While it would be nice to think that we all accounted for a pandemic in our Business Continuity and Disaster plans, the reality is that few of us were prepared to shift, almost overnight, to having all our employees work at home. As we scramble to deploy and scale our remote access solutions for our employees, cyber criminals will certainly take advantage of the situation and attempt to exploit the seams created in our defenses by the rapid rollout of new remote access solutions and our distributed workforces. As we implement our Business Continuity plans and reset our corporate priorities to deal with the pandemic, it is important to keep cybersecurity at the forefront. We will be relying more heavily than ever on our IT systems to keep our businesses moving forward, and cybersecurity plays a critical role in keeping those systems up and running.
Below are a few things to consider as you roll out work at home solutions and fine tune your work at home operations. I mention Endpoint Detection and Response (EDR) several times throughout this post as I believe it should be a critical component of your work at home strategy. If you don’t already have EDR as one of the tools in your toolbox, I strongly suggest you research it and consider adding it to your work at home IT architecture to give you remote insight into, and manageability of, the endpoints (laptops) being used by your employees working at home. EDR goes well beyond anti-virus capabilities, giving you the ability to perform digital forensics and incident response on remote devices – which is critical in a distributed work at home environment. There are numerous EDR solutions on the market, including Fidelis Endpoint.
There are many ways to provide remote access for your work at home employees. I’ll focus on a Virtual Private Network (VPN) based solution where your employees are accessing corporate resources through a corporately provided laptop (vs. a personally owned device or a cloud-based “virtual desktop” service), as I believe that VPN remote access is the most prevalent solution out there. There are lots of tradeoffs between performance, security, and reliability that need to be considered when standing up or reconfiguring a VPN to support your work at home employees. The biggest consideration is whether to route all traffic from your remote endpoints back to the corporate infrastructure or to operate using split tunneling, where some traffic is routed to the corporate infrastructure and some traffic bypasses the VPN and takes a shortcut directly to the Internet. Routing all endpoint traffic back to the corporate infrastructure certainly has its security benefits, as all corporate cybersecurity and compliance monitoring capabilities are in play. However, it essentially doubles the traffic flowing through your corporate network boundaries: all end user traffic flows in through the corporate boundary over the VPN, Internet-bound traffic flows back out the corporate boundary, and all return traffic flows through the corporate network and back out through the VPN.
Split tunneling provides many benefits in performance and availability by not requiring traffic destined for the Internet to flow through your corporate infrastructure; however, split tunneling exposes your endpoints directly to the Internet. With more of our corporate services shifting to the cloud (e.g., Office 365, cloud-based video/teleconferencing, CRM services, cloud-based storage, etc.), split tunneling becomes very attractive from a performance and reliability standpoint but certainly raises the hairs on the back of the necks of security practitioners. If you are implementing a split tunnel VPN, you will want to look at the VPN routing policy carefully to ensure that you understand exactly which traffic is authorized to bypass your corporate infrastructure and monitoring. You also need to ensure that your endpoints are robustly protected against Internet-based threats due to their direct exposure to the Internet – and once again I would suggest you take a look at EDR capabilities to address this gap. Zero Trust architectures are also gaining lots of popularity for these types of hybrid corporate/cloud environments but can be complex to put in place, particularly if you are under a time crunch to deploy a remote access solution.
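One way to review a split-tunnel routing policy in the way described above, as an added example that is not part of the original post: the policy below is modelled as a list of (prefix, path) entries resolved by longest-prefix match, the prefixes and destinations are constructed (RFC 5737 documentation ranges stand in for corporate and SaaS space), and the `shadowed_tunnel_routes` check flags corporate ranges that a more specific bypass entry quietly sends around your monitoring.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example split-tunnel policy. "tunnel" = traffic goes back through
# the corporate VPN and its monitoring; "bypass" = traffic goes straight to the
# Internet. The 0.0.0.0/0 entry is the split-tunnel default route.
POLICY: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "tunnel"),       # hypothetical corporate internal networks
    ("172.16.0.0/12", "tunnel"),    # hypothetical corporate internal networks
    ("203.0.113.0/24", "tunnel"),   # hypothetical corporate DMZ (TEST-NET-3)
    ("203.0.113.64/26", "bypass"),  # hypothetical SaaS range excluded from the tunnel
    ("0.0.0.0/0", "bypass"),        # everything else goes directly to the Internet
]

def classify(dest: str, policy=POLICY) -> str:
    """Return the path ("tunnel"/"bypass") for dest via longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best_net, best_path = None, None
    for prefix, path in policy:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_path = net, path
    if best_path is None:
        raise ValueError(f"no route for {dest}")
    return best_path

def shadowed_tunnel_routes(policy=POLICY) -> Dict[str, List[str]]:
    """Find tunnel prefixes partly overridden by more specific bypass entries,
    i.e. corporate ranges that some traffic will reach unmonitored."""
    nets = [(ipaddress.ip_network(p, strict=False), a) for p, a in policy]
    result: Dict[str, List[str]] = {}
    for tnet, taction in nets:
        if taction != "tunnel":
            continue
        holes = [str(bnet) for bnet, baction in nets
                 if baction == "bypass" and bnet != tnet
                 and bnet.version == tnet.version and bnet.subnet_of(tnet)]
        if holes:
            result[str(tnet)] = holes
    return result

def audit(destinations) -> Dict[str, str]:
    """Map each destination to its path so bypass traffic can be reviewed."""
    return {d: classify(d) for d in destinations}

if __name__ == "__main__":
    for dest, path in audit(["10.1.2.3", "203.0.113.10", "203.0.113.70", "198.51.100.5"]).items():
        print(f"{dest:15} -> {path}")
    print("tunnel routes with bypass holes:", shadowed_tunnel_routes())
```

Feed `audit` the destinations your remote laptops actually talk to (from VPN or EDR telemetry) and review every "bypass" result against what the policy was meant to allow.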
A few final thoughts on VPNs: depending on the size of your organization and the availability requirements for your remote workers, geographically dispersed VPN access points using diverse Internet providers are something to consider. Additionally, it is ultra-critical that you keep your VPN servers/services up to date and well patched. There are numerous Common Vulnerabilities and Exposures (CVEs) related to VPNs, and these are regularly exploited by cyber criminals and nation state actors to gain remote access to corporate infrastructure. It is also recommended that you turn up the cybersecurity and performance monitoring of your VPN servers a notch to enable you to quickly detect attacks against your VPN infrastructure. Finally, it is strongly recommended to deploy Two-Factor Authentication (2FA) for VPN access to prevent stolen, lost, or guessed logon credentials from being used to gain remote access to your corporate infrastructure.
We have already seen examples of cyber criminals and nation state actors using the confusion and concern caused by the COVID-19 pandemic in Phishing attacks. While Phishing is certainly not a new cybersecurity concern, employees working at home will be spending more time online, which increases their exposure to Phishing attacks. Additionally, depending on your remote access architecture (e.g., split tunneling), the technologies you have in place to filter/detect Phishing attacks on your corporate networks may not be in the communications path for remote workers, leaving them more vulnerable. An EDR solution deployed to your remote users’ laptops fills that gap by allowing your endpoints to detect and respond to malicious activity, including Phishing attacks. EDR also helps with Incident Response should a device become infected (see incident response below).
As you shift to a work at home posture, it’s a good time to remind employees of your corporate policies related to online activities, your expectations for proper online behavior/etiquette, and tips for staying safe online. For instance, don’t click on links in an e-mail or open e-mail attachments from an unknown or untrusted source. You will also want to reiterate what they should do if they receive a suspicious e-mail – delete the message, forward it to your security operations team, etc. Try to make it as easy as possible for employees to report suspicious e-mails and activities, to increase the likelihood that they will reach out to your security operations team if something does not look right to them.
Let’s say that despite your awesome Phishing awareness campaign, one of your employees clicks on a malicious link in an e-mail and has now infected their laptop. In turn, that laptop is connected through your VPN and has infected other assets. You need to plan for how you will be able to remotely respond to the incident, perform digital forensics to determine the extent of the infection, and remediate the infected devices. This is where an EDR solution really shines. The EDR agents deployed to your remote worker devices will enable your security operations personnel to quickly determine the extent of the infection, quarantine and clean up infected machines, and bring those machines back online – all remotely. EDR solutions should also provide automation features to enable your security operations team to remotely and globally change device configurations and deploy updated cybersecurity detection and response rules to your EDR agents, allowing you to deploy synchronized changes across your distributed assets in response to an intrusion and/or emerging cyber threats. If you are interested in seeing a demo of these incident response capabilities in action, I encourage you to watch our recent on-demand webinar, Speed Your Incident Response Capability.
Building on the previous item, you need to ensure that your SOPs are updated to support work at home and remote monitoring/management of your infrastructure. If you already had a large mobile/remote workforce, then your SOPs may already cover work at home and remote management of your infrastructure – but now is a good time to verify that. The test is to ask, for each SOP, “how would we do that remotely?” If the SOP doesn’t cover work at home and remote management of your infrastructure, then you need to extend your procedures so that you have clear and repeatable processes for supporting your remote operations. This is especially important now, as your security operations team is no longer sitting side by side in the office where they can work out a solution on the fly.
Cyber threats will undoubtedly evolve over the coming weeks, and you need to be aware of those changes to make corresponding adjustments to your cyber defenses. That is where threat intelligence comes into play. Having a good source of threat intelligence allows you to be more proactive in preventing and detecting attacks. Most threat intelligence feeds also include updated indicators and detection rules for emerging and evolving threats, delivered in machine-readable formats such as STIX, TAXII, and YARA, that can be automatically deployed within your network and to your EDR agents to keep defenses for your remote employees up to date.
Even though the office doors are locked, the equipment in your data center is still humming away (hopefully) and needs care and feeding to ensure the systems stay up to date and are properly patched. Unpatched systems continue to be one of the top attack vectors used by cyber criminals and nation state actors. This makes cybersecurity hygiene more critical than ever as we are now completely dependent on our IT systems to keep our employees and customers connected and business operations moving forward. Cyber criminals are opportunistic and are taking advantage of the situation. We can’t let that happen, so I encourage you to continue to be diligent with your updates and patches. Once again, EDR can assist by generating an inventory of software loaded on your endpoints, comparing that against CVEs, and reporting the update and patch status of each endpoint. In addition, EDR can be used to report other threat indicators such as reading and writing to USB devices and excessive processor and disk utilization. This reporting enables your security operations team to track your exposure to threats in real time and coordinate remediation of unpatched devices. I’ve focused primarily on addressing challenges related to work at home; however, the same cybersecurity hygiene guidance applies to our business-critical systems, websites, VPNs, and supporting infrastructures that enable us to continue to support our customers throughout the quarantine.
I lumped a bunch of stuff together here, but it’s somewhat related. You need to think through how your sensitive data and your customers’ sensitive data are protected, from both a confidentiality and an integrity standpoint, as you move to remote operations. That data is now created, copied, and maintained on mobile endpoints scattered across your employees’ homes and is a prime target for cyber criminals. Once the quarantines are lifted, those mobile devices will become mobile again, potentially exposing that sensitive data to loss or theft. Some things to consider: Is the data encrypted at rest (or preferably encrypted at the individual data record level) on your remote employees’ device(s)? Is the data automatically backed up to your corporate servers or to the cloud so that you can maintain a corporate record of all critical data? Do you have adequate monitoring on your endpoints to detect misuse by your employees or data exfiltration by an attacker? Not to sound like a broken record, but once again an EDR solution can help by flagging/alerting your security operations team to anomalous activity occurring on your endpoints and allowing your security operations team to investigate before it’s too late. Many EDR solutions include behavioral analytics backed by Machine Learning, which can significantly increase your ability to detect employee misuse (e.g., unusual employee work patterns) and/or exfiltration of sensitive data. A suggestion would be to review your business workflows (particularly those related to work at home employees accessing sensitive data) and validate that the workflows continue to meet your compliance and data protection rules/regulations.
Last but not least, your work at home employees will likely be getting their Internet access via a home network, so it certainly helps to ensure your remote workers are securing those networks with best practices. There is plenty of good guidance out there for securing home networks (SANS, for example, just released a nice guide). In my opinion, changing the default passwords on all the devices connected to your employees’ home networks (routers, WiFi access points, video game consoles, Internet of Things devices, etc.) gives the biggest bang for the buck. Locking down those home networks adds another layer of protection between your corporately managed work at home devices and the Internet.
Hopefully this was useful to you as you roll out and fine tune your work at home solutions (or at least thought provoking)! As always, comments and suggestions welcomed.