This presentation is primarily for small businesses interested in having their employees work from home. It provides do's and don'ts as well as short-term and long-term goals business leadership should strongly consider to better protect business data and systems. It also gives home users tips they can use to help secure their home environment, such as seeing what is on their network. Our team originally presented this material on a Zoom webinar on April 23rd, 2020 in conjunction with multiple business organizations. The version below is a recorded webinar presentation without the audience questions.
Video presentation
https://www.treetopsecurity.com/7-cybersecurity-sins-when-working-from-home
Need help securing your business data? Please keep TreeTop Security and the Peak platform in mind for a better approach to small business cybersecurity.
1. 7 Cybersecurity Sins When Working From Home
DALLAS HASELHORST
Founder & Principal Consultant, TreeTop Security
www.treetopsecurity.com
From the makers of Peak, the only affordable and comprehensive small business cybersecurity solution
2. # whoami
info@treetopsecurity.com | @oneoffdallas
● 20+ years of IT & cybersecurity experience
● Consulted for companies all over the US
● Multiple computer-related degrees from FHSU
● Master’s degree in Information Security Engineering from the SANS Technology Institute
● Alphabet soup of security-related certifications
○ CISSP, GSEC, GCIH, GCCC, GCPM, GPEN, GMON,
GCIA, GWAPT, GDSA, GSE #231
● Co-organizer of BSidesKC conference
● Founded an IT company in 2003, acquired in 2016
● Led design of the Peak platform for 3+ years
5. 43% of all cyber attacks target small businesses
(Figure: who attackers go after, next to the common objection “No one wants OUR data”: Unprepared Small Businesses / Large Businesses and Government / “Prepared” Small Businesses)
Sources: Verizon 2019 DBIR - https://enterprise.verizon.com/resources/2019-data-breach-investigations-report.pdf
https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html
6. Targeted or untargeted?
•Untargeted attacks work equally well on 1 victim or 1,000
•Ransomware
• Locks you out of your data
• Monetary ransom gets it back
•Cryptominers/botnets
• Uses your system resources
• To “mine” cryptocurrency
• To hack or harass others
•Nation-states
•Organized crime
8. Home network
•One compromised device on the same network can compromise your device too
•Who has access?
• Kids
• Neighbor kids
• Everyone?
•What devices have access?
• Gaming computers
• “Knock-off” products
• Internet of things (IoT) - Alexa, Google Home, doorbells, Xbox, refrigerators, camera systems, etc.
9. Fing app
•Free, easy to use
•Available for Apple/Android
•Scan your network
•Find other devices
•Staying at a B&B? Scan there too
•Restaurant guest wifi - what else is on it?
• Printers
• Speakers
• Servers <-
• POS (point-of-sale) systems <-
PCI compliance? If guests can reach these, they can reach credit card info!
10. Wireless/firewall
•Still using the default admin username/password on the router? Change it
•Use the WPA2 (AES) encryption setting (WPA3 where the router and every device support it); never WEP or TKIP
•Disable WPS (the “push a button to connect” feature)
•Wireless key/password
• When was it last changed?
• Using your phone number? A phone-number key can be cracked in under 10 minutes
• Use more than 20 characters
• Use passphrases!!!
• Stayoffmywifi@homeplease (24 characters)
https://linuxincluded.com/why-phone-numbers-make-horrible-wifi-passwords/
13. Prying eyes
•Password on computer
• Passphrases!
• >16 characters
• Length is better than complexity
• Lock when away
• Auto-lock after inactivity
• Windows = Windows key + L
• Mac = Control-Shift-Power
• Alternative - biometrics
•PIN/biometrics on portable devices
•Keep kids away
• “Grandkids were here this weekend”
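Why a phone number is a bad Wi-Fi key and why length beats complexity for the computer password, as an added worked example (not part of the original presentation). WPA2-Personal derives its 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations; anyone who records one 4-way handshake can test guesses offline by recomputing that key, so the number of plausible guesses is what sets the attacker's cost. The SSID, the fictional phone number 785-555-0042 and the 1,000,000 guesses/second GPU rate are constructed assumptions for illustration, and the code compares derived keys directly instead of checking the handshake MIC, which is the step that actually needs the capture.

```python
import hashlib

# Added example, not code from the presentation or from TreeTop Security.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 Pairwise Master Key as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def crack_phone_number_psk(target_pmk: bytes, ssid: str, area_code: str, exchange: str):
    """Offline guessing of a Wi-Fi key that is a 10-digit phone number.

    Assumes the attacker already knows the first six digits (area code and
    exchange, e.g. from a business card), leaving only 10,000 candidates.
    Returns (passphrase, guesses_tried) or (None, 10000) if not found.
    """
    for n in range(10_000):
        guess = f"{area_code}{exchange}{n:04d}"
        if wpa2_pmk(guess, ssid) == target_pmk:
            return guess, n + 1
    return None, 10_000


def seconds_to_exhaust(n_candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return n_candidates / guesses_per_second


def bruteforce_keyspace(charset_size: int, length: int) -> int:
    """Number of strings of the given length over a charset, i.e. what a blind
    brute force has to cover when it knows nothing about the password's structure."""
    return charset_size ** length


# Constructed sample: a home router whose key is the owner's (fictional) phone number.
SSID = "Haselhorst-WiFi"
PHONE_KEY = "7855550042"

# Assumed offline guess rate, in the range of one modern GPU against WPA2
# (an assumption for illustration, not a measurement).
GPU_RATE = 1_000_000

if __name__ == "__main__":
    captured = wpa2_pmk(PHONE_KEY, SSID)  # stands in for the key derived from a captured handshake
    found, tries = crack_phone_number_psk(captured, SSID, "785", "555")
    print(f"recovered key {found} after {tries} guesses")

    # Length beats complexity: 24 lowercase letters dwarf 8 characters drawn from the full keyboard.
    for label, n in [
        ("any 10-digit phone number", 10 ** 10),
        ("phone number, area code known", 10 ** 7),
        ("8 chars, full 95-char keyboard", bruteforce_keyspace(95, 8)),
        ("24 lowercase letters only", bruteforce_keyspace(26, 24)),
    ]:
        hours = seconds_to_exhaust(n, GPU_RATE) / 3600
        print(f"{label:32s} {n:.2e} guesses  {hours:.2e} hours")
```

At the assumed rate every 10-digit phone number falls in under three hours and a number with a known area code in seconds, while 24 lowercase letters are out of reach by dozens of orders of magnitude; a real attacker would of course start with a targeted wordlist (local area codes, the owner's known numbers) rather than the full space, which only makes the phone-number case worse.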
14. WFH setups
•Don’t overshare photos of your home office!
•High-resolution images reveal far more than you intend
•Accidental disclosure
• Zoom meeting IDs
• What you are working on
• Client names / file names
• Applications you use (open or closed)
• Passwords on sticky notes <- NOOO!
•Hide all desktop icons
•Don’t show toolbars/taskbars
•Resize (downscale) pictures before posting
What could an attacker or competitor gain from that photo?
15. Staying up-to-date
•New security issues found every day
•Operating system updates
• Windows, Apple, Linux
• Still using Windows 7? It reached end of life in January 2020 and no longer receives free security updates
•3rd party updates
• Microsoft Office
• Browser - Chrome, Safari, Firefox
• Adobe Reader
• Zoom - new version 2 days ago
• Click profile -> check for updates
•Anti-virus - definition updates
•Mobile devices
18. Scattershot storage & technology
•Unprepared for WFH?
•Then prepare for shadow IT
• Employees will find their own alternatives to get things done
•Data/info coming from new sources
• No server or centralized storage
• Dropbox, OneDrive, Google Drive
• Email, Slack, Microsoft Teams
•Regulated industries - PII, PHI, etc.
• Many regulations relaxed... for now
• “Leftover data” scattered across those services
• Where is it after 6 months?
• After 2 years?
Maintain order now, thank me later
19. Data protection
•Alexa, Google Home -> always listening
•Backups - even more important
• Hardware failure
• Accidental deletion
• Ransomware - no protection is perfect!
•Full-disk encryption (FDE)
• Lost or stolen? You are only out the cost of the device, not the data
• Recommended for everything, not just PII/PHI
• Windows - BitLocker
• Apple macOS - FileVault
• Mobile devices - tablets & phones
• PIN/passcode on boot
• Decryption often tied to PIN/passcode
20. Secure communications
Example: Healthcare
Is the tool industry/regulatory approved? Will the vendor sign a Business Associate Agreement (BAA)?
Video conferencing
• Zoom (free) or Zoom Business? No
• Zoom for Healthcare? Yes
• Free vs a minimum of $200/month
Document storage/sharing
• Google Drive (free)? No
• G Suite by Google? Yes
• Free vs $6/month per user (plus additional services)
23. Criminal activity - domain registrations
https://www.markmonitor.com/mmblog/covid-19-domains-whats-going-on/
New domains registered related to corona, COVID, vaccine, etc.
Example: id-covid19[dot]com (written defanged on purpose) - DON’T GO THERE
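A small triage filter for this kind of indicator, as an added example that is not part of the presentation or of MarkMonitor's tooling: it refangs indicators written the way reports print them (`id-covid19[dot]com`, `hxxp://…`), extracts the host, and flags domains whose labels contain pandemic-themed keywords, skipping an allowlist of known-good sites so that legitimate health resources are not flagged. The keyword list, the allowlist and the sample feed are constructed for the example; keyword matching is only a first pass for review, not proof that a domain is malicious.

```python
import re

# Added example, not code from the presentation.

# Keywords the slide names, plus two more commonly seen in 2020 registrations (assumption).
THEME_KEYWORDS = ("corona", "covid", "vaccine", "pandemic", "ncov")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the value can be compared programmatically."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    for defanged, real in (("[dot]", "."), ("(dot)", "."), ("[.]", "."), ("[at]", "@")):
        s = s.replace(defanged, real)
    return s


def host_of(indicator: str) -> str:
    """Refang, then drop scheme, port and path; return only the hostname."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator))
    return s.split("/")[0].split(":")[0]


def themed_keywords(domain: str) -> list:
    """Theme keywords found inside any label of the domain (sorted, unique)."""
    labels = domain.split(".")
    return sorted({k for k in THEME_KEYWORDS for label in labels if k in label})


def triage(indicators, allowlist=("who.int", "cdc.gov")) -> list:
    """Return (host, keywords) for every indicator that carries a theme keyword
    and is not (a subdomain of) an allowlisted domain."""
    flagged = []
    for ind in indicators:
        host = host_of(ind)
        if any(host == a or host.endswith("." + a) for a in allowlist):
            continue
        hits = themed_keywords(host)
        if hits:
            flagged.append((host, hits))
    return flagged


# Constructed sample feed: the first entry is the slide's example, the rest are made up.
SAMPLE_FEED = [
    "id-covid19[dot]com",
    "hxxp://corona-vaccine-update[.]net/login",
    "https://www.who.int/emergencies/diseases/novel-coronavirus-2019",
    "treetopsecurity[dot]com",
    "hxxps://secure-ncov-relief[dot]org:8443/claim",
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_FEED):
        print(f"REVIEW  {host:32s} keywords={','.join(hits)}")
```

The refang step matters because copying a defanged string straight into a blocklist or a DNS sinkhole silently does nothing; the allowlist matters because the same keywords appear in the domains people should be visiting.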
29. Awareness slide deck
Shared and recommended at the RSA conference, Feb 2020
Downloaded in over 150 countries in < 1 year (Sept 2019 - March 2020)
Slides available at https://www.treetopsecurity.com/CAT
30. Also available at https://www.treetopsecurity.com/CAT
Free video + other goodies
•New slide deck
• Version 1.1
• Released March 2020
•Video presentation
• Released March 2020
•Awareness quiz
•Certificate of completion
•Sign-up for our newsletter