Hamish Blake, COVID-19, And The Home Office
Some of us were first made aware of the technical vulnerabilities of working from home when Hamish Blake dropped into video meetings through “Is there Zoom for one more?”
A ‘slam dunk’ demonstration of the technical vulnerabilities of working from home came from an unlikely source – when comedian Hamish Blake dropped into various video meetings with a cheery: “Is there Zoom for one more?”
When Hamish Blake logged into a Royal Australian Air Force flight log meeting, the seriousness of the platform’s security vulnerability was suddenly made real and Defence promptly prohibited the use of Zoom for their departmental meetings. (Perhaps also because the assembled pilots were envious of his gold bomber jacket!)
But this is not just an issue for government departments. In the private sector, the big banks and other security-conscious corporates also switched from the then-new tech-buzz of Zoom to Teams etc.
Brad Garrett, a former FBI agent, noted that Zoom has been a rich target for cyber criminals and malicious actors. Because about 60% of Fortune 500 companies use apps like Zoom, cyber criminals see an opportunity to potentially steal corporate proprietary information and sensitive information about employees.
These risks with remote conferencing existed before the pandemic. Security blogger Graham Cluley reported back in 2012 that a conference call between the FBI and Scotland Yard, discussing their investigation into Anonymous hackers, had been secretly recorded by the hacking collective and published on the net.
‘We surmised at the time that the unknown hackers might have secretly accessed the call by compromising a police investigator’s email account. The call-in details and passcode were posted by Anonymous on their usual dumping ground – the PasteBin website.’
It is important for us to note that the original vulnerability that enabled this hack was a password. So, in addition to the technical vulnerabilities of remote working, simple factors like password security and other vulnerabilities linked to working from home can also increase security risk.
Are the vulnerabilities only due to remote working?
Some security risks associated with the home office are just a manifestation of those in the corporate office. Passwords at the workspace, over-the-shoulder viewing, devices left on, accounts open and information left out at the workspace, are all behaviours that can and probably do exist in the home office.
Particularly in shared households, the reality of who else lives in or has access to the workspace is an issue. The normal physical security controls such as recorded access security, CCTV, alarms, etc. probably aren’t available to, and hopefully not needed in, most homes.
Many corporate facilities have the additional technical protections of firewalls, antivirus updates, whitelisting, etc. The reality is that many of these protections are extended to the home office if the remote worker is using official devices, but what about BYOD or, more accurately, UYOD: using your device at home?
Culture
It is perhaps the unseen benefits of workplace culture and the positive security behaviours promoted by a shared physical workspace that don’t permeate the virtual and home office. A worker at home cannot easily ask: “What do you reckon, should I open this link?” Nor would they feel as self-conscious about inserting an unauthorised USB storage or other device into their laptop. Indeed, without someone watching, they may well be emboldened to download, print, or share information in ways they otherwise would not.
The challenge for security professionals in the new home-office environment, whether eventually hybrid – remote and office – or in a series of continuous lockdowns, is how to extend the security treatments previously afforded by the corporate office to the home office.
10 tips to be more secure
- Do your current security plans, procedures, and induction training reflect remote working?
- Have your new workplace arrangements been risk assessed?
- Integrate IT and security professionals on tech projects, security, and IT controls.
- Implement the corporate BYOD security policies and guidelines for UYOD and ensure corporate security software is installed before the device is used to connect.
- Review and establish corporate firewall rules for remote access and file sharing.
- Raise awareness of malicious phishing campaigns around areas of vulnerability e.g. relief payments. Specify what your organisation will share, what it will look like, how, and when.
- Support and continuously iterate threat awareness and practice malicious activity identification.
- If the virtual meeting will be confidential, use an alternative platform to Zoom.
- When using Zoom, secure the meeting with a password whether individual, group, or webinar.
- Once begun, lock the meeting to prevent Hamish Blake ‘bombings’ and block the more malevolent actors.