Remote work in the age of corona – best practices for maintaining security

By: Ofir Even - Citadel Information Security Officer   |   Updated: 4/6/2020

As the COVID-19 virus spreads around the world, governments and organizations are scrambling to respond to the challenges of maintaining business continuity, while employees are required to maintain social distancing and work remotely. To add to that, there is an increase in the number of cyber-attacks and phishing attempts taking advantage of the situation – exploiting uncertainty, misinformation and people’s anxieties. 

Best case scenario - you’ve prepared beforehand. You have the required infrastructure in place to support a mass migration to working remotely, and have been cultivating a culture of security awareness among the employees. Yet one must not rest on one's laurels: even in the best-case scenario there are several unknown variables at play. Read on to learn how to increase your organizational security, reduce the risk and mitigate damage.


Remote infrastructure 

Recent studies show that since the COVID-19 crisis started, there has been a linear increase of 600% in cyber-attacks. This, of course, means that the cyber-attack surface has significantly increased.

To maintain business continuity, many employees have to connect to their organizations’ resources remotely - this poses a significant challenge for the IT department as well as the organization's CISO, who has to keep a high standard of security (particularly during this time of elevated risk).


Remote connections are inherently less secure than local, wired connections – inside the office there are various network components and policies that keep the networks safe and segmented, limiting the damage any one incident can cause.

The best-case scenario for remote connection is to have a dedicated computer, with all the security components, software updates, and secure connection tools that allow the user to fully comply with company security policies when connecting. This scenario only works for those who thought ahead, as the infrastructure for remote connections must be in place before the crisis starts. A hastily configured remote connection system will likely leave gaps and holes that might not be discovered until well into the future, and without adequate time for testing the organizational systems will be exposed to threat actors. It’s important to plan ahead and set up a secure VPN connection that’s easily scaled up if needed, allowing as many employees as necessary to keep working remotely and securely in a crisis.

Even in the best-case scenario there are still several unknowns that might be used as a point of entry into the company systems. Companies have very little control over what happens on the employee’s home network; other devices on the network might not be as secure as one would want (with weak default out-of-the-box passwords) and constitute an easy point of entry. Other users on the network might not be very technologically literate and may unintentionally pollute the home network with malware. Moreover, some Wi-Fi encryption standards are themselves insecure, and security updates must not only be released by both the router and the network card manufacturers, but also installed by the end user.

What about my personal computer/laptop? When the best-case scenario is not an option, using an employee’s personal computer should be the last resort. Home computers are often used by multiple people, including small children who are not always computer literate. This solution compounds the problems with remote connection mentioned earlier, with a lack of control over users, their habits, the operating system and its components. While it is possible to prep a personal home computer to be used for remote work, this requires installation of several security components and other segmenting solutions like remote connection to a virtual desktop. Setting up this type of workstation is not a small task at the best of times and might very well not be feasible in the current climate of cost cutting and staffing shortages.

When crisis hits, and an organization finds itself in the worst-case scenario of having to quickly set up remote connections for many employees, one important mitigating move would be performing an infrastructure scan. The scan checks and communicates with the company assets over many different protocols and interfaces, looking for insecure channels and vulnerabilities and checking the permissions of each remote profile. Such an audit can identify weaknesses before a malicious entity exploits them, and mitigate the possible damage caused by a misconfigured system.

Six steps that should be mandatory these days: 

  1. Strong Authentication (2FA)
  2. Building an RBAC (Role-Based Access Control) model for each application
  3. Minimize the ability of the remote computer to upload/download documents from the internal network; if necessary, do it over a secure connection and sanitize each incoming file
  4. Do not allow direct access to your internal network from remote computers; prefer to connect to it with dedicated tools (SSL VPN, for example)
  5. In order to minimize the attack surface, limit the session for the remote user to working hours and terminate inactive sessions
  6. As much as possible, distance the remote user from the organizational infrastructure by using virtual desktop environments and mediating components while limiting the available resources.
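A worked illustration of steps 1, 2 and 5 (strong authentication, an RBAC model per application, and working-hours plus idle limits on remote sessions), added here as an example and not code from the article: the roles, permitted hours, timeout and sample sessions are constructed assumptions, and the sweep shows which live sessions a policy engine would terminate and why.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed policy values (assumptions for this example, not from the article).
WORKING_HOURS = (time(8, 0), time(18, 0))   # step 5: permitted session window
IDLE_TIMEOUT = timedelta(minutes=15)        # step 5: cut off inactive sessions
ROLE_PERMISSIONS = {                        # step 2: RBAC model per application
    "finance": {"erp": {"read", "write"}, "fileshare": {"read"}},
    "support": {"ticketing": {"read", "write"}},
}

@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    mfa_verified: bool  # step 1: second factor confirmed at login

def session_violations(session, now):
    """Return every policy rule the session currently breaks (empty = healthy)."""
    reasons = []
    if not session.mfa_verified:
        reasons.append("mfa_missing")
    if not WORKING_HOURS[0] <= now.time() < WORKING_HOURS[1]:
        reasons.append("outside_working_hours")
    if now - session.last_activity > IDLE_TIMEOUT:
        reasons.append("idle_timeout")
    if session.role not in ROLE_PERMISSIONS:
        reasons.append("unknown_role")
    return reasons

def authorize(session, now, app, action):
    """Allow an action only for a healthy session whose role grants it on that app."""
    if session_violations(session, now):
        return False
    return action in ROLE_PERMISSIONS.get(session.role, {}).get(app, set())

def sessions_to_terminate(sessions, now):
    """Sweep live sessions; map each user to be terminated to the reasons why."""
    return {s.user: r for s in sessions if (r := session_violations(s, now))}

# Constructed sample sessions, evaluated by a sweep at 10:00 on a weekday.
NOW = datetime(2020, 4, 6, 10, 0)
SESSIONS = [
    Session("alice", "finance", NOW - timedelta(minutes=5), True),
    Session("bob", "support", NOW - timedelta(minutes=40), True),
    Session("carol", "contractor", NOW - timedelta(minutes=2), False),
]
```

Running the same sweep outside working hours (for example at 21:30) flags every remaining session, which is the intended effect of step 5.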


New tools

So much of our workflow has changed, including the way we collaborate and communicate. We don’t meet face to face anymore, and many have switched to video conferencing software, which poses a challenge in its novelty. Besides the challenge of employees having to learn a new piece of software, how it works and integrates into existing tools, there are also new security features and best practices that need to be solidified into the workflow. New tools also pose a risk – a rapidly popularized app might have undiscovered vulnerabilities and bugs that could allow a threat actor to carry out an attack (collect private or secret information, or even connect to the organization systems). The more popular a new piece of software becomes, the more incentive an attacker has to find existing vulnerabilities and exploit them. On the other hand, the more popular a platform becomes, the more eyes there are on it and more likely that exploits will be discovered and patched. It’s better practice to use a widely popular app or platform as it is more likely to get patched and more likely to be secure than an obscure one. The challenge then becomes chasing the updates – installing patches, notifying all employees of new vulnerabilities and how to mitigate or avoid them. This is where awareness training helps immensely. When workers are aware of the risks and dangers, they are more likely to be cautious and vigilant, treating unfamiliar and new tools with a healthy dose of suspicion.


Weakest Link

Perhaps the biggest challenge companies face in these uncertain times is securing the weakest link of InfoSec – the human factor. The rapid switch to working from home creates an ambiguity in the work-life balance that blurs the lines where work ends and home life starts. As workers adjust to this new setting, the weakest link is becoming weaker; stress and financial worries will cause absentmindedness, rapid change will bring about mistakes before new habits get cemented in, and valid questions might go unanswered as support teams are downsized – all of these increase the chance of clicking on a malicious link or accidentally downloading a dangerous file. The biggest concern is the least technologically capable employees, who will have the hardest time switching to remote connection and a new work setup. In addition to all the stressors mentioned above, they are less likely to recognize an attack (like a phishing email) and are more susceptible to attacks that take advantage of their lack of technological confidence. They might be less likely to raise “dumb” questions and, especially now, might not get the answers they need in time. This is where security awareness among employees is essential to lowering the chances of a successful attack.


Awareness 

There is a limit to what the IT department and CISO can do remotely with many unknown variables, so every individual in a company has a greater responsibility to stay aware even in an ambiguous environment like working from home. Each person must know what the threats are and how to protect oneself and the company network from them. Employees now become the first line of defense against threat actors, and so continuous communication with employees is vital for business continuity.

Inform employees of new or common attack strategies like COVID-19 themed phishing emails. Distribute a list of guidelines with relevant updates emphasizing the importance of private/corporate separation in data and device use. Restate policies for AV software and 3rd-party app updates, password resetting, and security best practices. Refresh InfoSec policies, appropriate remote connection methods, how to get in touch with IT support and the biggest DON’Ts like sharing passwords or identifying information.


Conclusions

There is no doubt we are finding ourselves in a reality exceeding all scenarios we planned and trained for. The world has changed and with it the way we all look at the world of business in general and cyber security in particular.

The recently much-discussed Zero-Trust model can and should take its place in managing the overall risks of accessing enterprise assets along with exploring all the processes that allow remote access.


In the hopes of better and healthier days.

