Protecting Your Business From Your Remote Workforce

Remote Attackers

A significant portion of your workforce is currently moving to full- or part-time remote work as a result of COVID-19.  As you modify your business processes and workflows to accommodate this change, it is important to understand how remote work affects your cybersecurity posture and what openings it creates for cybercriminals.  We would like to take this opportunity to offer advice on how to adjust your security posture to account for this increased threat vector and to illustrate several common patterns of weakness.

VPNs

Long touted as the safest and most-reliable way to enable remote work, Virtual Private Networks (VPNs) allow a user to access internal enterprise resources and applications from any internet connection.  VPN connections are encrypted, preventing untrusted network operators (such as your local coffee shop) from snooping on sensitive traffic, but they don’t solve every security problem.

Risks:

  • VPNs weaken the network boundary by allowing additional devices into the most vulnerable part of a company’s IT infrastructure – its internal network
  • Compromised user accounts can give attackers direct access to many internal resources
  • Granting VPN access to untrusted devices is equivalent to plugging that device directly into your network, along with any infections it might have

The more users who use your VPN, the more likely it is that you are giving an attacker access to your internal network by way of a compromised user device.  When VPN is allowed on machines that were not provisioned by the company, this risk is even greater.  If an attacker does gain this access, it can be devastating, because the internal network is frequently the most vulnerable part of an enterprise network.

Solutions:

  • Create a separate User Account specifically for VPN access for each user
  • Place VPN user accounts into a restricted Organizational Unit with as few privileges as possible. For example, if you run Citrix, only allow VPN user accounts to sign onto Citrix desktops.
  • Set up Two-Factor Authentication (2FA) for all users and VPN user accounts to increase difficulty for attackers
  • Install a Honeypot on your internal network to help identify suspicious network activity coming from one remotely connected device

A Note on VPN Configurations:

VPNs also have the option to perform full or "split" tunneling.  Full tunneling forces all network traffic to go over the VPN connection, including traffic unrelated to the corporate network such as YouTube or Skype.  In a split tunnel VPN, only traffic destined directly for internal corporate services travels over the VPN connection.

Split tunnel is therefore less secure than a full tunnel configuration, because in a full tunnel your remote users are still protected by your existing network security appliances such as content filters and/or next-gen firewalls.  This comes with an expensive tradeoff, though: you must have enough bandwidth to serve all of your users' browsing habits!

Two Factor Authentication (2FA)

It’s extremely important that you have 2FA deployed within your organization.  It helps prevent compromise when user credentials are leaked as a part of a breach and makes it more difficult to obtain user credentials through phishing attacks.  With that said, you should be aware that 2FA is not a silver bullet for protecting user credentials on all services because 2FA can be bypassed when user devices have been compromised.

Risks:

  • Compromised devices which are used to prompt the user for a 2FA token may relay the token to an attacker
  • Compromised devices may allow an attacker to steal session information and impersonate affected users

As an example, by stealing or intercepting a session cookie for a service to which the user has already authenticated, an attacker may gain direct access to the application without needing to authenticate. Many applications (e.g. cloud-based email, collaboration tools) do not tie their session cookie to a single device, source IP, or location, because if they did, roaming mobile users would have to reauthenticate each time their device switched from Wi-Fi to a 4G or 5G connection. As a result, it is usually possible for an attacker to reuse the same session as a legitimate user.

Solutions:

  • Monitor your application logs for access from suspicious geographical locations unrelated to your typical user or business locations
  • Do not share sensitive information such as passwords in email or chat
  • Train your employees to report suspicious activity such as disappearing incoming email, email switching from read to unread without explanation, or password reset emails
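The log monitoring recommended above, as an added example that is not part of the original post: it scans constructed application access log lines for two server-side symptoms of session cookie reuse, the same session id arriving from more than one source IP and any access from a country outside an assumed set of expected locations. The log format and the expected-country set are assumptions for this demonstration.

```python
"""Flag application sessions that look reused from a second location.

Added example, not code from the original post. The log format (timestamp,
user, session id, source IP, country) is constructed for this demonstration.
"""
from collections import defaultdict

# Constructed sample log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2020-03-20T08:01:10Z alice sess=A1F3 ip=203.0.113.10 country=US
2020-03-20T08:05:42Z alice sess=A1F3 ip=203.0.113.10 country=US
2020-03-20T08:07:03Z alice sess=A1F3 ip=198.51.100.7 country=RO
2020-03-20T09:12:55Z bob sess=B77C ip=192.0.2.33 country=US
2020-03-20T09:40:01Z bob sess=B77C ip=192.0.2.33 country=US
"""

# Countries where this organisation's users are normally located (assumed).
EXPECTED_COUNTRIES = {"US", "CA"}


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, user, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["time"] = ts
    fields["user"] = user
    return fields


def find_suspicious_sessions(log_text, expected=EXPECTED_COUNTRIES):
    """Return sorted (session, user, reason) findings for the given log text.

    A stolen cookie shows up server-side as one session id used from more
    than one source IP; access from an unexpected country is flagged too.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    ips_by_session = defaultdict(set)
    user_by_session = {}
    findings = set()
    for e in events:
        ips_by_session[e["sess"]].add(e["ip"])
        user_by_session[e["sess"]] = e["user"]
        if e["country"] not in expected:
            findings.add((e["sess"], e["user"], "access from " + e["country"]))
    for sess, ips in ips_by_session.items():
        if len(ips) > 1:
            reason = "session used from %d source IPs" % len(ips)
            findings.add((sess, user_by_session[sess], reason))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print(finding)
```

In the sample, alice's session A1F3 is flagged twice (a second source IP and a country outside the expected set) while bob's session produces no findings.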

EndPoint Security

When your users work from home, they have a greater exposure to cybersecurity threats because inevitably they will be using their devices for both business and pleasure.  This increased usage is even more dangerous when paired with a split-tunnel VPN which does not force browser traffic to flow through enterprise security appliances and controls.

Risks:

  • Antivirus/Antimalware solutions can be bypassed more easily as users are outside of the protections of enterprise networks
  • Traffic visibility may be significantly reduced
  • Users will use their devices for personal browsing/activities which increases their exposure

Since your users will be using their devices more (regardless of whether they are corporate or personal), they will be more likely to encounter threats. This makes patching and antivirus updates critical, but potentially unreliable if you do not use a VPN or if you allow personal devices on the network.

Solutions:

  • Provide up-to-date devices configured with more aggressive security profiles to high-risk individuals such as Executives and Executive Assistant staff
  • Closely monitor inbound and outbound connections on your remote devices
  • Step up social engineering defense training to help combat COVID-19 related scams
  • Educate your employees not to store or share credentials outside of password safe solutions such as 1Password, Keepass, Lastpass, or Dashlane.

Final Words:

Even when lockdowns and restrictions around the coronavirus are lifted, the number of remote workers is likely to increase.  As we've shown, remote users are at increased risk because they are outside of enterprise security appliances, encounter more threats by using the same devices for both business and pleasure, and aren't necessarily covered by existing security controls.  With this in mind, it is important to be proactive: set up increased logging, provide updated and secured devices to high-risk individuals within your organization, and limit the access that users have through VPN connections.

We hope that you stay safe, both online and off, and that you keep us in mind if you’re seeking to audit your remote worker security solutions.  In the coming week, we will be providing pricing packages specifically designed around auditing remote work solutions.
