Securing a Remote Workforce: Top Five Things to Focus on For Everyone
Deploying a remote workforce is uncharted territory for some organizations, while others have been perfecting the model for years. Most security programs have different ways to handle their workforce. For on-premise users, the approach has traditionally been more of a castle mentality, where you attempt to prevent outsiders from penetrating the network perimeter (similar to a castle with walls and distinct egress/ingress points). This line of thinking is a relatively old concept, however, as most organizations and security teams recognize that our perimeter continues to expand with services such as Bring Your Own Device (BYOD), mobile workforces, and the remote employee. A number of concepts have evolved over the years, including the zero trust model, which is a great idea conceptually, but a number of organizations struggle with how impactful a complete redesign of an architecture can be, and most fail during implementation.
With cloud adoption, starting with an architecture design prior to moving to the cloud is most desirable, and the flexibility to design and build an infrastructure that reduces risk to the organization is much more attainable. In this post, we look at what a remote workforce entails, how it can be challenging for organizations, and the top five (5) things you need to focus on in order to ensure your risk is reduced. With the majority of the workforce (both essential and non-essential) now working from home worldwide, businesses must now contend with a new list of challenges and exposures.
Understanding the Risks
With a remote workforce, many of the controls in place for your organization are no longer available. Things like packet inspection, monitoring and detection capabilities, incident response, content proxies, and more are all in place to prevent internal users from accidentally causing harm to your business. When a remote workforce is stood up, the individuals in your company connect through a number of different networks. With everyone home, you now have more online connected devices, which a business has no control over, with direct access to corporate assets. With the Internet of Things (IoT), personal computers, children, and significant others, the number of devices on home networks is astounding. Most users have little to no security experience, and the home network is often an extremely vulnerable pivot point.
In addition, the lack of security controls in the home network makes it even more challenging for companies to place adequate controls on the endpoint to prevent unauthorized access. Just recently, we have seen a massive influx in COVID-19 phishing websites, drive-by attacks, and even a flaw on a Health & Human Services website that allowed for website redirects, which makes phishing campaigns even more real (Note: This vulnerability has since been addressed). There is no question that the threat and risk are real for the remote workforce, more now than ever before.
What are the top five (5) things that you need to focus on during these times to protect your remote workforce?
#1 Authentication and Authorization
How your remote workforce authenticates to the services they need in order to perform their daily jobs is critical. Centralizing single sign-on with multi-factor authentication (MFA) is probably one of the most important elements here. A recent post from Microsoft's Incident Response team concluded that 99.9% of all account compromises could have been prevented by implementing MFA: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/.
If you are a business that has not implemented MFA, it is typically embedded into your Virtual Private Network (VPN) software and included as part of your third-party applications. For example, Office 365, Google G-Suite, Azure, AWS, Facebook, Twitter, and more have the ability to enable MFA relatively easily. TrustedSec's recommendation for MFA is either leveraging a hardware token (which is the best solution but is hard to manage) or an authenticator app such as Microsoft Authenticator. With authenticator apps, when a user first signs in with their account, they are prompted to scan a QR code with their mobile device; once scanned, the app provides a one-time password to log in. Most products have a remember timeframe so that if the device is not new, it will allow logging in for a period of time without having to re-enter a one-time PIN.
MFA is so important because it requires the attacker to not only compromise the username and password, but to have physical access to the worker's mobile device. This change alone can have a substantial impact on the overall security of the workforce.
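The enrollment flow described above, sketched as an added example (not TrustedSec's code or any vendor's implementation): it assumes the QR code carries an otpauth:// URI and that codes follow RFC 6238 with HMAC-SHA1, and it uses a constructed account and the RFC test secret. It shows that the one-time password is derived from a secret stored on the enrolled device plus the current time, which is why a stolen username and password are not enough on their own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI (the RFC 6238 test secret, base32-encoded).
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&digits=6&period=30")

def parse_enrollment(uri):
    """Pull the shared secret and parameters out of an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parts.query)
    secret = query["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    return {"key": base64.b32decode(secret),
            "digits": int(query.get("digits", ["6"])[0]),
            "period": int(query.get("period", ["30"])[0])}

def totp(params, unix_time):
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then truncate."""
    counter = int(unix_time) // params["period"]
    mac = hmac.new(params["key"], struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params["digits"]).zfill(params["digits"])

def verify(params, submitted, unix_time, drift_steps=1):
    """Server side: accept the current step plus a small clock-drift window."""
    for step in range(-drift_steps, drift_steps + 1):
        when = unix_time + step * params["period"]
        if when >= 0 and hmac.compare_digest(totp(params, when), submitted):
            return True
    return False

if __name__ == "__main__":
    import time
    p = parse_enrollment(SAMPLE_URI)
    print("current code:", totp(p, time.time()))
```

The drift window is a trade-off: each extra step accepted keeps a captured code valid for another 30 seconds, so keep it small.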
#2 Endpoint Visibility and Response
What schools have been able to accomplish in many areas is standardizing what their students need access to, baselining that, and only allowing exceptions through a formal approval process. We could actually learn a lot from school districts in how they leverage minimal operating systems and focus heavily on application control and whitelisting. An example is that most students work off of Chromebooks, which are very difficult to compromise based on how minimal the application surface is and what users have direct access to. In addition, the ability to lock down Chromebooks allows for very granular control over the device to reduce the threat even more.
In the workforce, especially remote, we recognize that we are placing devices in hostile networks that have little to no security controls. This means that the controls on the endpoints need to be enhanced and we need to have visibility into our endpoints. In the event that an asset becomes compromised, we need to have the ability to identify that the asset is compromised and to respond to minimize the threat. This relies heavily on a monitoring and detection capability within the organization (or outsourced) to help identify intrusions into the system. A number of organizations have leveraged virtualization technology such as Citrix, which places you into a virtual machine that is segmented from the rest of the network and locked down to only provide what services are necessary.
The endpoints themselves need to be monitored for unusual and malicious activity in the event that a user falls prey to a specific exposure or vulnerability. Remember, having a remote workforce does not mean that attackers do not have access to your infrastructure. Your users are directly connected to your organization in some shape or form, and the same attacks that existed inside are now amplified externally.
TrustedSec's recommendation here is ensuring that you have good visibility through your endpoints and a centrally stored and logged infrastructure where you can perform monitoring and detection capabilities on those assets. If you look at how attackers gain access to an organization, it is rarely the initial entry point. Attackers look to expand their presence in a network until they gain access to their objectives. An example is ransomware, which starts as a handful of systems and file shares. We have seen ransomware evolve to where attackers will manually penetrate into your network, get as much access as possible, and then focus on inflicting the maximum amount of damage (most usually go after backups as well).
Having a monitoring and detection program and the ability to identify intrusions in the earlier stages will ensure you minimize the overall impact to your business. Even some basic controls, such as ensuring that the Windows Firewall is enabled when off the network, can drastically improve security.
#3 Network Architecture and Segmentation
Network architecture and segmentation have long been the subject of debate. It is unequivocally harder to hack into an organization that employs network segmentation. Normally when an attacker compromises an endpoint or server, they use the information on the system to perform a task called lateral movement. Lateral movement is taking resources from one (1) system and using them to connect to other systems. Often, the compromised system does not have the data an attacker needs, and spreading to other systems must occur in order to meet the attacker's objectives. Network segmentation isolates systems on the network and compartmentalizes them in a way that does not allow ports and protocols to work between them.
This is commonly employed between workstation and server networks as well as workstation to workstation communication. For remote workers, having solid network segmentation for VPN users or your virtualization environment such as Citrix is very important. If an asset becomes compromised, the ability to spread to other systems is drastically hindered with network segmentation. When connecting to the network, each device should only have access to the systems that are absolutely necessary.
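One way to check that segmentation actually holds for VPN users and workstations, as an added example that is not from the original post: it compares observed connections against an allow-list of segment-to-segment ports and flags everything else, including workstation-to-workstation traffic. The segment names, address ranges, allow-list and flow records are all constructed for illustration.

```python
import ipaddress

# Hypothetical segment plan; substitute your own ranges.
SEGMENTS = {
    "vpn_users": ipaddress.ip_network("10.50.0.0/24"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
    "servers": ipaddress.ip_network("10.10.0.0/24"),
}
ENDPOINT_SEGMENTS = {"vpn_users", "workstations"}

# (source segment, destination segment, port) combinations the business needs.
ALLOWED = {
    ("vpn_users", "servers", 443),
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),
}

# Constructed flow records: "source destination destination-port".
FLOWS = """\
10.50.0.14 10.10.0.5 443
10.50.0.14 10.20.3.7 445
10.50.0.22 10.10.0.9 3389
10.20.3.7 10.20.8.1 5985
10.20.3.7 10.10.0.5 445
"""

def segment_of(ip):
    """Map an address to its named segment, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return "unknown"

def audit(flow_text):
    """Return (src, dst, port, reason) for every flow outside the allow-list."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if (src_seg, dst_seg, int(port)) in ALLOWED:
            continue
        if src_seg in ENDPOINT_SEGMENTS and dst_seg in ENDPOINT_SEGMENTS:
            reason = "endpoint-to-endpoint"
        else:
            reason = "not in allow-list"
        findings.append((src, dst, int(port), reason))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

Any finding means either the allow-list is missing a legitimate need or the firewall is permitting traffic the design says it should not.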
Your architecture also plays a key role in how to handle the remote workforce. Understanding how your infrastructure is designed, regardless of whether it is on-premise or cloud-based, is drastically important to protecting your infrastructure and organization.
#4 Cloud Services
Companies deploy a varying amount of cloud services within their organization. Some have fully adopted cloud services while others still remain on-premise. One of the biggest challenges we see with many companies is not first looking at the overall architecture design, vulnerability management, and monitoring and detection capabilities within cloud environments. Just because you are using a different infrastructure does not mean you can stop focusing on protecting your data and services.
For cloud services, it is important to ensure that the infrastructure and/or applications are configured properly and are secured in a manner that reduces your risk. TrustedSec frequently performs cloud security assessments for customers, and we commonly find large misconfigurations that allow for the direct compromise of an organization’s infrastructure. Having a cloud security strategy that dictates how you enable services in the cloud is very important.
For some, the cloud has allowed for zero trust architectures, in which you become more of a service provider for assets than an entire infrastructure support design. Zero trust is often painful for existing infrastructure, but when starting from scratch, the ability to develop an architecture that allows you to scale and properly secure your critical assets is an amazing thing.
#5 Education and Awareness
Organizations, especially during times of crisis, often do not look at the ramifications of what a full remote workforce entails. Technology is often implemented without focusing on the human element. Employees who are not used to working remotely often struggle to accomplish the same types of tasks with the same level of efficiency as before. Having an education and awareness program that continually updates the remote workforce and offers guidance can help reduce major IT problems as you continue to focus on this longer term.
In addition, with the rise of the COVID-19 issues, it has never been more important to warn users of the risks associated with phishing campaigns as it pertains to working from home. In addition to communicating how to best handle phishing campaigns, users at home have a number of other risks. There are so many different topics here; educating users on subjects such as how to secure home wireless (Wi-Fi) and ways to protect the home can also benefit the company by ensuring that home networks are protected from attack.
It is important to educate users on what being remote entails and how to best ensure the protection of the company’s well-being and intellectual property. There are many online trainings available for free that you can incorporate into your education and awareness program if you do not already have them (see references section). StaySafeOnline.org has some great and free resources you can use to help educate your employees:
https://www.youtube.com/channel/UCEPV7NQpkCLeK66gT--cIsg
In wrapping things up, these are the top highlights we see most organizations struggling with today. Many companies have had to substantially shift to a work-from-home model based on the quick challenges we had to face with COVID-19, and the hope is that you can continue to have a remote workforce for the time being and that it is done in a secure manner. The threats we face are real, especially with a remote workforce. By reducing your risk while working from home, you can face security challenges head on to protect your business.
References
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
https://support.microsoft.com/en-us/help/4026727/microsoft-account-how-to-use-the-microsoft-authenticator-app
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
https://support.google.com/a/answer/175197?hl=en
https://www.youtube.com/watch?v=JktkUpQIKcQ
https://www.youtube.com/watch?v=0Wd3JoUHXno
https://www.youtube.com/watch?v=hsNRrEnB_aM
https://www.youtube.com/watch?v=QiaIL-J9Vds
https://staysafeonline.org/wp-content/uploads/2020/03/NCSA-Remote-Working-Tipsheet.pdf
https://staysafeonline.org