A Working From Home – Pentest People Guide

Liam Follin

Senior Consultant

Liam is one of the senior consultants at Pentest People, with a wide range of skills and experience from Web Applications to Social Engineering he's able to give great comments and opinions on cybersecurity matters.


Working from home isn’t something we’re all used to, but with the COVID-19 pandemic continuing it seems many of us will be making the move home, and that will likely be our 9-5 for the foreseeable future. Although working from home may feel great to begin with, there are cybersecurity risks you need to be aware of.

Today I’ll offer advice on reducing the risk of cyberattacks on your deployed devices, including laptops, mobiles and tablets, along with a few warnings to help you spot phishing scams (which have seen a spike since the COVID-19 outbreak).

Communication

The first subject we’ll cover is communication. Working from home requires a lot of it, sometimes more than when you are on-site, so it’s highly likely that many organisations will implement some form of team messaging platform to keep workflow efficient (if you need a platform set up, we highly recommend Slack). With any new app you’ll likely need to create a new account, and considering the information that may be sent across these channels, it’s crucial to follow strict security procedures for each account.

All passwords should be randomised and saved in a password manager such as 1Password, and we highly recommend enabling Multi-Factor Authentication wherever the application supports it. Multi-Factor Authentication reduces the chance of cybercriminals accessing data by an incredible margin and should be used where available.

Software

Many jobs depend on specific software and applications. It can be easy to assume that using these at home will work the same way, but this isn’t always the case: you may have to install new programs and software to do your job while working from home. It’s important that your company is aware of this and writes guides for all the new functions you will need to carry out.

With the current lockdown at hand, even the team here at Pentest People have had to implement new software to keep the business running. We’ve implemented the SecureGateway, which gives our consultants the same internal access to a client’s system without needing to be on site. As you can imagine, this requires us to set up procedures and assess the risk factors surrounding this new system, just as your business should with any new software or application.

Data Storage & Encryption

It’s no myth that you’re more likely to lose or have your devices stolen when out of the office. Considering how long we may have to keep working from home, it is recommended that you enable encryption of data at rest on your devices. Encrypting data keeps it safe even if the device is lost or stolen. I will add that many modern devices have encryption built in, but you may need to turn this function on or configure the settings to enable it.

Looking Out For Cyber Attacks

As COVID-19 dominates the media, many cybercriminals will attempt to use it for their own gain. We’ve already seen a huge spike in activity revolving around fake malicious websites, phishing scams and fake news articles. Considering the sheer number of people now using home computers, laptops and other devices for work, there are certain things you need to look out for.

E-Mail Phishing – How to Spot COVID-19 Email Scams

Although we have a full blog post on email phishing, what it is and how to watch out for it (which can be found here: https://www.pentestpeople.com/what-is-phishing/), we wanted to talk through some known scam attempts relating to the coronavirus.

The first thing to focus on is the content of the email. Due to COVID-19 you’ll likely receive many emails claiming to have found a vaccine, offering you financial help or asking for donations to help fund a cure. The rule of thumb is to simply ignore emails such as these. The endgame of such emails is to make you click on a malicious link that downloads malware onto your computer or steals passwords.

A few quick tips to remember are:

  • Look out for incorrectly spelt domain names (anything after ‘@’) when the email seems to come from a valid source, e.g. your bank, WHO, NHS etc., as scammers may insert random letters in an attempt to catch you off guard.
  • Be aware of poor grammar throughout the email. If you happen to open the email, make sure you check the content thoroughly; any high-standing organisation will have clear, well-punctuated content. With phishing, scammers don’t need to monitor inboxes and send tailored responses; they simply dump thousands of crafted messages on unsuspecting people, so the messages are more likely to lack correct grammar. Remember to look out for grammatical mistakes, not spelling.
  • Watch for suspicious attachments or links. In many phishing scams, the end goal is for you to download malware or click on a malicious URL. For this reason, if you ever do find a suspicious email, make sure you don’t click on any URLs or open any generic attachments (invoice.pdf, newsletter.pdf etc.).
  • Flag any suspicious email to your IT manager. There’s no safer way to avoid phishing scams than telling your IT manager if you’re suspicious of an email, regardless of how suspicious. An IT manager would prefer you to send them anything you find than deal with the consequences of a successful phishing scam.
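To make the first and third tips concrete, here is an added Python example (not from the original post or Pentest People) that parses a constructed sample mail, flags a sender domain within two character edits of a trusted one, and flags the generic attachment names the post mentions. The trusted-domain list, the sample addresses and the attachment content are assumptions made for the demo.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Constructed allowlist of domains you expect mail from (assumption for the demo).
TRUSTED_DOMAINS = sorted({"who.int", "nhs.uk", "examplebank.co.uk"})
GENERIC_ATTACHMENTS = {"invoice.pdf", "newsletter.pdf"}  # generic lure names from the post

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw: str) -> str:
    """Everything after '@' in the From address, lower-cased; '' if absent."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: str) -> List[str]:
    """Return reasons a mail looks suspicious; an empty list means no flags."""
    flags = []
    domain = sender_domain(raw)
    if domain and domain not in TRUSTED_DOMAINS:
        # One or two edits away from a trusted domain is the 'random letters'
        # lookalike the post warns about, e.g. nhss.uk instead of nhs.uk.
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= 2:
                flags.append(f"sender domain {domain!r} resembles trusted {trusted!r}")
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and name.lower() in GENERIC_ATTACHMENTS:
            flags.append(f"generic attachment name {name!r}")
    return flags

def build_sample(from_addr: str, attachment: Optional[str]) -> str:
    """Construct a sample message for the demo (not a real captured email)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "staff@example.com", "COVID-19 update"
    msg.set_content("Please see the attached document.")
    if attachment:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename=attachment)
    return msg.as_string()
```

Run `triage(build_sample("NHS <alerts@nhss.uk>", "invoice.pdf"))` to see both flags raised on one message; a mail from a trusted domain with a specific attachment name returns no flags.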

Although it seems there’s a lot to focus on, the key theme throughout is to stay vigilant, not just for employees but for business owners too. This is an interesting time for everyone working remotely, but we hope the information we’ve provided in this guide will help you, whether you’re new to working from home or simply don’t know the full extent of what to look out for!
