A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modify your business processes and workflows to accommodate this change, it’s important to understand how remote work affects your cybersecurity posture and what openings and opportunities exist for cybercriminals to take advantage of you.  We would like to take this opportunity to provide advice on how to orient your security posture to account for this increased threat vector and illustrate several common patterns of weakness.

VPNs

Long touted as the safest and most reliable way to enable remote work, Virtual Private Networks (VPNs) allow a user to access internal enterprise resources and applications from any internet connection.  VPN connections are encrypted, preventing untrusted network operators (such as your local coffee shop) from snooping on sensitive traffic, but they don’t solve every security problem.

Risks:

  • VPNs weaken the network boundary by allowing additional devices into the most vulnerable part of a company’s IT infrastructure – its internal network
  • Compromised user accounts can give attackers direct access to many internal resources
  • Granting VPN access to untrusted devices is equivalent to plugging that device directly into your network, along with any infections it might have

The more users who connect through your VPN, the more likely it is that one of them is handing an attacker access to your internal network by way of a compromised user device.  When VPN access is allowed from machines that are not corporate-provisioned, this risk is even greater.  If an attacker does gain this access, it can be devastating, because the internal network is frequently the most vulnerable part of an enterprise’s infrastructure.

Solutions:

  • Create a separate User Account specifically for VPN access for each user
  • Place VPN user accounts into a restricted Organizational Unit with as few privileges as possible. For example, if you run Citrix, only allow VPN user accounts to sign onto Citrix desktops.
  • Set up Two-Factor Authentication (2FA) for all users and VPN user accounts to increase difficulty for attackers
  • Install a Honeypot on your internal network to help identify suspicious network activity coming from one remotely connected device
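The honeypot item above is the one solution in this list that is a piece of running code rather than a policy. The following is an added example (not code from the original post or from any product) of the smallest useful internal honeypot: a TCP listener on a port no legitimate service uses, which records every connection as a JSON alert line. The loopback address, the OS-chosen port, the two-second read timeout and the field names are all assumptions for illustration; a real deployment would bind to an internal-network address and forward the lines to your log collector.

```python
import json
import socket
import threading
from datetime import datetime, timezone


class Honeypot:
    """Bare TCP listener on a port nothing legitimate uses. No real service
    answers here, so every connection is worth an alert. Constructed example."""

    def __init__(self, host="127.0.0.1", port=0, accept_timeout=10.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(accept_timeout)  # so serve() cannot block forever
        self.host, self.port = self.sock.getsockname()[:2]
        self.events = []

    def serve(self, max_connections=1):
        """Accept up to max_connections, recording the source and the first bytes sent."""
        try:
            for _ in range(max_connections):
                try:
                    conn, (peer_ip, peer_port) = self.sock.accept()
                except socket.timeout:
                    break
                with conn:
                    conn.settimeout(2.0)
                    try:
                        first_bytes = conn.recv(256)
                    except (socket.timeout, OSError):
                        first_bytes = b""
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "peer_ip": peer_ip,
                    "peer_port": peer_port,
                    "honeypot_port": self.port,
                    "first_bytes_hex": first_bytes[:64].hex(),
                })
        finally:
            self.sock.close()
        return self.events


def alert_lines(events):
    """One JSON line per event, ready to ship to a log collector or SIEM."""
    return [json.dumps(e, sort_keys=True) for e in events]


def run_demo(payload=b"probe\r\n"):
    """Start a honeypot on loopback, connect to it once the way a stray device
    would (constructed payload), and return the recorded events."""
    hp = Honeypot()
    worker = threading.Thread(target=hp.serve, kwargs={"max_connections": 1})
    worker.start()
    with socket.create_connection((hp.host, hp.port)) as client:
        client.sendall(payload)
    worker.join(15)
    return hp.events


if __name__ == "__main__":
    for line in alert_lines(run_demo()):
        print(line)
```

Because the listener answers nothing, there is no false-positive problem to tune: the only thing that should ever appear in its log is a misconfigured scanner or a remote device that is probing your network, and the `peer_ip` field tells you which VPN client to isolate.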

The Vexing VPN - in a split tunnel, security solutions only see traffic destined for the enterprise.
A Note on VPN Configurations:

VPNs also have the option to perform Full or “Split” tunneling.  Full tunneling forces all network traffic to go over the VPN connection, including traffic unrelated to the corporate network such as YouTube or Skype.  In a split tunnel VPN, only traffic destined for internal corporate services travels over the VPN connection.

Split tunnel is therefore less secure than a full tunnel configuration, because in a full tunnel your remote users will still be protected by your existing network security appliances such as content filters and/or next-gen firewalls.  This comes with an expensive tradeoff, though – you must have enough bandwidth to serve all of your users’ browsing habits!
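The difference between the two modes is entirely a routing-table difference on the client, and it is worth seeing exactly which flows your appliances lose sight of. The following is an added example (not code from the original post or from any VPN product) that models a remote user’s routing table and applies longest-prefix matching to three constructed destinations: an intranet host, a public website and a home printer. The corporate range 10.0.0.0/8, the home LAN 192.168.1.0/24 and the public test address 203.0.113.5 are assumptions; the two /1 routes in full-tunnel mode mirror how OpenVPN’s `redirect-gateway def1` option overrides the home default route without deleting it.

```python
import ipaddress

# Constructed route tables for illustration. The corporate prefix, the home
# LAN and the public test address are assumptions, not values from the page.
CORP_PREFIX = ipaddress.ip_network("10.0.0.0/8")      # assumed internal corporate range
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed home network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A route is (destination network, outgoing interface). "tun0" is the VPN;
# anything leaving via "wlan0" never reaches the enterprise security appliances.
HOME_ROUTES = [(DEFAULT, "wlan0"), (HOME_LAN, "wlan0")]


def longest_prefix_match(routes, dst):
    """Pick the outgoing interface the way a host routing table does:
    the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def vpn_routes(mode):
    """Routes present on the client once the VPN is up, for either tunnel mode."""
    corp = [(CORP_PREFIX, "tun0")]
    if mode == "split":
        # Only the corporate prefix is pushed; everything else keeps the home default.
        return HOME_ROUTES + corp
    if mode == "full":
        # Mirrors OpenVPN's "redirect-gateway def1": two /1 routes outrank the
        # home /0 default without deleting it, so all non-local traffic enters tun0.
        halves = [(ipaddress.ip_network("0.0.0.0/1"), "tun0"),
                  (ipaddress.ip_network("128.0.0.0/1"), "tun0")]
        return HOME_ROUTES + corp + halves
    raise ValueError(f"unknown tunnel mode: {mode}")


def classify_flows(destinations, mode):
    """Map each destination to the interface it leaves on; 'tun0' means the
    enterprise content filter / firewall gets to inspect it."""
    routes = vpn_routes(mode)
    return {dst: longest_prefix_match(routes, dst) for dst in destinations}


def inspected_by_enterprise(destinations, mode):
    """Subset of destinations whose traffic the enterprise appliances will see."""
    return sorted(d for d, iface in classify_flows(destinations, mode).items()
                  if iface == "tun0")


if __name__ == "__main__":
    sample = ["10.20.30.40", "203.0.113.5", "192.168.1.10"]  # intranet, public site, home printer
    for mode in ("split", "full"):
        print(mode, classify_flows(sample, mode))
```

Note that even in full-tunnel mode the home printer stays local, because the /24 route is more specific than either /1: a full tunnel protects the user’s internet browsing, not their home LAN, which is one more reason to treat the home network as untrusted.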

Two Factor Authentication (2FA)

It’s extremely important that you have 2FA deployed within your organization.  It helps prevent compromise when user credentials are leaked as a part of a breach and makes it more difficult to obtain user credentials through phishing attacks.  With that said, you should be aware that 2FA is not a silver bullet for protecting user credentials on all services because 2FA can be bypassed when user devices have been compromised.

Two Factor Hangover

Risks:

  • Compromised devices which are used to prompt the user for a 2FA token may relay the token to an attacker
  • Compromised devices may allow an attacker to steal session information and impersonate affected users

As an example, by stealing/intercepting a session cookie for a service to which the user has already authenticated, an attacker may gain direct access to the application without needing to authenticate. Many applications (e.g. cloud-based email, collaboration tools) do not tie their session cookie to a single device/source IP/location, because if they did, roaming mobile users would have to reauthenticate as their device switches from Wi-Fi to 4G or 5G connections. As a result, it is usually possible for an attacker to reuse the same session as a legitimate user.

Solutions:

  • Monitor your application logs for access from suspicious geographical locations unrelated to your typical user or business locations
  • Do not share sensitive information such as passwords in email or chat
  • Train your employees to report suspicious activity such as disappearing incoming email, email switching from read to unread without explanation, or password reset emails
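Because the session cookie itself cannot tell you whether it is being reused, the detection has to come from the application’s access log, which is what the first solution above asks you to monitor. The following is an added example (not code from the original post) that runs two checks over a constructed access log: access from a country outside the set your business operates in, and the same session id appearing from two different countries within a short window, which is the signature of the stolen-cookie scenario described above. The log format, the user names, the session ids, the addresses (from the RFC 5737 documentation ranges) and the country codes are all constructed; a real deployment would derive the country column from a GeoIP lookup on the source address.

```python
from datetime import datetime, timedelta

# Constructed application access log: timestamp, user, session id, source IP, country.
# The country column stands in for a GeoIP lookup that a real pipeline would perform.
SAMPLE_LOG = """\
2020-03-24T08:02:11Z alice sess-41aa 203.0.113.7 US
2020-03-24T08:15:40Z alice sess-41aa 203.0.113.7 US
2020-03-24T08:21:03Z alice sess-41aa 198.51.100.9 RO
2020-03-24T09:00:00Z bob sess-9c1e 192.0.2.33 US
2020-03-24T09:05:12Z carol sess-77f0 192.0.2.80 CA
"""

EXPECTED_COUNTRIES = {"US", "CA"}     # assumed: where this business and its staff actually are
TRAVEL_WINDOW = timedelta(hours=2)    # assumed: no one legitimately changes country this fast


def parse_log(text):
    """Turn the space-separated log into dicts, sorted by time so the
    session-reuse check below sees events in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, ip, country = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "session": session,
            "ip": ip,
            "country": country,
        })
    return sorted(events, key=lambda e: e["time"])


def find_alerts(events, expected_countries=EXPECTED_COUNTRIES, window=TRAVEL_WINDOW):
    """Return (kind, user, session, detail) tuples for two conditions:
    - unexpected_country: any access from outside the expected set
    - session_reuse: one session id seen from two countries within the window,
      i.e. a cookie that is probably being replayed from a second device."""
    alerts = []
    for e in events:
        if e["country"] not in expected_countries:
            alerts.append(("unexpected_country", e["user"], e["session"], e["country"]))

    last_seen = {}  # session id -> most recent event for that session
    for e in events:
        prev = last_seen.get(e["session"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= window:
            alerts.append(("session_reuse", e["user"], e["session"],
                           f"{prev['country']}->{e['country']}"))
        last_seen[e["session"]] = e
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second check is the more valuable one: a user who genuinely travels will log in again from the new location with a fresh session, whereas a replayed cookie keeps the old session id while the country changes underneath it.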

Endpoint Security

When your users work from home, they have a greater exposure to cybersecurity threats because inevitably they will be using their devices for both business and pleasure.  This increased usage is even more dangerous when paired with a split-tunnel VPN which does not force browser traffic to flow through enterprise security appliances and controls.

Risks:

  • Antivirus/Antimalware solutions can be bypassed more easily as users are outside of the protections of enterprise networks
  • Traffic visibility may be significantly reduced
  • Users will use their devices for personal browsing/activities which increases their exposure

Since your users will be using their devices more (whether they are corporate or personal), they will be more likely to encounter threats, which makes patching and antivirus updates critical, but potentially unreliable if you do not use a VPN or if you allow personal devices on the network.

Solutions:

  • Provide up-to-date devices configured with more aggressive security profiles to high-risk individuals such as Executives and Executive Assistant staff
  • Closely monitor inbound and outbound connections on your remote devices
  • Step up social engineering defense training to help combat COVID-19 related scams
  • Educate your employees not to store or share credentials outside of password safe solutions such as 1Password, Keepass, Lastpass, or Dashlane.

Final Words:

Even when lockdowns and restrictions around the coronavirus are lifted, the volume of remote workers is likely to increase.  As we’ve shown, remote users are at increased risk because they are outside of enterprise security appliances, encounter more threats by using the same devices for both business and pleasure, and aren’t necessarily covered by existing security controls.  With this in mind, it’s important to be proactive and set up increased logging, provide updated and secured devices to high-risk individuals within your organization, and limit the access that users have through VPN connections.

We hope that you stay safe, both online and off, and that you keep us in mind if you’re seeking to audit your remote worker security solutions.  In the coming week, we will be providing pricing packages specifically designed around auditing remote work solutions.