Information Security Threats and Working from Home Culture: Taxonomy, Risk Assessment and Solutions
Abstract
1. Introduction
2. Asset Taxonomy
- Employees: An employee’s personal accessories and devices which are used on a daily basis and partially form the employee’s remote workplace. These include wearable computing devices and devices used by the employee for personal needs. Usually, these are part of a domestic network that does not include the protective measures employed in the corporate network.
- Wi-Fi Segment: Components used to connect to the network from the employee’s home, such as the Wi-Fi network segment, which is usually not secured.
- External Devices: External components that are in the employee’s home but are not part of the work environment, such as Internet of things (IoT) devices located around the house and other devices that are part of the home environment and can be connected to the employee’s computer for various purposes (for example, data transferring via computer ports).
- Company’s LAN Segment and Hardened Devices: Components used to connect to the corporate network (company’s local area network (LAN) segment) in a secure manner from the employee’s home, along with hardened/secure accessories provided by the company to enable the employee to establish an authorized connection to the corporate network.
3. Threat Taxonomy
3.1. Nefarious Activity/Abuse
- Phishing: Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an adversary, masquerading as a trusted entity, tricks a victim into opening an email, instant message, or text message. With the remote work scenarios common during COVID-19, phishing attacks have become one of the most significant threats faced by Internet users, organizations, and service providers. The authors of “scam pandemic” [2] describe how attackers exploit public fear through phishing.
- DoS: A denial-of-service (DoS) attack makes information systems, resources, or devices unavailable to legitimate users, typically by flooding a service, network, or website with traffic until the target cannot handle the load and the service is paralyzed. Two classic variants are the smurf attack and the SYN flood. In a smurf attack, the adversary sends a large volume of ICMP echo requests to a network’s broadcast address with the source address spoofed to that of the target; every host that answers sends its reply to the target, which is flooded by the amplified responses. In a SYN flood, the adversary sends a massive number of TCP SYN segments without ever completing the three-way handshake, exhausting the server’s table of half-open connections so that it can no longer accept connections from other users [3].
- DDoS: A distributed denial of service (DDoS) [4] attack has the same goal as a DoS attack, but the traffic originates from many entities (e.g., a botnet) operating at the same time against a specific target, which makes the traffic harder to filter and the target easier to saturate. A similar outage can occur unintentionally when traffic increases massively in a short period of time; an example is the “slashdot effect” [5], when a popular website links to a smaller website and directs many requests toward it.
- Malware infection: Computers within the corporate network are usually more tightly secured and better protected than home computers, since they sit behind security components (e.g., firewalls) and software for monitoring and blocking malicious content, and they run prevention software (e.g., anti-virus software installed on the client). Moreover, internal computers are subject to domain policies and constraints that ensure software updates, enforce password complexity, and more. In contrast, home computers are unsupervised, and therefore the potential for malware infection is significantly higher. When connected to the corporate network, an infected computer can pose a threat by spreading and causing damage across the network. Common examples of malware are viruses, Trojan horses, spyware, ransomware, and exploit kits.
- Identity theft: In an impersonation attack, an adversary successfully assumes the identity of one of the legitimate parties in the system and abuses the authority of the victim. By impersonating users or stealing their identities, adversaries can manipulate both the company’s employees and its network services. There are several ways of obtaining users’ information. Phishing is one of the most common social engineering methods: the adversary lures the user into clicking on a malicious link, through which the adversary can compromise the employee’s computer or simply steal their login credentials by impersonating a legitimate service. Advanced technologies such as machine learning (ML) also enable a wide range of complex impersonation attacks; for example, the adversary can generate a synthetic voice mimicking the victim’s manager with an ML model and trick the victim into sharing confidential information [6]. Recently, in order to deceive authentication systems that apply risk-based authentication [7], adversaries have taken measures to resemble their targets in terms of their web fingerprints by connecting from the same IP address range, geographic location, and browser indicators as the target. By copying these identifiers, an adversary can connect to the corporate network without triggering an abnormal-activity alert. A number of services on the darknet sell bundles that include exactly these types of identifiers [8].
- Exploiting wireless communication protocols: The majority of modern smart homes utilize wireless communication protocols and as a result are exposed to the security threats inherent in them. The most common technology is Wi-Fi, a family of wireless protocols based on the IEEE 802.11 [9] standards, which is used by smart bulbs, smart plugs, and more. The widespread use of these protocols makes the home router a major single point of failure in the home. Moreover, Wi-Fi is vulnerable to several types of attacks, e.g., key reinstallation attacks against the WPA2 handshake (KRACK [10]) and de-authentication attacks (as automated by Wifiphisher [11]), in which the adversary disconnects user devices from the legitimate access point, lures them to a rogue access point, and then acts as a man in the middle or collects Wi-Fi passwords through a fake captive portal. In addition to Wi-Fi, Bluetooth and near-field communication (NFC) are becoming increasingly common in smart home environments, especially in low-energy and physical security systems. There are a number of known vulnerabilities in these technologies which can be used to exploit endpoint devices (e.g., the BlueBorne exploits leverage Bluetooth connections to penetrate and take complete control of targeted devices [12], and an NFC receiver can be used for remote eavesdropping attacks [13]).
- Infected trusted software/mobile applications: An adversary can trojanize an application that employees already trust, e.g., by reverse engineering an existing application of the company and publishing a version containing malicious code from a compromised GitHub account, or by tampering with the vendor’s own build and release pipeline. This attack vector can allow the adversary to run code with high privileges and access sensitive information. An example of this vector is the SolarWinds supply chain attack [14], in which the attackers compromised the vendor’s build environment and inserted a backdoor into signed updates of the Orion product, giving them remote access to the networks of customers that installed the updates.
- Infected peripheral devices: Keyboards, mice, and monitors can all be used for PC infection and data exfiltration. Spreading malware or a malicious payload through a signed driver represents a significant threat; it requires the adversary to compromise the software at the hardware manufacturer before it is signed [15]. Firmware modification is another sophisticated attack vector, which relies on physical access to a target device: by modifying a device’s firmware, an adversary can turn the component into one that infects every computer it is connected to. Researchers have demonstrated how a mouse can be used to infect PCs by adding malware and a utility that transfers the malware from the mouse to the target machine [16].
- Abusing ambient computing: Ambient computing is a broad term that describes an environment of smart devices, decisions, and human activity that enables computer actions alongside everyday life, without the need for direct human commands or intervention. With the use of ambient computing, companies are able to integrate technology seamlessly into many aspects of life in order to reduce the need for human attention and involvement. Examples of smart home devices that apply ambient computing concepts are voice control systems, such as Google Assistant and Amazon’s Alexa. These remotely controlled products and technologies can be vulnerable to unwanted manipulation or activation. There have been a number of examples where third-party content (e.g., a YouTube video or a TV advertisement) has been used to trigger speaker-equipped household devices to play malicious audio or perform unwanted actions, such as making purchases [17,18].
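The DoS/DDoS discussion above can be turned into a concrete detection check. The following is an added example, not code from the paper: it parses a constructed connection log (the line format, the addresses, and the thresholds are assumptions chosen for illustration) and flags a server that receives many SYNs of which almost none complete the handshake, which is the signature of a SYN flood. The same per-destination count, run over flow records from many distinct source addresses, is how a distributed flood shows up as well.

```python
"""SYN-flood indicator over a constructed TCP connection log.

Added example; not code from the paper. The line format
"<ts> <src_ip:port> -> <dst_ip:port> <tcp_flags>" is an assumption chosen for
illustration (a firewall, NetFlow, or Zeek conn log would need its own parser).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) (?P<flags>[SAFRP]+)$"
)

# Constructed sample traffic: four complete handshakes (two per server) ...
NORMAL_LINES = """\
1.000 192.168.1.10:51000 -> 10.0.0.5:443 S
1.001 10.0.0.5:443 -> 192.168.1.10:51000 SA
1.002 192.168.1.10:51000 -> 10.0.0.5:443 A
1.100 192.168.1.11:51001 -> 10.0.0.5:443 S
1.101 10.0.0.5:443 -> 192.168.1.11:51001 SA
1.102 192.168.1.11:51001 -> 10.0.0.5:443 A
1.200 192.168.1.10:51002 -> 10.0.0.6:80 S
1.201 10.0.0.6:80 -> 192.168.1.10:51002 SA
1.202 192.168.1.10:51002 -> 10.0.0.6:80 A
1.300 192.168.1.12:51003 -> 10.0.0.6:80 S
1.301 10.0.0.6:80 -> 192.168.1.12:51003 SA
1.302 192.168.1.12:51003 -> 10.0.0.6:80 A
"""
# ... followed by 200 SYNs from spoofed source addresses that never complete.
FLOOD_LINES = "\n".join(
    f"{3 + i / 1000:.3f} 203.0.113.{i % 250 + 1}:{40000 + i} -> 10.0.0.5:443 S"
    for i in range(200)
)
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES + "\n"


def parse(log_text):
    """Return (ts, src, dst, flags) tuples; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((float(m["ts"]), m["src"], m["dst"], m["flags"]))
    return records


def handshake_stats(records):
    """Per server endpoint: (SYNs received, handshakes completed, distinct client IPs).

    A handshake counts as completed when the client that sent the SYN later sends
    a bare ACK to the same server. A flood of SYNs with no completing ACKs leaves
    the server holding half-open connections, which is what exhausts it.
    """
    pending = set()                     # (client, server) pairs awaiting the final ACK
    syns = defaultdict(int)
    completed = defaultdict(int)
    clients = defaultdict(set)
    for _ts, src, dst, flags in records:
        if flags == "S":
            pending.add((src, dst))
            syns[dst] += 1
            clients[dst].add(src.rsplit(":", 1)[0])
        elif flags == "A" and (src, dst) in pending:
            pending.discard((src, dst))
            completed[dst] += 1
    return {srv: (syns[srv], completed[srv], len(clients[srv])) for srv in syns}


def syn_flood_suspects(records, min_syns=50, max_completion_ratio=0.2):
    """Servers that received many SYNs of which few were ever completed."""
    suspects = []
    for server, (n_syn, n_done, n_clients) in handshake_stats(records).items():
        if n_syn >= min_syns and n_done / n_syn <= max_completion_ratio:
            suspects.append((server, n_syn, n_done, n_clients))
    return suspects


if __name__ == "__main__":
    for server, n_syn, n_done, n_clients in syn_flood_suspects(parse(SAMPLE_LOG)):
        print(f"{server}: {n_syn} SYNs, {n_done} completed, {n_clients} source IPs -> possible SYN flood")
```

On the sample, 10.0.0.5:443 is reported with 202 SYNs, 2 completions and 202 distinct sources, while 10.0.0.6:80 (two SYNs, both completed) is not. In practice the thresholds need to be tuned per service, and a sudden rise in distinct source IPs with a low completion ratio is the distributed case.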
3.2. Eavesdropping/Interception/Hijacking
- MiTM: A man-in-the-middle (MiTM) attack is a general term for an attack in which an adversary secretly relays/alters the communications between two parties who believe that they are communicating directly with each other. There are several ways to perform an MiTM attack: ARP poisoning, DNS spoofing, IP spoofing, session hijacking, and Wi-Fi eavesdropping [19,20,21,22,23,24].
- Eavesdropping: In an eavesdropping attack, an adversary passively intercepts data transmitted between devices; if the adversary can also modify or delete that data, the attack becomes a MiTM attack. Eavesdropping leverages unencrypted or weakly protected network communications to access data in transit between devices. By sniffing, an adversary can obtain information regarding the victim’s actions and their device statistics (in real time) and use the stolen information in various ways (e.g., to craft phishing attacks or to identify the operating system (OS) and installed applications) [25,26].
- Side-channel attacks: Side-channel attacks allow an adversary to infer information which is not directly visible, by observing non-functional and physical characteristics of a program or device, such as power consumption, communication patterns, or resource consumption. In work-from-home environments, there are many IoT devices that are prone to side-channel attacks; e.g., a compromised home router lets the adversary analyze traffic metadata (packet sizes, timing, and destinations) and infer sensitive information even when the communication itself is encrypted [27,28]. Even virtual private network (VPN)-tunneled traffic is prone to similar attacks [29]. Advanced side-channel attacks, such as the Lamphone [30] and Glowworm attacks [31], recover sound from physical properties: Lamphone from the minute light fluctuations of a hanging bulb vibrating in response to sound, and Glowworm from the optical emanations of a device’s power indicator LED.
- Fake SSL certificates: TLS/SSL certificates are issued by a trusted certificate authority (CA). When someone applies for a certificate for their business, the CA verifies the information provided and, once verified, issues a certificate carrying the CA’s signature. An adversary can create a fake certificate by self-signing it and installing the corresponding root certificate on the victim’s machine (as interception proxies such as Burp Suite do for testing), or by compromising a legitimate CA’s issuance credentials and having it sign the adversary’s certificate request. With a certificate the victim’s browser trusts, the adversary can terminate the encrypted connection, read the transferred information, and perform phishing attacks (illustrated in [32,33]).
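The MiTM entry above lists ARP poisoning first because it is the technique that fits a home LAN best: the adversary’s host answers ARP requests for the router and for the victim, so both send their traffic through the adversary. The following is an added example, not code from the paper: a detector that replays a constructed ARP capture (the addresses, timestamps, and record layout are assumptions for illustration) and raises an alert when an IP address changes its MAC binding, and a stronger alert when a single MAC claims both the gateway and another host.

```python
"""ARP cache poisoning (MiTM) indicator over constructed ARP traffic.

Added example; not code from the paper. The record format
(timestamp, ARP operation, sender IP, sender MAC) is an assumption chosen for
illustration; on a real network these fields come from ARP frames captured with
tcpdump/tshark or from a switch's dynamic ARP inspection log.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed home-router address

# Constructed capture: the router and two hosts announce themselves, then a
# third MAC (the attacker) answers for BOTH the router and the laptop, placing
# itself in the middle of the laptop <-> router path.
SAMPLE_ARP = [
    (10.0, "reply", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (10.1, "reply", "192.168.1.10", "aa:bb:cc:00:00:10"),
    (10.2, "reply", "192.168.1.20", "aa:bb:cc:00:00:20"),
    (12.0, "reply", "192.168.1.1",  "de:ad:be:ef:00:66"),   # attacker claims the gateway
    (12.1, "reply", "192.168.1.10", "de:ad:be:ef:00:66"),   # ... and the laptop
    (12.5, "reply", "192.168.1.20", "aa:bb:cc:00:00:20"),   # unchanged binding: no alert
]


def detect_arp_spoofing(records, gateway_ip=None):
    """Return a list of (kind, subject, detail) alerts.

    kind "ip-mac-change": an IP previously bound to one MAC is now claimed by another
                          (also fires on legitimate NIC swaps or DHCP churn, so it is
                          a weak signal on its own).
    kind "mac-multi-ip":  one MAC answers for several IPs; when one of them is the
                          gateway this is the classic man-in-the-middle layout.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, op, ip, mac in sorted(records):
        if op != "reply":            # only is-at answers populate ARP caches
            continue
        known = ip_to_macs[ip]
        if known and mac not in known:
            alerts.append(("ip-mac-change", ip, f"t={ts}: was {sorted(known)}, now {mac}"))
        known.add(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1 and (gateway_ip is None or gateway_ip in ips):
            alerts.append(("mac-multi-ip", mac, f"claims {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in detect_arp_spoofing(SAMPLE_ARP, gateway_ip=GATEWAY_IP):
        print(f"[{kind}] {subject}: {detail}")
```

On the sample this yields two binding-change alerts (for 192.168.1.1 and 192.168.1.10) and one multi-IP alert for de:ad:be:ef:00:66, which is the finding worth acting on. Static ARP entries for the gateway on work devices, or 802.1X/dynamic ARP inspection on a managed switch, are the usual countermeasures; on an unmanaged home network the practical control is to keep the work traffic inside a VPN so that an on-path adversary sees only encrypted packets.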
3.3. Misconfiguration of Systems and Technologies
- Credential discovery: Disclosure of information regarding credentials may occur due to weak security measures, the implementation of the applications, or settings chosen by the user. For example, in the Mozilla Firefox web browser, saved logins are protected by a primary password only if the user sets one; in the default settings no primary password is set, so anyone with access to the profile directory can recover the stored passwords [34].
- Successful cryptanalysis: Cryptanalysis [35] is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key. Sometimes, the weakness is not in the cryptographic algorithm itself but rather in how it is applied by the application. An adversary may have other goals as well, such as determining the secret key, finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key, or gaining information about plaintext or ciphertext that was not previously known; alternatively, they may want to distinguish the output of the encryption (ciphertext) from a random permutation of bits.
- Multi-factor authentication bypass: Multi-factor authentication (MFA) adds a layer of protection to the sign-in process. When accessing accounts or applications, users provide additional identity verification, such as scanning a fingerprint or entering a code sent to their phone. However, adversaries use a number of techniques to bypass MFA. Popular techniques [36] include: (i) Manipulating architectural and design flaws: an adversary leverages the compromised credentials of user A to get through the MFA-protected VPN tunnel and then logs in to internal services, which do not enforce MFA of their own, using user B’s credentials. (ii) Exploiting insecure token on-boarding processes: an adversary obtains from the victim’s mailbox the URL used to pair the MFA token application on the phone with the authentication server (usually sent when an employee joins an organization). The same link, if it has not expired or been invalidated after first use, can be used to pair the adversary’s phone with the authentication server and generate valid one-time passwords (OTPs). (iii) Attacking browser cookies post-authentication: an adversary obtains session cookies from the compromised browser of a victim and replays them later on a different computer to access the services that issued them, without ever seeing an MFA prompt. (iv) Targeting critical assets through secondary channels: in Active Directory (AD) environments, remote management ports are enabled by default, and protocols such as Server Message Block (SMB), Remote Procedure Call (RPC), and Distributed Component Object Model (DCOM) can be accessed with tools such as PsExec and PowerShell. These protocols are exempt from two-factor authentication (2FA), as most MFA modules do not cover non-interactive logons, so an adversary can log in and gain access to the server using only a username and password.
(v) SIM swapping/hijacking: here, an adversary takes over the mobile phone number of the real subscriber, i.e., the victim, by persuading the mobile telecom provider to link that number to a SIM card under the adversary’s control. When the attack succeeds, the victim’s phone loses its connection to the network and can no longer make or receive calls, while the adversary receives all SMS messages (including OTP codes) and voice calls intended for the legitimate subscriber.
- Obsolescence/maintenance: Obsolescence of software and equipment beyond its supported service life may occur unintentionally, when a user fails to pay attention to required updates or upgrades. Obsolescence may result in a lack of maintenance and lead to components that can no longer perform their function due to incompatibility; such components also remain exposed to the known attacks published against them over the years, since no fixes are issued.
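Technique (ii) above works only because the enrollment link stays valid after the first phone has been paired. The following is an added example, not code from the paper or from any MFA product, of the server-side check that closes it: the enrollment token is signed with a server key, carries an expiry, and is burned on first redemption, so a link recovered from a mailbox later is refused. The key, the time-to-live, the token layout, and the hostname in the usage line are illustrative assumptions.

```python
"""Single-use, time-limited MFA enrollment links.

Added example; not code from the paper or any particular MFA product. The
server key, TTL and token layout are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class EnrollmentTokenService:
    def __init__(self, server_key, ttl_seconds=900, now=time.time):
        self._key = server_key          # server-side secret; never sent to the client
        self._ttl = ttl_seconds
        self._now = now                 # injectable clock (makes expiry testable)
        self._redeemed = set()          # nonces already used; persist this in production

    def issue(self, user_id):
        """Return an opaque token to embed in the enrollment URL e-mailed to the user."""
        payload = {
            "sub": user_id,
            "exp": int(self._now()) + self._ttl,
            "nonce": secrets.token_hex(16),
        }
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        return body + "." + self._mac(body)

    def redeem(self, token):
        """Return (ok, reason_or_user). The signature is checked before anything is parsed."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, mac = parts
        if not hmac.compare_digest(mac, self._mac(body)):
            return False, "bad signature"
        payload = json.loads(_b64d(body))
        if payload["exp"] < self._now():
            return False, "expired"
        if payload["nonce"] in self._redeemed:
            return False, "already used"
        self._redeemed.add(payload["nonce"])      # burn the link at first use
        return True, payload["sub"]

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


if __name__ == "__main__":
    svc = EnrollmentTokenService(secrets.token_bytes(32), ttl_seconds=900)
    link = "https://mfa.example.test/enroll?t=" + svc.issue("alice")   # hypothetical host
    token = link.split("t=", 1)[1]
    print(svc.redeem(token))   # first phone pairs
    print(svc.redeem(token))   # a second phone using the same link is refused
```

The nonce set must live in shared, durable storage (a database row per issued token) rather than in process memory, otherwise a second authentication server, or a restart, would accept the replay. Pairing a new device should also notify the user out of band, which turns a silent bypass into a detectable event.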
3.4. Physical Attack (Deliberate/Intentional)
- Sabotage: Sabotage is a set of actions performed by an adversary to intentionally interfere with the victim’s ability to perform tasks (non-fulfillment or defective fulfillment). It can include damage to digital assets, such as the computer or home router, with the aim of making it difficult for the victim employee to perform a routine task. The likelihood of attack increases when working from home, since the victim’s home is less secure than the corporate office. In this way, the decentralization of the workforce adds risk.
- Vandalism: Vandalism is very similar to sabotage, where an adversary’s intention is to harm the victim’s digital assets. In sabotage, an adversary has a particular motive for causing damage to digital assets, whereas in vandalism the motive is limited to harming the digital assets.
- Information leakage/sharing: As the home of the employee is now the office, it may contain sensitive information in the form of physical documents or on thumb drives to which an adversary may have easier access compared to the corporate office; this can lead to the leakage of sensitive information.
- Device theft: There is also a possibility that a thief can steal valuable digital assets, such as a laptop from the employee’s home for monetary gain. The likelihood of this threat is greater in a work-from-home setting than in a corporate environment.
3.5. Unintentional Damage/Loss of Information or IT Assets
- Loss of storage media and documents: When the work desk shifts from the corporate office to the employee’s home, the surrounding environment also changes. In a work-from-home setup, there are additional people, such as family members and visitors. They too gain access to the things that are placed on or near the home work desk. There is also a chance that some documents, storage drives, etc. could be misplaced by other people in the home. Even children, while playing, can misplace important items that are related to work.
- Damage caused by the employee or family members: The work-from-home culture makes employees more comfortable, and there may be more casual behavior at home, even during office hours. While working, employees might eat or drink at the same table where their laptop is placed and could spill or drop food on the laptop/documents, which might cause damage to such items.
- Maintenance errors: Corporate computers receive regular updates to keep them up to date. At home, an unstable Internet connection can interrupt an online installation and cause an error that is time consuming to address or leaves the computer in an unwanted state. The chances of such errors occurring are higher at home than in the corporate office.
- Installation errors: Often, due to an employee’s lack of awareness of installation policies or limited admin privileges, an employee can attempt to install some required applications but fail to do so properly. In the corporate environment, an employee can quickly reach out to the help desk or support staff in person to resolve the issue. However, it can be difficult to explain the issue to remote support staff in the work-from-home setting, and it might take longer than usual. In addition, an error in installing unknown/untrusted software might temporarily prevent a user from performing certain activities due to suspicion.
3.6. Near-Future Threats
- Drones: Today, attacks using drones are a matter of concern due to the lack of government standards for drone use. For an adversary, drones represent an inexpensive means of getting closer to a victim while remaining anonymous and without being caught physically. There are many ways in which drones can be used by an adversary to accomplish malicious tasks. For example, a drone can be used to drop a mini computer (such as a Raspberry Pi) near the victim’s home, which could be used to hack or monitor the victim’s Wi-Fi [37,38]. A drone can also be used to hijack Bluetooth peripherals, such as mice and keyboards and IoT devices connected to Wi-Fi [39]. Keylogging would enable a drone-mounted computer to steal passwords from users. Similarly, drones equipped with a software-defined radio that are located near a TV antenna can transmit a signal that is more powerful than the one broadcasted by legitimate TV networks, overriding the legitimate signal and displaying adversary-owned video on smart TVs in order to perform phishing attacks [40]. Drones can fly in the proximity of the victim’s computer and mimic a fake wireless printer and obtain a file that a victim intended to print [41]. A drone can also be used to drop malicious thumb drives in the home of a victim, which, when inserted into the victim’s personal computer/laptop could infect it. Drones can also be used to monitor the screen of a victim’s TV/laptop; an adversary can also record the victim at sensitive times in order to blackmail them [42].
- Deepfakes: The term deepfake is typically used to refer to a multimedia item that has been edited using an algorithm in order to replace the attributes of the person in the original multimedia file with those of someone else in a way that makes the multimedia piece look authentic. Deepfakes are mainly applied to generate synthetic video, audio, and text. An adversary can leverage publicly available tools such as DeepFaceLive [43], Avatarify [44], Faceswap (https://faceswap.dev/, accessed on 21 June 2022), and others to generate a synthetic video or real-time stream of a key person within an organization and publish it on social media platforms. There are tools such as real-time voice cloning which are capable of generating any synthetic voice given a transcript with a sample as small as five seconds [45]. Tools such as voice.ai https://voice.ai/ (accessed on 21 June 2022) provide live voice-to-voice dubbing using AI. Combining such synthetic audio and video of a key person performing actions they never took can create a more impactful video that elicits viewer trust. Similarly, AI can be used to learn the writing style of a victim and generate synthetic text for misuse without the victim’s awareness. Various deepfake use cases are listed in Table A1.
- Smart TVs and integrated access device infection: Smart TVs are devices with great potential for cyber vulnerabilities that can be exploited to compromise a person’s privacy, since they contain built-in cameras and microphones. These devices, which are connected to the Internet directly or through an integrated access device, can be infected by a wide range of attack vectors and used for spying and leaking information. There are a number of ways to infect a smart TV, locally and remotely:
- Local attacks: The operating systems of smart TVs are not very different from those of computers and are therefore, exposed to the same risks. There is already a wide range of known vulnerabilities; openLGTV https://openlgtv.github.io/ (accessed on 21 June 2022) is an example of a reverse engineering project used to find vulnerabilities. In addition, the integrated access device (IAD) connected to the TV is also vulnerable to a variety of attacks [46] and can be used as an access point to the TV and home network.
- Remote interface range attacks: In smart TVs, the broadcast interface is always on and cannot be turned off. Moreover, there is no authentication of any kind, and data coming from the radio interface are treated as trusted by receivers; an adversary can therefore abuse the lack of an authentication mechanism to display arbitrary video. The relevant interfaces are the asymmetric digital subscriber line (ADSL), a technology that provides high transmission speeds for video and voice to homes over ordinary copper telephone wire, and the digital video broadcasting (DVB) range, a set of international open standards for digital television. Researchers have demonstrated such remote attacks on smart TVs in the past [47].
- Impersonation as a service: In order to authenticate users remotely, risk-based authentication is widely adopted as a means of evaluating whether the authenticating user has previously connected to the service with the same identifiers over a trusted connection (e.g., same device, IP address, location, and browser). During the authentication process, the risk-based authentication technique monitors for suspicious login attempts and, when one is detected, raises an alert that triggers the multi-factor authentication (MFA) process. Recently, in order to bypass MFA, adversaries began impersonating legitimate customers/employees when connecting to the company network by replaying the behavioral and device identifiers that characterize those customers/employees. A paid service described in [8] sells accurate profiles of legitimate employees at a large number of companies; these profiles were collected by malware, and each bundle includes all of the relevant identifiers of an employee, enabling an adversary to bypass the risk-based authentication model.
- Connected devices (peripherals): Peripherals include both internal and external devices. Internal peripherals are built into a computer by the manufacturer (e.g., video and sound cards, internal modems, and hard disk drives). External peripherals are connected either by cables, such as a universal serial bus (USB) cable, or directly to the host device’s port, or even wirelessly using Wi-Fi or Bluetooth. There are a variety of options available to an adversary interested in exploiting these components to intrude on a computer system.
- Drivers: The OS uses programs called device drivers to manage connections with peripherals. By altering the driver’s code, which is installed when the device is connected to the computer, various malicious operations can be performed with the high privileges these drivers run with. Since all drivers running on Windows must be signed before Windows will load them, the adversary has to infiltrate the supply chain and compromise this software while it is still at the manufacturer. In the past, gaming peripheral maker Razer was the victim of such an attack [15].
- Firmware: Threat actors can use the device firmware (the software that controls the device hardware) to run rootkits, a type of software that masks itself and hides malware on a device. This type of software enables threat actors to remotely control devices. “Mousetrap” [16] is an example of a firmware rootkit used to infect PCs.
- Cable manipulation: Smart connection cables (e.g., lightning and USB-C) have small microcontrollers embedded in them. Adversaries can program these microcontrollers, enabling them to attack a device when it is plugged in.
- Virtual Desktop Infrastructure (VDI): Many users believe VDI offers much stronger security than it actually does; common misconceptions include the notion that attackers cannot launch an attack inside a virtual session, since no data are stored locally on the endpoint device, and that ending a session (in a non-persistent VDI) sanitizes any threats present in that session. Once an adversary breaches or takes control of a node, they can potentially compromise the application underlying the workload on the VDI or even get a foot in the door to the enterprise network and data center. VDI has three weak spots:
- Exfiltration: VDI desktops typically have fast (10 Gbps+) access to network resources, including internal file shares and databases. As these desktops are non-persistent and are randomly assigned at logon, it can be harder to track and record data exfiltration, as it might be occurring across multiple desktops, IPs, and user accounts rather than from a single compromised workstation.
- Persistence: Malware can leverage a user’s roaming profile or a mapped network drive to persist across reboots by reloading itself each time the user logs back in to their desktop.
- Exploitation: Non-persistent VDI does little to actually prevent exploitation from occurring. The only requirement limiting exploitation is that the initial exploit has to occur within the life of the VDI session before the desktop is rebooted.
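The “impersonation as a service” entry above is easiest to appreciate by scoring a login the way a risk-based authentication system does. The following is an added example, not code from the paper: it compares a login attempt with the identifiers stored for a user (IP range, location, browser, time zone), and shows that an attempt replaying a malware-harvested copy of those identifiers scores exactly like the real user, while the same adversary from their own environment would have been denied. The weights, thresholds, profiles, and addresses are illustrative assumptions.

```python
"""Risk-based authentication (RBA) versus a cloned identifier bundle.

Added example; not code from the paper. Weights, thresholds and the sample
profiles are illustrative assumptions.
"""
import ipaddress

# Risk points added for each deviation from the stored profile (assumed values).
WEIGHTS = {"ip_range": 40, "geo": 30, "browser": 20, "timezone": 10}
MFA_THRESHOLD = 30       # step-up authentication at or above this score
DENY_THRESHOLD = 80
# Actions that must step up regardless of how familiar the login looks.
ALWAYS_STEP_UP = {"change_mfa_device", "change_password", "wire_transfer"}


def risk_score(profile, attempt):
    """Return (score, reasons) for one login attempt against a stored profile."""
    score, reasons = 0, []
    if ipaddress.ip_address(attempt["ip"]) not in ipaddress.ip_network(profile["ip_range"]):
        score += WEIGHTS["ip_range"]
        reasons.append("ip outside usual range")
    for key in ("geo", "browser", "timezone"):
        if attempt[key] != profile[key]:
            score += WEIGHTS[key]
            reasons.append(f"{key} differs")
    return score, reasons


def decide(profile, attempt, action="read_mail"):
    """Return 'allow', 'mfa' or 'deny' for an attempt performing `action`."""
    score, _ = risk_score(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= MFA_THRESHOLD or action in ALWAYS_STEP_UP:
        return "mfa"
    return "allow"


# Constructed profile of a legitimate employee and three login attempts.
ALICE = {"ip_range": "203.0.113.0/24", "geo": "City-A", "browser": "Firefox/102", "timezone": "UTC+2"}
ALICE_LOGIN = {"ip": "203.0.113.57", "geo": "City-A", "browser": "Firefox/102", "timezone": "UTC+2"}
# Adversary from their own environment: every identifier differs.
ATTACKER_RAW = {"ip": "198.51.100.7", "geo": "City-B", "browser": "Chrome/103", "timezone": "UTC-5"}
# Adversary replaying a purchased bundle of Alice's identifiers through a proxy
# in her IP range, with the browser configured to match.
ATTACKER_CLONE = dict(ALICE_LOGIN, ip="203.0.113.200")


if __name__ == "__main__":
    for label, attempt in (("alice", ALICE_LOGIN), ("attacker raw", ATTACKER_RAW), ("attacker clone", ATTACKER_CLONE)):
        score, reasons = risk_score(ALICE, attempt)
        print(f"{label:15} score={score:3} {decide(ALICE, attempt):5} reasons={reasons}")
```

The cloned attempt scores zero and is allowed for routine actions, which is exactly the bypass the service in [8] sells. The `ALWAYS_STEP_UP` rule limits the damage by forcing MFA on account-changing actions irrespective of the score, but the durable fix is a second factor the bundle cannot contain, such as a hardware-bound FIDO2 credential, rather than more identifiers to match.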
4. DREAD Threat Model
- Damage potential: How great is the damage to the assets?
- Reproducibility: How easy is it to reproduce and replicate the attack?
- Exploitability: How much time and energy are required to exploit the threat?
- Affected users: How many people, either inside or outside of the business, will be affected by the cyber threat?
- Discoverability: How easy is it to discover the cyber threat?
Each criterion is rated from one (low) to three (high), and the five ratings are summed to give a score between five and fifteen:
- Five to seven: Low-risk threats.
- Eight to eleven: Medium-risk threats.
- Twelve to fifteen: High-risk threats.
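As an added example (not the paper’s own assessment), the scoring above can be applied to a list of threats and used to rank them. The per-criterion ratings given to the sample threats below are illustrative assumptions; the bands are the ones stated above.

```python
"""DREAD scoring and ranking of threats.

Added example; not code from the paper. Each of the five DREAD criteria is
rated 1 (low) to 3 (high), the ratings are summed, and the sum is mapped to the
bands 5-7 low, 8-11 medium, 12-15 high. Sample ratings are assumptions.
"""
CRITERIA = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
BANDS = ((5, 7, "low"), (8, 11, "medium"), (12, 15, "high"))


def dread_total(ratings):
    """Validate a {criterion: 1..3} mapping and return its sum."""
    missing = set(CRITERIA) - set(ratings)
    extra = set(ratings) - set(CRITERIA)
    if missing or extra:
        raise ValueError(f"criteria mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for name, value in ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 3:
            raise ValueError(f"{name} must be an integer in 1..3, got {value!r}")
    return sum(ratings.values())


def risk_band(total):
    """Map a DREAD total to its band label."""
    for low, high, label in BANDS:
        if low <= total <= high:
            return label
    raise ValueError(f"total {total} outside 5..15")


def rank_threats(threats):
    """Return [(name, total, band)] sorted from highest to lowest risk, ties by name."""
    scored = []
    for name, ratings in threats.items():
        total = dread_total(ratings)
        scored.append((name, total, risk_band(total)))
    return sorted(scored, key=lambda row: (-row[1], row[0]))


SAMPLE_THREATS = {   # assumed ratings for illustration only
    "Phishing": dict(damage=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=3),
    "Device theft": dict(damage=3, reproducibility=1, exploitability=2, affected_users=1, discoverability=2),
    "Spilled drink on laptop": dict(damage=1, reproducibility=1, exploitability=1, affected_users=1, discoverability=1),
}


if __name__ == "__main__":
    for name, total, band in rank_threats(SAMPLE_THREATS):
        print(f"{total:2}  {band:6}  {name}")
```

Validation matters more than the arithmetic: a rating outside 1..3 or a missing criterion silently shifts a threat across a band boundary, so the scorer rejects such input instead of summing it.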
5. Threat Mitigation
- Risk acceptance: Although risk acceptance does not reduce the effects of an attack, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that does not want to spend much money on avoiding risks that do not have high likelihoods of occurring will use the risk acceptance strategy.
- Risk avoidance: Risk avoidance is the opposite of risk acceptance. In this case, any exposure to the risk is avoided. It is important to note that risk avoidance is usually the most expensive of all risk mitigation options.
- Risk limitation: Risk limitation is the most common risk management strategy used by companies. This strategy limits a company’s exposure by taking some action. It employs a bit of risk acceptance and risk avoidance in some combination of the two. An example of the use of this strategy is when a company accepts that a disk drive may fail but aims to prevent a long down time if that occurs by having backups.
- Risk transference: Risk transference is a strategy in which the risk is passed to a willing third party. For example, numerous companies outsource certain operations such as customer service and payroll services. This can be beneficial for a company when the area involved and potentially at risk is not one of its core competencies. This strategy is also used to enable the company to focus more on its core competencies.
5.1. Drones
5.2. Deepfakes
- Authentication of media via provenance: Microsoft proposed the “AMP” (authentication of media via provenance) framework [51] to authenticate media by certifying its provenance. The framework allows publishers to create signed metadata for a media instance. This metadata is stored centrally in a database by a trusted authority that can be queried by browsers and applications to check the media’s authenticity. The result can be communicated to the user via visual elements in the browser indicating that an AMP manifest has been successfully located and verified. A similar framework, "PROVENANCE" [52], aims to warn users when the content they are looking at may be misinformation or disinformation. The PROVENANCE browser plugin checks the content that users see on the Internet and social media and provides warnings in their browser or social media feed regarding the authenticity of the media. In the future (when widely adopted), these frameworks will help build trust among viewers regarding the content and counter deepfakes used to spread misinformation.
- Artifact-based detection: Deepfakes often generate artifacts that are difficult for humans to detect. Researchers have proposed a few techniques that use ML and AI to identify those inconsistencies and detect deepfakes. One such technique is based on the observation that current deepfake algorithms only generate images of limited resolution, which need to be further warped to match the original faces extracted from the source video frames. The warping techniques leave distinctive artifacts in the resulting deepfake, which can be adequately captured by convolutional neural networks (CNNs) [53]. Similarly, in a paper titled "FakeCatcher" [54], the researchers’ key assertion is that biological signals hidden in portrait videos can be used as implicit descriptors of authenticity, because they are neither spatially nor temporally preserved in fake content; various biological signals, such as a heartbeat, pulse, and blood volume patterns hidden in portrait videos, were used to verify authenticity. In another study, the authors released an “in the wild” dataset http://cs.binghamton.edu/~ncilsal2/DeepFakesDataset/ (accessed on 21 June 2022) of fake portrait videos that they collected as a part of their experiment. The authors proposed a face X-ray technique for the detection of forgery in face images. The face X-ray of an input face image is a grayscale image that reveals whether the input image can be decomposed in the blending of two images from different sources. They showed the blending boundary for a forged image and the absence of blending boundary for a real image. The algorithm for computing a face X-ray can be trained without fake images generated by state-of-the-art face manipulation methods. The proposed method remains effective when applied to forgery performed by unseen face-manipulation techniques [55].
- Inconsistency-based detection: Several techniques for identifying inconsistencies in media can be used for deepfake detection. Inconsistencies between audio speech patterns and mouth motion, speaker features, and visual facial features (e.g., a voice change but no face change) can help achieve the confidence score required for deepfake detection. In another study [56], the authors were able to detect manipulations of video by searching for and combining the evidence of multiple types of inconsistencies between the audio and visual channels: inconsistencies among the type of scenes detected in the audio and visual modalities (e.g., audio indoors, small room versus visual outdoors, and urban) and inconsistencies in speaker identity tracking over a video given audio-speaker features and visual face features (e.g., a voice change without any face changes). A temporal-aware pipeline for the automatic detection of deepfake videos was proposed [57], in which an algorithm leverages a CNN to extract frame-level object features. These features are used to train a recurrent neural network (RNN) that learns to classify by finding temporal inconsistencies that indicate if a video has been subject to manipulation or not.
- Semantic detection: Algorithmic detection techniques that rely on statistical fingerprints and anomalies can be fooled with limited additional resources (e.g., algorithm development, data, or computing power). In the current media generation, deepfakes rely heavily on data-driven approaches, so they are prone to making semantic errors. Given this, a forensic technique was proposed in which facial expressions and movements that reflect an individual’s speaking pattern are modeled for deepfake detection [58]. Although not visually apparent, these correlations are often violated given the way that deepfake videos are created.
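The publisher-signs, authority-stores, browser-verifies flow described under “Authentication of media via provenance” above, as an added illustration that is not code from the AMP or PROVENANCE projects: a constructed Go program in which a publisher signs a manifest (publisher name, SHA-256 of the media bytes, creation date) with Ed25519, a registry standing in for the trusted authority stores it keyed by the media hash, and a verifier hashes the media it is about to display and looks the manifest up. The manifest fields, the `Registry` type and the hash-keyed lookup are this example’s own assumptions, not the AMP specification, and the media bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the provenance record a publisher signs for one media item.
// The field set is this example's own (constructed), not the AMP schema.
type Manifest struct {
	Publisher string `json:"publisher"`
	MediaHash string `json:"media_hash"` // hex SHA-256 over the media bytes
	Created   string `json:"created"`
}

type signedManifest struct {
	Manifest  Manifest
	Signature []byte
}

// Registry stands in for the trusted authority's central database: signed
// manifests keyed by media hash, plus each publisher's verification key.
type Registry struct {
	manifests map[string]signedManifest
	pubkeys   map[string]ed25519.PublicKey
}

func NewRegistry() *Registry {
	return &Registry{
		manifests: map[string]signedManifest{},
		pubkeys:   map[string]ed25519.PublicKey{},
	}
}

// RegisterPublisher records a publisher's public key with the authority.
func (r *Registry) RegisterPublisher(name string, pk ed25519.PublicKey) {
	r.pubkeys[name] = pk
}

// hashMedia binds a manifest to the exact media bytes.
func hashMedia(media []byte) string {
	sum := sha256.Sum256(media)
	return hex.EncodeToString(sum[:])
}

// canonical is the byte string that gets signed. encoding/json writes struct
// fields in declaration order, so publisher and verifier agree on the bytes.
func canonical(m Manifest) []byte {
	data, err := json.Marshal(m)
	if err != nil {
		panic(err) // cannot happen for a struct of plain strings
	}
	return data
}

// Publish is the publisher side: hash the media, build and sign the manifest,
// and submit it. The authority rejects manifests that do not verify under the
// publisher's registered key, so an impostor cannot register one.
func (r *Registry) Publish(publisher string, sk ed25519.PrivateKey, media []byte, created string) error {
	m := Manifest{Publisher: publisher, MediaHash: hashMedia(media), Created: created}
	sig := ed25519.Sign(sk, canonical(m))
	pk, ok := r.pubkeys[publisher]
	if !ok || !ed25519.Verify(pk, canonical(m), sig) {
		return errors.New("manifest rejected: unknown publisher or signature mismatch")
	}
	r.manifests[m.MediaHash] = signedManifest{Manifest: m, Signature: sig}
	return nil
}

// Verify is the browser side: hash the media about to be shown, look up the
// manifest by that hash and check its signature. Any change to the media
// bytes changes the hash, so an edited copy locates no manifest at all.
func (r *Registry) Verify(media []byte) (Manifest, error) {
	sm, ok := r.manifests[hashMedia(media)]
	if !ok {
		return Manifest{}, errors.New("no manifest located for this media")
	}
	pk, ok := r.pubkeys[sm.Manifest.Publisher]
	if !ok {
		return Manifest{}, errors.New("manifest names an unknown publisher")
	}
	if !ed25519.Verify(pk, canonical(sm.Manifest), sm.Signature) {
		return Manifest{}, errors.New("manifest signature does not verify")
	}
	return sm.Manifest, nil
}

func main() {
	pk, sk, err := ed25519.GenerateKey(nil) // nil reader: crypto/rand is used
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.RegisterPublisher("example-news", pk)

	media := []byte("constructed stand-in for a video file")
	if err := reg.Publish("example-news", sk, media, "2022-06-21"); err != nil {
		panic(err)
	}
	if m, err := reg.Verify(media); err == nil {
		fmt.Println("verified, published by", m.Publisher)
	}
	edited := append(append([]byte(nil), media...), '!')
	_, err = reg.Verify(edited)
	fmt.Println("edited copy:", err)
}
```

The design choice worth noting is that the lookup key is the content hash itself: a browser never needs to trust anything embedded in the media file, and a single changed byte (the "edited copy" above) yields no manifest rather than a manifest that fails late. A real deployment would also have to handle key rotation and re-encoded copies of the same media, which this sketch does not.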
5.3. Multi-Factor Authentication Bypass
5.4. Smart TV Data Leakage
- Privacy setting: Turn off the camera and microphone in the TV’s settings.
- Trusted applications: Only use trusted applications from the original application store.
- Data collection: Disable data collection from third parties (e.g., the LG LivePlus service, Samsung viewing information services, Vizio viewing data services, and TCL/Roku information from other inputs).
5.5. Impersonation as a Service
5.6. Peripheral Infection
5.7. Exploit Virtual Desktop Infrastructure
- Persistent VDI: the user always logs into the same desktop image, with all changes to applications and data retained.
- Non-persistent VDI: in this type, no changes are saved; a clean image is loaded in every connection.
5.8. Network Misconfigurations
- Restrict access: Restrict access to endpoints using an operating system firewall (e.g., Windows Defender Firewall or anti-virus firewalls).
- Virtual patching: Implement a web application firewall (WAF), an application that protects web applications from a variety of application layer attacks, such as cross-site scripting (XSS), SQL injection, and cookie poisoning. Virtual patching refers to the rapid development and short-term implementation of a security policy meant to prevent an exploit of a newly discovered vulnerability until the code itself is fixed. Virtual patching is usually supplied by WAFs.
- Configuration monitor: Use home configuration monitoring services that check the router configuration against a template (e.g., F-Secure router checker) or automatic template inference, as suggested by Kakarla et al. [66].
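The virtual-patching idea from the list above, as an added Go example that is not code from any WAF product: a minimal policy engine whose rules each cover one hypothetical, newly disclosed weakness, scoped to a path and a parameter, using either a positive model (the value must match an allowed pattern) or a negative model (the value must not match a known-bad pattern), with a review date that makes the "short-term" nature of the patch visible. The paths, parameter names, rule names and the two weaknesses are constructed for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"regexp"
	"time"
)

// Rule is one virtual patch: a narrowly scoped policy that blocks requests
// exploiting a specific disclosed weakness until the real fix ships.
// ReviewBy is the date by which the code fix should have replaced the rule.
type Rule struct {
	Name     string
	Path     string         // request path the rule applies to (exact match)
	Param    string         // query/form parameter inspected
	Allow    *regexp.Regexp // positive model: every value MUST match
	Deny     *regexp.Regexp // negative model: no value may match
	ReviewBy time.Time
}

// Violates reports whether the request's parameter values break this rule.
func (r Rule) Violates(path string, values url.Values) bool {
	if path != r.Path {
		return false
	}
	for _, v := range values[r.Param] {
		if r.Allow != nil && !r.Allow.MatchString(v) {
			return true
		}
		if r.Deny != nil && r.Deny.MatchString(v) {
			return true
		}
	}
	return false
}

// VirtualPatch is the policy: an ordered list of rules.
type VirtualPatch struct {
	Rules []Rule
}

// Inspect returns the name of the first rule the request violates, or "".
func (vp VirtualPatch) Inspect(path string, values url.Values) string {
	for _, r := range vp.Rules {
		if r.Violates(path, values) {
			return r.Name
		}
	}
	return ""
}

// DueForReview lists rules whose real fix should already have shipped. The
// rules keep enforcing; this only surfaces them to the operator.
func (vp VirtualPatch) DueForReview(now time.Time) []string {
	var names []string
	for _, r := range vp.Rules {
		if now.After(r.ReviewBy) {
			names = append(names, r.Name)
		}
	}
	return names
}

// Middleware wraps the application: violating requests get 403 and a log
// line naming the rule, so blocked attempts are visible to monitoring.
func (vp VirtualPatch) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if err := req.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if name := vp.Inspect(req.URL.Path, req.Form); name != "" {
			log.Printf("virtual patch %s blocked %s %s from %s", name, req.Method, req.URL.Path, req.RemoteAddr)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, req)
	})
}

// ExamplePolicy is a constructed policy; the weaknesses and paths are
// hypothetical and only show the two rule styles.
func ExamplePolicy() VirtualPatch {
	return VirtualPatch{Rules: []Rule{
		{ // hypothetical SQL injection via the report id: allow digits only
			Name: "VP-001-report-id", Path: "/api/report", Param: "id",
			Allow:    regexp.MustCompile(`^[0-9]{1,10}$`),
			ReviewBy: time.Date(2022, 7, 1, 0, 0, 0, 0, time.UTC),
		},
		{ // hypothetical stored XSS in the guestbook: refuse script tags
			Name: "VP-002-guestbook-comment", Path: "/guestbook", Param: "comment",
			Deny:     regexp.MustCompile(`(?i)<\s*script`),
			ReviewBy: time.Date(2022, 7, 15, 0, 0, 0, 0, time.UTC),
		},
	}}
}

func main() {
	vp := ExamplePolicy()
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	log.Println("rules due for review:", vp.DueForReview(time.Now()))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", vp.Middleware(app)))
}
```

The positive-model rule (VP-001) is the one to prefer where the legitimate value space is small: it needs no knowledge of the exploit payload, only of what a valid `id` looks like, so it also covers variants of the attack the denylist author did not anticipate.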
5.9. Phishing
5.10. DoS on Both Network and Application Services (Amplification/Reflection Methods)
5.11. Malware Infection
5.12. Identity Theft (Identity Fraud/Account)
5.13. Exploitation of Wireless Communication Protocols
5.14. Infected Trusted Software/Mobile Applications
5.15. Man-in-the-Middle (MiTM)/Session Hijacking and Fake SSL Certificates
5.16. Side-Channel Attacks
5.17. Obsolescence
5.18. Network Reconnaissance, Network Traffic Manipulation, and Information Gathering
5.19. Eavesdropping, Interception, Hijacking
5.20. Credential Discovery
- Disable the caching of WDigest credentials in memory (WDigest is a legacy challenge/response protocol) using the SecurityProviders registry key.
- Ensure that both LM and NTLMv1 are disabled using the Local Policies/Security Options registry key.
- Set the Local Security Authority Subsystem Service (LSASS) to protected mode.
- Limit credential caching using the SECURITY/Cache registry key.
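A way to audit the four settings listed above on a fleet of home-office laptops, as an added Go example that is not code from the paper: it parses the text produced by `reg export` (a constructed sample is embedded) and evaluates each control. The registry locations are the real Windows values for these settings (UseLogonCredential under SecurityProviders\WDigest, LmCompatibilityLevel and RunAsPPL under Lsa, CachedLogonsCount under Winlogon); the pass thresholds (LmCompatibilityLevel of at least 5, at most 4 cached logons, a missing value counted as a failure) are this example's own choices and should be aligned with the organisation's baseline.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Registry value paths for the four controls, written the way `reg export`
// names them. The locations are real; the thresholds below are ours.
const (
	wdigestCred = `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential`
	lmCompat    = `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel`
	runAsPPL    = `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`
	cachedLogon = `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount`
)

// SampleRegExport is a constructed export of a laptop with only LSASS
// protection applied; the other three controls are left at weak values.
const SampleRegExport = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
"RunAsPPL"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
`

// Finding is the result for one control.
type Finding struct {
	Control string
	Pass    bool
	Detail  string
}

// ParseRegExport maps "KEY\name" to the raw value text, e.g. dword:00000001
// or "10". Lines that are not a [key] header or a "name"=value pair are skipped.
func ParseRegExport(text string) map[string]string {
	vals := map[string]string{}
	var key string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			key = line[1 : len(line)-1]
		case strings.HasPrefix(line, `"`):
			parts := strings.SplitN(line[1:], `"=`, 2)
			if len(parts) == 2 && key != "" {
				vals[key+`\`+parts[0]] = parts[1]
			}
		}
	}
	return vals
}

// dword decodes a REG_DWORD written as dword:<8 hex digits>.
func dword(vals map[string]string, path string) (uint64, bool) {
	v, ok := vals[path]
	if !ok || !strings.HasPrefix(v, "dword:") {
		return 0, false
	}
	n, err := strconv.ParseUint(strings.TrimPrefix(v, "dword:"), 16, 32)
	return n, err == nil
}

// regString decodes a REG_SZ written as a quoted string.
func regString(vals map[string]string, path string) (string, bool) {
	v, ok := vals[path]
	if !ok || len(v) < 2 || !strings.HasPrefix(v, `"`) || !strings.HasSuffix(v, `"`) {
		return "", false
	}
	return v[1 : len(v)-1], true
}

// AuditCredentialControls evaluates the four mitigations. A missing value
// counts as a failure so that every setting is pinned explicitly.
func AuditCredentialControls(vals map[string]string) []Finding {
	var out []Finding
	v, ok := dword(vals, wdigestCred)
	out = append(out, Finding{"WDigest cleartext credentials disabled (UseLogonCredential=0)", ok && v == 0, fmt.Sprintf("present=%v value=%d", ok, v)})
	v, ok = dword(vals, lmCompat)
	out = append(out, Finding{"LM and NTLMv1 refused (LmCompatibilityLevel>=5)", ok && v >= 5, fmt.Sprintf("present=%v value=%d", ok, v)})
	v, ok = dword(vals, runAsPPL)
	out = append(out, Finding{"LSASS runs as a protected process (RunAsPPL=1)", ok && v == 1, fmt.Sprintf("present=%v value=%d", ok, v)})
	s, ok := regString(vals, cachedLogon)
	n, err := strconv.Atoi(s)
	out = append(out, Finding{"Cached logons limited (CachedLogonsCount<=4)", ok && err == nil && n <= 4, fmt.Sprintf("present=%v value=%q", ok, s)})
	return out
}

// FailedControls returns the names of the controls that did not pass.
func FailedControls(fs []Finding) []string {
	var names []string
	for _, f := range fs {
		if !f.Pass {
			names = append(names, f.Control)
		}
	}
	return names
}

func main() {
	for _, f := range AuditCredentialControls(ParseRegExport(SampleRegExport)) {
		status := "PASS"
		if !f.Pass {
			status = "FAIL"
		}
		fmt.Printf("%s  %s  (%s)\n", status, f.Control, f.Detail)
	}
}
```

On the constructed sample this reports three failures and one pass; feeding it a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg`, and likewise for the other two keys) turns the checklist into something an endpoint agent can run on every laptop rather than a one-off manual review.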
5.21. Cryptanalysis
5.22. Physical Attack (Deliberate or Intentional)
5.23. Physical Attack (Unintentional Damage or Loss of Information or IT Assets)
6. Discussion
Author Contributions
Funding
Conflicts of Interest
Appendix A
Threat Categories | Possible Scenarios/Attack Vectors | D | R | E | A | D | DREAD Rating | Time Horizon |
---|---|---|---|---|---|---|---|---|
Drones | A small computer, such as a Raspberry Pi, could be dropped in the vicinity of a victim’s building using a drone. It could mimic a Wi-Fi network in order to steal data from tablets and smartphones, or hijack Bluetooth peripherals, such as mice and keyboards. Keylogging would enable a drone-mounted computer to steal passwords from users. | 2 | 3 | 2 | 1 | 2 | Medium | 1–3 years |
Drones | Drones equipped with a software-defined radio located near a TV antenna can transmit a signal that is more powerful than the one broadcast by legitimate TV networks, overriding the legitimate signal and displaying their desired video on the TV. This can lead to phishing attacks. | 1 | 2 | 1 | 1 | 2 | Low | 1–3 years |
Drones | Drones can fly into the range of the victim’s computer such that it can mimic a fake wireless printer and obtain the file that a victim intended to print. | 1 | 2 | 1 | 1 | 2 | Low | 1–3 years |
Drones | Drones can be used to drop malicious thumb drives in the home of the victim so that when the thumb drive is plugged into the personal computer/laptop, it infects the computer, leading to the adversary’s presence on the home network. | 3 | 3 | 2 | 2 | 2 | High | 1–3 years |
Drones | Drones can also be used to record the intimate moments of the victim, which can help the adversary blackmail the victim. | 2 | 2 | 2 | 1 | 2 | Medium | 1–3 years |
Drones | Drones can fly near the victim’s window to monitor a screen/TV containing confidential data. | 2 | 2 | 2 | 1 | 2 | Medium | 1–3 years |
Deepfakes | An adversary can make a synthetic video of a senior manager asking an employee about sensitive information. | 3 | 3 | 2 | 2 | 3 | High | 1–3 years |
Deepfakes | Call-based spear phishing attacks can be enhanced using real-time deepfakes of someone whom the victim trusts. For text-based phishing, tweets and emails can be generated to attract a specific victim, or style transfer techniques can be used to mimic a colleague. Similar approaches can evade email spam filters. | 2 | 3 | 2 | 2 | 3 | High | 1–3 years |
Deepfakes | Deepfakes can be used to make a synthetic video of a key person that can be played on an online meeting platform, firing their employees or playing it before a crucial event to disrupt it, similar to what occurred to the CEO of better.com. | 2 | 2 | 2 | 1 | 3 | Medium | 1–3 years |
Deepfakes | A synthetic video of the victim employee could be made and shared with his/her senior manager by another employee to foster distrust among them. | 1 | 2 | 2 | 1 | 3 | Medium | 1–3 years |
Deepfakes | The CEO or any employee can send synthetic voice mail over email asking employees to donate to his/her charity. | 3 | 3 | 2 | 2 | 3 | High | 1–3 years |
Deepfakes | A synthetic video of a key person could be made and published on the Internet in which the speaker is speaking poorly about the company’s policies, announcing fake offers, etc. | 2 | 2 | 2 | 2 | 3 | Medium | 1–3 years |
Deepfakes | An adversary can create fake images/videos of the victim employee in a compromising position, drinking, smoking, or even naked. Thus, the victim employee can be blackmailed. | 3 | 2 | 2 | 1 | 3 | Medium | 1–3 years |
Deepfakes | An adversary can use deepfake technology to steal the identity of a deceased person for financial gain. An adversary can open a new account using the identity of a deceased person by using a synthetic video in the online verification process. | 1 | 1 | 1 | 1 | 1 | Low | 1–3 years |
Deepfakes | An adversary can make a fraudulent insurance or other claim on behalf of a deceased person. Claims can successfully continue to be made on pensions, life insurance, and benefits for many years after a person dies; this could be done either by a family member or a professional fraudster. Deepfakes could be used to persuade an official that a customer is still alive. | 1 | 1 | 1 | 1 | 1 | Low | 1–3 years |
Deepfakes | An insider adversary can create relevant fake accounting transactions, i.e., journal entries in Enterprise Resource Planning (ERP) systems, to evade anomaly detection in an audit performed with Computer Assisted Audit Techniques (CAATs). | 1 | 1 | 1 | 1 | 1 | Low | 1–3 years |
Deepfakes | AI can be used to bypass the fingerprint locks of secured mobile phones/laptops by generating a masterprint that helps the adversary unlock the devices to gain access to critical information. | 2 | 1 | 1 | 1 | 2 | Low | 1–3 years |
Deepfakes | Adversaries can build fake personas on online social networks (OSNs) to connect with their targets. To evade fake profile detectors, a profile can be cloned and slightly altered using AI so that the fake profiles will appear different yet reflect the same personality. The adversary can then use a number of AI techniques to alter or mask the photos from detection. To build connections, a link prediction model can be used to maximize the acceptance rate, and a deep-learning-based chatbot can be used to maintain conversations with the fake profiles. | 2 | 2 | 1 | 1 | 1 | Low | 3–5 years |
Multi-Factor Authentication (MFA) Bypass | An adversary can use the credentials and soft token from the stolen laptop of victim A to connect to a VPN and then use the credentials of victim B to log into other services, thus bypassing MFA for victim B. | 3 | 2 | 2 | 1 | 2 | Medium | Present |
Multi-Factor Authentication (MFA) Bypass | An adversary could gain access to the victim’s email and discover the MFA URL responsible for pairing the MFA soft token of a victim’s phone with the victim’s user identity in the company’s MFA server. The MFA URL obtained could contain a cryptographic seed that can be leveraged by the adversary to generate OTP codes after breaking the PIN and using the timestamp with it. | 2 | 2 | 1 | 1 | 1 | Low | Present |
Multi-Factor Authentication (MFA) Bypass | Having access to the victim’s laptop, an adversary can exploit DPAPI, i.e., the Windows API responsible for encryption and decryption of the credentials, to obtain the domain backup key that is capable of decrypting an encrypted blob and hence can escalate the attack to other users in the domain. | 3 | 2 | 1 | 3 | 2 | Medium | Present |
Multi-Factor Authentication (MFA) Bypass | An adversary can exploit other ways of connecting to critical servers (like SMB, RPC, etc.) to bypass MFA. | 2 | 2 | 2 | 1 | 2 | Medium | Present |
Multi-Factor Authentication (MFA) Bypass | An adversary can fool a telecom company in order to get a SIM and steal the employee’s number, performing a SIM swap attack. | 2 | 2 | 2 | 1 | 2 | Medium | Present |
Multi-Factor Authentication (MFA) Bypass | An adversary can take advantage of an existing trusted connection to hijack the session token and re-use it without authentication. | 2 | 2 | 2 | 1 | 1 | Medium | Present |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can leverage a compromised mobile device of the victim placed near the keyboard to recover the keystrokes that were typed on the keyboard. A similar threat may arise from other IoT devices. | 2 | 2 | 1 | 1 | 2 | Medium | 3–5 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can use an approach that can recover the keystrokes from the victim’s eye movements. The attack’s likelihood of success increases in home offices where employees use the camera of a laptop or connect the screen to smart TVs that have a built-in camera. | 2 | 2 | 1 | 1 | 2 | Medium | 3–5 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | Compromised IoT devices present on the home network can aid in performing attacks on the local network, like ARP poisoning, sniffing, DNS poisoning, etc. | 2 | 2 | 2 | 1 | 2 | Medium | Present |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can use smart TVs in order to capture data presented on the TV screen (e.g., a Teams meeting). | 2 | 2 | 2 | 1 | 2 | Medium | 1–3 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can control a smart TV camera/microphone to record the home environment. | 2 | 2 | 2 | 1 | 2 | Medium | 1–3 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can control the screen content in order to provide fake content or execute phishing attacks. | 1 | 1 | 2 | 1 | 1 | Low | 1–3 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can use the TV as an entry point and pivot in the network or gather information about available services and open ports. | 1 | 2 | 2 | 2 | 1 | Low | 1–3 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can steal sensitive data (e.g., cookies) from smart TV services. | 1 | 2 | 2 | 2 | 1 | Low | 1–3 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can corrupt smart TV firmware in order to take control of the TV. | 2 | 2 | 2 | 1 | 1 | Medium | 3–5 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can craft a DVB signal to take control of the TV browser application. | 1 | 2 | 2 | 1 | 1 | Low | 3–5 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can take control of smart streamers and infect connected PCs and smart TVs using a Bluetooth connection. | 2 | 2 | 2 | 1 | 1 | Medium | 1–3 years |
Ambient Computing Devices (Smart TVs and Integrated Access Device Infection) | An adversary can use smart streamers to record the environment using a built-in microphone. | 2 | 2 | 2 | 1 | 1 | Medium | 1–3 years |
Impersonation as a Service | An adversary can purchase the profile of the targeted employee to take over his/her profile and perform certain activities or avoid MFA. | 2 | 2 | 3 | 2 | 2 | Low | Present |
Connected Devices (Peripherals) | An adversary can infect a peripheral device driver with a malicious payload. | 2 | 2 | 2 | 1 | 1 | Medium | 1–3 years |
Connected Devices (Peripherals) | An adversary can replace the peripheral device’s firmware. | 2 | 2 | 2 | 1 | 1 | Medium | 1–3 years |
Connected Devices (Peripherals) | An adversary can utilize a peripheral device to perform data extraction. | 2 | 2 | 1 | 2 | 1 | Medium | 3–5 years |
Virtual Desktop Interface (VDI) | An adversary can hijack a remote session to the VDI console. | 2 | 2 | 1 | 1 | 1 | Low | 1–3 years |
Virtual Desktop Interface (VDI) | An adversary can spread within the network from the VDI console. | 3 | 1 | 1 | 2 | 1 | Medium | 1–3 years |
Threat Categories | Threats | Possible Scenarios/Attack Vectors | Impacted Devices | D | R | E | A | D | DREAD Rating | Time Horizon |
---|---|---|---|---|---|---|---|---|---|---|
Nefarious Activity/Abuse | Phishing | Phishing emails regarding an online meeting or some new offer introduced by the company can be used to lure an employee. | Company’s laptop | 2 | 2 | 2 | 1 | 1 | Medium | Present |
Nefarious Activity/Abuse | Phishing | Based on network activity reconnaissance, spear phishing emails can be crafted in a more effective way. | Digital devices connected to home router, home router | 2 | 2 | 2 | 1 | 1 | Medium | 1–3 years |
Nefarious Activity/Abuse | DoS on both network and application services (amplification/reflection methods) | An adversary present on the employee’s home Wi-Fi network can flood the remote machine and cause a DoS attack. | Company’s laptop, home router Wi-Fi segment | 1 | 1 | 2 | 1 | 1 | Low | Present |
Nefarious Activity/Abuse | Malware infection | Infection can occur from an external device plugged into the employee’s PC (e.g., a smartwatch). | Company’s laptop | 2 | 2 | 1 | 1 | 2 | Medium | 1–3 years |
Nefarious Activity/Abuse | Malware infection | An advanced phishing attack performed via email may infect an employee’s PC (e.g., asking an employee to download updated video conferencing software). | Company’s laptop | 2 | 2 | 2 | 1 | 1 | Medium | Present |
Nefarious Activity/Abuse | Identity theft (identity fraud/account) | An adversary can impersonate an employee’s manager and ask the employee to pass on certain confidential information. ML can be used to generate the synthetic voice of the manager. | - | 3 | 3 | 2 | 2 | 3 | High | 1–3 years |
Nefarious Activity/Abuse | Identity theft (identity fraud/account) | An adversary can purchase the profile of a targeted employee to take over his/her profile, perform certain activities, or avoid enabling MFA. | - | 1 | 1 | 2 | 1 | 1 | Low | 1–3 years |
Nefarious Activity/Abuse | Exploitation of wireless communication protocols | An adversary can remotely monitor an NFC connection. | Company’s laptop | 1 | 2 | 1 | 1 | 1 | Low | 1–3 years |
Nefarious Activity/Abuse | Exploitation of wireless communication protocols | An adversary can remotely control components in the network and spread across it using a malicious Bluetooth connection. | Digital devices connected to home router, home router, company’s laptop | 2 | 2 | 1 | 1 | 1 | Low | 1–3 years |
Nefarious Activity/Abuse | Exploitation of wireless communication protocols | An adversary can crack Wi-Fi passwords using brute force or KRACK exploits and monitor network activities. | Home router | 1 | 2 | 2 | 1 | 2 | Medium | Present |
Nefarious Activity/Abuse | Infected trusted software/mobile applications | An adversary can reverse engineer an existing app of the company and float a version containing malicious code. | Personal/company’s phone | 2 | 2 | 1 | 3 | 2 | Medium | Present |
Eavesdropping/Interception/Hijacking | Man-in-the-middle (MiTM)/session hijacking | An adversary can set up a MiTM box to sniff and actively alter data accessed by the victim; this can be relevant for mobile traffic if not applicable on a laptop due to proxy tunneling. | Digital devices connected to home router, home router, IoT devices | 2 | 2 | 1 | 1 | 2 | Medium | Present |
Eavesdropping/Interception/Hijacking | Side-channel attacks | Side-channel attacks can be performed on the home router of the employee to understand the applications used by the employee and perform a targeted attack. | Company’s laptop, home router, IoT devices | 1 | 2 | 1 | 1 | 1 | Low | 3–5 years |
Eavesdropping/Interception/Hijacking | Fake SSL certificates | Tools like Burp Suite can be used to inject a fake certificate that can help an adversary peek into the encrypted traffic (this attack also applies to the employee’s mobile phone); this can be relevant for mobile traffic if not applicable on a laptop due to proxy tunneling. | Digital devices connected to home router, home router | 2 | 2 | 1 | 1 | 2 | Medium | Present |
Misconfiguration of Systems and Technologies | Obsolescence | If an employee is using old equipment, he/she may not be able to perform the required or recommended updates. | Company’s laptop | 1 | 2 | 1 | 1 | 1 | Low | Present |
Smart Devices (IoT Devices) | Network reconnaissance, information gathering | An adversary can use a compromised camera to take photos of the employee and then blackmail him/her. | Digital devices connected to home router, home router, IoT devices | 2 | 2 | 1 | 1 | 1 | Low | 1–3 years |
Smart Devices (IoT Devices) | Network reconnaissance, information gathering | An adversary can use a compromised camera to map an employee’s keystrokes on the company’s laptop to obtain credentials or understand the communication taking place by email. | Digital devices connected to home router, home router, IoT devices | 2 | 2 | 1 | 1 | 1 | Low | 1–3 years |
Smart Devices (IoT Devices) | Network reconnaissance, information gathering | An adversary can use compromised IoT devices to record voice and video conferences. | Digital devices connected to home router, home router, IoT devices | 2 | 2 | 1 | 1 | 1 | Low | 1–3 years |
Smart Devices (IoT Devices) | Network reconnaissance, information gathering | An adversary present on the home network can quickly check for weaknesses in the network and scan for vulnerable devices. | Digital devices connected to home router, home router, company’s laptop, IoT devices | 2 | 1 | 2 | 1 | 2 | Medium | Present |
Threat Categories | Threats | Possible Scenarios/Attack Vectors | Impacted Devices | D | R | E | A | D | DREAD Rating | Time Horizon |
---|---|---|---|---|---|---|---|---|---|---|
Eavesdropping/Interception/Hijacking | Eavesdropping (DNS poisoning/DNS spoofing/DNS manipulation) | An adversary can use a compromised home router to sniff HTTP and DNS requests for reconnaissance; thus he/she can perform a targeted phishing attack (spear phishing) which will be aligned with the current actions of the employees. | Home router, Wi-Fi segment, IoT devices | 2 | 2 | 1 | 1 | 2 | Medium | Present |
Eavesdropping/Interception/Hijacking | Eavesdropping (DNS poisoning/DNS spoofing/DNS manipulation) | Unsecured Wi-Fi can enable an adversary to perform reconnaissance and examine the network to identify the OS, applications, etc. running on the connected digital devices in order to target them. | Company’s laptop, home router, IoT devices | 2 | 1 | 2 | 1 | 2 | Medium | Present |
Eavesdropping/Interception/Hijacking | Side-channel attacks | Using the physical properties of a lamp in the home or the LED of a speaker, an adversary can record the conversation happening in a room in the house. | - | 3 | 2 | 2 | 2 | 2 | Medium | 1–3 years |
Eavesdropping/Interception/Hijacking | Eavesdropping (network reconnaissance and information gathering) | An adversary can use DNS queries to identify the version of the OS or software installed on the device in order to use the most suitable CVEs. | Home router, IoT devices | 1 | 2 | 2 | 1 | 1 | Low | Present |
Eavesdropping/Interception/Hijacking | Eavesdropping (network reconnaissance and information gathering) | An adversary can break into the employee’s house when no one is home (as ascertained by cameras) and steal sensitive data and equipment. | Digital devices connected to home router, home router, IoT devices | 1 | 2 | 3 | 1 | 1 | Medium | 1–3 years |
Eavesdropping/Interception/Hijacking | Corporate espionage | Home offices provide ample opportunities for an insider adversary to perform corporate espionage (e.g., extract data from a hard disk drive, or record a meeting at which sensitive information is discussed on a mobile phone and share it with a competitor). | Company’s laptop, IoT devices | 3 | 1 | 1 | 3 | 1 | Medium | Present |
Misconfiguration of Systems and Technologies | Credential discovery | Software can unintentionally reveal an employee’s credentials (e.g., in the computer registry), or an adversary who has compromised a victim’s system can obtain the credentials in cleartext. | Company’s laptop | 2 | 1 | 1 | 1 | 1 | Low | Present |
Misconfiguration of Systems and Technologies | Credential discovery | An adversary can crack and obtain weak local administrator credentials by dumping lsass.exe (with software such as Mimikatz) to obtain credentials in cleartext. | Company’s laptop | 2 | 2 | 1 | 1 | 2 | Medium | Present |
Misconfiguration of Systems and Technologies | Other misconfigurations | An adversary can misconfigure an employee’s mobile phone to accept and run untrusted APKs in order to compromise the phone. | Personal/company’s phone | 2 | 2 | 1 | 3 | 2 | Medium | Present |
Misconfiguration of Systems and Technologies | Other misconfigurations | An employee could set his/her AV client to run with low privileges or to cover only limited folders, leaving the device vulnerable to infection by malware. | Company’s laptop | 1 | 2 | 1 | 1 | 1 | Low | Present |
Misconfiguration of Systems and Technologies | Other misconfigurations | Changes made to an application or its configuration due to an employee’s lack of appropriate knowledge can create issues related to authorization or may leave a device in a vulnerable state. | Company’s laptop | 1 | 2 | 1 | 1 | 1 | Low | Present |
Physical Attack (Deliberate/Intentional) | Sabotage | Anyone with a grudge against a victim employee can intentionally destroy or damage digital devices or network communication to interfere with their normal functionality. | Company’s laptop, company’s documents, home router | 1 | 2 | 2 | 1 | 1 | Low | Present |
Physical Attack (Deliberate/Intentional) | Vandalism | Anyone with a grudge against a victim employee can deliberately destroy or damage the company’s assets in the employee’s home or assets that are accessible via devices in the employee’s home. | Company’s laptop, company’s documents, home router | 1 | 2 | 2 | 1 | 1 | Low | Present |
Physical Attack (Deliberate/Intentional) | Information leakage/sharing | An adversary can steal sensitive printed documents from an employee’s home. | Company’s documents | 1 | 2 | 2 | 1 | 1 | Low | Present |
Physical Attack (Deliberate/Intentional) | Information leakage/sharing | An adversary can steal sensitive information, like passwords, from the RAM of a stolen laptop. | Company’s laptop | 1 | 1 | 1 | 1 | 1 | Low | Present |
Physical Attack (Deliberate/Intentional) | Theft (devices, storage media, and documents) | Any thief can steal a company asset from an employee’s home for monetary gain. | Company’s laptop | 1 | 2 | 2 | 1 | 1 | Low | Present |
Unintentional Damage/Loss of Information or IT Assets | Loss of storage media and documents | Children in the home can damage or destroy sensitive documents or devices owned by the company. | Company’s documents and removable devices | 1 | 1 | 3 | 1 | 1 | Low | Present |
Unintentional Damage/Loss of Information or IT Assets | Loss of storage media and documents | An employee could lose his/her soft token or mobile phone and hence be unable to authenticate using the MFA method. | Personal/company’s mobile phone | 1 | 1 | 1 | 1 | 1 | Low | Present |
Unintentional Damage/Loss of Information or IT Assets | Damage caused by the employee or his/her family members | Liquid spilled on a company device in an employee’s home could damage the device. | Company’s laptop | 1 | 1 | 3 | 1 | 1 | Low | Present |
Unintentional Damage/Loss of Information or IT Assets | Maintenance errors | Disruption in the network or some other actions (performed by an employee or by background software services) might cause operational errors that could lead to a loss of information. | Company’s laptop | 1 | 2 | 1 | 1 | 1 | Low | Present |
Unintentional Damage/Loss of Information or IT Assets | Installation errors | Employees working at home may have a hard time installing an application, and it could be difficult for them to obtain remote assistance. | Company’s laptop | 1 | 2 | 1 | 1 | 1 | Low | Present |
Unintentional Damage/Loss of Information or IT Assets | Installation errors | Hardware failure in a digital device takes time to recover from in home offices. | Company’s laptop, home router | 1 | 2 | 1 | 1 | 1 | Low | Present |
References
- Gartner Survey 2020. Available online: https://www.gartner.com/en/newsroom/press-releases/2020-07-14-gartner-survey-reveals-82-percent-of-company-leaders-plan-to-allow-employees-to-work-remotely-some-of-the-time (accessed on 21 June 2022).
- Bitaab, M.; Cho, H.; Oest, A.; Zhang, P.; Sun, Z.; Pourmohamad, R.; Kim, D.; Bao, T.; Wang, R.; Shoshitaishvili, Y.; et al. Scam pandemic: How attackers exploit public fear through phishing. In Proceedings of the 2020 APWG Symposium on Electronic Crime Research (eCrime), Boston, MA, USA, 16–19 November 2020; pp. 1–10.
- CISA. Understanding Denial-of-Service Attacks. Available online: https://www.cisa.gov/uscert/ncas/tips/ST04-015 (accessed on 24 December 2022).
- Allot. Glossary of Common DDoS Attacks. Available online: https://www.allot.com/ddos-attack-glossary/ (accessed on 24 December 2022).
- Halavais, A.C. The Slashdot Effect: Analysis of a Large-Scale Public Conversation on the World Wide Web; University of Washington: Washington, DC, USA, 2001.
- Jia, Y.; Zhang, Y.; Weiss, R.J.; Wang, Q.; Shen, J.; Ren, F.; Chen, Z.; Nguyen, P.; Pang, R.; Moreno, I.L.; et al. Transfer learning from speaker verification to multispeaker text-to-speech synthesis. arXiv 2018, arXiv:1806.04558.
- Wiefling, S.; Iacono, L.L.; Dürmuth, M. Is this really you? An empirical study on risk-based authentication applied in the wild. In Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection, Lisbon, Portugal, 25–27 June 2019; pp. 134–148.
- Campobasso, M.; Allodi, L. Impersonation-as-a-service: Characterizing the emerging criminal infrastructure for user impersonation at scale. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual, 9–13 November 2020; pp. 1665–1680.
- IEEE Computer Society LAN MAN Standards Committee. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. ANSI/IEEE Std. 802.11, 1999 Edition. 1999. Available online: https://cir.nii.ac.jp/crid/1570291225409685248 (accessed on 12 February 2023).
- Vanhoef, M.; Piessens, F. Key reinstallation attacks: Forcing nonce reuse in WPA2. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 1313–1328.
- Heartfield, R.; Loukas, G.; Budimir, S.; Bezemskij, A.; Fontaine, J.R.; Filippoupolitis, A.; Roesch, E. A taxonomy of cyber-physical threats and impact in the smart home. Comput. Secur. 2018, 78, 398–428.
- Seri, B.; Livne, A. Exploiting BlueBorne in Linux-Based IoT Devices; Armis: Palo Alto, CA, USA, 2019.
- Kennedy, T.; Hunt, R. A review of WPAN security: Attacks and prevention. In Proceedings of the International Conference on Mobile Technology, Applications, and Systems, Yilan, Taiwan, 10–12 September 2008; pp. 1–8.
- Wolff, E.D.; Growley, K.; Gruden, M. Navigating the SolarWinds supply chain attack. Procure. Lawyer 2021, 56, 3–11.
- Razer’s Driver Infected. Available online: https://www.computerworld.com/article/2527857/gaming-mouse-maker-razer-hit-with-infected-firmware.html (accessed on 21 June 2022).
- Maskiewicz, J.; Ellis, B.; Mouradian, J.; Shacham, H. Mouse trap: Exploiting firmware updates in USB peripherals. In Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT 14), San Diego, CA, USA, 23 August 2014.
- Burger King Havoc on Google Assistant. Available online: https://www.engadget.com/2017-04-12-burger-king-wreaks-havoc-on-google-assistant-with-whopper-ad.html (accessed on 21 June 2022).
- Rogue Payment Warning—Alexa. Available online: https://www.telegraph.co.uk/news/2017/01/08/amazon-echo-rogue-payment-warning-tv-show-causes-alexa-order/ (accessed on 21 June 2022).
- Pingle, B.; Mairaj, A.; Javaid, A.Y. Real-world man-in-the-middle (MITM) attack implementation using open source tools for instructional use. In Proceedings of the 2018 IEEE International Conference on Electro/Information Technology (EIT), Rochester, MI, USA, 3–5 May 2018; pp. 192–197.
- Chordiya, A.R.; Majumder, S.; Javaid, A.Y. Man-in-the-middle (MITM) attack based hijacking of HTTP traffic using open source tools. In Proceedings of the 2018 IEEE International Conference on Electro/Information Technology (EIT), Rochester, MI, USA, 3–5 May 2018; pp. 438–443.
- Green, I. DNS Spoofing by the Man in the Middle. 2005. Available online: https://www.sans.org/white-papers/1567/ (accessed on 1 February 2023).
- Tripathi, N.; Swarnkar, M.; Hubballi, N. DNS spoofing in local networks made easy. In Proceedings of the 2017 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), Bhubaneswar, India, 17–20 December 2017; pp. 1–6.
- Hastings, N.E.; McLean, P.A. TCP/IP spoofing fundamentals. In Proceedings of the 1996 IEEE Fifteenth Annual International Phoenix Conference on Computers and Communications, Scottsdale, AZ, USA, 27–30 March 1996; pp. 218–224.
- WiFi Eavesdropping: Attack Overview and Challenges. Available online: https://www.ukessays.com/essays/computer-science/wifi-eavesdropping-attack-overview-and-challenegs.php (accessed on 21 June 2022).
- Acar, A.; Fereidooni, H.; Abera, T.; Sikder, A.K.; Miettinen, M.; Aksu, H.; Conti, M.; Sadeghi, A.R.; Uluagac, S. Peek-a-boo: I see your smart home activities, even encrypted! In Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Linz, Austria, 8–10 July 2020; pp. 207–218.
- Zhao, F.; Hori, Y.; Sakurai, K. Analysis of privacy disclosure in DNS query. In Proceedings of the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE’07), Busan, Republic of Korea, 24–26 April 2007; pp. 952–957.
- Velan, P.; Čermák, M.; Čeleda, P.; Drašar, M. A survey of methods for encrypted traffic classification and analysis. Int. J. Netw. Manag. 2015, 25, 355–374.
- Kotak, J.; Elovici, Y. IoT device identification using deep learning. In Proceedings of the 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020), Burgos, Spain, 27 September 2021; pp. 76–86.
- Tang, J.; Yang, L.; Liu, S.; Liu, W.; Wang, M.; Wang, C.; Jiang, B.; Lu, Z. Caps-LSTM: A Novel Hierarchical Encrypted VPN Network Traffic Identification Using CapsNet and LSTM. In Proceedings of the International Conference on Science of Cyber Security, Shimane, Japan, 10–12 August 2021; pp. 139–153.
- Nassi, B.; Pirutin, Y.; Shamir, A.; Elovici, Y.; Zadov, B. Lamphone: Real-time passive sound recovery from light bulb vibrations. Cryptol. ePrint Arch. 2020. Available online: https://eprint.iacr.org/2020/708 (accessed on 21 June 2022).
- Nassi, B.; Pirutin, Y.; Galor, T.; Elovici, Y.; Zadov, B. Glowworm Attack: Optical TEMPEST Sound Recovery via a Device’s Power Indicator LED. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual, 15–19 November 2021; pp. 1900–1914.
- Callegati, F.; Cerroni, W.; Ramilli, M. Man-in-the-Middle Attack to the HTTPS Protocol. IEEE Secur. Priv. 2009, 7, 78–81.
- Pateriya, P.K.; Kumar, S.S. Analysis on Man in the Middle Attack on SSL. Int. J. Comput. Appl. 2012, 45, 43–46.
- Mozilla. Use Primary Password to Protect Stored Logins. Available online: https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins (accessed on 21 June 2022).
- Matsui, M. Linear cryptanalysis method for DES cipher. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; pp. 386–397.
- Nahari, S. Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques. 2021. Available online: https://www.cyberark.com/resources/threat-research-blog/mfa-bypass-techniques-from-red-team-research (accessed on 21 June 2022).
- Tassey, M.; Perkins, R. Wireless aerial surveillance platform. In Proceedings of the DEFCON Conference, Las Vegas, NV, USA, 8–11 October 2011.
- Reed, T.; Geis, J.; Dietrich, S. SkyNET: A 3G-Enabled Mobile Attack Drone and Stealth Botmaster. In Proceedings of the 5th USENIX Workshop on Offensive Technologies (WOOT 11), San Francisco, CA, USA, 8 August 2011.
- Ronen, E.; Shamir, A.; Weingarten, A.O.; O’Flynn, C. IoT goes nuclear: Creating a ZigBee chain reaction. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–24 May 2017; pp. 195–212.
- Greenberg, A. Watch a Drone Take over a Nearby Smart TV. 2019. Available online: https://www.wired.com/story/smart-tv-drone-hack/ (accessed on 21 June 2022).
- Toh, J.; Hatib, M.; Porzecanski, O.; Elovici, Y. Cyber security patrol: Detecting fake and vulnerable wifi-enabled printers. In Proceedings of the Symposium on Applied Computing, Marrakech, Morocco, 3–7 April 2017; pp. 535–542.
- Nassi, B.; Shabtai, A.; Masuoka, R.; Elovici, Y. SoK-security and privacy in the age of drones: Threats, challenges, solution mechanisms, and scientific gaps. arXiv 2019, arXiv:1903.05155.
- Iperov. Real-Time Face Swap for PC Streaming or Video Calls. Available online: https://github.com/iperov/DeepFaceLive (accessed on 21 June 2022).
- Alievk. Avatars for Zoom, Skype and Other Video-Conferencing Apps. Available online: https://github.com/alievk/avatarify-python (accessed on 21 June 2022).
- CorentinJ. Clone a Voice in 5 Seconds to Generate Arbitrary Speech in Real-Time. Available online: https://github.com/CorentinJ/Real-Time-Voice-Cloning (accessed on 21 June 2022).
- Aafer, Y.; You, W.; Sun, Y.; Shi, Y.; Zhang, X.; Yin, H. Android {SmartTVs} Vulnerability Discovery via {Log-Guided} Fuzzing. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Virtual, 11–13 August 2021; pp. 2759–2776. [Google Scholar]
- Goodin, D. Smart TV Hack Embeds Attack Code into Broadcast Signal—No Access Required. 2017. Available online: https://arstechnica.com/information-technology/2017/03/smart-tv-hack-embeds-attack-code-into-broadcast-signal-no-access-required/ (accessed on 21 June 2022).
- Meier, J. Improving Web Application Security: Threats and Countermeasures; Microsoft Press: Unterschleissheim, Germany, 2003. [Google Scholar]
- Nassi, B.; Ben-Netanel, R.; Shamir, A.; Elovici, Y. Drones’ cryptanalysis-smashing cryptography with a flicker. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2019; pp. 1397–1414. [Google Scholar]
- Nuss, B.; Sit, L.; Fennel, M.; Mayer, J.; Mahler, T.; Zwick, T. MIMO OFDM radar system for drone detection. In Proceedings of the 2017 18th International Radar Symposium (IRS), Prague, Czech Republic, 28–30 June 2017; pp. 1–9. [Google Scholar]
- England, P.; Malvar, H.S.; Horvitz, E.; Stokes, J.W.; Fournet, C.; Burke-Aguero, R.; Chamayou, A.; Clebsch, S.; Costa, M.; Deutscher, J.; et al. Amp: Authentication of media via provenance. In Proceedings of the 12th ACM Multimedia Systems Conference, Istanbul, Turkey, 28 May–1 June 2021; pp. 108–121. [Google Scholar]
- Yousuf, B.; Qureshi, M.A.; Spillane, B.; Munnelly, G.; Carroll, O.; Runswick, M.; Park, K.; Culloty, E.; Conlan, O.; Suiter, J. PROVENANCE: An Intermediary-Free Solution for Digital Content Verification. arXiv 2021, arXiv:2111.08791. [Google Scholar]
- Li, Y.; Lyu, S. Exposing deepfake videos by detecting face warping artifacts. arXiv 2018, arXiv:1811.00656. [Google Scholar]
- Ciftci, U.A.; Demir, I.; Yin, L. Fakecatcher: Detection of synthetic portrait videos using biological signals. IEEE Trans. Pattern Anal. Mach. Intell. 2020. [CrossRef] [PubMed]
- Li, L.; Bao, J.; Zhang, T.; Yang, H.; Chen, D.; Wen, F.; Guo, B. Face x-ray for more general face forgery detection. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, WA, USA, 19–20 June 2020; pp. 5001–5010. [Google Scholar]
- Bolles, R.C.; Burns, J.B.; Graciarena, M.; Kathol, A.; Lawson, A.; McLaren, M.; Mensink, T. Spotting Audio-Visual Inconsistencies (SAVI) in Manipulated Video. In Proceedings of the CVPR Workshops, Honolulu, HI, USA, 21–26 July 2017; pp. 1907–1914. [Google Scholar]
- Güera, D.; Delp, E.J. Deepfake video detection using recurrent neural networks. In Proceedings of the 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS), Auckland, New Zealand, 27–30 November 2018; pp. 1–6. [Google Scholar]
- Agarwal, S.; Farid, H.; Gu, Y.; He, M.; Nagano, K.; Li, H. Protecting World Leaders Against Deep Fakes. In Proceedings of the CVPR Workshops, Long Beach, CA, USA, 16–20 June 2019; Volume 1. [Google Scholar]
- Marra, F.; Gragnaniello, D.; Verdoliva, L.; Poggi, G. Do gans leave artificial fingerprints? In Proceedings of the 2019 IEEE Conference on Multimedia Information Processing and Retrieval (MIPR), San Jose, CA, USA, 28–30 March 2019; pp. 506–511. [Google Scholar]
- Xuan, X.; Peng, B.; Wang, W.; Dong, J. On the generalization of GAN image forensics. In Proceedings of the Chinese Conference on Biometric Recognition, Zhuzhou, China, 12–13 October 2019; pp. 134–141. [Google Scholar]
- Tolbert, M. Vulnerabilities of Multi-factor Authentication in Modern Computer Networks. Ph.D. Thesis, Worcester Polytechnic Institute, Worcester, UK, 2021. [Google Scholar]
- Künnemann, R.; Steel, G. YubiSecure? Formal security analysis results for the Yubikey and YubiHSM. In Proceedings of the International Workshop on Security and Trust Management, Pisa, Italy, 13–14 September 2012; pp. 257–272. [Google Scholar]
- Ren, J.; Dubois, D.J.; Choffnes, D.; Mandalari, A.M.; Kolcun, R.; Haddadi, H. Information exposure from consumer iot devices: A multidimensional, network-informed measurement approach. In Proceedings of the Internet Measurement Conference, Amsterdam, The Netherlands, 21–23 October 2019; pp. 267–279. [Google Scholar]
- Mohammadmoradi, H.; Gnawali, O. Making whitelisting-based defense work against badusb. In Proceedings of the 2nd International Conference on Smart Digital Environment, Rabat, Morocco, 18–20 October 2018; pp. 127–134. [Google Scholar]
- Microsoft Inture—Restrict USB. Available online: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/restrict-usb-with-administrative-template (accessed on 21 June 2022).
- Kakarla, S.K.R.; Tang, A.; Beckett, R.; Jayaraman, K.; Millstein, T.; Tamir, Y.; Varghese, G. Finding network misconfigurations by automatic template inference. In Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), Santa Clara, CA, USA, 25–27 February 2020; pp. 999–1013. [Google Scholar]
- Harikrishnan, N.; Vinayakumar, R.; Soman, K. A machine learning approach towards phishing email detection. In Proceedings of the Anti-Phishing Pilot at ACM International Workshop on Security and Privacy Analytics (IWSPA AP), Tempe, AZ, USA, 21 March 2018; Volume 2013, pp. 455–468. [Google Scholar]
- Gangavarapu, T.; Jaidhar, C.; Chanduka, B. Applicability of machine learning in spam and phishing email filtering: Review and approaches. Artif. Intell. Rev. 2020, 53, 5019–5081. [Google Scholar] [CrossRef]
- Smadi, S.; Aslam, N.; Zhang, L. Detection of online phishing email using dynamic evolving neural network based on reinforcement learning. Decis. Support Syst. 2018, 107, 88–102. [Google Scholar] [CrossRef] [Green Version]
- He, Z.; Zhang, T.; Lee, R.B. Machine learning based DDoS attack detection from source side in cloud. In Proceedings of the 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud), New York, NY, USA, 26–28 June 2017; pp. 114–120. [Google Scholar]
- Yuan, X.; Li, C.; Li, X. DeepDefense: Identifying DDoS attack via deep learning. In Proceedings of the 2017 IEEE International Conference on Smart Computing (SMARTCOMP), Piscataway, NJ, USA, 29–31 May 2017; pp. 1–8. [Google Scholar]
- Trusted App Protection (TAP). Available online: https://www.beyondtrust.com/docs/privilege-management/windows/admin/policies-and-templates/templates/trusted-app-protection.htm (accessed on 1 February 2023).
- Lee, P.S. ONP: Man-in-the-Middle Attack Prevention (Early Availability). 2019. Available online: https://community.checkpoint.com/t5/Mobile/ONP-Man-in-the-Middle-attack-prevention-early-availability/m-p/41710 (accessed on 21 June 2022).
- Mirsky, Y.; Kalbo, N.; Elovici, Y.; Shabtai, A. Vesper: Using echo analysis to detect man-in-the-middle attacks in LANs. IEEE Trans. Inf. Forensics Secur. 2018, 14, 1638–1653. [Google Scholar] [CrossRef] [Green Version]
- Gupta, A.A. Length Hiding VPN to Mitigate Compression Side-Channel and Traffic Analysis Attacks. Ph.D. Thesis, University of Minnesota, Minneapolis, MN, USA, 2017. [Google Scholar]
- Panda, S. Experience a Faster and More Private Internet in Library and Information Centres with 1.1. 1.1 DNS Resolver. Int. J. Smart Sens. Adhoc Netw. 2022, 3, 41–50. [Google Scholar] [CrossRef]
| DREAD factor | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Damage potential | The attacker subverts the system and can inflict minor damage. | The attacker subverts the system and can inflict moderate damage. | The attacker subverts the system and can inflict serious damage. |
| Reproducibility | The attack is very difficult to reproduce, even with full knowledge of the security hole. | The attack can be reproduced, but only in limited settings. | The attack can be reproduced every time. |
| Exploitability | The attack requires an extremely skilled operator with in-depth knowledge of the system. | The attack requires a skilled operator with fundamental knowledge of the system. | The attack requires little or no knowledge of the system. |
| Affected users | A very small percentage of everyday users will be affected by the attack. | A sizeable portion of everyday users will be affected by the attack. | The majority of everyday users will be affected by the attack. |
| Discoverability | Vulnerabilities are difficult to find and, if found, are very difficult to weaponize; attacking the affected applications and systems is extremely difficult. | Vulnerabilities are uncommon and found only in certain applications and systems; discovering exploitable weaknesses requires specific skills. | Published information readily explains the attack; vulnerabilities are found in the most commonly used applications and systems. |
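The table defines the per-factor scale; a practitioner applying it also needs the scoring and ranking step. The helper below is an added example and not code from the paper: it validates the five DREAD ratings against the 1/2/3 levels of the table, sums them to a 5..15 total, ranks a set of threats, and buckets each total into a risk band. The band boundaries (5–7 Low, 8–11 Medium, 12–15 High) are an assumption taken from the common DREAD convention and are not stated on this page, and the sample threats and their ratings are constructed for illustration, not the authors' assessments.

```python
"""DREAD scorer for the 1-3 rating scale in the table above (added example).

Factor names and the 1/2/3 levels follow the table. The risk bands and the
sample ratings are assumptions made for this example, not values from the paper.
"""
from dataclasses import dataclass

FACTORS = ("damage_potential", "reproducibility", "exploitability",
           "affected_users", "discoverability")
LEVELS = {1: "Low", 2: "Medium", 3: "High"}

# Assumed bands over the 5..15 total (common DREAD convention; adjust to policy).
BANDS = ((12, 15, "High"), (8, 11, "Medium"), (5, 7, "Low"))


@dataclass(frozen=True)
class DreadRating:
    name: str
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the table's three levels before it can skew a total.
        for f in FACTORS:
            v = getattr(self, f)
            if v not in LEVELS:
                raise ValueError(f"{self.name}: {f}={v!r} is not 1, 2 or 3")

    def scores(self):
        return {f: getattr(self, f) for f in FACTORS}

    def total(self):
        return sum(self.scores().values())

    def band(self):
        t = self.total()
        for lo, hi, label in BANDS:
            if lo <= t <= hi:
                return label
        raise AssertionError("unreachable: a validated total is always 5..15")


def rank(ratings):
    """Highest total first; ties broken by damage potential, then exploitability, then name."""
    return sorted(ratings, key=lambda r: (-r.total(), -r.damage_potential,
                                          -r.exploitability, r.name))


def explain(r):
    # Factor initials read D, R, E, A, D, matching the acronym.
    parts = ", ".join(f"{f[0].upper()}={LEVELS[v]}({v})" for f, v in r.scores().items())
    return f"{r.name}: {parts} -> {r.total()}/15 ({r.band()})"


# Constructed sample ratings (illustrative values only).
SAMPLE = [
    DreadRating("credential phishing on home device", 3, 3, 3, 3, 3),
    DreadRating("optical side channel via power LED", 2, 2, 1, 1, 1),
    DreadRating("rogue Wi-Fi access point", 2, 3, 2, 2, 3),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(explain(r))
```

Because a five-factor sum hides which factor drove the score, `explain` prints the per-factor levels next to the total; when two threats land in the same band, the tie-break on damage potential keeps the one with the worse outcome ahead.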
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Kotak, J.; Habler, E.; Brodt, O.; Shabtai, A.; Elovici, Y. Information Security Threats and Working from Home Culture: Taxonomy, Risk Assessment and Solutions. Sensors 2023, 23, 4018. https://doi.org/10.3390/s23084018
Kotak J, Habler E, Brodt O, Shabtai A, Elovici Y. Information Security Threats and Working from Home Culture: Taxonomy, Risk Assessment and Solutions. Sensors. 2023; 23(8):4018. https://doi.org/10.3390/s23084018
Chicago/Turabian Style: Kotak, Jaidip, Edan Habler, Oleg Brodt, Asaf Shabtai, and Yuval Elovici. 2023. "Information Security Threats and Working from Home Culture: Taxonomy, Risk Assessment and Solutions." Sensors 23, no. 8: 4018. https://doi.org/10.3390/s23084018