Firewalls are not enough

When it comes to your business security, what’s the first thing that comes to mind? Most likely the trusty old firewall. In the event of a successful cyberattack, most victimized organisations will raise the question: “Why wasn’t our firewall able to protect us?”

Even though firewalls are an essential component of cybersecurity, on their own they cannot stop every attack. Read on to understand why you need a comprehensive cybersecurity strategy and solution.

What are the limitations of a firewall?

Unfortunately, threats are constantly evolving and are designed to get around common, basic security tools such as firewalls. With the Internet of Things (IoT) and the increase in remote working driven by digital transformation and, most recently, the COVID-19 pandemic, nearly any smart device (phones, laptops, printers, tablets, televisions) can be connected to the business network, and each one is a potential entry point for an attacker.

Your firewall is good at protecting your office network; that is what it was designed to do. But what happens when an employee reads their email or opens company files from their phone, or connects to the WiFi at a restaurant? Your network security is only as strong as its weakest link. The most expensive perimeter firewall does nothing for a laptop sitting on a hostile network: an attacker running a fake WiFi hotspot sits in the path of every connection and can read or tamper with any traffic that is not encrypted end to end.

Firewalls are primarily designed to block attacks arriving from outside the network. What happens when a threat gets past the firewall inside a permitted connection (an email attachment or a web download, for example), or originates on the internal network itself, from a device that is already compromised?

Firewalls are also very limited in their ability to stop phishing, scams and ransomware, as opposed to traffic that matches a known-bad pattern. Many of these attacks rely on tricking a user into taking an action, such as handing over confidential information or disabling a firewall or antivirus product, and no firewall can prevent human error or compensate for poor administrative practice and weak security policy. Firewalls also need to be kept up to date: new threats appear every day, and a firewall whose rules and signatures are not maintained may not protect you from the latest one.

Traditional network security such as firewalls does not extend to today’s mobile-first, multi-device reality. Large volumes of web traffic, constantly evolving threats and other dangers are not easily detected. A firewall is largely a reactive control: it blocks a threat only once a rule or signature for it exists, so devices are protected only after the threat has been identified.

Total cybersecurity for effective defense

Now that multiple devices and IoT are adding vulnerabilities to corporate networks, stronger endpoint security is a must-have. Total cybersecurity extends to analysing the potential threats facing an organisation; threat intelligence helps organisations evaluate both rare and common risks. Security needs to be as modern and sophisticated as the threats it faces. Real-time protection and predictive analytics need to be in place to identify malicious behaviour and respond to emerging threats. A total cybersecurity system needs to proactively detect and neutralise advanced threats that typically evade traditional controls; organisations need a first line of defence against threats they cannot see or immediately repel with a firewall. A successful approach has multiple layers of protection across computers, networks, applications and data, and speeds up the key security operations: prevention, detection, investigation and remediation.

ACDS offers full-service Information & Cybersecurity solutions that identify, analyse and detect a variety of cyber threats while helping you respond to and recover from any unwanted intrusion into your business, with real-time results. Our cybersecurity resilience services cover all avenues of potential breaches through the combined efforts of key Information & Cybersecurity principles and the deployment of ACDS’ rapid detection and response system.

 

 

Cyber Protection in a world of chaos

In today’s digital world, and with cyber-attacks on the rise, everyone needs protection. Organizations need to protect their data and networks from unauthorized access, attacks and destruction. As with most things in today’s world, there are many options available.

Let’s take a look at cloud backups and managed (on-premises) backups, and some of the pros and cons of each. The one that works best for your business will help you achieve your business goals while keeping your operations running. No two organisations have exactly the same cybersecurity requirements, which is why it is important to understand the differences so that you can choose a package tailored to your business’ needs. ACDS can help you with this.

Cloud backup

The pros of cloud backup include no need for onsite hardware or capital expenditure; storage that can be added as needed (particularly useful for smaller companies, where storage is often an issue); paying only for what you use; backup and restore that can be initiated from anywhere, without anyone being onsite; and the ability to back up data at more regular intervals. The cons include data recovery costs that could outweigh the benefits for companies that are not heavily dependent on uptime and instant recovery; data limits that may apply because of storage availability and cost; no access to any of your information without an internet connection; and full data recovery that could be time-consuming and affect the running of systems.

Managed backup

As with all solutions, this one has its pros and cons. The benefits include physical control over your backups; keeping confidential data in-house without any third party having access to it; access to your backups that does not depend on an internet connection; and, for SMEs, potentially lower cost.

The cons include the capital investment in hardware and infrastructure, which can be very costly; the need for a server room on your premises, along with the necessary physical security and dedicated IT staff to manage it; no uptime or recovery-time guarantees; and, if you do not take copies of the data off-site regularly, the risk of losing it in a disaster on your premises.

When it comes to backup, cloud solutions can be more expensive than in-house options. That the cloud is cheaper is a common myth, although for some businesses the benefits of being in the cloud far outweigh the cost. If your business is heavily reliant on uptime and instant recovery, or has a largely mobile workforce, it may be worth paying more for a cloud solution with an uptime guarantee. Businesses that are less reliant on uptime or mobility may be better suited to an in-house backup. Given the current COVID-19 pandemic and the new norm of working from home, a cloud-based solution is likely to be far more beneficial to most organisations, because it allows backups and restores from almost anywhere.

ACDS has launched Cyber Protect Cloud, a single service that combines backup, anti-malware, security and management capabilities such as vulnerability assessments and patch management. You get upgraded security, with integrated AI-based defences against modern threats, and smarter use of resources so you and your team can focus on your core business. In the chaos we live in, who wouldn’t want a solution like this?

www.acds.io
info@acds.email
+27 87 073 9370

How secure are your employee’s endpoints – at home?

COVID-19 continues to present problems for employees working remotely. Over the past few weeks a number of threats have been identified in the banking industry, namely social engineering, third-party data breaches and ransomware, and fraud and cyberattacks have soared across the globe. IT News Africa says this is of particular concern for South Africa as funds are collected to support the economy during lockdown and new grants are implemented to ensure the wellbeing of citizens.

We’ve also seen numerous reports of cybercriminals ramping up their attacks as more and more people started to work from home. Now the Wireless Application Service Providers’ Association (WASPA) has reiterated the need for South Africans to practice good cybersecurity at home.

“With 90 million mobile connections and widespread availability of money transfer and digital banking facilities, SA is tremendously attractive to mobile fraudsters who use malware embedded in downloadable apps to gain access to passwords, user names and other sensitive data,” General Manager of WASPA, Ilonka Badenhorst said.

Exposed Services in Africa

“The way we are preyed upon by criminals has changed. We understand how to protect ourselves from physical crimes, but cybercrime is different – it is nameless, faceless and borderless. We can’t protect ourselves directly because most of us are not IT security professionals, and there is no failsafe system,” says Rohan Isaacs, who heads the technology and privacy team at law firm Herbert Smith Freehills in South Africa.

The global Cyber Exposure Index ranks SA sixth on the list of most-targeted countries for cyberattacks, with the highest concentration of exposed or smaller businesses.

“Most organisations are blissfully unaware of the degree of cybercrime that’s out there. People believe they are well-protected, and they are definitely not – they are using yesterday’s technology to protect themselves against today’s threats,” Brian Pinnock, Mimecast.

A recent Shadowserver Foundation report on Africa also published malware infection statistics, based on data collected from sinkholes, honeypots, network telescopes and other sources operated by Shadowserver or its partners. Example network report types that contain this data include the Botnet Drone Report, HTTP Sinkhole Report, Microsoft Sinkhole Report, Brute Force Attack Report and Darknet Report.

Based on these datasets, Shadowserver sees up to 600,000 malware-infected IP addresses per day in Africa. It should be noted, however, that observed activity by malware family is biased towards the threats that Shadowserver and its partners are currently sinkholing or otherwise have visibility of (around 400 malware families and variants).

Perhaps unsurprisingly, the number of infected unique IP addresses tends to be higher in absolute terms in more populous countries and countries with better internet infrastructure, including Nigeria and South Africa.

What endpoint protection is required?

As the figures above show, large numbers of devices are already infected, and email remains the single biggest attack vector for cybercrime, accounting for about 90% of attacks. How, then, do we determine what endpoint protection is required to keep our devices protected at all times?

Traditional antivirus alone is no longer enough: it works on a detect-and-respond basis, reacting to known malware after it has reached the device, and is proving inadequate against common modern attacks. The emphasis has moved to preventing threats rather than only detecting them, which can save a company a great deal of time and money. But is that even possible?

 

Here are 8 key security considerations for protecting remote workers. Many security and IT teams suddenly have to support and protect employees who must work remotely, so make sure these areas are covered too.

 

The endpoint protection you need

Cybersecurity resilience services cover all avenues of potential breaches through the combined efforts of key InfoSec principles and the deployment of rapid detection and response systems. Professional teams of engineers and analysts go through rigorous training programmes, developed by and for the military, based on real-world scenarios. They are trained to analyse, understand and recognise the patterns presented by cybercriminals, and it is their responsibility to identify a threat before it materialises, using their knowledge of cyber warfare and their determination to intercept an attack before it takes place.

Most cybersecurity firms base their defences on the assumption that all attacks will come through an endpoint or a human vulnerability. ACDS’ Intercept product is built on the knowledge that sophisticated cybercriminals can also enter your network through other avenues linked directly to your perimeter or other network components, skipping endpoints altogether. Intercept covers your endpoints, perimeter and network through a variety of tools, to detect and defeat unauthorised entry with speed and accuracy: not only to detect, but to protect.

The Shadowserver Foundation Threat Report: A Spotlight on Africa

Here at The Shadowserver Foundation, we like to regularly drill down into our datasets to provide our global partners with a wider and deeper insight into our scan and threat visibility for their regions. This insight can then be used to better drive our outreach activities. Most importantly, it can hopefully allow National CSIRTs in the region, as well as numerous other authorities/partners and private enterprises, to enhance their incident response coordination and share information from our public benefit victim remediation network reports with local communities in a more effective manner. There is also a significant, direct benefit to us: through feedback and collaboration with our report recipients, we get to see how useful our reports are at ground level and gain a better understanding of the local challenges faced in combating Internet security threats. In the long run, this allows us to improve our public services to the Internet defender community.

This blog is the first in a series in which we will take a look at different world regions in order to demonstrate what taking a more holistic view of our data can reveal – starting with the African continent.

Over the past few years, we have taken a particular interest in Africa as we seek to increase our reporting services, especially to the continent’s National CERT/CSIRTs and ISP communities. In order to look at the African threat landscape and to achieve the above objectives, we have partnered with our good friends at AfricaCERT. In doing so, we open up the opportunity to engage with multiple nations and ensure that these countries make the best possible use of our free reporting services. We are also happy to attend training events to share our understanding and insights with the community as a whole, once the global COVID-19 situation allows!

Key findings

In order to paint the current threat picture for Africa, we collated various IPv4-based datasets held within our repository, including an analysis of malware infections (primarily through sinkhole data); exposed services (some of which may be vulnerable) discovered by our daily scanning; amplification DDoS attacks (obtained from honeypots); and reputation IP blacklists.

MALWARE INFECTIONS IN AFRICA

Our malware infection statistics come from data collected from sinkholes, honeypots, network telescopes and other sources, operated by either ourselves or our partners. Example network report types that contain this data include: Botnet Drone Report, HTTP Sinkhole Report, Microsoft Sinkhole Report, Brute Force Attack Report and the Darknet Report.

Based on these datasets, we see in total up to 600,000 malware infected IP addresses per day in Africa. However, it should be noted that observed activity by malware family is biased towards the threats that Shadowserver and its partners are currently sinkholing or otherwise have visibility of (around 400 malware families/variants).

Absolute number of malware infections per day by counted daily IP addresses in Africa – March/April 2020

The graph above shows the absolute numbers of infections seen over the past month. Different colors represent different countries – for ease of understanding we have only labelled “Egypt” and “Algeria” above (as the most infected in absolute numbers), with the rest of the countries grouped into “Other African States”.

Top 20 Most Malware Infected Countries in Africa by Counted Daily IP addresses – 16th April 2020

Perhaps unsurprisingly, the number of infections by unique IP tends to be higher in absolute terms in more populous countries and/or countries with better Internet infrastructure. In Africa, we see that, currently, most malware infections are in North African countries (such as Egypt, Algeria and Morocco). South of the Sahara, the countries with the greatest number of infections include Nigeria and South Africa.

Top 20 Threats Seen in Africa by Daily Unique IP addresses – 16th April 2020

Top infections within the scope of our visibility include very well known and current Crimeware-as-a-Service and botnet infrastructures such as Andromeda (which was taken down as part of the international Avalanche operation) and Mirai. Instances of infection with both of these malware strains were observed across the whole continent, which is consistent with global trends. The recently disrupted Necurs spam botnet also features in the Top 10. An illustration of the top threats seen per African country for a given day (16th April 2020) is given below.

Northern Africa: Top Threats Seen Per Country (where top is understood as most unique IP addresses seen daily) – 16th April 2020

Southern Africa: Top Threats Seen Per Country (where top is understood as most unique IP addresses seen daily) – 16th April 2020

Relative Ratio of Avalanche Andromeda Malware Distribution in Africa – 16th April 2020

Relative Ratio of Necurs Malware Distribution in Africa – 16th April 2020

Relative Ratio of Mirai Malware Distribution in Africa – 16th April 2020

However, what makes Africa stand out in comparison to other regions is the relatively high prevalence of Android threats vs other Windows x86 infections.

We see Android trojan malware infections, such as android.backdoor.prizmes, ghost-push and android.iop, in quite substantial volumes.

Relative Ratio of Android Prizmes Malware Distribution in Africa – 16th April 2020

Like virtually everywhere else in the world, devices infected with legacy malware, for example Virut, Conficker and Lethic, continue to be observed, which indicates that multiple African victims have been suffering from long-term infections.

EXPOSED SERVICES IN AFRICA

Aside from collecting data about infected machines, for example via sinkholing, we also scan the entire IPv4 Internet on 48 services/protocols each day in order to find exposed services (i.e. services that can be accessed externally). This does not mean that these services are necessarily vulnerable to attack. Our scans are, rather, a combination of searching for accessible services, identification of misconfigurations or specific vulnerabilities, finding services that can be abused or misused in some way (for example for amplification attacks), detecting (but not exploiting) backdoors, etc. Our goal is to alert network defenders to the fact that services are exposed or abusable in some way and could be used to harm either their own networks, or those of the wider public Internet. We do not generate reports from all of our scans, as in some cases we do not think that having a service exposed immediately signals danger; so, for example, we refrain from reporting on SSH servers listening on TCP port 22. We generate 43 different types of reports based on our daily IPv4 scans, out of 77 reports in total.

Our scan statistics for Africa total 1.4 million IP addresses daily. A range of IPv4 devices are revealed each day with multiple services exposed externally, which could therefore potentially be vulnerable to cyber crime exploitation.

 

Absolute number of Exposed Services per day by counted daily IP addresses in Africa – March/April 2020

The graph above shows the number of exposed services seen over the last month. Different colors represent different countries – for ease of understanding we have only labelled “South Africa”, “Tunisia”, “Egypt” and “Morocco” above (as the most exposed in absolute numbers), with the rest of the countries grouped into “Others”.

Top Exposed Services Per Country without SSL and SSH services (where top is understood as most daily unique IP addresses seen) – 16th April 2020

Our scan statistics, which also include general population scans (see below), show that the services most exposed by unique IP address in Africa are CWMP (ports 7547/TCP and 30005/TCP), SSL (port 443/TCP) and SSH (port 22/TCP). As we explain below, this does not mean these are all vulnerable!

CWMP (CPE WAN Management Protocol – a protocol used by ISPs to auto-configure their customer-premises equipment devices, such as DSL routers and cable modems) has had flaws in the past that have been exploited by IoT malware (such as Mirai Botnet #14 and a TR-069 zeroday vulnerability). There is no reason to have CWMP services exposed publicly to non-trusted, potentially hostile IP addresses.

SSL – number 2 on our list – is the name tag that we apply to all HTTPS services exposed on port 443. While most of these are, of course, not vulnerable by default, and their exposure is usually necessary for business reasons, the statistic does give an overview of web-enabled services in Africa. In general, the more advanced the Internet infrastructure, the greater the number of enabled Web services.

There is nothing inherently wrong with having SSH enabled and exposing the service publicly on TCP port 22. Nevertheless, misconfigurations in SSH, or the use of default or weak passwords, could lead to the compromise of devices (which could include servers, routers or IoT devices). Indeed, password brute-forcing attacks against SSH are very common, as they also are for telnet. Both services are regularly targeted by IoT malware. Unlike SSH, there is usually no good reason to have non-encrypted telnet services exposed publicly.

A number of UDP-based services that can be exploited for amplification DDoS attacks, such as DNS or NTP (see our NTP monitor and NTP version reports), were also found to be prominent.

Top 20 Exposed Services Seen in Africa by daily unique IP addresses – 16th April 2020

In general, we observed that countries with greater quantities of IPv4 space tended to harbor more infections and to have a greater number of exposed/accessible services. This trend is much the same throughout the entire world, and is not unique to Africa.

Top 20 Countries in Africa with Exposed Services by counted daily  IP addresses – 16th April 2020

To provide some further insight into the above distribution by country, we took the top 3 scan results (without SSL and SSH) and mapped them to specific countries in Africa.

Top 3 Open or Vulnerable Services Seen By Country

In this analysis, we focus on the Top 3 services whose exposure we consider problematic – that is, these are unnecessarily open or vulnerable to abuse. For this reason, we skip SSL and SSH, which commonly must be exposed as is also often the case with FTP.

CWMP

Top 10 Countries in Africa with CWMP exposure

Clearly, Tunisia currently has the greatest number of accessible CWMP servers. As already mentioned, this unnecessarily provides an attack vector for malicious actors should a vulnerability be found in CWMP server implementations.

(Open) DNS

Top 10 Countries in Africa with (abusable) Open DNS exposure

Morocco, South Africa and Tunisia have the greatest quantity of exposed open DNS servers. These services can be abused for amplification DDoS attacks. It is important to fix the configuration of these services if possible. More information on amplification DDoS attacks can be found in the paper “Amplification Hell: Abusing Network Protocols for DDoS” by Christian Rossow and on our open resolver scan page.
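The open-resolver test and the amplification arithmetic behind this section (and behind the earlier note on UDP services such as DNS and NTP), as an added Python example that is not Shadowserver’s code or scanning tool: it builds the kind of recursive DNS query an attacker spoofs from a victim’s address (QTYPE ANY plus an EDNS0 buffer size of 4096), parses the response header, decides from the QR/RA flags and RCODE whether the responder served recursion to a stranger, and computes the bandwidth amplification factor (response bytes divided by request bytes). To keep it runnable offline the responses are constructed in the script rather than captured; the record sizes, the “open if RA is set and RCODE is NOERROR/NXDOMAIN” rule and the choice of QTYPE are this example’s assumptions, and Shadowserver’s own open-resolver criteria may differ.

```python
"""Open-resolver check and DNS amplification factor from raw packet bytes.

Added example (not Shadowserver code). build_query() produces a real query that
could be sent over UDP/53; the responses here are constructed locally so the
script runs offline.
"""
import struct

QTYPE_ANY = 255   # the type historically favoured for amplification
QTYPE_TXT = 16
TYPE_OPT = 41


def encode_name(qname):
    """Encode 'example.com.' as DNS wire-format labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_ANY, txid=0xBEEF, edns_size=4096):
    """Recursive query (RD=1) with an EDNS0 OPT record advertising a large UDP
    payload size, so the resolver is willing to return a big answer in one
    datagram. QDCOUNT=1, ARCOUNT=1 (the OPT record)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=requestor UDP size, TTL=ext RCODE/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_size, 0, 0)
    return header + question + opt


def question_section(packet):
    """Return the bytes of the first question (name + QTYPE + QCLASS)."""
    i = 12
    while packet[i] != 0:           # walk the labels (no compression in a query)
        i += packet[i] + 1
    i += 1 + 4                      # terminating zero + QTYPE + QCLASS
    return packet[12:i]


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_resolver(query, resp):
    """Assumed rule: the host is an open resolver if it answered our recursive
    query for a zone it is not authoritative for with QR=1, RA=1, a matching
    TXID and RCODE NOERROR (0) or NXDOMAIN (3). REFUSED (5) means recursion
    was correctly denied to us."""
    h = parse_header(resp)
    (qid,) = struct.unpack(">H", query[:2])
    return h["qr"] and h["ra"] and h["txid"] == qid and h["rcode"] in (0, 3)


def amplification_factor(query, resp):
    """Bandwidth amplification factor: bytes delivered to the victim per byte
    the attacker spoofs from the victim's address."""
    return len(resp) / len(query)


def constructed_response(query, rcode=0, ra=True, txt_records=0):
    """Constructed sample response (not captured traffic): echoes the question
    and appends `txt_records` 255-byte TXT answers pointing back at the QNAME."""
    flags = 0x8100 | (0x0080 if ra else 0) | rcode        # QR=1, RD=1
    header = query[:2] + struct.pack(">HHHHH", flags, 1, txt_records, 0, 0)
    # Name = compression pointer to offset 12 (the question name), TTL 300, RDLEN 256
    rr = struct.pack(">HHHIH", 0xC00C, QTYPE_TXT, 1, 300, 256) + b"\xff" + b"A" * 255
    return header + question_section(query) + rr * txt_records


def assess(query, resp):
    """Combine both checks into the verdict a scanner would log for one host."""
    return {
        "open_resolver": is_open_resolver(query, resp),
        "baf": round(amplification_factor(query, resp), 1),
        "response_bytes": len(resp),
    }


if __name__ == "__main__":
    q = build_query("example.com.")
    # A misconfigured CPE or ISP resolver answering anyone with a bloated ANY reply:
    print("open resolver:", assess(q, constructed_response(q, txt_records=10)))
    # A correctly configured server refusing recursion to outsiders:
    print("refused:      ", assess(q, constructed_response(q, rcode=5, ra=False)))
```

The 40-byte query against a 2709-byte constructed answer gives a factor of roughly 68, which is why an attacker needs only a modest spoofing capacity to saturate a target; the practical fixes are the ones the report points at (disable recursion for non-local clients, or rate-limit responses), and an accessible server that returns REFUSED or no RA to this query is not abusable in this way.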

Telnet

Top 10 Countries in Africa with telnet service exposure

South Africa has the greatest quantity of exposed telnet services, with larger amounts seen also in Kenya and Egypt. Using telnet is a dangerous security practice, as the traffic can be sniffed and credentials along with all the traffic content exposed. Additionally, the telnet service is very often the target of brute force attacks carried out by various variants of malware. It is likely most of these services are actually running on home routers or other IoT devices. If remote access is necessary, a properly secured SSH service should be configured instead.
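The password brute-forcing of SSH and telnet that the SSH paragraph above and this telnet section describe, seen from the defender’s side, as an added Python example that is not Shadowserver code: a small detector that parses sshd “Failed password” lines from a syslog-style auth log, keeps a sliding window of failures per source address, and raises an alert once a source exceeds a threshold within the window, recording the distinct usernames it tried (a spread such as root, admin, pi and ubnt is the signature of the IoT credential-stuffing the report describes rather than a user mistyping a password). The log lines are constructed for the example, the year is assumed because syslog timestamps omit it, and the threshold of 5 failures in 60 seconds is a starting point to tune, not a standard. A telnet daemon logs through login(1) with a different message format, so it would need its own pattern feeding the same detector.

```python
"""Sliding-window detector for SSH password brute-forcing in sshd auth logs.

Added example, not Shadowserver code. The log lines are constructed to look
like OpenSSH syslog output; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH: "Failed password for [invalid user ]USER from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Apr 16 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.45 port 40122 ssh2
Apr 16 10:00:03 gw sshd[1203]: Accepted publickey for ops from 198.51.100.20 port 51000 ssh2: ED25519 SHA256:constructed
Apr 16 10:00:05 gw sshd[1205]: Failed password for invalid user admin from 203.0.113.45 port 40130 ssh2
Apr 16 10:00:09 gw sshd[1207]: Failed password for invalid user user from 203.0.113.45 port 40138 ssh2
Apr 16 10:00:14 gw sshd[1209]: Failed password for invalid user test from 203.0.113.45 port 40146 ssh2
Apr 16 10:00:20 gw sshd[1211]: Failed password for invalid user pi from 203.0.113.45 port 40154 ssh2
Apr 16 10:00:27 gw sshd[1213]: Failed password for invalid user ubnt from 203.0.113.45 port 40162 ssh2
Apr 16 10:02:40 gw sshd[1240]: Failed password for ops from 198.51.100.20 port 51010 ssh2
Apr 16 10:02:46 gw sshd[1242]: Failed password for ops from 198.51.100.20 port 51012 ssh2
Apr 16 10:05:00 gw sshd[1260]: Failed password for root from 192.0.2.77 port 33001 ssh2
Apr 16 10:11:00 gw sshd[1262]: Failed password for root from 192.0.2.77 port 33009 ssh2
Apr 16 10:17:00 gw sshd[1264]: Failed password for root from 192.0.2.77 port 33017 ssh2
"""


def parse_failures(lines, year=2020):
    """Return (timestamp, source_ip, username) for every failed password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue   # accepted logins, disconnects, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on any source with >= threshold failures inside a sliding window.

    The alert for a source is refreshed on every qualifying event, so the
    returned record reflects the attacker's full observed activity."""
    events = sorted(events)                 # logs may be interleaved across hosts
    recent = defaultdict(deque)             # ip -> timestamps still inside the window
    users_tried = defaultdict(set)          # ip -> distinct usernames (whole run)
    alerts = {}
    for ts, ip, user in events:
        q = recent[ip]
        q.append(ts)
        users_tried[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                     # slow, spaced-out failures age out
        if len(q) >= threshold:
            alerts[ip] = {
                "window_start": q[0].isoformat(),
                "last_seen": ts.isoformat(),
                "failures_in_window": len(q),
                "distinct_users": sorted(users_tried[ip]),
            }
    return alerts


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return detect_bruteforce(parse_failures(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"ALERT {ip}: {info['failures_in_window']} failures "
              f"{info['window_start']}..{info['last_seen']} users={info['distinct_users']}")
```

On the sample, only 203.0.113.45 trips the rule: the legitimate user who mistyped twice and the low-and-slow source trying root every six minutes stay below threshold, which is the trade-off to keep in mind when tuning the window (a long window catches slow attackers at the cost of more noise). On a device where this is a real problem, the remediation the report recommends still matters more than the alert: key-based SSH instead of passwords, and no telnet at all.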

AMPLIFICATION DDOS OVERVIEW IN AFRICA

Together with our partners, such as CISPA, we monitor amplification DDoS attacks across the world using honeypots, see for example, our joint participation in the EU H2020 SISSDEN project. These attacks primarily exploit UDP-based services – including DNS and NTP services that have been highlighted in the discussion of our scan datasets above.

We found that these types of attacks are currently reasonably uncommon against African infrastructure compared to the rest of the world. This does not mean that such attacks do not happen. When they do occur, they can have devastating effects on the target infrastructure, potentially even felt at a country level (as was the case, for example, in the infamous Mirai Botnet #14 attacks that affected Liberia in 2016/2017).

Our statistics currently show roughly 20 to 60 IPv4 devices being targeted by amplification DDoS attacks in Africa per day.

Amplification DDoS Targets in Africa in March 2020 (Unique IP per day)

The highest number of attacks in a single day in March 2020 was seen on the 27th of March – 54 IP addresses were targeted, with most being located in Morocco.

Country breakdown of DDoS amplification attack targets on March 27th 2020

AFRICAN IP ADDRESSES ON PUBLIC BLACKLISTS

One other category of sources Shadowserver monitors are public blacklists (we currently draw upon over 110 different sources) of malicious IP addresses. We bundle all of the data from these sources into our blacklist report. Over the past few months, we have typically seen 2 million to 3 million entries for African IP addresses per day present on these types of blacklists. Note that sudden zero entries appearing on the charts is usually the result of a data collection failure on our side.

Number of IP entries geolocated to Africa on public blacklists – March/April 2020. Note that an IP may appear on multiple lists and thus be counted more than once.

Top Countries in Africa Blacklisted IP addresses (by unique daily IP addresses) – 16th April 2020

As can be seen on the tree map above, Mauritius and Seychelles IPv4 addresses have a very high profile presence on these lists, unlike in the previous datasets we explored.

A breakdown of the top observed IP blacklist source per country is shown on the maps below:

Top Blacklist presence per country by unique daily IP addresses – 16th April 2020

Recommended Actions

The following is a list of actions we believe may have an impact on the state of operational security on the African continent.

First and foremost, we want to continue to deliver – and to extend – our public benefit remediation network reports to more of the right kind of defender entities in Africa. This includes not only National and Government CSIRTs, but also ISPs/Domain Registries operating within the continent, as well as other private or public enterprises and network owners. As our reporting maps show below, our current National CSIRT report coverage could be improved. The number of network owners that directly receive our feeds is also low in comparison to other continents.

Secondly, we believe that a data-driven approach to improving the resilience of the African Internet is a good way to move forward. For example, dedicated malware awareness and eradication campaigns focused on threats like Andromeda or IoT-related malware, could be effective in leading to an increase in resilience of African networks. Focusing on Android malware and general Android security awareness would also be beneficial. However, these initiatives would require a collaboration with a large set of stakeholders. We are happy to explore any options in this regard. If you can help, or know someone who can, please reach out on social media and help get the message out, or get in touch by email.

Thirdly, collaboration with ISPs on reducing the footprint of exposed services (for example, focusing on CWMP, open DNS or telnet) would also be a step forward in terms of improving network resilience.

Conclusion & Next Steps

As with nearly every region around the world, Africa has its own specific threat profile. There is much work that can be done both against legacy-threat malware and newer variants to make the region more secure for the benefit of all Internet users. Spambots, such as Necurs, and malware droppers, such as Andromeda, have powered waves of past attacks against many global targets, while Mirai-infected devices have powered huge DDoS attacks. Infected systems are likely to also be infected by (or become infected with) similar current and future threats too.

Much the same can be said of the exposed protocols and potentially abusable services uncovered by our scans, which are the ones most at risk of exploitation. Our ultimate goal is to improve the resilience of African network security and thus see our maps and time-series charts reflect a reduction in the number of detected devices. We can only achieve this by working together, through continued and expanded collaboration between ourselves and our ever-growing constituent base.

In terms of National CERT/CSIRT coverage (reflected in our coverage map below), only a small number of these organisations subscribe to our public benefit daily feeds. In total, we have 13 National CSIRTs in Africa receiving our feeds at a country level and 139 network owners that subscribe to our feeds directly, out of 109 National CSIRTs in 138 countries and 4900+ network owners that receive our data worldwide. We would encourage all African network owners to subscribe to and act on our reports, and stand ready to supply any National CSIRT in the region with data.

As a community appeal, if you hold any contacts in Africa, we would be most grateful if you could help us out with an introduction in order to enable us to build new relationships with the right partners!

National CSIRTs in Africa subscribing to Shadowserver public benefit feeds – April 2020

Direct recipients of Shadowserver reports in Africa – April 2020

Whether in Africa or not, if you are not already a subscriber to Shadowserver’s public benefit daily network reports but would like to receive our existing 77 report types, then please sign up to our free daily remediation feed service.

Making Remote Work Secure: Five “Must Do” Steps

Since COVID-19 became a global pandemic and steps were put in place to contain its spread, more and more
people have been forced to work from home. This transition requires many changes in how individuals and
organizations operate and communicate, especially in terms of using computers, personal devices, and
specific software that enables remote work.

At the same time, cybercriminals recognize that attacking home users is much easier as they are typically less
secured outside their office, where security policies and measures are enforced (at least at some level). Yet to do
their jobs, these remote workers need to connect to various servers and access and create confidential, sensitive
documents and data from their less-secure home office environment.

The risk of losing important data or being compromised becomes much greater at home. That is why every remote
worker should be prepared to secure their remote workspace. Here are five recommendations for securing a home
office.

1. Use a VPN
Whether you are connecting remotely to company resources and services, or you are just browsing web resources
and using telecommunication tools, use a Virtual Private Network (VPN). VPNs encrypt all of your online traffic to
prevent hackers from capturing your data in transit.
If your company has a VPN practice, you most likely will get instructions from your admin or MSP technician. If you
have to secure your working place yourself, use a well-known, recommended VPN app and service – they are
widely available in different software marketplaces or directly from vendors.

2. Be wary of phishing attempts
As a topic, COVID-19 is already being widely used in all types of phishing attempts – and the number of such
malicious activities will only grow. Every remote worker needs to prepare for the increase in phishing attempts by
understanding and recognizing the threat.
Themed phishing and malicious websites appear in large numbers every single day. These typically can be filtered
out on a browser level, but if you have a cyber protection solution installed on your work laptop or your company’s
MSP delivers that protection with a solution like ACDS Cyber Protect Cloud, you are also secured by dedicated URL
filtering. The same functionality is also available in endpoint protection solutions, although in ACDS Cyber Protect
we have a special category related to public health which is updated with higher priority.
Of course, those malicious links have to come from somewhere, and they are typically delivered in instant
messages, emails, forum posts, etc. Do not click any links you don’t need to click on, and always avoid those that
you did not expect to receive.
These attacks also use malicious attachments to emails, so always check where an email really comes from and ask
yourself are you expecting it or not. Before you open any attachment, be sure to scan it with your anti-malware
solution, such as ACDS Cyber Protect Cloud.

Be sure that all phishing and malicious websites are blocked by a security solution with embedded Web/URL
filtering functionality, like ACDS Cyber Protect Cloud.

It also helps to remember that the information you really want regarding COVID-19 or similar pandemics can be
found from official sources like the World Health Organization (WHO), your national ministry of health, and
state/local government agencies. Refer to those official agencies rather than opening links or emails from unknown
sources.

3. Be sure to have good anti-malware up and running properly
Having a good anti-malware solution installed is a must nowadays. With Windows, where the majority of threats are
targeted, the built-in Windows Defender makes it easier. It does a good job of stopping threats, although it still
cannot match the top anti-malware products from security vendors. ACDS Cyber Protect Cloud delivers many
well-balanced and finely tuned security technologies, including several detection engines, so we would
recommend it to use instead of an embedded Windows solution.
Simply having an anti-malware defense in place is not enough, however. It should be configured properly, which
means:

  • A full scan should be performed at least once a day.
  • The product should be connected to its cloud detection mechanisms; in the case of ACDS Cyber
    Protect, to ACDS Cloud Brain. This is active by default, but you need to be sure that internet
    access is available and not accidentally blocked by the anti-malware software itself.
  • The product needs to get updates daily or hourly, depending on how often they are available.
  • On-demand and on-access (real-time) scans should be enabled and adjusted for every new piece of
    software installed or executed.

It is also important that you do not ignore messages coming from your anti-malware solution. Read these
carefully and, if you use a paid version from a security vendor, be sure that the license is active.
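Since the article names the built-in Windows Defender as the baseline option, here is an added PowerShell check (not from the article or from ACDS) that audits Defender against the four checklist points above. Cmdlet and property names are those of Windows' Defender module; the thresholds (one day for scans and signatures, 24 hours for the update interval) are this example's assumptions.

```powershell
# Added example (not from the article or from ACDS): audit the built-in Windows Defender against
# the four checklist points above. Cmdlet and property names come from Windows' Defender module;
# the thresholds (1 day, 24 h) are this example's assumptions. Run elevated on Windows 10/11.
function Test-DefenderChecklist {
    param(
        $Status = (Get-MpComputerStatus),   # ages are reported in days (huge value = never)
        $Prefs  = (Get-MpPreference)
    )
    $findings = @()
    # 1. Full scan at least once a day, and one actually scheduled:
    #    ScanParameters 2 = full scan, ScanScheduleDay 0 = every day.
    if ($Status.FullScanAge -gt 1) {
        $findings += "Last full scan was $($Status.FullScanAge) day(s) ago"
    }
    if ($Prefs.ScanParameters -ne 2 -or $Prefs.ScanScheduleDay -ne 0) {
        $findings += "No daily full scan is scheduled"
    }
    # 2. Cloud-delivered detection (Defender's counterpart to a vendor 'cloud brain'):
    #    MAPSReporting 0 = off, 1 = basic, 2 = advanced.
    if ($Prefs.MAPSReporting -eq 0) {
        $findings += "Cloud-delivered protection (MAPS) is disabled"
    }
    # 3. Updates daily or hourly: signature age in days, update interval in hours
    #    (0 means 'not configured', i.e. Windows' own default schedule).
    if ($Status.AntivirusSignatureAge -gt 1) {
        $findings += "Signatures are $($Status.AntivirusSignatureAge) day(s) old"
    }
    if ($Prefs.SignatureUpdateInterval -lt 1 -or $Prefs.SignatureUpdateInterval -gt 24) {
        $findings += "Signature update interval is not set to hourly/daily"
    }
    # 4. Real-time (on-access) scanning and the engine itself must be running.
    if (-not $Status.AMServiceEnabled) { $findings += "Antimalware service is not running" }
    if (-not $Status.RealTimeProtectionEnabled -or -not $Status.OnAccessProtectionEnabled) {
        $findings += "Real-time / on-access protection is disabled"
    }
    return $findings
}

$gaps = @(Test-DefenderChecklist)
if ($gaps.Count -eq 0) {
    "OK: Defender matches the checklist"
} else {
    "Checklist gaps:"; $gaps | ForEach-Object { " - $_" }
    # Remediation for the same four points (admin rights needed):
    #   Set-MpPreference -ScanParameters 2 -ScanScheduleDay 0 -ScanScheduleTime 02:00:00
    #   Set-MpPreference -MAPSReporting Advanced -SignatureUpdateInterval 1
    #   Set-MpPreference -DisableRealtimeMonitoring $false; Update-MpSignature
}
```

The function takes the two status objects as parameters so the same checks can be run against exported settings from another machine, not only the local one.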

4. Patch your OS and apps
Keeping your operating system (OS) up to date is crucial, as a lot of attacks succeed due to unpatched
vulnerabilities. With ACDS Cyber Protect, you’re covered with embedded vulnerability assessment and patch
management functionality. We track all identified vulnerabilities and released patches, which allows an admin or
technician to easily patch all their endpoints with a flexible configuration and detailed reporting.
ACDS Cyber Protect not only supports all embedded Windows apps, but also more than 40 key third-party apps,
including all the telecommunication tools like Zoom or Slack, and many of the popular VPN clients used for
remote work. Be sure to patch high-risk vulnerabilities first and use success reports to confirm that patches were
applied properly.
If you don’t have ACDS Cyber Protect and do not use any patch management software, it is much harder. At a
minimum, you need to be sure that Windows gets all the updates it needs and they are quickly installed – users
tend to ignore system messages, especially when Windows asks for a restart. Ignoring these requests is a big
mistake.
Also, be sure that auto-updates from popular software vendors like Adobe are enabled, so that apps like PDF
readers are also updated promptly.

ACDS Cyber Protect Patch Management supports all the popular collaboration, conferencing and messaging tools

5. Keep your passwords and workspace to yourself
While this step has been mentioned many times as the top piece of security advice, during the response to
COVID-19 it is doubly important to ensure your passwords are strong and known only to you. Never share
passwords with anyone, and use different and long passwords for every service you use. Password management
software makes this easier. Otherwise, an effective approach is to create a set of long phrases you can remember.
And when we say long, we mean long, since the old eight-character passwords are easily opened by brute-force
attacks now.
Also, even when working from home, do not forget to lock your laptop or desktop and limit access to it. There are
many cases of people accessing sensitive information on an unlocked PC from a distance. Don’t assume you are
protected simply because you are not inviting anyone you don’t know or trust into your home office.

Coronavirus Puts Remote Work Security to the Test

As authorities worldwide work to contain the deadly coronavirus and try to keep it from spreading, the travel
restrictions put in place are causing many organizations to rethink their operations. Rather than traveling to a region
where their return flight might be at risk of being quarantined, many are turning to videoconferencing, file sync and
share, and other remote work solutions to keep their businesses going. In China, where the disease started and
where remote work policies are historically uncommon, the remote collaboration tool Zoom saw a single-day
increase in downloads of 15%.

Remote work can certainly benefit a company, encouraging more collaboration and knowledge sharing. That’s why
its adoption has grown significantly in the last several years. In fact, the global enterprise file synchronization and
sharing (EFSS) market is expected to reach $24.4 billion by 2027, up from $3.4 billion in 2018.

Yet the wrong solution can put organizations at risk if it does not address data security and privacy. To address this
predicament, businesses need to implement secure file sync and share technologies so that employees can work
from home while accessing and transferring data in a secure manner.

What is file sync and share?
File sync and share technology is designed with the modern professional landscape in mind; a landscape where
workforces rely on multiple devices and location flexibility in order to maximize productivity. File sync and share
gives organizations the power to share files across multiple devices and with multiple people using file
synchronization – allowing files to be stored in any approved data repository and accessed remotely by employees
from any of their IT provisioned devices.

Security risks associated with remote work
Historically, remote work policies have been a sensitive topic for organizations. While some employers might fear
that remote work creates a dip in employee performance, the larger concern is actually securing the proprietary
and business-critical data modern companies rely on.

On a corporate network, IT teams can easily secure employee devices, but this becomes much more difficult to do
once an employee accesses the system from outside the network.

Outside of the corporate network, devices are easily susceptible to attacks from third parties and cybercriminals.
Attacking these unsecured endpoints can reveal the employee’s login credentials to cybercriminals so they can
access the company’s system, or even use ransomware to lock company data – which happened to the NextCloud
service last fall.

Benefits of secure file sync and share
Solutions that are built to deliver secure file sync and share give organizations the flexibility to enable employee
collaboration and productivity while giving the IT department control over the protection of company data. Here are
some of the ways that secure file sync and share technology protects and empowers businesses:

Secure File Sharing – It’s well known that when a file sync and share solution isn’t provided, employees will
often resort to using their own personal devices and tools. Because these tools and devices exist outside of
the control of IT departments, they’re inherently not secure and put sensitive company data at risk. With
secure file sync and share, employees can easily share and access company files while IT maintains the
privacy and security of the data.

Easy Anywhere, Anytime Access – Organizations are beginning to see the workday less as a clock-in/clock-out
office environment, and have adopted an environment that supports the various schedules and lifestyles of
their employees. With secure file-sync and share, employees are no longer constrained to a single
corporate-owned device to be productive.

Data Loss Prevention and Disaster Recovery – When corporate data is centrally stored, it’s better protected
against data leakage. This includes data lost to a cyberattack, employee error, or a lost or stolen device. With
an enterprise-grade file sync and share solution, sensitive corporate data is kept secure and protected.

Easy Collaboration – File sync and share services are adapting to not only protect company data but to aid in
remote workplace collaboration. Some file sync and share tools now provide users with tools to preview and
edit files in-browser, search and find specific company documents and versions, and keep all employees on
the same version of a document.

Final Thought
While global emergencies such as the coronavirus outbreak may highlight the benefits of having a secure remote
work policy in place, the use of secure collaborative tools should be understood as part of a larger cultural shift. As
more organizations adopt remote work policies, the IT teams, and MSPs that service these companies should adopt
secure file sync and share solutions.

To help organizations introduce remote work policies in a way that is safe and secure, MSPs can offer their business
customers ACDS Cyber Files Cloud, a secure enterprise file sync and share solution that features end-to-end
encryption, user controls, and an audit trail.

Similarly, organizations that do not rely on an MSP can choose ACDS Cyber Files Advanced, an easy, complete, and
secure enterprise file sharing solution that makes users more productive and gives IT complete control over
business content to ensure security, maintain compliance, and enable BYOD.