Today’s new reality mandates that employees must work remotely in order to maintain business continuity. Unfortunately, many organizations didn’t handle this migration according to any documented BCP (Business Continuity Plan) or other procedure. It may have been done carelessly and in a hurried fashion.
With the move to remote work being a major infrastructure change, it must be made only after a thorough examination of the cybersecurity risks involved, taking into account the following:
- Which employees need access to which assets? (do all employees require access or it is enough to grant just a few?)
- Which technologies are required for the employees to access required assets?
- Which software will be used during remote meetings?
- Are employees who are accessing the organization’s data remotely using laptops provided by the organization or is a BYOD (Bring Your Own Device) approach being adopted?
- What is the identification and authentication method used when connecting from home?
- Is remote access allowed at any time of day or only during work hours?
- How will cybersecurity events be assessed for the new infrastructure?
Today there’s a pandemic but in all likelihood, future events such as natural disasters, for example, may force employees to work remotely so it’s worthwhile to address these issues now.
We know for a fact that malicious groups are looking to exploit unpatched known vulnerabilities (1-day attacks ) in organizations. In fact, once an asset is compromised, access to it can still be allowed even if the organization has addressed the weakness. We can assume with a very high level of confidence that malicious groups are making a big effort to take advantage of these types of temporary vulnerable situations created because of the urgent need to enable business continuity without addressing the accompanying cybersecurity risks. What that means is that even when business gets back to normal, the backdoors created by these malicious players would still provide them access to the network.
Can you allow your organization to be at risk? It’s time to act quickly and effectively in order to reduce these risks. The following are some important aspects you should be thinking about NOW:
Risk assessment and proper mitigation
It’s crucial to conduct a comprehensive risk assessment for your new infrastructure as there’s a possibility that your organization’s assets could be exposed to infection by malware. Consider also new public-facing interfaces, possible DLP (Data Loss Prevention) events, employee awareness of new risks, proper use of technologies and much more. After risk assessment is conducted, the proper countermeasures and controls must put in place in order to address these risks.
Technologies and procedures standardization and cloud computing
Evaluation and adoption of specific technologies together with clear usage procedures can help condense a few similar solutions into only one to make it easier for the organization to address the risks associated with these technologies. For example, if a video/audio conference solution is required, the different available solutions should be evaluated according to the support available, privacy policy, known vulnerabilities, free version vs. paid version, etc. After choosing the appropriate technology, it’s very important to define and enforce clear procedures for using it, including the authentication method, encryption, mandatory usage of MFA (Multi-Factor Authentication), what employees are allowed to share using the solution, and more.
Another important aspect is the usage of cloud computing and its major advantages over on-premise usage:
Manpower: With far few employees working these days, cloud technology is useful in terms of maintenance, redundancy, physical installation, upgrades and much more.
Fast delivery: Implementation in cloud environments are usually much faster due to built-in automation, the lack of physical aspects and more.
Accessibility: As the cloud is accessible from practically anywhere, fewer engineers are required for implementation and they can get the job done remotely.
Pay as you go programs: Let’s assume that during the risk assessment phase, an organization decides that an SSL VPN solution is required to connect employees remotely and in a secure manner. Thanks to the cloud, this service can now be purchased very easily and independently and, in most cases, paid for on an hourly, monthly or annual basis (in some cases one free month is even available). In this way, organizations can get the specific desired solution for just the time period it is needed, and there is the option to shut down the server during off-hours in order to further reduce costs. In addition, the organization can stop using the service at any time without committing to a long-term contract.
The endpoint issue: The need to immediately start working remotely and not as part of an organized BCP caught many organizations unprepared from the endpoint perspective. Employees were asked to access the organization’s assets from their own private devices which are, of course, far from meeting the organization’s cybersecurity standards (anti-virus software installed, patched OS, user privileges, etc.). We should keep in mind that these endpoints are now the new gates into the organization so we must treat them as such and keep them secure.
For this reason, the following points need to be considered:
- The employees need to be mapped so that those who require access to the most important and sensitive assets will be provided with the organization’s managed laptops which include all of the organization’s policies, restrictions, hardening and so on.
- For the rest of the employees, the usage of a cloud-based DaaS (Desktop-as-a service) such as Amazon workspaces should be considered. Remote desktops are located on the cloud and they can be hardened according to the organization’s standards with access to the organization’s assets allowed only from these workspaces. In addition, MFA can be implemented in order to ensure strong authentication between the employee’s private endpoints to cloud-based desktops.
- Another option is to use the “host checker” feature in the remote access solution. This is responsible for validating each remote workstation trying to connect to the organization’s assets prior to allowing the connection, according to pre-defined criteria such as unique registry key, anti-virus software installed, well-patched OS and more.
Employee awareness: Remember that employees are often the weakest link in the chain when it comes to cybersecurity, so we must improve their awareness. This need is even more vital these days as our employees have rapidly moved from their known and secure environment to a different workspace which is far less safe. So it’s extremely important to equip them with a short brief (up to one page) that explains, in the simplest terms, the new risks resulting from the new work environment and how to deal with those risks. Make sure to include explanations about phishing attacks, separation of private credentials and work-related ones, and so on. In addition, it is very effective to continuously test your employees’ alertness level with an awareness campaign such as sending them a “phishing like” email. It’s a good idea to decrease the intervals between one campaign to another in order to make the employees more suspicious and keep them on their toes.
Penetration test: A penetration test (which we recommend being carried out by an independent company) which is conducted over the new public-facing interfaces, is very important and can provide a great contribution to exposing an organization’s weaknesses from the attacker’s perspective. Make sure to include scenarios that cover all the organization’s new use cases such as compromising the employees’ private computer, attacking a newly created public interface (i.e. VPN, OWA) and so on.
Continuous monitoring: As major topology changes may lead to new cybersecurity risks, it’s very important, especially at this time, to continuously review the logs and events that are forwarded from different systems in order to identify anomalies or suspicious behavior which can indicate that someone is trying to take advantage of our vulnerable situation.
Document EVERYTHING: Although these are challenging times, it can also be a great opportunity to create procedures or improve existing ones related to working remotely. It’s important to document the difficulties we encounter during the process, the high risks resulting from the reviews and tests we conduct where there was no choice but to accept the risk because we didn’t have enough time to mitigate it properly. We should include anything else that might help us get through the next event successfully and minimize the risks associated with remote work.
These are very challenging days for everyone, and malicious groups are already trying to take advantage by attempting to execute cyber-attacks and gain access to organizations’ assets. Once they do, they will probably create a persistence mechanism that they can use even after the current situation has passed and organizations once again feel that their data is protected. Therefore, it is imperative to understand that an organizations’ actions today, and the speed at which they are executed, will have a crucial impact on reducing risks and will subsequently play a major role in ensuring that the organization is able to achieve its business goals always from everywhere.
Stay safe.