Here are eight tips to help security organizations in securing their remote workforce
The novel coronavirus COVID-19 is causing global health and economic crises and profoundly impacting the way we live and work. Its effects will no doubt be long-lasting. In the near-term, it will require CISOs to update and prioritize work from home security practices and policies as offices are temporarily shut down. We don’t know how long the coronavirus emergency measures will be in place, so CISOs would be wise to develop long-term plans to ensure employees are as secure working from home as they are in the office.
The remote worker phenomenon started long before coronavirus, but this epidemic may be the watershed moment that makes remote work a regular part of most companies’ cultures, including those with any lingering hesitation. For the last decade or so, flexible work and work from home policies have become standard across businesses as they looked for ways to offer more perks in a competitive hiring market. And it has allowed companies to find talented workers who are located outside the high-rent locations of many corporate headquarters. This flexibility benefits both companies and employees, but for security teams, it can be a major headache. However, in the age of coronavirus, the number of work from home employees has jumped exponentially by the day, and security teams are rushing to ensure the efforts to enable online collaboration solutions are safe and secure with employees off the corporate network. Now, they also have to address the challenges of tracking and securing a multitude of off-premises devices.
Historically, VPNs were the answer for remote workers. But they pose security issues of their own, particularly when so many employees are using them at once. Recently, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Association (CISA) issued an alert warning about the security risks of remote workers relying on VPNs. “As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors,” the alert said, noting that the need to keep VPNs in operation 24/7 means organizations are less likely to patch them. From a risk standpoint, many enterprises have a generally “flat” network. In years past, there may have been various business applications (email included) that required a connection back into a central, internal environment. With the steady migration from on-premises to SaaS in recent years, the risk of bringing users back into the network for one or two apps may also now be significantly higher than the value being realized by keeping the outlier app/capability on-premises and enabling remote access into the entire network through VPN.
Home WiFi networks represent another challenge. Everyone knows that most home WiFi networks aren’t secure. Many home networks aren’t password-protected, use easily guessed or default passwords, or may be configured without encryption, thus allowing an attacker to easily compromise the network. The modem or router used to access the internet is likely missing its latest security patches and updates (being that they are difficult to apply). In addition, we will see attackers taking advantage of the huge increase in remote network traffic and targeting individuals at a higher rate than usual, especially since they can now more obfuscate their actions in all the additional noise. Unfortunately, due to limited visibility into what’s on our home networks and what we should consider normal versus potentially malicious, many home networks and the personal devices connecting to them may already be compromised.
Meanwhile, the internet of things (IoT) has invaded homes, filling them with connected devices that can be accessed remotely but which have very little to no security. From smart TVs and webcams to Ring doorbells, Amazon Echos and Pelotons, they are in millions of homes. Putting corporate assets on the same WiFi networks as these devices create new entry points for attackers to reach corporate targets. In addition, they can be exploited by attackers to snoop on not just home activities but now work conference calls and sensitive corporate communications. Most companies are not prepared for this new type of insider-outside threat.
Securing a Remote Workforce
There are eight things security teams can do to transition employees to a remote workforce, which includes securing not only corporate assets, but strengthening home network security as well:
1) Multifactor Authentication. Ensure multifactor authentication (MFA) requirements are being enforced for the privileged users accessing the most sensitive and critical internet-facing services consumed by your enterprise. Be careful that enabling MFA doesn’t prevent anyone from working remotely. Pro-tip: test this approach with a small subset of the target audience before rolling out broadly.
2) Use a Secure Application Gateway. To address the security issues with VPNs, I recommend using an application gateway that serves as a proxy, acting on behalf of the employee’s computer and protecting it behind the firewall. It provides better security visibility and offers one place for security teams to see what’s happening with computers being used at home, what apps they are using, what they are doing with them, etc.
3) Virtual Desktop Environments. Require remote staff to access legacy apps and services through a virtual desktop environment where relevant (or a modern secure access gateway). VPN use has been the traditional method of secure access, but for many industries and enterprises in 2020, it’s highly likely that most staff members—whether in business functions or IT—use online apps for work, and very few apps cannot be accessed securely over the internet. If this applies to your environment, consider testing and bolstering your virtual desktop environment as required to provide a great user experience while preventing the need to connect users to a flat network to access a small number of internal-only apps.
4) Track Anomalous User Access. Set up alerts on anomalous user access and actions by monitoring identity and permission usage patterns. If the security team is not yet monitoring for events pointing to potential account compromise (e.g. account being used from more than one host and geography simultaneously) and triggering corresponding alerts or additional actions, prioritize this effort. At a minimum, consider investing time and effort into optimizing this capability in relation to IT administrator and PI/PII handler (e.g. HR staff) roles.
5) Track Endpoint Activity. Validate that the enterprise tools required to detect, protect against and respond to malicious activities on the endpoint (wherever it may be physically) are fully installed on all company-issued staff devices, to the extent possible. At the risk of stating the obvious, this includes capabilities such as endpoint protection, EDR and DLP.
6) Force HTTPS. Force the use of HTTPS on all sites, when available through the use of existing solutions in your stack or by enabling the widely used and trusted “HTTPS Everywhere” extension in Chrome to ensure that all web browsing is conducted securely.
7) Home Security Tips. Provide employees with tips and tricks on improving home network security. For instance, they should configure network equipment and computers to use a secure DNS service like Quad9 or OpenNIC, and install endpoint protection on all computers. Also, they should check common modem and router settings to confirm optimum security settings and enable the HTTPS Everywhere extension in the home computer’s browser, as well as update home WiFi passwords if not changed in the past year. Last but not least, it rarely hurts to share easily consumable best practices around how to keep software and operating systems up-to-date and to guide staff on the best home-use AV solutions on the market and why such tools are important, particularly at home.
8) Beware of Phishing. Remind staff to be incredibly wary of COVID-19 related emails and social networking posts. Most emails will be either spam or malicious with the intent of preying on folks in a time of crisis or will impersonate senior staff requesting illegitimate bank transfers, gift card purchases or the like. Remind staff of the actions to be taken when receiving potentially malicious emails and of the training available should they want to take a refresher.
Coronavirus will end one day, hopefully soon, but its influence on our notion of “workplace” could be long-lasting. We’ve never had to migrate millions of employees from the office to a remote workforce in such a fast time frame. This brings incredible security challenges, but security leaders who are able to manage it well will be able to turn a business operations disruption into a future flexibility advantage.