Tips for an Information Security Analyst/Pentester career - Ep. 82 - Coronavirus and remote work security challenges



All over the world, the pandemic outbreak caused by the coronavirus is forcing organizations to radically rethink their work structure, allowing employees to work remotely where the nature of their business allows it.

Some companies were already implementing remote work solutions to a certain extent before the virus outbreak, while others weren't prepared for this change or weren't considering it at all.

The challenges created by the pandemic are a typical example of why a disaster recovery strategy is so important for the survival of an organization. Organizations will need to respond quickly to this new scenario, or they'll soon be out of business.

As often happens, though, making strategic decisions under time pressure can lead to catastrophic consequences.

Incorrect and hasty VPN implementations can lead to a higher number of security breaches than there would be otherwise. A VPN (Virtual Private Network) gives access to an organization's internal network. When remote employees connect to a VPN, they access the internal network the same way as if they were sitting at their desks using a device physically connected to it.

The scenario we're currently living through will push more and more organizations to implement VPNs over short time frames, so the underlying question is: how can this be done securely, and how can organizations implement the solutions they need without jeopardizing their business and their customers' information?

Challenges in working from home
The primary benefit of VPN is that network traffic is routed through a secure tunnel between the user and the organization.

However, the use of a VPN may also present some underlying risks and challenges.

If the VPN service is configured incorrectly, it could force all users' network traffic through the VPN, slowing down connectivity. Conversely, if the VPN is configured with a split-tunnel setup, users have access to internal apps and resources but their web traffic is not routed through the organization. In that case, a compromised endpoint could expose those internal resources to potential attackers, and the organization would have no logs of the incident, so attackers could persist within the corporate network for a long time.

ALWAYS use a VPN when working remotely. The spread of so-called Internet of Things (IoT) devices and of smart devices connected to the Internet (TVs, security systems, washers, dryers, printers, etc.) has gradually increased the attack surface. Oftentimes these devices are inherently insecure or are configured with default credentials, which could allow an attacker to move laterally across the home network and compromise the corporate device used there.
Additionally, Multi-Factor Authentication (MFA) should be enabled whenever available. MFA makes it more difficult for attackers to access company assets, as they must typically also have access to a user's smartphone or security device, in addition to their username and password, to log in.

Make sure the specific VPN solution implemented is constantly updated against the most recent threats. I recently had the chance to pentest some endpoints running Fortinet, affected by two CVEs related to critical vulnerabilities (directory traversal and reflected XSS), and I was able to successfully access sensitive files on the web server.
A failure to install the patches related to these and other vulnerabilities can easily lead to a complete compromise of the VPN and, along with it, of the whole corporate network.

For a more thorough analysis of this topic, please refer to the following links:

Updating the underlying software, along with using strong passwords and MFA solutions, minimizes the risks related to password spraying attacks, brute force attacks, dictionary attacks and other TTPs (Tactics, Techniques and Procedures) that could lead to a partial or complete corporate network compromise. It's a cat-and-mouse game, and organizations need to stay on top of it. For each dollar spent on information security, one dollar is spent by the bad guys on developing new malware and exploits.
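The password spraying and brute force attempts mentioned above are exactly what a VPN gateway's authentication log should surface. As an added example (not code from the original post or from any VPN vendor), the script below parses a constructed, simplified log format and flags three things a defender would want to see: one source failing against many accounts (spraying), one account failing many times (brute force), and successful logins that completed without MFA. The log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample VPN authentication log lines (assumed key=value format, not from any real product).
SAMPLE_LOG = """\
2020-03-20T08:01:02Z vpn auth user=alice src=198.51.100.7 result=fail
2020-03-20T08:01:03Z vpn auth user=bob src=198.51.100.7 result=fail
2020-03-20T08:01:04Z vpn auth user=carol src=198.51.100.7 result=fail
2020-03-20T08:01:05Z vpn auth user=dave src=198.51.100.7 result=fail
2020-03-20T08:01:06Z vpn auth user=erin src=198.51.100.7 result=success mfa=no
2020-03-20T08:02:00Z vpn auth user=frank src=203.0.113.9 result=fail
2020-03-20T08:02:01Z vpn auth user=frank src=203.0.113.9 result=fail
2020-03-20T08:02:02Z vpn auth user=frank src=203.0.113.9 result=fail
2020-03-20T08:02:03Z vpn auth user=frank src=203.0.113.9 result=fail
2020-03-20T08:02:04Z vpn auth user=frank src=203.0.113.9 result=fail
2020-03-20T08:05:00Z vpn auth user=grace src=192.0.2.50 result=success mfa=yes
"""

def parse_line(line):
    """Parse the key=value fields that follow the timestamp; return a dict, or None if not an auth event."""
    parts = line.split()
    if len(parts) < 4 or parts[1:3] != ["vpn", "auth"]:
        return None
    fields = {"ts": parts[0]}
    for tok in parts[3:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields

def analyze(log_text, spray_users=4, brute_fails=5):
    """Return sources spraying many accounts, accounts being brute-forced,
    and successful logins that did not complete MFA (thresholds are assumed)."""
    fails_by_src = defaultdict(set)   # src -> distinct users that failed from it
    fails_by_user = defaultdict(int)  # user -> number of failed attempts
    no_mfa = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev.get("result") == "fail":
            fails_by_src[ev["src"]].add(ev["user"])
            fails_by_user[ev["user"]] += 1
        elif ev.get("result") == "success" and ev.get("mfa") != "yes":
            no_mfa.append((ev["user"], ev["src"]))
    spraying = sorted(s for s, users in fails_by_src.items() if len(users) >= spray_users)
    brute = sorted(u for u, n in fails_by_user.items() if n >= brute_fails)
    return {"spraying_sources": spraying, "brute_forced_users": brute, "success_without_mfa": no_mfa}
```

On the sample log this reports 198.51.100.7 as a spraying source, frank as a brute-forced account, and erin's login as one that bypassed MFA; in practice the thresholds should be tuned to the organization's baseline and the logs shipped to a central system.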

Endpoint security
Most users who work from home will typically use a laptop computer as an endpoint. However, some organizations use tablets, smartphones, and other devices as well. Regardless of the specific devices used, endpoint security for home-based corporate devices is paramount, as endpoints often store corporate files and can access sensitive data stored elsewhere by the organization. Securing endpoints goes beyond just installing antivirus. For organizations that already have a mature cybersecurity stack and a routinely tested and patched golden image, these processes will be much smoother.

Some of the most important considerations to keep in mind when choosing from different endpoint security solutions are the following:
  • Ensure all endpoints connecting into your organization meet a minimum set of security requirements. If your organization needs to comply with HIPAA, PCI DSS, or other forms of governance, regulation, and/or frameworks, your endpoint security solutions need to abide by them, as well.
  • Endpoints should run an effective antivirus and firewall solution. If your organization has the budget for it, a Malware Prevention solution, like AppGuard, and an Endpoint Detection and Response (EDR) solution, like Carbon Black or CrowdStrike, would be good to have as well. Endpoints should be configured to log events (ideally by sending them to a controlled dedicated system, like Elastic).
  • Mobile Device Management (MDM) policies should be enforced, if applicable.
  • Enforce Full Disk Encryption (FDE) wherever possible.


Physical Security
If your organization or your users deal with sensitive data or have to comply with certain regulations, physical security should be taken into consideration for home-based work environments, too, not only for corporate locations.

The organization should enforce the following best practices in this regard:
  • Keep company assets in a locked drawer or similar when not in use.
  • If an employee lives with other people, make sure they understand that company assets are for company use only and that their family, friends, and others cannot have access to them.
  • Have employees set up their home offices in a part of their home not very exposed to prying eyes whenever possible – computer and mobile screens should never face uncovered windows and doors.
  • Depending on regulations that may need to be followed for your industry, certain locks and procedures may need to be implemented.
  • Users could end up having their devices lost or stolen as a reaction to the cabin fever induced by the pandemic. Make sure employees understand their responsibilities for securing company assets. If they choose to work from a location other than their homes, they should be using a privacy screen and laptop locks, in addition to FDE and VPN.

Wrap-up
The world (and the information security scene with it) is facing an unprecedented scenario leading to a new industrial revolution that all organizations will be forced to face. Such a scenario will bring radical changes to the way we lead our lives, to the global economy and to our daily habits but, most importantly, it will pose (and is already posing) new challenges and threats for organizations, to be faced head-on and as soon as possible, as their very survival is threatened.
Will your organization rise to the occasion?
How will you fare when faced with these new challenges?
A famous old movie quotation goes, "When the game is tough, the tough get going".
This is the time for all security professionals to step up and help.
Now is the time for all of us to give all we've got and even more.
I feel very motivated by these new challenges and I'm trying to work harder and smarter than I have so far, to keep our clients safe and do our share.

I'm lucky enough to be part of a penetration testing company dealing with these challenges day in and day out, and I know how hard my coworkers and I are working to go the extra mile for our clients.

If we can help you in any way to face these new challenges and to remediate any incidents your organization might be experiencing as a result of an incorrect VPN implementation, you can directly contact our team at Polito, Inc.
