Thanks to coronavirus, many organizations that hitherto did not give remote work any significant consideration are seriously considering the possibility of a post-covid world where remote working is the norm among members of staff. Others are now considering large scale remote working (Work-From-Home, WFH) on a more permanent basis, as a cost cutting measure.
Traditionally, security architectures are designed to have all (or most) trusted users within the high trust zone (internal company network) while VPNs, firewalls etc. are used to control and protect access from zones of lower trust. This paradigm has influenced how we approach security in very many ways -be it in security governance (policy controls), physical controls, technical controls and complimentary controls i.e. the use of one type of control to mitigate weakness linked to another type of control (e.g. physical access control to protect a system that is vulnerable to a JTAG memory extraction). Permanent, wholesale remote working will cause a shift in the tectonic plates of the threat landscape, altering known attack paths and thereby rendering known vulnerability mitigation strategies inadequate for the challenge. Companies must re-think, re-strategize and re-tool for the new realities that await. To get this conversation going, here are interesting points on some vulnerabilities that need to be re-assessed as companies adapt to this new reality.
Legacy technology is like that old pair of jeans you wore as a teenager. “They are comfortable” was always your answer to any inquiry. In a world of exponential change, legacy technology is trouble. Continuing to use outdated technology of all sorts is costly beyond the financial spectrum.
In continuing reluctance to change, companies often justify continuous use of these legacy systems by using compensating measures like preventing internet access to such systems, thus reducing the attack surface of these systems.
In the WFH workplace, some legacy systems will have to be put on the internet to allow for remote employee access. This action will widen the attack surface of the legacy systems and increase overall likelihood of an attacker infiltrating your entire infrastructure. For companies that must use legacy systems, (if you can avoid it, you should) there is a need to re-think and possibly re-design the compensating security measures to address this new reality. Examples include placing legacy devices in a separate network segment, hardening access control requirements for legacy systems, turning them on only during working hours, etc.
As WFH continues to gather steam, resilience of the enterprise network infrastructure becomes increasingly paramount as well. Managing load on the network will become an increasing challenge for CTOs. As they rapidly roll out enterprise VPNs and remote desktop solutions to give employees access to sensitive resources and internal applications, CTOs must find ways to balance the volume on the network. Plus, they need to keep it secure.
On secure communications, companies now rely on VPN technology for secure remote access. VPN services are either locally hosted by the companies or paid for as a service. However, it is not the silver bullet that solves all network security issues. Firstly, a badly configured VPN will leave you as exposed to attacks as one with no VPN. Secondly, if service availability is not carefully considered in VPN installation, you could have a serious vulnerability of a “single point of failure”.
Vulnerability to service disruptions in WFH could practically ground the entire organizations’ activities. In a scenario where all users are dependent on some server(s) to access official tools & resources while working remotely, then anything going wrong to that server(s) (e.g. DOS) means everyone loses access and work grinds to a halt. The popular D/DOS attacks create large volumes of ‘garbage’ traffic to saturate the network, but there are others such as attacking the intricacies of the VPN protocol. A flow as little as 1Mbps can knock a VPN service offline. Sadly, in D/DOS circumstances (whatever the type), reverting to paper-based activities as a backup is not practicable due to geographical separation between WFH workers. Thus, in a WFH world, the impact of availability-linked attacks is significantly higher.
Companies must re-evaluate their threat scenarios considering these new possibilities and respond appropriately with the right tools and enterprise infrastructure to mitigate this threat. Consider efficient bandwidth management, load balancing, cloud infrastructure, and prioritizing the use of trusted-vendor applications that are tested and certified to a certain degree of assurance.
(Un)Authorized Device Use
It is often said that “our true self, is who we are when no one is watching”. This statement is no less true when people work from home. People tend to default to habits, including those they would not indulge in publicly. This ranges from benign habits like working in a pyjama to less agreeable ones like using official devices for viewing pornographic content. It is well known that pornographic sites are notorious for social engineering, drive-by and watering hole attacks. Thus, such employee actions should be worrying for employers. A recent study conducted by Kaspersky indicates that “51% of workers who admit they have started watching more adult content, since working from home, say they have done so on devices they use for work-related purposes. Nearly a fifth (18%) of workers even do this on devices provided to them by their employers, with 33% admitting to watching adult content on their personal devices that they also use to do their work.”
Companies must critically reconsider what constitutes “acceptable use” policy of the organization and deploy appropriate tools that enforce these policies.
The line between personal and official devices blurs for a significant number of users in a WFH setup. For example, the company’s computers are connected to home devices like printers, scanners etc. and connect to the internet via the home network. Sadly, most of these consumer-grade devices are notoriously insecure and have very serious security design flaws. In the name of usability (ease of use), they are simplistically designed, focusing only on the device’s core functionality. Most of them do not come with security-enhancing functionalities that may be found in enterprise versions of the same device. An example is a home device that fails to notify users when firmware updates become available, even though those updates are essential to patch security holes, some other devices will not accept long or complex passwords. On the other hand, consumer-devices that come with good security features tend to be too difficult to configure for the ordinary user and as such those features are left untouched.
Thus, a vast majority of these devices are not properly maintained, not securely configured or their software might be unpatched, hence vulnerable. The increasing adoption of connected home automation (smart home) devices to the home network, further heightens the intractability of properly managing the attack vectors.
From an enterprise perspective, it is important to rethink the difference in context that WFH involves and how it impacts organizational risk posture. This should reflect on the choice of enterprise tools that must be deployed to protect devices and network communications. Such tools include endpoint protection software, secure routers/MODEMS, VPN software, etc.
Remote Access Policy
As people adopt WFH, traditional office centred security policies will serve increasingly smaller audience. Thus, policy regarding remote working environment should include prevention of eavesdropping by encouraging staff members to stay in secluded areas when participating in (sensitive) meetings where strategic company matters are discussed.
Policies regarding remote login should also be hardened. As much as possible prioritize multifactor authentication for user authentication.
Incident Response Turnaround
In the event of a cyber incident, responsiveness/turnaround time between when information is shared, to when it is acted upon becomes very difficult to predict and control. Hence a minimum responsiveness time should be defined for all WFH users to encourage active engagement and faster responsiveness.
The vulnerabilities mentioned above are by no means exhaustive but should serve as a catalyst in starting the conversations around the long-term security implications of WFH and what changes must be done to equip the enterprise of the future.
Finally, changes to the threat landscape means that companies will need to be adaptable in taking preventive steps to mitigate risks and stay ahead in the game.