Working From Home
choosing the most secure settings for your devices and software – Part 2/5 (Cyber Essentials)
I hope you have configured your firewalls since my last article and are ready to move on to making sure that your devices and software are configured correctly. This series of articles is written to help you with your Cyber Essentials certification controls.
Most manufacturers ship their products and software pre-configured in a ready-to-use state, and often these defaults are not secure. This allows criminals to exploit these weaknesses and gain access to your systems. I like to say that technology's efficiency is only as good as the people and processes you put around it. There is no point buying the fanciest software or devices on the market if you do not have skilled people to configure them correctly, following a documented process. This article looks at how to configure our work and personal devices when working remotely.
Organisations that have asked their staff to work from home should always follow a documented build process, so that the settings of any new software and devices bought for staff are applied and checked consistently. The build process should cover controls that harden the device by adding layers of security, such as disabling or removing permissions that these devices or apps do not require. Example: does the Facebook app need access to your contact list, device storage and your location? Think about it: when a service is free to use, who do you think is the product? You are the product!
You can follow these basic steps to correctly configure all your internet-connected devices:
Remove or disable software that you do not use.
For companies – When you configure your staff laptops and other devices, make sure you have removed or disabled all the software that you do not use.
For individuals – Uninstall any apps and software that you do not need on your laptops and smartphones, and remove any unnecessary permissions. You can do this by looking at the app settings on your mobile phone or your laptop.
When you log in to your device, make sure you are logging in as the correct user and that you have assigned appropriate permissions to all the user accounts configured on your machine. For example, if you are sharing a computer with other members of your family, create separate user accounts for them, and do NOT use admin accounts for day-to-day browsing and email (this helps stop malicious software escalating its privileges to infect your entire system). On Windows, you can change account settings through the Control Panel.
Passwords or passphrases
Your devices contain your personal and business data, and they also store the details of the websites and online accounts that you access, so all your devices and accounts should always be password protected to prevent unauthorised access. Each organisation should have a well-written and approved password policy that is enforced across the whole organisation.
Change any default passwords and make sure you do not use the same passwords for your user accounts and admin accounts. My admin passwords are at least 21 characters long and my user passwords are more than 15 characters. Eight-character passwords can be cracked in seconds, so do your risk assessment!
Have a unique, strong password or passphrase for each account: at least 16 characters with a mix of numbers and other characters. Longer and more complex passphrases are harder to guess and slower to crack. Include deliberate misspellings as well if you can (they make dictionary attacks harder).
For example, “Mak3DataProtectionPersunal” is a complex passphrase and much stronger than “Chani!232<$£”. Remember, the longer the better. Then make it different for every account and do not reuse passwords. If you have trouble remembering them, get a password manager such as KeePass. Your employees will never bother to remember long passwords, so give them a password manager. This will cost you far less than dealing with a data breach.
For important accounts, enable two-factor authentication: for example, a code sent to your mobile phone or generated by an authenticator app, which you must enter along with your password.
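As an added illustration (not from the article), the password rules above expressed as a check that a password policy tool could run: the length thresholds are the article's (16 for users, 21 for admins), while the default-password list is a constructed sample and the brute-force estimate is a simple search-space calculation.

```python
import math
import re

# Length thresholds taken from the article: user accounts over 15 characters, admin accounts at least 21.
MIN_LENGTH = {"user": 16, "admin": 21}
# Constructed sample of vendor/default passwords; a real check would load a breach or default-password list.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678", "letmein"}

def charset_size(pw):
    """Estimate the alphabet an attacker must search, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII punctuation, as an approximation
    return size

def bruteforce_bits(pw):
    """log2 of the brute-force search space; shows that length matters more than symbol variety."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def check_password(pw, role="user", already_used=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH[role]:
        problems.append(f"shorter than the {MIN_LENGTH[role]} characters required for {role} accounts")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs a mix of letters and numbers")
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    if pw in already_used:
        problems.append("reused from another account")
    return problems
```

Running it on the article's two examples shows the long passphrase passing and the short symbol-heavy one failing on length, with a much smaller search space despite its symbols.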
If your company has any externally accessible systems, set them to lock out after a maximum of ten incorrect login attempts. App developers need to plan this carefully, as a badly implemented lockout can itself be turned into a denial of service.
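The lockout rule above, as an added example that is not from the article: a per-account throttle that locks after ten failures but lets the lock expire on its own, which is the usual way to limit the denial-of-service risk the article mentions. The time values and the `verify` callback are assumptions.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 10        # the article's ceiling: lock after at most ten incorrect attempts
LOCKOUT_SECONDS = 600    # constructed: a temporary lock that expires, so an attacker cannot
                         # permanently lock a victim out just by sending wrong passwords
WINDOW_SECONDS = 900     # constructed: failures older than this no longer count

class LoginThrottle:
    """Per-account failure counter with a self-expiring lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts, self.lockout, self.window, self.clock = max_attempts, lockout, window, clock
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.locked_until = {}             # account -> time at which the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # lock has expired: clear it and the old failures
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Count one failure; return True if it triggered a lockout."""
        now = self.clock()
        recent = [t for t in self.failures[account] if t > now - self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)

def attempt_login(throttle, account, password, verify):
    """verify(account, password) -> bool is the real credential check (assumed to exist)."""
    if throttle.is_locked(account):
        return "locked"                    # do not even evaluate the password while locked
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```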
Disable “auto-run” or “auto-play”
Make sure you have disabled the auto-run feature on your user devices, so that a prompt appears when a memory stick or other USB device is inserted and the user can choose how to open it. Only allow data to be copied to authorised and encrypted devices.
Turn off the notifications on the lock screen
The lock screen is the first thing anyone sees when they pick up your device, and it can show a lot of information that you may not want strangers to see.
Activate the webcam protection option in Antivirus
Even if you do not have malware on your computer, your webcam could still be used for surveillance. Websites can access your webcam, but most browsers will ask you for permission first. Machines with insecure browsers, however, can be vulnerable.
These are some very basic controls that you can apply to all your connected devices. They can potentially stop 80% of internet-based attacks and are very effective when implemented correctly together as part of a comprehensive security programme.
How can Meta Defence Labs help you?
We are an award-winning team of security experts and a UK government accredited certification body for the UK Cyber Essentials and IASME framework. We can help you gain your Cyber Essentials and IASME with GDPR compliance certifications.
If you would like some help, contact us at: info@MetaDefenceLabs.com, +44 (0) 203 222 4060