Working from home is not something new. Many organizations have supported employees working from their homes on a regular basis for years. The work-from-home crowd was always designed to be a small percentage of the overall workforce, and the infrastructure was designed to handle that volume. Then, the COVID-19 pandemic happened, and things changed both dramatically and quickly.
Within a matter of days, millions of people, in dozens of countries, were told to work from home as part of government-instructed social distancing methods. Students of all ages were forced to finish their school years through online learning portals, Facebook messages and Zoom classrooms. Medical professionals took to offering care via video chats as opposed to physical appointments in clinics.
It isn’t just that the vast majority of us are now working from the kitchen table. Every aspect of our lives now requires an internet connection. We can’t go to theaters, so people are using streaming services to watch movies. We can’t gather in person for drinks or dinner, so we do it in large group chats.
Network infrastructure has not been built for this amount of traffic, and this puts the security of data at risk.
How COVID-19 is Impacting Security
Organizations that have not thought through their remote security programs are quickly discovering the brittle nature of traditional security controls, Ben Waugh, chief security officer for Redox, points out; especially those with “hard shell” models that place an emphasis on strong perimeter controls, while assuming devices on the internal network can be fully trusted.
“Even in a traditional setting, this means that when the corporate perimeter is breached, it becomes much easier to attack,” explains Waugh. “Likewise, when a device leaves the corporate network, it loses these corporate perimeter safety guards. The use of VPN software may protect some of the traffic and provide access to company resources, but it can leave the devices open to a number of other attacks.”
VPN use has skyrocketed since mid-March, with expectations that in the US, for example, usage will increase by more than 150% before stay-at-home orders are lifted. In Europe, similar numbers have been seen since countries were put on mandatory lockdown. To meet this new demand, organizations have been conducting stress tests to see if their VPN systems and network can handle the extra external load.
The network load might not be the problem, however. While cellular network providers are doing their part to ramp up bandwidth, organizations may not have enough VPN machines in their office to meet the demand of workers at home. Remember, remote work was always supposed to be for a limited number of employees in most companies, and now there is a scramble to provide machines for everyone who will be accessing sensitive data from home. That limit may tempt users to download free VPN options, especially for their wireless devices. While this might look like a safe option – hey, it’s a VPN! – there are a lot of risks to consider, such as information being sold to third parties (the developers have to make their money somehow), lower levels of cybersecurity offered, aggressive advertising that could possibly be loaded with malware and slower connection speeds that make productivity more difficult.
“This pandemic has incentivized companies to restructure how they work and will make remote work arrangements more permanent in some cases”
Online Meetings Aren’t Safe Either
VPN use isn’t the only technology on the rise. Organizations are relying on video conferencing to conduct regular ‘in-person’ meetings, as well as a way to provide co-workers a chance to socialize and feel less isolated. These video chats provide a false sense of security, as users think that because they are speaking, it isn’t any different than sharing ideas across a table in a conference room. Also they think because they are on their usual network, the regular security system is taking care of protecting any documents shared during these conferences.
Yet, the various security problems recently revealed in Zoom show just how insecure these video conferencing software packages are. A vulnerability in Zoom’s software allowed outsiders easy access into conferences, so businesses (and informal chat groups) have seen an uptick in ‘Zoombombing,’ where someone enters the chat room and takes over controls of the meeting or shares offensive graphics. The problems go beyond Zoom, though, as organizations have been lax about basic security protocols such as relying on passwords and passcodes for access and ensuring that all transmissions are encrypted.
The Struggles for the Security Team
Although many employees may appreciate the opportunity to work at home and are more productive working alone, this transition has been rough for security professionals.
“Since many of the security controls and tools used by non-distributed companies depend on being on the local network, they cannot do many things remotely,” explains Waugh. “These companies have found it more difficult to update and monitor logs, for example, unless the device is on the local network.”
So, with employees using machines at home, the security team is in the dark, unable to monitor logs or see what is running (or not running in terms of controls and configuration) on a machine – or push new configurations, settings or patches when needed as easily as they could on the local network.
For remote work to be secure, IT and IT security professionals must be able to exert administrative control over remote systems and infrastructure that enables remote access in the same way that they administer on-premise devices, Luke Willadsen, security consultant with EmberSec, points out.
“What this boils down to is that employees should only be able to access their corporate VPN through company-issued laptops or through tightly secured remote desktop service applications,” Willadsen tells Infosecurity. “You cannot claim that a network is secure if unknown, unauthorized devices are connecting to it.”
“You cannot claim that a network is secure if unknown, unauthorized devices are connecting to it”
Where Do We Go from Here?
At some point, people will return to their offices, but most security experts believe there will be significantly greater demand for remote working in the future.
“This pandemic has incentivized companies to restructure how they work and will make remote working arrangements more permanent in some cases,” explains Pratik Savla, senior security engineer with Venafi. “This is bound to significantly change our work and personal lifestyle landscape in ways hardly anyone would have anticipated just a few weeks ago. This is one change that is very likely to persist well beyond the pandemic itself.”
If security teams are able to meet the demands they’ve seen during the worst of the lockdowns and were able to handle the strains on the infrastructure with minimal security issues, going forward, remote working should be much easier. Savla points out that many companies already had a remote working infrastructure in place, with BYOD and people using laptops to access the network during travel or after hours.
To ensure a resilient cybersecurity posture that is able to cope with large numbers of remote workers going forward, Savla recommends that security teams need to focus on several key areas.
First, they will need to design phishing email exercises that are timely and relevant to test their employees and increase awareness. They will also need to make sure employees are practicing good cybersecurity hygiene while working from home.
They will also have to prioritize patch management activities to keep the systems that enable remote access secure. “It’s critical to ensure these systems are hardened against exploitation of security vulnerabilities,” Savla warns.
Additionally, enterprises large enough to have SecOps teams would be well advised to consider channeling some extra energy into threat intelligence.
It is vitally important to think about security in the context of every user or device to ensure they are managed and monitored safely, even on hostile networks, Waugh adds. This means organizations will need to use strong authentication mechanisms to validate users, not just the network they are on.
“That also means enforcing strong controls, such as configuration management and multi-factor authentication, for each application. Security teams must also harden the device, ensuring machines on the local network cannot access services or ports. Finally, they must be able to securely send configuration and patch updates, and monitor events and logs without needing the device to be connected to the corporate VPN,” he says.
Is cloud computing the answer to what is expected to be an increase in remote work as we move into the latter stages of 2020 and beyond? Yes and no. More of the applications used in the office on a daily basis have moved to the cloud, such as Microsoft’s Office 365 or Google Drive or Slack, which makes it easier for employees to access their work documents from anywhere. However, first there is a need to continue to promote greater bandwidth and more needs to be done to improve broadband connections in rural areas. Security is a serious issue with the cloud, as well, and even in the best of times, organizations struggle to protect data transmitted and stored in cloud formats.
However, the opportunities are there in this new frontier of mass remote working, and remote work may help companies answer a major problem – the cybersecurity skills gap and security employee shortages.
“After being part of a remote team for more than two years, the benefits of running a remote security team definitely outweigh the costs of being remote,” argues Waugh. “Although building a security team is hard, being able to open up that opportunity across the country or even the world makes it much easier to find talented and passionate security team members from a variety of different backgrounds.”