Teleworking policies for the Department of Defense (DoD) have been in place for more than a decade; however, the culture within the Navy has been slow to shift toward allowing civilian and uniformed personnel to make the change. The coronavirus pandemic has changed how telework is viewed in both the public and private sectors, not only out of consideration for the convenience and safety of employees but also to ensure business continuity.
We are likely going to see a major shift in how the Navy approaches telework, along with increased responsibilities for personnel in protecting information systems as more users access enterprise applications from home. As we quickly adapt to these changes, guidance has been issued from the DoD Chief Information Officer, the Defense Information Systems Agency (DISA) and the DON CIO regarding what we can do collectively to protect enterprise networks from cyber threats. This article provides recommendations for protecting personal devices as cyber adversaries shift their attacks and campaigns toward users who work from home.
Maintaining Your System
System Updates. Of the most basic and simplest actions an individual can take to limit cybersecurity vulnerabilities, keeping your systems up to date is one of the most important. Thousands of developers are constantly working to provide bug fixes, software improvements, and vulnerability remediation. This work is delivered in the software update packages provided by manufacturers, and it is also why DoD policy requires system updates as part of vulnerability management programs.
While complex architectures are designed to distribute updated software across the enterprise and the DoD Information Network (DoDIN), a similar concept is applied when you update your operating system (OS), software applications, and mobile applications. This includes various technologies that may be embedded in the most inconspicuous places, such as your vehicle, smartwatch, audio speakers, treadmills, and other smart-enabled devices, as well as common computing systems in your phone, tablet, laptops and desktop computers, printers, and router. Configure them to update automatically or, if you prefer, manually update them on a regular, recurring basis as patches are released.
System Reboots. Most major software updates require rebooting the system. Make rebooting your system a habit at the end of the day. As you open and use applications, segments of memory are temporarily allocated, and the more applications you use, the more the OS allocates and deallocates memory for programs and tasks. While modern operating systems are much more efficient at managing memory, system performance naturally degrades over time – especially when you have three dozen browser tabs open.
Endpoint Security. Anti-virus programs are one part of the ecosystem used to manage security on endpoint systems. Look beyond anti-virus for additional tools with enhanced capabilities that identify and mitigate ransomware, network intrusions, and malicious persistence mechanisms that may be present in registry settings, init/startup files, or scheduled tasks. These tools, typically referred to as Endpoint Detection and Response (EDR), are included in common applications such as BitDefender, MalwareBytes, McAfee [DoD Home Use Program], and Symantec. Look for subscription services with unlimited/family licenses to monitor and protect all of your home systems.
Maintaining Your Network
Network Isolation. Most home routers can be configured to support guest networks. A guest network isolates its hosts from your primary home network, allowing them to communicate only with the internet. It should be used for anything that doesn’t require access to other parts of your home network, such as corporate computers, most smart home devices, and computing systems your kids may use.
Higher-risk technologies that connect to your primary home network, like scanners, printers, and multifunction or peripheral networked devices, should be powered off when not in use. Powering these devices off not only conserves energy; such devices have also been known to serve as vulnerable entry points for compromising other systems on the network.
Enterprise-Grade DNS Security. Email and web browsing continue to be the primary initial access attack vectors worldwide. While we can’t afford to run our own information security departments at home, we can leverage enterprise-grade Domain Name System (DNS) security services provided for home users by services such as OpenDNS/Cisco Umbrella and Cloudflare. By signing up and configuring your router to point to these services, all DNS requests will be filtered with the latest web security features typically provided to corporate entities that pay millions of dollars for this service. In addition to blocking malicious web requests, DNS security also provides custom web filtering of inappropriate/illegal sites by topic, such as pornography, gambling and explicit forums, as well as ad-blocking, in addition to protection from the latest ransomware that relies on web-based command and control (C2) nodes.
Virtual Private Network (VPN) Tunneling. There are plenty of free and reliable information security service offerings on the market available to individual consumers today. Along with EDR capabilities, the reputation of a VPN service is of the utmost importance. Reputation and privacy cost money, and this is something you should examine closely. Don’t select the cheapest or free version. These services don’t have to be expensive, but they do need to be validated through independent reviews. VPN services should be used at home as well as on the move, across untrusted networks, and when connected to or tethered across cellular networks. A surprising amount of information can be collected from your network activity, even when connected through secure websites, so VPNs provide additional layers of security and privacy.
Emails and Phishing. Web browsing and deceptive emails continue to be the most prevalent initial access methods for threat actors. Do not click on links, download attachments, or access websites that are unsolicited or sent from unknown contacts. Malicious actors are known to use the frequent and saved contacts of a compromised email account, and this is more likely to succeed because the message appears to come from a known contact, such as a family member or friend.
Short Messaging Service (SMS) and Smishing. Malicious links are not limited to emails and are now a common occurrence in SMS texts. This includes attachments, images, and links sent and received from known contacts stored in the phone. Having reliable EDR capabilities across your mobile devices will help identify most malicious links, but layering security measures with web DNS security and proxy services will provide additional protection.
Communicating at Home. Engage your household (roommates, family members, friends) in conversations about cybersecurity best practices, protecting passwords (wireless networks, shared accounts, streaming services, and others), and how to handle security incidents. The Cybersecurity and Infrastructure Security Agency (CISA) and the US Computer Emergency Readiness Team (US-CERT) provide additional guidelines and considerations for working from home. Additional resources from the Center for Internet Security (CIS) and the US Department of Education are also available to discuss cybersecurity issues and challenges for children.
Advanced Home Security
Firewalls. The open-source community offers powerful capabilities for home users with the knowledge and ability to employ infrastructure security tools. Firewalls such as ipFire, OPNsense, and pfSense provide detailed controls and logging beyond the limited protections home routers can offer. Home routers are known for their growing number of vulnerabilities and are a significant target for increasingly sophisticated known and emerging threat actors.
Web Proxies. Use web proxy services as an additional layer of security on top of web DNS security. Configure internal controls to prevent requests from ever leaving your network in the first place by implementing proxies like Privoxy and Squid/SquidGuard, which provide Access Control Lists (ACLs) and web caching. This capability allows you to block IP addresses that can’t be filtered by web DNS security and does not limit the number of domains that can be blocked. A web proxy can also redirect all web traffic across your home network through a single VPN connection.
Have I Been Pwned (HIBP). Information released and publicized from data breaches includes personal account information and passwords. HIBP provides regular updates that allow the general public to see if their information has been compromised. Accessing its database via Application Programming Interfaces (APIs) allows integration and alerts for passwords or emails which have been compromised.
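As an added example (not from the article), here is how a home script can check a password against HIBP's Pwned Passwords range API without ever sending the password itself: only the first five characters of its SHA-1 hash go to the service, and the remaining 35 are matched locally. The sample response body is constructed, and the User-Agent value and the optional Add-Padding header are assumptions about the request.

```python
import hashlib
import urllib.request

# Pwned Passwords k-anonymity range endpoint (real HIBP API)
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to HIBP
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return the breach
    count for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def check_password_offline(password: str, range_body: str) -> int:
    """Match a password against an already-downloaded range body."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body)


def check_password_online(password: str, timeout: float = 5.0) -> int:
    """Fetch the range for the hash prefix, then match locally (needs network)."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "home-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range(suffix, resp.read().decode("utf-8"))


# Constructed sample range body (not real API output); the middle line is the
# suffix of the word "password" so the offline check has something to hit.
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{sha1_prefix_suffix('password')[1]}:3861493",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])
```

A non-zero return means the password has appeared in a breach and should be changed; the same pattern can be run periodically over a password manager export to raise alerts.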
Threat Intelligence. Newsfeeds, RSS feeds, and social media platforms can be helpful tools for staying current on the latest cybersecurity threats and trends. Useful data points and access to databases, such as HIBP, can be automated to provide a robust and dynamic home security program with the latest technical information without having to maintain security configurations manually. Over time, you’ll find useful resources, such as the Talos IP Blacklist, and be able to integrate the latest cyber threat intelligence into various security applications at home.
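As an added example (not from the article), the following script shows the integration step described above: it ingests an IP blocklist in a one-address-per-line format and checks firewall log lines against it. The feed and the log lines are constructed samples, and the key=value log format is an assumption.

```python
import ipaddress

# Constructed sample feed (not real Talos data): one IP or CIDR per line,
# with comments and a junk line to exercise the parser.
SAMPLE_FEED = """\
# constructed blocklist sample
198.51.100.7
203.0.113.0/24
  192.0.2.44   # trailing comment
not-an-ip
"""

# Constructed firewall-style log lines (key=value format is assumed).
SAMPLE_LOGS = [
    "2020-04-01T08:00:01Z action=ACCEPT src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2020-04-01T08:00:02Z action=ACCEPT src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2020-04-01T08:00:03Z action=ACCEPT src=203.0.113.99 dst=10.0.0.20 dport=22",
]


def parse_feed(text: str) -> list:
    """Return the valid networks in the feed; single IPs become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip malformed entries rather than abort the whole feed
    return nets


def is_listed(ip_str: str, nets: list) -> bool:
    """True if the address falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def match_logs(lines: list, nets: list) -> list:
    """Return (line, field, address) for every src/dst that hits the blocklist."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        for key in ("src", "dst"):
            if key in fields and is_listed(fields[key], nets):
                hits.append((line, key, fields[key]))
    return hits
```

Running `match_logs(SAMPLE_LOGS, parse_feed(SAMPLE_FEED))` on a real router or pfSense log export turns the feed into an alert source; the same parsed list can also be loaded into the firewall's block table.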
Lt. John Paramadilok is a Naval Cryptologic Warfare Officer with over 22 years in the Department of Defense across various roles as a civil servant, government contractor, and military service member in the areas of network engineering and operations, information security, workforce development, intelligence, Electronic Warfare, and Computer Network Operations. He has a Bachelor of Science degree from the University of Illinois in Computer Science; a Master of Science degree from Johns Hopkins University in Information Systems Engineering; an MBA from Seattle University; and is a graduate of the Naval War College. He holds various professional certifications, including the Certified Information Systems Security Professional (CISSP).
The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States Government.