As we all know, the COVID-19 pandemic turned the world and the workplace upside down, making remote work not just an option but an absolute necessity. Businesses scrambled to pivot, and employees were thrust into the new reality of home offices and Zoom and Teams meetings. But along with these major changes came an unexpected yet fascinating side effect – the rise of ‘digital nomadism.’ This shift has allowed many people to break away from the traditional workplace commute and merge their personal wanderlust with their professional responsibilities.
We’ve all seen these Digital Nomads post photos on social media with their laptops cracked open from trendy cafes and beach clubs on opposite ends of the world, and of course this meme was on everyone’s LinkedIn feed for just about all of 2021 and 2022:
With working outside the office comes the risk of working outside the network firewalls. While Hollywood studios would make us think that hackers are hiding in the dark corners of aforementioned international cafes and beach clubs wearing hoodies and sunglasses launching attacks on unsuspecting corporate “wander-lusters”, these types of in-person occurrences are extremely rare.
The absolute highest risk of remote work would be, you guessed it, joining public Wi-Fi networks. While the hackers probably aren’t there in person, they are omnipresent through the devices that they were previously able to infect on any given public network, especially when the hacker has successfully installed a mechanism of persistence. More often than not, these previously infected machines are just regular people’s personal or work laptops that have poor security. The large number of infected machines becomes a hacker’s botnet to orchestrate further attacks through.
The overwhelming majority of public network attacks we see are being proxied through the aforementioned previously infected machines within a botnet, and more often than not, these attacks are fully automated and scripted. On the low end, we’ll see machines that have been infected by malware try to self-propagate to other machines, thus growing the botnet. On the high end, we’ll see devices on a network that hackers have successfully compromised and on which they have established persistence (via a backdoor), so that the machine can be used to proxy future attacks through. Hackers continue to hack devices to grow the size and reach of their botnets to find ways into high value business targets.
Here’s how it works, from a technical perspective. When an infected device joins a network, all the other devices on that same network will show up in the device’s ARP table. Hackers have millions of tricks up their sleeves, but they will likely set up a network proxy on the compromised device to be able to send attacks directly to neighboring devices on that network while hiding their true IP address and location. Many scripted attacks will wait for a new device to join the network (and show up in the compromised machine’s ARP table), then automatically scan that machine for vulnerabilities, which could include open ports on the device’s host firewall as well as software vulnerabilities. In either an automated or manual attack chain, the hacker delivers an attack to new devices on the network through the compromised machine, exploiting misconfigurations and vulnerabilities on these other devices to gain initial access, followed by privilege escalation. At that point, the new device is part of the hacker’s botnet and can be used in future attacks.
Once a hacker gains access to a remote worker’s device, the amount of damage they can do to their company is enormous. Hackers may be able to monitor keystrokes, view the live desktop, watch through the webcam, etc. If a hacker is able to establish persistence on a worker’s device, and that worker connects over VPN to a corporate network (or returns to the office), then the hacker will undoubtedly use that machine to attack corporate resources, which is the ultimate goal.
So, what can remote workers do to secure their devices?
How to Keep Your Data Secure as a Digital Nomad?
The easiest thing that everyone can do for $0 to protect their machines would be to enable the built-in Windows and macOS host firewall on their devices and turn on the native stealth mode functionality.
DISCLAIMER: Please check in with your IT Department before making any changes to your device. For those who are on BYOD devices and have admin access to their own machine, here are step by step instructions you can follow (again, after first consulting your IT department!)
SECOND DISCLAIMER: These instructions were written in July 2023. Future changes in your system settings may make these instructions incorrect or obsolete. I will try to remember to update these instructions to keep them current, but I can’t make any promises.
Windows: enable the Windows Defender Firewall
- Click on the “Start” button, which is the Windows logo at the bottom left corner of the screen.
- Type “Control Panel” into the search bar that appears and press Enter. Click on the Control Panel app to open it.
- In the Control Panel, click on “System and Security”.
- Click on “Windows Defender Firewall”.
- On the left-hand side, you should see an option for “Turn Windows Defender Firewall on or off”. Click on it.
- You’ll be prompted for an administrator password or for a confirmation. Type the password or provide the confirmation.
- In the Customize Settings window, select “Turn on Windows Defender Firewall” for both private and public network settings.
- Click “OK” to apply the changes.
Windows: set your Wi-Fi network profile to Public
- Click on the “Start” button again.
- Click on “Settings” (the gear icon).
- In the Settings window, click on “Network & Internet”.
- Click on “Wi-Fi” in the left pane, then click on your connected network.
- A window will pop up with more information about your network. Find the setting for “Network profile”.
- Click on “Public”. This will set your network profile to public, which means your PC will be hidden from other devices on the network and file and printer sharing will be turned off.
macOS: enable the firewall and stealth mode
- Click on the Apple menu in the top-left corner of the screen and select “System Settings”.
- In the System Settings window, click on “Network”.
- Click on the “Firewall” tab.
- If the firewall shows “Active”, you’re good to go; if it is inactive, click into the firewall settings and flip the toggle to the right.
- Below the Firewall Toggle, click on the “Options” button. This is where you can choose which incoming connections to allow or block.
- Move the toggle that says “Enable stealth mode” to the right. Stealth mode makes your Mac less visible by not responding to probing requests. This can help protect your Mac on public networks.
- Click “OK” to save your changes.
These steps will significantly reduce the vulnerability of your device on public networks. But by no means do they make you anywhere close to bulletproof.
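As an added example (not code from this post or from Defensive Networks), here is a small Python script that checks from the command line what the steps above set through the GUI: on macOS it asks Apple’s socketfilterfw tool for the firewall and stealth mode state, and on Windows it reads the firewall state of the Domain, Private and Public profiles from netsh and the network category of each active connection from PowerShell. Python is used so that one script covers both platforms; the parsers take the tools’ text output, so they can be exercised with constructed sample output on any machine.

```python
import platform
import re
import subprocess

# Apple's application-firewall CLI; --getglobalstate / --getstealthmode are real flags.
SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

def parse_macos(global_state: str, stealth: str) -> dict:
    # Replies look like "Firewall is enabled. (State = 1)" / "Stealth mode enabled";
    # the unhardened variants say "disabled", which the word-bounded match rejects.
    enabled = re.compile(r"\benabled\b", re.IGNORECASE)
    return {"firewall_on": bool(enabled.search(global_state)),
            "stealth_mode_on": bool(enabled.search(stealth))}

def parse_windows(all_profiles: str) -> dict:
    # `netsh advfirewall show allprofiles` prints a Domain, Private and Public
    # block, each carrying a "State   ON|OFF" line (English output assumed).
    result, profile = {}, None
    for line in all_profiles.splitlines():
        block = re.match(r"\s*(Domain|Private|Public) Profile Settings:", line)
        if block:
            profile = block.group(1).lower()
            continue
        state = re.match(r"\s*State\s+(ON|OFF)\s*$", line)
        if state and profile:
            result[f"{profile}_firewall_on"] = state.group(1) == "ON"
    return result

def _run(cmd: list) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def audit() -> dict:
    # Query the current platform's own tool and return {setting: is_hardened}.
    system = platform.system()
    if system == "Darwin":
        return parse_macos(_run([SOCKETFILTERFW, "--getglobalstate"]),
                           _run([SOCKETFILTERFW, "--getstealthmode"]))
    if system == "Windows":
        result = parse_windows(_run(["netsh", "advfirewall", "show", "allprofiles"]))
        # Second Windows procedure in the post: every active connection should be Public.
        categories = _run(["powershell", "-NoProfile", "-Command",
                           "(Get-NetConnectionProfile).NetworkCategory"]).split()
        result["all_connections_public"] = bool(categories) and all(
            c == "Public" for c in categories)
        return result
    return {}  # other platforms are outside the post's scope

if __name__ == "__main__":
    for setting, hardened in audit().items():
        print(f"{'OK ' if hardened else 'FIX'}  {setting}")
```

netsh prints localized text on non-English Windows installs, so the State match is an assumption that holds for the English output; any setting reported as FIX maps directly to one of the GUI steps above.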
For better protection when working remotely, you’ll want to install modern endpoint protection software on your machine to protect against attacks, an endpoint management and patching solution, as well as a VPN or Security Service Edge (SSE) network client. These are tools of varying price and sophistication, so if you are a remote worker, please inquire with the IT and Information Security leaders within your organization about these types of technologies (also, encourage them to reach out to Defensive Networks!)
If you are an IT or InfoSec engineer or leader who is looking to improve the security posture of your remote workforce, please don’t hesitate to reach out; we’re here to support you and design a highly bespoke solution that will fit your needs and budget.