Talk is cheap, and web advice is plentiful and free on how to secure your IT and digital assets when employees work from home due to the COVID-19 pandemic. But what's that "wisdom" worth in practice? Larry Loeb takes a closer look.
Ultimately, it will be the CIO, CTO, CISO, and the security team who are left holding the bag if something goes wrong. So before rushing into remote access expansion in ways we may come to regret, let's examine the finer points.
When legacy infrastructure is reviewed by management, capacity levels tend to be evaluated in the aggregate. The overall structure of a network may have the bandwidth and response time that seems to be adequate to conduct business.
But looking at aggregates alone ignores any segmentation that may occur inside a legacy resource. For example, the pre-allocation of resources for centrally located and those for remote users occurs within the overall aggregate.
Gregg Siegfried, Gartner Research Director for Cloud and IT Operations, was recently quoted by Diginomica. He reminded us that "many organizations use traditional, 'thick client' enterprise applications that were never designed to operate with anything slower than 100Mbps LAN between clients and servers." These will not be able to operate over high-latency remote connections and "may simply be unusable remotely."
Anti-Virus software looks for static data associated with a file or process to determine if it's malicious or not. That static data is updated in the latest AV versions to reflect code characteristics of malware that has been changed or discovered since previous updates.
It may catch transgressions, or it may not, in which case it will often be too late to prevent further damage. The malicious code may have taken hold within the organization's defense perimeter already and is spreading through the network.
Lack of reliability and effectiveness aren't the only problems with relying on AV tools to keep remote workers safe. Did you know that leading anti-virus packages, due to their tight integration with the operating system, have actually been found by researchers to introduce additional risks [PDF]?
Plan instead to prevent web-borne exploits from even reaching employer-issued or BYOD devices. AV software, for example, only looks at a small portion of the possible threats that can be encountered. The threat model for a specific situation will always be more complex than just the (documented) threats that are posed by malicious files.
Relying on one kind of tool or mechanism alone - other examples: VPN, web filtering, CASBs, password managers - often creates a false sense of security and leaves more complex threats still able to cause systemic damage.
Research shows that around 80% of cybersecurity incidents are browser-related. With Zero Trust Application Access, IT doesn't have to rely on the traditional cocktail of point solutions, which are mostly aimed at shoring up the browser.
With the browser now being the lifeline between the remote worker and your organization, Zero Trust Application Access separates the resources and processes you need to protect (such as company apps, data, and devices), from environments you cannot trust like public websites, external users and unmanaged devices.
Because Silo executes all web code in a secure, isolated cloud environment, no code from the web can touch the remote worker's device, or a pre-existing malware infection spread from there to your corporate environment.
Umh, no. Most remote work policies were already functionally broken left and right even before the COVID-19 pandemic struck. For various reasons, businesses keep them limited and high-level, without specific consideration for particular situations.
Companies that create an RWP for the first time tend to overestimate the impact of this positive control effort. Is it really effective as a tool to ensure comprehensive data security and protection when remote workers go online? No.
And yes, you'll need an RWP regardless - if mostly as a document that corporate counsel can produce for insurers, litigators, or regulators after a data breach.
Prevent exploits from reaching the endpoint in the first place by taking active prevention measures. The approach and method may be different, based on the situation's threat model, but it is a direct method that is called for, not merely a general policy.
In addition, central auditing capabilities of remote workers' online activities may be required, for example to ensure compliance in regulated sectors.
Different strokes for different folks; I recommend reading the post IT Fire Drill: Remote Access Expansion Under COVID-19 on this blog to get a better idea of what's possible, without getting held back by (perceived) legacy IT limitations.
Many remote work guides recommend "use a VPN" for protecting your organization and its remote workforce. One recent report points out that VPN usage in the US and Canada has increased by 36% during the Coronavirus pandemic.
While a VPN can be useful to shield work-from-home employees from casual eavesdropping, it will not, by itself, provide truly secure access. For the bigger picture, read VPN: A Big Misunderstanding? on this blog.
2019 saw a variety of VPN products, like Palo Alto's SSL VPN, FortiGate VPN, and Pulse Secure VPN, receive advisories and updates from their vendors due to critical vulnerabilities in these devices.
These alerts and patches were prompted by the discovery of several vulnerabilities in these VPN products by security researchers Orange Tsai and Meh Chang from the DEVCORE team. The NSA even directly responded to these problems with a set of mitigations.
Security researchers reported that more than 14,000 Pulse Secure VPN endpoints were still vulnerable more than three months after the vendor patch for a reported vulnerability (CVE-2019-11510) was released. Such delays are often due to how VPNs are updated, as explained in an article published by Carnegie Mellon's Software Engineering Institute.
It seems that VPNs are rarely patched, as they are expected (and needed) to be operational at all times to assure communications availability.
And that's just on the IT end. Now consider the implications of overwhelming newly minted remote workers with setting up their VPN clients at home, literally left at their own (BYOD) devices.
In short, VPN is not the cure-all that many remote work manuals make it out to be. As public interest technologist and security expert Bruce Schneier writes on his blog, "[h]anding people VPN software to install and use with zero training is a recipe for security mistakes, but not using a VPN is even worse."
Bottom line: VPN without a comprehensive deployment strategy and the resources to execute on it may well increase the risk for your organization.
CISA has issued a special alert about VPN use in the new remote work environment that makes some valuable points. While the agency leaves mitigating specific vulnerabilities to the manufacturers, the alert looks at how to best use a VPN in the enterprise.
CISA points out that as organizations use VPNs for telework, more vulnerabilities are found and targeted by malicious threat actors. It also notes that organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer - including IT security personnel's ability to perform cybersecurity tasks.
CISA also advises businesses to implement multi-factor authentication (MFA) on all VPN connections to increase security. If MFA is not implemented, requiring teleworkers to use strong passwords may provide some basic level of protection.
If you're still using one, that makes sense. Now here's a question: What does the label "secure" really mean for traditional browsers?
Not much, if you take a closer look. I've written about this topic previously on this blog.
All major browsers still allow - potentially malicious - code from the web to get stored and executed on the remote worker's machine, from where it can infect the corporate network and apps.
As long as that's still a practical reality, the mantra "update the browser" will ring hollow. "Free" browsers are inherently unsafe, designed to share user data and to sell user "eyeballs" to online advertising networks, which frequently also distribute malvertising.
Updates cannot cure the underlying malaise. Even if they did - they often come too late or, when available, are postponed by IT, according to research: 81% of CIOs and CISOs defer critical updates or patches.
With the increased workload that has been heaped on your IT department under the COVID-19 regime, is your team willing to take chances?
Shodan, the search engine for internet-connected devices, determined that the number of RDP endpoints had jumped to almost 4.4 million by the end of March, from only 3 million at the start of the year.
That's roughly a 40% jump during the initial COVID-19 work-from-home ramp-up period. It looks like many organizations rely heavily on RDP to expand remote access.
One problem with that is that relying on the powerful RDP protocol in Windows can easily lead to expanding an organization's attack surface, because it is notoriously difficult to deploy, manage and scale, even under better circumstances.
While RDP clients are available for almost all operating systems, devices, and browsers, newly minted remote workers cannot be expected to configure them themselves.
Will your IT be able to support the configuration needs of most RDP solutions?
The padlock in a user's URL window shows either "locked" or "unlocked". What does that really mean?
All that indicates is that a certificate of some sort was used, or not, during communications between a website and a browser.
The problem here is that the browser has no idea if the underlying certificates were properly validated or issued. This issue has been previously addressed on this blog, for example here.
No cute icon-changing can ever cover the security needs of the average organization and its remote workers. Both IT and users must internalize that anything on the web or in a third-party app has some potential of being false, harmful, or both, and cannot be trusted.
The current pandemic isolation is changing how America works, and the Zero Trust model goes a long way towards relieving IT and remote workers of the impossible burden of having to figure out which online resources to trust or not to trust.
Combined with the web isolation approach, the Zero Trust model makes it easier for IT to accommodate even complex remote work scenarios than it was before the pandemic.
An organization may think that it's too small or insignificant to attract an attacker's attention. The fallacy here is thinking that it is only your organization that could be the target.
What about your customers/clients, vendors, and contractors? And what about their business partners?
By focusing only on the most obvious scenario, you risk losing sight of the effects of the digital supply chain your organization is connected to.
Supply chain attacks are not novel, and I have written about various flavors of this problem on this blog before. Adversaries leverage what opportunities they can exploit, wherever and whenever they find them.
Prevent giving a foothold to attackers who may be on a broader mission. Implement additional barriers, such as 2FA for sign-on, and require credential verification when switching between resources.
What could go wrong? An all-too-common theme is that Joe or Jane User searches the web for "Microsoft Support" and ends up dialing right into a hotline scam.
Or a pop-up may take over their browser, directing them to call a fake "emergency support" number. This rarely ends well, especially when the scam artists manage to get remote access to the user's computer.
The Federal Trade Commission has published a comprehensive overview of the classic helpline scams and how to recognize them. Though the article is a bit dated, the techniques it describes are still very much in use. Bleeping Computer detailed how some Google Search results were redirecting users to a scammer.
Password use has been a recurring topic on this blog. Their role in authentication has changed over the years.
The National Institute of Standards and Technology (NIST) recently released the official NIST Special Publication 800-63-3 guidelines for 2019.
While there haven't been extreme changes from the original NIST 800-63 password guidelines published in 2017, one difference is striking, as it reflects a distinct shift in thinking.
The main change is that NIST now recommends that well-formed passwords should not "retire", which means changing them is no longer a requirement (for federal government users). Frequent password changes were found to be counterproductive, by unnecessarily adding to overall complexity.
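To make the shift in NIST's thinking concrete, here is an added example (not code from the blog post or from Authentic8/Silo) of a password verifier written along the lines of SP 800-63B: it enforces a minimum length and a blocklist of common or breached values, rejects context-specific and trivially patterned secrets, and imposes no composition rules and no calendar-based expiry. The blocklist and the username check are assumptions for the demo; a real deployment would load a large breached-password corpus.

```python
"""NIST SP 800-63B style memorized-secret check (added example).

Assumptions not taken from the blog post: the verifier holds a blocklist
of common/breached passwords (a constructed sample is embedded below) and
knows the account's username so context-specific secrets can be rejected.
"""
import unicodedata

# Constructed sample blocklist for the demo; real deployments load a
# large corpus of breached and commonly used passwords here.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8   # 800-63B minimum length for user-chosen secrets
MAX_LEN = 64  # verifiers must accept at least this many characters


def normalize(secret: str) -> str:
    """Unicode NFKC so visually identical inputs compare (and hash) equal."""
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive(s: str) -> bool:
    """True for a single repeated character such as 'aaaaaaaa'."""
    return len(set(s)) == 1


def _is_sequential(s: str) -> bool:
    """True for a strictly ascending or descending run such as '12345678'."""
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas in ({1}, {-1})


def check_password(secret: str, username: str = "") -> list:
    """Return the reasons a candidate secret is rejected (empty list = accepted).

    Deliberately absent: composition rules (upper/lower/digit/symbol quotas)
    and any expiry date, both of which 800-63B advises against.
    """
    pw = normalize(secret)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    # Long passphrases are fine; we only make sure nothing is truncated below MAX_LEN.
    assert len(pw[:MAX_LEN]) == min(len(pw), MAX_LEN)
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the blocklist of common/breached passwords")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if _is_repetitive(pw):
        reasons.append("repeats a single character")
    if _is_sequential(pw):
        reasons.append("is a sequential run of characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "jdoe2024!x"):
        print(repr(candidate), "->", check_password(candidate, username="jdoe") or "accepted")
```

The only rotation trigger in this model is evidence of compromise (a blocklist hit on a newly breached corpus, or an incident), which is exactly the change the guidelines describe: a password that is long enough and not on the blocklist is accepted and then left alone.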
Though I mentioned the concept earlier in this blog post, 2FA can be a very effective method of increasing security. But, the way it is used can be as important as enabling it in the first place. For example, the responses to the 2FA challenges can be full sentences that can be easily remembered without the need for storing them elsewhere. In short, they should be routinely used.
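The MFA advice in this post (CISA's recommendation for VPN connections above, and the 2FA-for-sign-on point made here) usually ends up as a one-time-code check on the server. The following is an added example, not code from the blog post or from Authentic8/Silo, of a standard-library HOTP (RFC 4226) / TOTP (RFC 6238) verifier that does the two things that matter when 2FA is "used properly": it compares codes in constant time and refuses to accept a time step it has already honoured, so a phished or shoulder-surfed code cannot be replayed. The shared secret is assumed to have been provisioned out of band; the secret used in the demo is the RFC test-vector value, not a real credential.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with replay protection (added example).

Assumptions not taken from the blog post: each user has a per-user shared
secret provisioned out of band, and the server keeps the last accepted
time step per user. The secret below is the RFC test-vector value.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password: HOTP over the current time-step counter."""
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock skew
        self.last_accepted_step = -1  # highest time-step counter already used

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        now_step = int(now) // self.step
        for counter in range(now_step - self.window, now_step + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            # constant-time compare: don't leak how many digits matched
            if hmac.compare_digest(expected, code):
                if counter <= self.last_accepted_step:
                    return False  # same or older step already used: replay
                self.last_accepted_step = counter
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    verifier = TotpVerifier(demo_secret, digits=8)
    now = time.time()
    code = totp(demo_secret, now, digits=8)
    print("first use:", verifier.verify(code, now))   # True
    print("replay:   ", verifier.verify(code, now))   # False
```

The window of one step either side tolerates a client clock that drifts by up to 30 seconds; widening it makes life easier for users but also gives an attacker more valid codes per moment, so keep it small and fix clock drift instead. Storing `last_accepted_step` per user is what turns a "something you have" factor into one that cannot be reused.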
Remote work has been around for a while. But recent events have greatly increased the numbers of those that need to rapidly adopt its use. In the rush to facilitate WFH, don't lose sight of the principles that have worked well for organizations in the past and can be modified to fit the "new normal".
This blog was authored by guest contributor Larry Loeb.
Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for Security Now.