Secure remote access in the age of home working
Almost overnight, the COVID-19 pandemic and resultant global lockdowns have made remote work virtually the norm for many businesses. In the scramble to support this new generation of home workers, existing security infrastructure has been stretched. Now is the time to re-address that balance.
At the beginning of 2020, IT managers and network administrators needed to rapidly onboard virtually their entire workforce as remote workers. Key to the rollout was better communication infrastructure backed by the growth of cloud-hosted solutions. However, this scramble to work remotely and get it done as soon as possible could have resulted in some technical and security shortcuts. There are plenty of risks, as highlighted by the Telework guide published by CISA.
One of the most significant issues is the intractable fact that the user’s home internet router facilitates their connectivity to the internet and corporate networks. However, this essential component of the enterprise connectivity stack is not under our direct control and therefore needs to be considered “untrusted” at best or “malicious” at worst.
The critical question to answer is how do we ensure the security of the remote workforce in the light of insecure home network routers? And what role do secure remote access or virtual private network (VPN) technologies play in mitigating potential threats that may arise because our users are connected from home?
To address these questions, we have written a comprehensive paper that outlines a holistic strategy complemented by a complete set of technical controls. Our approach can be used to achieve an appropriate level of security for home users in the face of a diverse group of old and new threats. In this blog, we summarize the key findings.
“Anticipate” the latest cyber threats and prevent digital risk
Anticipate that you might be a victim and understand what forms an attack might take to assess your readiness and prepare accordingly. The key is to take an intelligence-led approach to understand attacker tactics, techniques, and procedures (TTPs). Typically, attackers are opportunistic and will stumble upon a vulnerable device or an exposed remote access service.
You will also need to prepare your people with training based on real and current threats. This will help them identify attempted phishing emails or social engineering attempts. Establish a documented incident response process that all employees are aware of and know how to initiate. And finally, test your remediation and recovery plans, with an emphasis on supporting remote workers.
“Identify” your critical assets, data and vulnerabilities to prepare your security strategy
Identify all hardware and software assets to understand your attack surface, including remote and office workers. Compromising an end-user via phishing or social engineering is the most common approach for attackers. However, secure remote access services are also increasingly being accessed or compromised through password spraying or brute-forcing techniques.
Put in place a robust vulnerability management program to identify and patch vulnerable systems. This should cover all internet-facing systems, internal devices and must include remote workers. Carry out regular penetration testing on the home worker, internal, internet and cloud environments. This will help identify any other weaknesses besides vulnerabilities, such as misconfigurations.
“Protect” your organization with the right technology and skills
There are several tools and techniques available to protect your remote and office workers. For example, an email security system is vital to detect and prevent phishing campaigns and other email-borne threats. Also, enable multifactor authentication (MFA) on all internet-facing services, where feasible. At the very least, MFA should be implemented on email, VPN and exposed RDP services.
Use an automated patching solution to ensure that vulnerabilities can be addressed at scale. It is not practical or feasible to perform manual patching when you have an estate that consists of thousands of machines.
Other useful security techniques include enforcing the concept of “least privilege” to only give a user account or process those privileges which are essential to perform its intended function. Segment networks as much as possible to slow down lateral movement after any kind of compromise. And consider deception technology that uses traps mixed among existing IT resources to tempt an attacker to interact with them.
Specifically for home workers, protect the home router by using Remote Access Point (RAP) devices, or deploy a complete solution with fixed-line access, such as fiber to the home (FTTH), with a managed device. In addition, strengthen your VPNs by prohibiting any service or application on the portable computing device from interacting with any other device on the local network until the VPN tunnel is properly established.
“Detect” cyber-attacks through analysis of alerts and behaviors
The most obvious place to detect and disrupt malware and ransomware activity is on the endpoint. This has strengthened the role of endpoint protection platform and endpoint detection and response (EPP/EDR) tools, also known as “next-generation” anti-virus. Choose a solution that uses multiple detection techniques, including signature-based, static IOCs, and behavioral analysis capabilities.
Complementary to EDR, we would also suggest deploying a network threat detection solution. By analyzing the network traffic at certain choke points in your network, these solutions can identify threats that otherwise may fly under the radar.
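The password spraying and brute-forcing of remote access services mentioned under “Identify” is one of the behaviors this detection layer should surface. As an added example (not code from the original post or the accompanying paper), the script below runs over constructed VPN authentication log lines in a hypothetical format, separates spraying (many users from one source) from brute forcing (one account hammered from one source), and escalates any successful login from a flagged source.

```python
"""Flag password spraying / brute forcing against a VPN portal from auth logs.
Added example (not from the original post); log format is constructed, adapt LINE_RE."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray source, a brute-force source, and a user who mistypes once.
SAMPLE_LOG = """\
2020-04-01T08:00:01Z AUTH_FAIL user=alice src=203.0.113.10
2020-04-01T08:00:03Z AUTH_FAIL user=bob src=203.0.113.10
2020-04-01T08:00:05Z AUTH_FAIL user=carol src=203.0.113.10
2020-04-01T08:00:07Z AUTH_FAIL user=dave src=203.0.113.10
2020-04-01T08:00:09Z AUTH_OK user=erin src=203.0.113.10
2020-04-01T08:01:00Z AUTH_FAIL user=admin src=198.51.100.7
2020-04-01T08:01:02Z AUTH_FAIL user=admin src=198.51.100.7
2020-04-01T08:01:04Z AUTH_FAIL user=admin src=198.51.100.7
2020-04-01T09:30:00Z AUTH_FAIL user=alice src=192.0.2.44
2020-04-01T09:30:20Z AUTH_OK user=alice src=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) (AUTH_FAIL|AUTH_OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    # Return (timestamp, result, user, src) tuples; lines that do not match are skipped.
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_attacks(events, window=timedelta(minutes=10), spray_users=4, brute_attempts=3):
    """Map src -> 'spray', 'brute' or 'spray+brute' when failures inside a sliding
    window reach the thresholds (many distinct users vs. one user many times)."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "AUTH_FAIL":
            fails_by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()  # syslog may deliver events out of order
        for i, (start, _) in enumerate(fails):
            users = [u for t, u in fails[i:] if t - start <= window]
            tags = []
            if len(set(users)) >= spray_users: tags.append("spray")
            if max(map(users.count, users)) >= brute_attempts: tags.append("brute")
            if tags:
                verdicts[src] = "+".join(tags)
                break
    return verdicts

def successes_from_flagged(events, verdicts):
    # Successful logins from a flagged source: escalate these first, the attempt may have worked.
    return [(u, s) for _, r, u, s in events if r == "AUTH_OK" and s in verdicts]
```

The thresholds are deliberately low for the tiny sample; in production, tune the window and counts against your baseline of legitimate failed logins before alerting on them.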
“Respond” to an incident knowing you have prepared and are ready to restore business operations
If the worst should happen and you do fall foul of an attack, the first key thing is to remain calm and not panic or make rash decisions. Now is the time to initiate your incident response plan and get control of the situation. Ensure you and your CSIRT partners have a plan for dealing with incidents on one or more remote endpoints, where you may not be able to get physical or even remote access to the endpoint.
Clear, open, and honest communication is vital, both internally and externally. Internally, staff need to be made aware of what has happened, what is being done about it, and how they can help. If staff understand what’s happening, they will be less likely to work around measures you put in place to recover and improve security, which may otherwise appear obstructive to their work.
This blog is just a short summary of our plan that is inspired by the CIS Top 20 controls and the NIST cybersecurity framework. We’re in a war against threats, not a battle, and every additional control you implement will raise the cost for an attacker and improve your resilience.