Categories
CyberSecurity

Work From Home: The New Normal

Work From Home is now the new normal, and it needs more weight than before in the threat landscape we model and in our security assessments.

Most companies were forced to stand up the IT infrastructure for remote work as an immediate requirement, without going through the regular risk assessment that should precede enabling employees to work from home.

Internet of Things (IoT)

Any device can be attacked, and with the Internet of Things (IoT) the sheer number of devices is overwhelming for security practitioners, while the adversary's job has never been easier.

Attacks leveraging IoT devices are growing rapidly; according to SonicWall, 32.7 million IoT attacks were detected during 2018.

IoT devices are prevalent in our homes and multiplying, often without our knowledge or awareness.

Almost every home has an Internet router installed by an Internet Service Provider (ISP). Mostly these are installed and managed by the ISP, with the homeowner having neither knowledge of nor access to the configuration. Commonly the provider uses the same admin password across all of its installations, and the device runs old firmware that is never updated or upgraded unless the ISP replaces the unit after a hardware failure.

In 2017, IOActive found 7,000 vulnerable Linksys routers in use, and it was also reported that up to 100,000 additional routers could be exposed to the same vulnerability.

Most homes are now also adding cameras and other home automation such as light and power-plug control. The majority of these are connected to the cloud, and therefore to the public Internet.

In 2014, ESET reported on 73,000 unprotected security cameras that were accessible with their default passwords.

New entertainment devices like TVs and speakers now have Internet services built in, such as YouTube, Netflix, Spotify, and TuneIn, and all of them need to be connected to the Internet.

The list goes on: refrigerators, microwaves, coffee makers, washing machines. Anything with "smart" in front of its name is a device connected to the Internet.

Even our wall clock is connected to the Internet.

Use Your Own Device (UYOD)

Typically, when users are in the office, you have the full set of security controls both in the infrastructure and on the endpoint.

The office network usually has layered security: different firewalls and network segmentation, and some even have Network Admission Control and network behaviour analytics.

All user computers have endpoint protection, including Endpoint Detection and Response (EDR). The IT team also makes sure that the OS version and the installed applications are the allowed and supported ones. The IT team can monitor the security posture of all computers and enforce company policy to patch vulnerabilities.

Detection, prevention, and rapid response are also active in the company's internal network infrastructure.

When the IT team is hunting for, or enforcing a block rule based on, Indicators of Compromise (IoCs), it can easily search and correlate logs from firewalls, servers, and endpoints while everything is inside the company's premises.

IoT devices inside the office are also actively blocked, and proper isolation and controls are deployed when one of them needs to connect to the Internet.

When you extend access to the home and don't have the right strategy, starting from a policy that restricts which computers users may use (as I presume is the case for many companies), this is the new IT security challenge.

The home network infrastructure is practically impossible to secure to the office standard, as I explained above, because of the many unaccounted-for and uncontrolled IoT devices at home.

Once you allow users to use their own (any) device, the risk compounds: neither the infrastructure nor the endpoint is under your control.

Easy Target

Home users are more vulnerable to all types of malware, spyware, and ransomware, because the infrastructure and endpoint security that defends the office network and the corporate endpoint is not present at home.

In the office, users are usually not able to browse to malicious websites, and in some companies access to personal email and file-sharing services is blocked altogether.

At home, everything is open. A phishing email in a personal mailbox is just a click away. Command-and-control traffic leaves the home network without any detection, and data exfiltration and keylogging are now also the new normal for adversaries.

Solutions and Recommendations

You have to go back to basics and recognize that your end users are your weakest link.

Advise your end users: don't reuse the same password for personal and corporate accounts, and be alert to phishing emails, not only in corporate mail but most notably in personal mail.

Also provide 24/7 contact information that end users can use to ask questions or report a suspected security incident.

You need to invest heavily in security awareness, educating end users on their responsibilities when they connect to corporate resources such as email, VDI, and other SaaS applications from their own devices and from home.

Technically, you can keep adding layers of security, such as extending Network Admission Control to home connections so that only company-supplied or otherwise authorized (known-good) endpoints can connect.

Two-factor authentication must be enforced on all logins.

Use only a VPN or other encrypted connections.

Ideally, create a policy that requires, and only allows, company-issued devices.

Where Use Your Own Device (UYOD) is allowed, ensure that EDR is installed on every endpoint that connects to the corporate network. If you can add vulnerability and patch management to those endpoints, it will help.

Update your future risk assessments and their coverage to include home users.

Update your future disaster recovery and business continuity plans to include home users.

Update your cybersecurity liability insurance to include incidents involving home users.

Stay safe. 

Categories
CyberSecurity Web-based Security

GET vs. POST: Which One is More Secure?

GET and POST are the two most commonly used HTTP methods. Which one should you use, and which one is more secure?

How the GET Method Works

GET is used to request data from a specified resource.

The query string (name/value pairs) is sent as part of the URL of a GET request.

Example:
/get_form.php?variable1=value1&variable2=value2

Summary of GET requests:

  • GET requests can be cached (by browsers and by proxies)
  • GET requests remain in the browser history
  • GET requests can be bookmarked
  • GET requests should never be used for sensitive data
  • GET URLs have practical length limits (browsers and servers cap the request line, commonly at a few thousand characters)
  • GET requests should only read data, never modify it (GET is defined as a safe, idempotent method)

Never use GET for forms that change state. The one legitimate reason to submit a form via GET is a search whose results you want to bookmark or link to.

We have one internal Search Engine application for engineering documents, developed back in the early 2000s, that used GET extensively for search results. Over time our Document Controller and some savvy engineers became familiar with the URL string. They found that by directly modifying it they could display specific results without going through the search page. When I tried to upgrade that web app to use the POST method, they complained and wanted the old functionality back, as they had already used those URLs in many documents to link to the results.

How the POST Method Works

POST is used to send data to a server to create or update a resource.

The data sent with POST is carried in the body of the HTTP request, after the headers and a blank line.

Example:
POST /post_form.php HTTP/1.1
Host: strdoc.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

variable1=value1&variable2=value2

Summary of POST requests:

  • POST responses are not cached by default (a server can still opt in with explicit cache headers)
  • POST requests do not remain in the browser history
  • POST requests cannot be bookmarked
  • POST has no length limit in the protocol; servers impose their own body-size limits
  • POST does not expose the form data in the URL, so it stays out of access logs, proxy logs, and the Referer header
  • Over HTTPS the body is encrypted in transit, but so is a GET query string; TLS does not treat the two differently

Which One is More Secure?

Technically, neither is secure unless you use TLS (HTTPS).
GET and POST are fundamentally the same: both pass information between the client and the server, although POST does not expose it in the URL.

If you can avoid placing sensitive data in either the GET query string or the POST body, that is the better solution.
Keep the confidential data on the server side, tied to the session, and pass only an opaque reference to it.
If you are trying to protect yourself against somebody sniffing your network traffic, there is no real difference between the two; only TLS helps there.

If your concern is browser history, proxy logs, proxy caches, web server access logs, the Referer header, and people looking at your URLs, then use POST.

Also, when you refresh the browser or reopen a GET URL, the request is sent to the server again without any warning.
Imagine that URL submits a payment: you would be charged again silently.
With POST, the browser at least warns before resubmitting the form, but that prompt is a convenience, not a security control; the server still has to make the operation safe to repeat.
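To make the exposure concrete, here is an added example (my code, not from the original post) that parses a raw HTTP request, pulls the form parameters out of wherever they travel (query string for GET, body for POST), and then builds the request line a web server or proxy would write to its access log in Common Log Format. The two sample requests are constructed for this example; the host strdoc.com is taken from the post's own POST example, and the password value is made up.

```python
# Added example (not from the original post): where form data lands for GET vs
# POST, and what a Common Log Format access log records for each.
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes) -> dict:
    """Parse a minimal HTTP/1.1 request into method, target, headers and the
    form parameters, wherever they travel (query string or body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    query_params = {k: v[0] for k, v in parse_qs(url.query).items()}

    body_params = {}
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", "0"))
        body_params = {k: v[0] for k, v in parse_qs(body[:length].decode("latin-1")).items()}

    return {"method": method, "path": url.path, "target": target,
            "headers": headers, "query_params": query_params,
            "body_params": body_params}


def access_log_line(req: dict) -> str:
    """The line a web server or proxy writes to its access log (Common Log
    Format): the full request target is logged, the body never is."""
    return (f'203.0.113.7 - - [01/Jan/2020:12:00:00 +0000] '
            f'"{req["method"]} {req["target"]} HTTP/1.1" 200 512')


def leaks_in_log(req: dict, secret: str) -> bool:
    """True if the secret would be readable in the access log line."""
    return secret in access_log_line(req)


# Constructed sample requests (hypothetical login form on strdoc.com).
GET_LOGIN = (
    b"GET /login.php?user=alice&password=hunter2 HTTP/1.1\r\n"
    b"Host: strdoc.com\r\n\r\n"
)
POST_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: strdoc.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n\r\n"
    b"user=alice&password=hunter2"
)

if __name__ == "__main__":
    for raw in (GET_LOGIN, POST_LOGIN):
        req = parse_request(raw)
        print(access_log_line(req), "| password in log:", leaks_in_log(req, "hunter2"))
```

The same request line also ends up in proxy logs, in the browser history, and in the Referer header of any link clicked from the resulting page, which is why the GET form leaks the password to every one of those places while the POST form does not. Over TLS both requests are encrypted on the wire; the difference is only where the data is written down.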

Recommendations

If your website processes sensitive information and you have no choice but to pick between GET and POST, I recommend POST over HTTPS (TLS).

A Web Application Firewall that handles XSS, SQL injection, CSRF, and the like adds another layer of defense. HTTPS alone does not prevent CSRF, and neither does choosing POST: a malicious page can still auto-submit a cross-site POST form, so the application itself needs an anti-CSRF token (and, on modern browsers, SameSite cookies).
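The following is an added example (my code, not from the original post) of the server-side checks the recommendation above implies for a state-changing endpoint such as the payment form discussed earlier: accept only POST, verify the browser-supplied Origin (or Referer) against the site's own origin, require an anti-CSRF token bound to the session, and use an idempotency key so that a refreshed or resubmitted form cannot charge twice. The site origin https://strdoc.com reuses the host from the post's example; the session layout, form field names, and the amounts are assumptions for this illustration.

```python
# Added example (not from the original post): a state-changing endpoint that
# accepts only POST, checks origin and an anti-CSRF token bound to the session,
# and uses an idempotency key so a resubmitted form cannot charge twice.
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://strdoc.com"  # hypothetical site, host taken from the post's example


def new_session() -> dict:
    """Server-side session: holds the CSRF token the form must echo back and
    the charges already made, keyed by idempotency key."""
    return {"csrf_token": secrets.token_urlsafe(32), "charges": {}}


def same_origin(url: str, allowed: str) -> bool:
    """Compare scheme and host exactly, so https://strdoc.com.evil.example fails."""
    a, b = urlsplit(url), urlsplit(allowed)
    return bool(a.netloc) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


def handle_payment(method: str, headers: dict, form: dict, session: dict) -> tuple:
    """Return (HTTP status, message). `form` is the already-parsed POST body."""
    if method != "POST":
        # Refusing GET means a link, <img src>, prefetch or bookmark cannot trigger a charge.
        return 405, "use POST"

    # Browsers set Origin (or at least Referer) on form posts and a cross-site
    # page cannot forge them; TLS alone provides no such check.
    origin = headers.get("origin") or headers.get("referer", "")
    if not same_origin(origin, ALLOWED_ORIGIN):
        return 403, "cross-site request refused"

    # The anti-CSRF token lives in the session and is echoed in the form body;
    # a third-party page cannot read it. Constant-time compare avoids timing leaks.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or bad CSRF token"

    # A per-order idempotency key makes refresh/resubmit safe on the server
    # side, instead of relying on the browser's "resubmit form?" prompt.
    key = form.get("idempotency_key")
    if not key:
        return 400, "idempotency_key required"
    if key in session["charges"]:
        return 200, f"order {key} already charged {session['charges'][key]} cents"

    try:
        cents = int(form.get("amount_cents", ""))
    except ValueError:
        return 400, "bad amount"
    if cents <= 0:
        return 400, "bad amount"

    session["charges"][key] = cents
    return 201, f"charged {cents} cents"


if __name__ == "__main__":
    s = new_session()
    good = {"csrf_token": s["csrf_token"], "idempotency_key": "ord-1", "amount_cents": "1999"}
    print(handle_payment("GET", {"origin": ALLOWED_ORIGIN}, good, s))
    print(handle_payment("POST", {"origin": "https://evil.example"}, good, s))
    print(handle_payment("POST", {"origin": ALLOWED_ORIGIN}, dict(good, csrf_token=""), s))
    print(handle_payment("POST", {"origin": ALLOWED_ORIGIN}, good, s))
    print(handle_payment("POST", {"origin": ALLOWED_ORIGIN}, good, s))  # refresh/resubmit
```

The order of checks matters: the method check comes first so that no GET path can ever reach the charge logic, the origin and token checks stop a cross-site page from driving the endpoint, and the idempotency key handles the honest-user case of hitting refresh. None of these depend on the transport, which is the point of the recommendation: HTTPS protects the data in transit, and these controls protect the action itself.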