The global coronavirus outbreak is having a profound effect on the way we work, travel and go about our daily lives. As organisations we all have complex tasks we need to fulfil, and over the past few weeks many of us have implemented measures that enable us to fulfil them in the most efficient way possible.
Many organisations have focused on the logistics involved in ensuring people and departments can carry on functioning with minimal disruption to their clients. However, now that we’re adapting to this new reality, we have a chance to make longer term considerations around our remote working strategies.
Although the UK Government has announced its plans for easing the national lockdown, we expect the changes to working practices brought about in recent weeks to stay around for some time. Some organisations may elect to remain virtual, and we may see an acceleration in transitions to cloud technologies for both infrastructure and corporate and back office staff. For examples of this, look no further than Facebook and Google extending their remote working policies until 2021, and Twitter announcing staff will be allowed to work from home “forever”.
This means we should all be focusing not just on making quick decisions, but on making the right long-term decisions, quickly. And in today’s increasingly hostile threat landscape, cybersecurity will be a significant factor informing organisations’ go-forward remote working strategies.
With this in mind, which are the key remote working strategy decisions organisations should be making today to secure their transition towards the new normal?
As with all things cybersecurity, projects that are rushed or not adequately planned have the potential for error. In recent weeks we have seen cases of opening remote access ports such as RDP and SSH to the internet or to dynamic home IP addresses to allow continued remote access; the firing up and use of outdated or unsupported VPNs that have been dusted off the shelf; access given to users on non-company equipment; and for some the roll-out of cloud-based solutions without multi-factor authentication.
If your organisation has mobilised a remote workforce and is considering the security implications of a more permanent remote workforce, here are six ways to ensure your organisation delivers secure remote access.
1. Set up a management zone
If you need remote access to internal systems/servers for management purposes, set up a management zone and block access from the internet. Limit access to a management VLAN, which you can connect to via a jump box, a dedicated management VPN or both. Avoid the temptation to expose RDP, Telnet, SSH, SNMP or any other remote management ports to the Internet or your ‘home’ IP addresses.
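The check described in step 1, as an added example that is not part of the original article: a Python audit of a firewall rule list that flags any allow rule exposing RDP, Telnet, SSH or SNMP to a source outside the management VLAN or management VPN. The rule format, the subnets and the sample rules are constructed assumptions.

```python
import ipaddress

# Remote management services named in the article, keyed by (protocol, port).
MGMT_PORTS = {("tcp", 3389): "RDP", ("tcp", 23): "Telnet",
              ("tcp", 22): "SSH", ("udp", 161): "SNMP"}

# Assumed addressing: management VLAN and dedicated management VPN pool.
TRUSTED_SOURCES = [ipaddress.ip_network("10.99.0.0/24"),
                   ipaddress.ip_network("10.98.0.0/24")]

# Constructed sample rules: (name, action, source CIDR, protocol, first port, last port)
RULES = [
    ("web-in", "allow", "0.0.0.0/0", "tcp", 443, 443),
    ("rdp-home", "allow", "203.0.113.45/32", "tcp", 3389, 3389),
    ("ssh-any", "allow", "0.0.0.0/0", "tcp", 22, 22),
    ("jump-ssh", "allow", "10.99.0.10/32", "tcp", 22, 22),
    ("vpn-admin", "allow", "10.98.0.0/24", "tcp", 3389, 3389),
    ("high-range", "allow", "198.51.100.0/24", "udp", 100, 200),
    ("telnet-drop", "deny", "0.0.0.0/0", "tcp", 23, 23),
]

def is_trusted(source):
    """True if the source CIDR sits wholly inside a trusted management network."""
    net = ipaddress.ip_network(source)
    return any(net.subnet_of(trusted) for trusted in TRUSTED_SOURCES)

def audit(rules):
    """Return (rule name, source, exposed services) for each risky allow rule.

    Each rule is judged on its own; rule ordering and shadowing are not modelled.
    """
    findings = []
    for name, action, source, proto, first, last in rules:
        if action != "allow" or is_trusted(source):
            continue
        exposed = sorted(svc for (p, port), svc in MGMT_PORTS.items()
                         if p == proto and first <= port <= last)
        if exposed:
            findings.append((name, source, exposed))
    return findings

if __name__ == "__main__":
    for name, source, services in audit(RULES):
        print(f"{name}: {', '.join(services)} reachable from {source}")
```

The port range in the `high-range` rule shows why a check on single port numbers is not enough: a wide range can expose SNMP without ever naming port 161.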
2. Review VPN technology
If you have VPN technology that was rarely used and is now being swarmed on by a large number of users for the first time:
- Check crypto settings are not outdated i.e. running 64/128-bit ciphers – bump these all the way up to 256 and above where you can.
- Use certificates – don’t just rely on simple passwords and usernames.
- Use multi-factor authentication.
- Keep your network design simple. Many people over-complicate what should be a simple setup, and most vulnerabilities we find in VPN connections are simple oversights due to complexity, usually around the scope of what connecting clients can and cannot connect to from the VPN connection versus the standard internal office network.
3. Always use multi-factor authentication
With more people working from home it will of course mean internal systems and cloud systems alike will be operating without the trusted barrier of being inside the network. If you don’t already, ensure cloud-based solutions such as Office 365, AWS and Azure use strict multi-factor authentication. Multi-factor authentication is now the industry expected default configuration, and anything less should be seen as misconfiguration. Without it you run the ongoing risk of falling victim to simple brute force or credential stuffing attacks. Don’t give attackers the chance.
4. Ensure users are working from approved devices
If you are thinking about letting users use their own personal devices, don’t forget they won’t have corporate anti-virus or group policies to help you control their devices. Provide them with a decent sandboxing technology to access your business applications from. This will protect your business network from any home-brewed nasties their devices may be harbouring. Our cybersecurity professionals recommend only allowing access from corporate-approved devices that fall under your internal IT security policies.
5. Consider the security implications of free software
There’s some great free and freemium remote working technology that has enabled many organisations to get on their feet when it comes to staying productive and communicative whilst away from the office. But is this fit for purpose in the long term? You’ve probably read about the security issues users have experienced with the likes of Zoom and other teleconferencing solutions. Expanding your working environments increases the threat vectors cybercriminals can attack you through. Consider reviewing free software applications and replacing them with secure, feature-rich paid-for versions.
6. Plan users’ return to the office carefully
Depending on your organisation’s operational requirements, you may now be looking at pathways to returning some users to your operating locations. Depending on their remote device setups, there are a number of potential cybersecurity risks and controls to consider implementing – including multi-factor authentication, the removal of admin rights and the reiteration of acceptable usage policies. As users return to the corporate network, also consider implementing a remote device ‘car wash’ to ensure any malware accidentally picked up whilst working from home is not transferred to the corporate network.
Adapting to the new normal together
In today’s fast-moving world, the ability to communicate, collaborate and work efficiently anywhere really can be the catalyst that drives your organisation’s success. However, be wary of making rushed, poorly thought-through decisions that have the potential to render your organisation vulnerable to cyberthreats. Carrying out a comprehensive review of your remote workforce security will put your organisation in the best position to ensure security postures are maintained as we transition towards the new normal.
Andy Swift, Head of Offensive Security, Six Degrees