At the beginning of January 2020, COVID-19 started to hit the world in full force, and by the end of March almost every country on the planet was in some sort of lockdown. Businesses tried to continue running nonetheless, and they had no choice but to accept the reality of telework. At that time, most businesses already had some kind of system set up, but it moved from the “Nice-to-have” to the “Must-have” category. That massive spike in teleworkers everywhere brings a very interesting challenge to the cyber security field.
A lot can be written on the subject of telework and protecting a business network that extends into the homes of employees. This Rallypoint will briefly expose some of the risks inherent to that type of architecture, the specific attack surface that is expanded in that environment and some basic mitigation strategies.
When a business extends its network over infrastructure which it does not control, like home networks, consumer Internet Service Providers or personal computer devices, it loses a lot of control over the environment. This is where the essential risk of enabling teleworking resides. As long as the network is solely under the control of the business, it is within the power of that business to enable security controls in order to prevent security issues. When that control is handed over to each and every one of its employees, network security becomes a shared responsibility and the attack surface expands.
When an employee has, like now, access to work from home, or anywhere for that matter, they are opening up the business attack surface quite a lot. At the most basic level, there are two types of access for teleworkers: either with a business-provided endpoint or on the employee's own personal devices. If your employees are using their own devices, the risk is even higher as you do not have, at the beginning, any control over their actions on the device. With a business-provided device, the business has a higher degree of control, but you will never have a level of control similar to on-premises. For example, you will never be able to tell if you have an adversary trying to intercept signals from within the employee's home wireless network bubble. Although this seems all gloom, it is not completely bleak. There are a few mitigations that can be put in place to enable the flexibility and necessity of telework.
Awareness training: Awareness Training should be the top business priority in a security program. Ensuring that employees are aware of the risks involved in working from home and the common pitfalls involving the individual is essential. Validating the level of awareness through internal and external cyber assessment would be a logical next step following initial training. Security training is just as important for employees working on premises.
Virtual Private Network (VPN): In order to solidify the chain of trust, establishing a VPN between the employee device and the network will increase the level of privacy and security of the infrastructure. Although this will add a small layer of complexity for the employee, the advantage of doing so outweighs the inconvenience in most cases. It must be noted that having a VPN can bring a false sense of security, which brings us back to the need for a strong cybersecurity awareness program.
Local antivirus (AV) and antimalware solutions: Providing employees with suitable AV software that they can install on their own endpoint devices for protection is a process that will bring a layer of automation to this defence mechanism. Having a centralised monitoring console for those endpoints would be an even better solution. This would enable proactivity from the security team, as opposed to waiting for a call from an employee that might never come because they missed the pop-up warning from their unmanaged AV program.
Security suite software: Many companies have solutions that take over security on endpoints, whether personal or company-owned. Great care must be taken on an employee-owned system, as there is a fine line not to cross between the company's security posture and the personal privacy of the employees themselves. It is always wise to seek professional advice in these cases.
There is no turning back now that the Pandora’s Box of work from home has been opened and accelerated because of the COVID-19 pandemic crisis. The reality of telework for business is here to stay. Businesses that won’t embrace that reality will suffer as more and more employees are likely to ask for Work From Home arrangements. As security professionals, we must ensure that sufficient security controls are in place in order to keep the whole of our infrastructure (including employees' personal devices and anywhere there is a Wi-Fi connection) secure. This Rallypoint is not meant to be all-inclusive and is only the tip of the iceberg of the different mitigation measures that could be implemented in an environment.
The essential point to keep in mind is that employee awareness is the best line of defence, as most of the techniques behind compromising (or cracking) security systems nowadays involve human error or social engineering.