As organizations and teams worldwide are thrust into remote work for the foreseeable future, leaders are paying renewed attention to issues of productivity, connectivity, and culture. But then there’s security: If you have hundreds or thousands of people who would normally come into the office now working from home – indefinitely – your security landscape has changed.
How much has it changed? Brian Wilson, CISO at SAS, points out that all manner of hardware and equipment is now exiting the premises, or already has. Any client or endpoint under your purview needs the same security controls in place as on devices that were always intended for external use.
“All of the client systems we managed – be they desktop or laptop – must have the same security controls,” Wilson says. “If an employee takes a desktop home, you need the ability to protect and manage it as if it were still in the office.”
There’s another underlying truth about securing a remote workforce: There’s no turnkey solution for doing so, especially not when tasked with doing so in rapid, disruptive fashion. “There is no easy switch for work from home security, no single tool that can be bought and implemented,” says Jerry Gamblin, principal security engineer at Kenna Security.
With that in mind, let’s look at five smart security practices for remote workforces – to ensure you’re managing risks as well as possible during a historically difficult time.
1. Understand the remote work threat model – and threat actor
“The most fundamental and immediate step for CIOs, CISOs and other IT leaders to boost security in environments that have gone entirely remote or work-from-home is to understand the threat model of a remote worker,” says Isidoros Monogioudis, director of information security, Digital Shadows. “This will help systematically ascertain the risks, threats, and mitigation tactics for a given scenario.”
That model could include everything from a leaky home Wi-Fi network to highly targeted phishing campaigns to far greater distraction among end users. (None of us can really be blamed for the latter, either.) Take your pick from among countless surveys and reports that paint a long-ugly picture of router security, for example – default passwords still in place, old firmware, you name it.
Actually mapping out your new landscape “will help systematically ascertain the risks, threats, and mitigation tactics for a given scenario,” Monogioudis says, before sharing five example areas of concern to consider for modeling purposes:
- Organized cybercriminals who could exploit the use of personal devices with fewer security measures/controls in place. Bad actors have a higher probability of gaining unauthorized access to corporate services and resources as a result.
- Fraudsters who could leverage the COVID-19 outbreak to exploit workers who are not used to working on personal and/or mobile devices.
- Reckless/distracted/disgruntled users who might not be used to remote working and could generate issues with accidental sensitive data exposure, mistakes in file sharing, and so forth.
- Hacktivists who have ramped up phishing attacks to capitalize on the increased number of end users now more exposed to the Internet, where they can more easily be targeted.
- State actors who aim to target remote workers from governmental and other critical infrastructure entities who now have access to restricted resources from home.
Numerous CIOs report a rising number of phishing attempts right now, with people seeing them on work and personal email addresses alike. As Red Hat chief security architect Mike Bursell notes:
“Many phishing emails look exactly the same as a normal email from the relevant party. To be clear, it is impossible for anyone, even an expert, to ascertain at first look whether a polished and sophisticated phishing email is genuine or not. There are ways to tell, if you’re an expert, by looking in more detail at the actual details of the email, but most people will not be able to tell. I have nearly been caught over the past week, as have one of my kids and my wife.” His instruction to his family: Never click on the links in an email. Go to the appropriate website yourself, instead.
Indeed, Monogioudis expects phishing to be the top active attack vector, and that it will probably be more successful than usual.
But it’s not the only threat to watch out for. Availability-based attacks (such as denial-of-service campaigns) will be popular given the general rise in Internet traffic and massive usage of remote-work platforms, according to Monogioudis. Data leakage will be a heightened risk, whether through inadvertent disclosures, weak credentials, or other means. Software bug exploits will remain a key issue. And stolen or leaked user credentials will need to be monitored even more closely: “This will still be one of the top ways attackers can gain access to unauthorized resources,” Monogioudis says.
2. Narrow your exposure as much as possible
If many of these threats sound familiar, that’s the “good” news. The other news: Your threat surface has likely expanded exponentially, and you need to act accordingly by limiting your risks as much as possible.
“As services that have not been traditionally available externally are enabled for remote access, it’s important to keep the attack surface as narrow as possible,” says Jack Mannino, CEO, nVisium.
Multi-factor authentication is table stakes, and Mannino advises some other key steps for narrowing your exposure in this new paradigm, too.
“Ensure that all remotely accessible services require multi-factor authentication, whether that’s for VPN access, email access, or applications and web services,” Mannino says. “Ensure that all physical assets (laptops, mobile devices) assigned to employees are full-disk encrypted and protected at the hardware level through firmware security and Trusted Platform Modules (TPMs). With more devices in motion and in transit, the likelihood of loss through theft or misplaced devices increases, especially in logistically challenging times as we’re living in.”
Monogioudis notes that a variety of existing or expanded security tools and tactics can help manage the risks inherent in a sudden shift to a remote workforce, including:
- Endpoint detection and response solutions
- Encrypted communications via VPN
- Enhanced identity and access management (IAM) protocols (like multi-factor authentication)
- Continuous network monitoring and the application of least-privilege/need-to-know principles
- Advanced email, instant messaging, and browsing protection
- User security awareness training
It’s worth underscoring one of these, in particular: almost across the board, security experts agree that IAM tools, protocols, and practices will be more important than ever.
3. Communicate and educate on an ongoing basis
Training and education are security strategy stalwarts, and that doesn’t change now. What shifts is the focus: Assume most people don’t know best practices for securing their home networks, for starters.
“Provide training and education to your staff on home networking best-practices,” says Mannino from nVisium. “Ensure that employees understand how to protect their wireless networks with strong passwords, using secure encryption algorithms, and patching their home networking devices. As users access corporate assets coming from less trusted networks, it’s important to isolate and limit the exposure points for unauthorized entry into the enterprise network.”
Let's examine two more best practices: