted smartphone hacking at the hands of a determined adversary can happen to anyone. It’s a good idea to act as if your personal smartphone has already been compromised and then act accordingly. Unless you have a special audio-masking device for your smartphone or can physically disable your device’s cameras and microphones, keep your mobile device out of your workspace, at least during teleconferences.
Listening devices in the home are also an eavesdropping risk. There’s no shortage of stories about baby monitors being hacked, for instance. When it comes to smart speakers, these devices are designed to capture random audio snippets, and these snippets can be pieced together to draw important conclusions; such was the case with an Amazon user in Germany – a neutral party listening to the person’s interactions with the Alexa virtual assistant was able to piece together a detailed picture of the customer. A law firm in the UK recently issued advice to staff to mute or shut off listening devices when discussing business at home, and I suggest you do the same.
Tip #3: Practice Good Teleconferencing Hygiene
Conferencing apps, like any software, are vulnerable to buggy code. Zoom, for example, has had a couple of well-publicized vulnerabilities recently. One allowed any website to forcibly and imperceptibly join a user to a Zoom call with their video camera activated, while another gave threat actors a way to join random Zoom meetings based on the predictability of ID numbers associated with each call.
The moral of the story: Avoid sharing high-value and confidential bits of information if at all possible. Though threat actors can piece together bits and pieces of captured information to form an understanding of a company’s operations and strategies, dancing around the juiciest bits will limit the damage. Use code names for projects when appropriate, and consider using out-of-band channels (such as end-to-end encrypted messaging apps) to share sensitive information, denying hackers important context for any information they are able to capture. Also consider covering your laptop’s webcam with a slide cover or sticker when not in use.
Tip #4: Lock Down your Home Network
A move from an office work environment to a home environment can represent a serious security downgrade. One issue is that the home network simply doesn’t have the same defenses, like firewalls or network-based intrusion detection. Another issue is that home WiFi networks may have a number of consumer and IoT devices connected, and these devices aren’t usually built with the level of security we expect in our work laptops and smartphones; it’s possible that threat actors can hack into these consumer devices and then use them as a pivot point for lateral network attacks against work devices, potentially installing spyware.
To lock down your home network, you should, at a minimum, change the default name of your WiFi network and create a strong WiFi password. Choose WPA2 security for your router (or WPA3, if your router supports it). And if possible, segregate your home network, with your work devices connected to one segment and your personal devices connected to another, to minimize the chance of cross-contamination.
Tip #5: Don’t Mix Professional and Personal
When working from the comforts of home, it can be a natural inclination to drop one’s defenses. Activities we normally wouldn’t do in the office, like checking social media accounts on our work devices, seem like less of a big deal at home. This is especially true if you’re new to teleworking or haven’t yet been given access to the full suite of tools you usually use; it can be tempting to use workarounds to get your job done, whether that’s forwarding a work email to your personal email account or using a personal device to do work-related tasks.
I probably don’t need to tell you that doing these things creates yet another entry point for threat actors to install spyware on your devices. So avoid the temptation to use personal accounts on your company-issued laptop or smartphone. Conversely, don’t access company resources from an unmanaged device. And finally, don’t let family members or others in your household use the devices you use for work.
COVID-19 is a global crisis that we’ll be dealing with as a society for some time to come. But by being smart about how we adapt to this new world of fully remote work, we can minimize the headaches for ourselves and our coworkers. Stay safe out there.