Working From Home: Security Risks and Opportunity in a Challenging Time
As most of us adjust to the new reality of working from home, there has already been tremendous focus on the security impact of this new normal. And rightly so — for any business that relies on the digital world, wholly or in part, new security threats are surfacing. Hackers are reusing attacks we’ve seen for years and launching entirely new exploits and scams that take advantage of our desire to get news, buy basic supplies or take steps to avoid infection. Traditional security measures, learned behaviors and controls that have been used to protect the normal course of business for years are either not in place or can’t protect a nearly full or a fully remote staff without adaptation and without having the right mindset and approach every day.
The most important element of effective security in a time of change is to realize that while you can do anything, you can’t do everything. The job of security is not to eliminate all risks because they are not all equally dangerous or likely, and they won’t all be exploited immediately if left alone. Engage with the business early and often around risk discussions, and revisit triage on a regular basis. The risks today will not be the ones you face next week or the week after.
These are the current, main security concerns businesses need to address to get ahead in this first wave of adjustment:
VPNs can be manipulated by hackers without a view of the whole
Virtual private networks, or VPNs, have become the new lifeline for many businesses, extending encrypted lifelines to the new remote offices in our homes. However, many home networks are already home to malware or compromised hardware that can be exploited for staging attacks through machines with VPN termini.
Compromise of an identity or a machine, especially when behavioral baselining on the backend is in flux, can allow hackers to piggyback through the VPN. It’s critical to have endpoint integrity checking and strong authentication in place at this stage, once the VPN is in place and active. There are also vulnerabilities for VPNs that require really understanding and internalizing rather than blindly trusting, and many applications that are becoming the new IT critical infrastructure will see new vulnerabilities.
This is not cause for panic, but it is cause for dialog with vendors in the coming weeks and planning for patching and failover. Remember these vendors too are going through change and doing triage on their support and escalations, but seek the channels and the dialog now. Start now by contacting your hardware or software providers to ensure configurations and policies are properly configured starting with the VPN, endpoint and identity solutions.
Endpoint first, mobile next and then the long tail of the new IT environment
While there are many endpoint challenges, the first priority is to ensure critical business processes recover and that that the large, new enterprise footprint is brought into the fold from a policy and controls perspective.
Next up will be mobile, as the most pervasive and ubiquitous platform in our personal lives. When employees have new or foreign devices and applications, the phone will feel familiar and will get stretched in new ways. The adversary will start by targeting the lowest hanging fruit with identity theft and classic machine exploits, but next up will be fresh innovation and exploitation of mobile devices before subsequently moving to other targets of opportunity. Get ahead of this sooner rather than later before looking to other devices on home networks and in the new IT environment.
Misinformation and even information can be weaponised
In the last few weeks, attackers have taken advantage of human, “layer 8” weaknesses first-and-foremost. For example, there are malicious mobile applications posing as legitimate apps developed by the World Health Organization (WHO) to help individuals recover from COVID-19.
A user could easily mistake this malicious app for a real WHO app; once installed, the application downloads the Cerberus banking trojan to steal sensitive data. This could as easily be done with applications that provide real benefits too, in effect weaponizing tools and information. Where before attackers had to plan their cons for diverse interests and lures, we all now care about the same crisis. COVID-19 has become our common watering hole, and as such a lot can be done with the right awareness and education in defense.
Physical location matters again
When employees take their machines home or use a home machine — that is meant for many non-work purposes — suddenly for work, that machine is sitting in a physical and digital environment unlike any within the office. From routers and printers to foreign machines, devices, gaming consoles, home automation and more, the average home has all the complexity and diversity of communication and processing of some companies a scant decade ago. Employees might be taking conference calls within earshot of family members, being recorded by any number of devices or even within earshot of employees of other companies.
Nothing can be taken for granted in the diversity of the employee home, but some simple policies are important; and these are not just security-related but also privacy and even culturally relevant. Should employees have cameras on or off for meetings, should they wear earphones, should they take notes on paper or miscellaneous applications, how should they handle viewed or created IP or PII, what communications applications are acceptable or not and what happens when others intrude, see notes or overhear discussions? These are all non-trivial and important questions to get right up front, but above all listen and adapt when things aren’t working as you form policies.
This is far from the full punch list, and some companies will no doubt be well ahead of this list having easily and smoothly moved into a fully remote workforce. Wherever a company is, though, the most important thing is the approach and the dialog with the business. If you’ve got these under control, enumerate the risks that remain, sort them and tackle the next four and so on.
Security is never done because the opponent is never done; they are endlessly innovative and adaptive. This is a race of adaptation and, in the words of Winston Churchill, “never let a good crisis go to waste” use this as the chance to have a new, ongoing security dialog with the business and to find a new security practice that not only enables the business but that measures itself by its rate of improvement. This is not a zero-sum game; in the race between the quick and the dead, the quick are not only alive but also thrive.