Working from home comes with new Cyber Security risks and considerations

Many organizations have shifted their workforce to 100% work from home and this is creating some unique Cyber Security risks and considerations. If yours is one of the many businesses that have shifted your daily work model from in office to work from home, how do you know that your Cyber Security is up to the task? In this article we’ll unpack a few key risks and things to think about when your entire organization has shifted to a work from home model.

One of Cyber Security’s guiding principles is “you’re only as secure as your weakest link”. In other words, you can have robust security controls throughout your applications and infrastructure, but if you share data with someone who lacks these controls, you’ve inherited all their risks and they represent your weakest link. This is conceptually referred to as the “Extended Enterprise”. Common examples of security risks that are outside the sphere of control for most businesses, or that present challenges, include, but are not limited to:

  • Vulnerable WiFi routers and other infrastructure
  • Weak or lacking access controls
  • Increased risk of data exfiltration
  • Unintentional information leaks
  • New, unhardened ingress / egress points
  • Lack of monitoring and alerting

So now that we have a short list of common cyber risks and considerations, let’s take a closer look at each one.

Vulnerable WiFi routers and other infrastructure

It should be no surprise that many commercially available WiFi routers have security vulnerabilities that present significant security risks. Vulnerabilities can include default admin credentials, enabled backdoor ports, lack of passwords and multi-factor authentication, lack of encryption and more. These vulnerabilities, independently and collectively, open the user to security risks that can be exploited by ever more sophisticated hackers for nefarious purposes. It is not the intent or purpose of this article to provide an in-depth analysis of router vulnerabilities, but you can find more information on the many router vulnerabilities at nvd.nist.gov or, alternatively, you should be able to get a list of vulnerabilities from your router manufacturer. This article will discuss some important considerations to focus on when it comes to WiFi routers your staff may be using in their home office.

The nirvana of WiFi security is a completely hardened configuration where your business has selected one of the most secure WiFi router products, properly assessed the security configuration and made the necessary changes such as changing default admin credentials, enabling encryption and multi-factor authentication, and more. Ideally the router configuration has been appropriately pen tested to identify any residual security vulnerabilities and weaknesses. Deploying hardened routers to all your staff can be time consuming and costly and may be unachievable for many businesses, but that does not mean you need to simply accept the risks.

If it is not feasible for your organization to have fully hardened WiFi devices deployed to all your staff in the field, then you should consider ensuring your remote work policies address minimum security standards for home office routers. Your home office WiFi security policy should link to a security configuration guide that instructs staff to, at a minimum, ensure the following:

  • Default admin access has been changed using strong password convention
  • Access control configured to only allow known MAC addresses (new device connections blocked)
  • Encryption enabled
  • Unused / unneeded ports disabled

If possible, it is advisable to assess or even pen test the WiFi configuration of select staff whose jobs include access to confidential or otherwise highly sensitive data such as payroll and HR files. It is dangerous to simply ignore this “last mile” in your now expanded and distributed remote enterprise network, as it can easily become a very relevant attack vector.

Weak or Lacking Access Controls

We covered default admin credentials on WiFi routers, but the same holds true for applications and systems your staff may be using. Does your organization have a policy for leading access management practices for home offices? Again, the ideal scenario is that your organization has robust Identity and Access Management (IAM) capabilities that your staff are required to authenticate to prior to gaining access to any of your organization’s business applications, systems, platforms or data. Yet even with robust IAM, there may be weak access controls on your staff’s home office devices, such as printers, that can potentially put your business at risk. Setting clear policy on access dos and don’ts is the minimum your organization should do to make staff aware of leading access practices.

In addition to having clear policy, it is advisable to educate staff on steps they can take to ensure their home office technology configuration is minimizing security risks to your business. These steps include, but are not limited to the following:

  • Frequently changing admin credentials
  • Regularly changing passwords using strong password convention (more on this can be found here: NIST 800-63)
  • Multi-factor authentication
  • Disabling unnecessary access points (e.g. turn off and disconnect printer at night or after business hours)
  • Regularly monitoring access logs

The majority of access control improvements are simple changes that do not require deep technical knowledge of the device, application or system in question. Ensuring your organization is aware and following access leading practices will further fortify your remote enterprise network and reduce risk.

Increased Risk of Data Exfiltration

With more staff working remotely than ever before, the volume and frequency of attacks has increased dramatically. There are many articles and reports that show the increase in malicious cyber activity ranging anywhere from 25% to 500%+ depending on the attack vector (a recent security magazine report had DDoS attacks up 542% compared to Q4 2019). With increased attack activity comes increased risk that your organization’s sensitive data will be exfiltrated by bad actors. Here the most common culprit is stolen access credentials that are obtained through a variety of hacker methods, but often through fairly simple phishing attacks.

Again, it is important that your organization have robust policies and guidelines for how your staff assist the organization in protecting sensitive data. It is highly advisable to have information sharing agreements (ISA) and/or data exchange agreements between your organization and third parties to ensure sensitive data is treated with the proper level of care and security controls. Your staff and business partners should be aware of phishing: what it is, and how to detect and prevent it. Ideally your security team is conducting regular phishing awareness campaigns to educate and train staff on how to respond to these types of attacks.

Stolen credentials are very serious because they can lead to a bad actor gaining powerful access to sensitive data such as financial records or intellectual property, but remote work models introduce new and unprecedented risks too. For example, simply displaying a document with sensitive information during a video conference could result in data exfiltration. Conference participants could screen capture the data or take a photo with their mobile device and then share the data with others who you don’t want the data to be shared with. This is just one method through which data exfiltration could occur, but there are many others, making it imperative that your cyber policies and procedures account for these unprecedented risks and inform your staff how to prevent them. For example, your organization may choose to clearly disseminate dos and don’ts for video conferences including, but not limited to, requiring participant pass codes, tracking attendees, only displaying necessary content, or requiring participants to access content from a secure document management system (DMS).

The punchline is that 100% remote models introduce unique risks of data exfiltration that must be properly assessed and addressed through your cyber policies, procedures and controls. Your staff should be educated and aware of how to protect data and prevent exfiltration.

Unintended Information Leak

Related to data exfiltration is the risk of unintentional information leaks. This occurs when sensitive information (e.g. financial records) is viewed by or shared with someone inadvertently or by mistake. A recent example someone told me about is a couple who worked for competing companies. While each of them had signed their respective company’s policies, one individual accidentally left a very sensitive pricing document up on their laptop screen while taking a “bio break”, and their partner inadvertently viewed it while on the way to the kitchen to fetch a glass of water. The sensitive data could not be unseen, and it was virtually impossible not to take business advantage of the information. How many times over is this scenario playing out across the world? This same scenario is common when individuals are working from public locations such as a coffee shop, although this is understandably less likely during the current global health pandemic.

The good news is that preventing these scenarios of inadvertent or mistaken information leaks is relatively simple. As with other cyber risks, having clear policies regarding locking devices when leaving them unattended, even for very brief periods, and using physical controls such as privacy screen protectors is a good first step. These measures, coupled with tips on leading practices such as proper guidelines on how to securely view and work with documents, can be an effective approach to significantly reducing the risk of unwanted information leaks.

New and / or unhardened egress / ingress points

As your organization shifted to 100% remote work from home, if any portion of your organization started using new services such as Microsoft Teams or Docusign, this may have introduced new potential egress / ingress points. These technology solutions may now be repositories of your organization’s sensitive data, and there may be new user / service accounts with new access credentials that present previously non-existent cyber security risks. With the proliferation of Cloud services and solutions available today, it is a daunting task for any IT and security team to stay on top of everything being used throughout the organization and, more importantly, to have effective policies, procedures and controls for each of them.

If your organization has started using technology solutions that it was previously not using, then at a minimum the vendor’s recommended cyber security services should be utilized. Most Cloud vendors will provide their customers with more details on their cyber security capabilities, such as their SOC 2 report or summary. Using additional security layers such as a Virtual Private Network (VPN) and multi-factor authentication (MFA) will augment the cyber security effectiveness of the vendor’s solution and help reduce risk to your organization.

Lack of Monitoring and Alerting

Lastly, remote work from home models can make monitoring and alerting more challenging for your IT and security teams. Since the remote enterprise network is now so distributed and can consist of multiple endpoints that previously did not exist, it is important to have a well defined monitoring and alerting strategy and approach. At a minimum, it is important to have monitoring enabled on all the Cloud services your organization is using. Security Information and Event Management (SIEM) tools or network monitoring tools can be effective when monitoring rules and alerts for the highest risk use cases are implemented. Even with the best training and awareness among your staff of leading remote working security practices, monitoring and alerting will provide your organization with critical visibility into security activity across your remote enterprise network. This level of visibility is essential to establishing a solid policy of “trust but verify”.
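As an added illustration (not code from the article) of what a monitoring rule for one of the “highest risk use cases” above can look like, the following script walks through constructed cloud sign-in events and flags the pattern a phished credential tends to produce: a success from a country never seen for that user, a success immediately after a burst of failures, and a success without MFA. The event field names are assumptions for this example, not any vendor’s log schema.

```python
# Added example: a minimal SIEM-style rule over cloud sign-in events for a remote
# workforce. Flags successes from a never-seen country for the user, successes
# after repeated failures, and successes without MFA. Log lines are constructed
# for this example; field names are assumptions, not a real vendor's schema.
import json
from collections import defaultdict

# Constructed sign-in events, one JSON object per line, oldest first.
SAMPLE_LOG = """\
{"ts": "2020-04-06T08:02:11Z", "user": "alice", "ip": "203.0.113.10", "country": "CA", "result": "success", "mfa": true}
{"ts": "2020-04-06T08:40:57Z", "user": "bob", "ip": "198.51.100.7", "country": "CA", "result": "success", "mfa": true}
{"ts": "2020-04-06T09:15:02Z", "user": "alice", "ip": "203.0.113.10", "country": "CA", "result": "success", "mfa": true}
{"ts": "2020-04-06T22:03:40Z", "user": "alice", "ip": "192.0.2.77", "country": "RO", "result": "failure", "mfa": false}
{"ts": "2020-04-06T22:03:52Z", "user": "alice", "ip": "192.0.2.77", "country": "RO", "result": "failure", "mfa": false}
{"ts": "2020-04-06T22:04:05Z", "user": "alice", "ip": "192.0.2.77", "country": "RO", "result": "failure", "mfa": false}
{"ts": "2020-04-06T22:04:30Z", "user": "alice", "ip": "192.0.2.77", "country": "RO", "result": "success", "mfa": false}
{"ts": "2020-04-07T08:01:00Z", "user": "bob", "ip": "198.51.100.7", "country": "CA", "result": "success", "mfa": true}
"""

FAILURE_THRESHOLD = 3  # consecutive failures before a success that trigger an alert


def detect_risky_signins(log_text):
    """Return a list of (user, ip, reason) alerts for the sign-in events in log_text."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen in earlier successes
    recent_failures = defaultdict(int)  # user -> consecutive failures since last success
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, ip, country = ev["user"], ev["ip"], ev["country"]
        if ev["result"] == "failure":
            recent_failures[user] += 1
            continue
        # A success: judge it against what has been seen for this user so far.
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append((user, ip, "success from country never seen for user"))
        if recent_failures[user] >= FAILURE_THRESHOLD:
            alerts.append((user, ip, "success after %d failed attempts" % recent_failures[user]))
        if not ev.get("mfa", False):
            alerts.append((user, ip, "success without MFA"))
        seen_countries[user].add(country)
        recent_failures[user] = 0
    return alerts


if __name__ == "__main__":
    for user, ip, reason in detect_risky_signins(SAMPLE_LOG):
        print("ALERT %s %s: %s" % (user, ip, reason))
```

On the sample log only alice’s late-night success from 192.0.2.77 is flagged, on all three grounds at once; a real rule would also baseline per-user sign-in hours and devices, which the same loop structure accommodates.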

Summary

If having 100% of your organization working 100% remotely was not your business model until recently, then it is important that you assess cyber security risks that may be new or different. Equally important, your organization requires clear, well defined policies on minimum security standards for home offices, remote work access and acceptable uses of sensitive data. As with traditional office work models, your organization’s cyber objectives should include reducing or eliminating risks and vulnerabilities, implementing robust access controls, protecting and encrypting sensitive data, and having transparent monitoring and alerting. It is dangerous to assume that your previous cyber security posture is sufficient for addressing all the new and potentially different risks and vulnerabilities that a remote enterprise network presents. A more prudent approach is to assess your organization’s remote work model, identify any new risks and vulnerabilities, and ensure that your organization has well defined policies, procedures and controls in place. Of course there are many more potential risks, threats, vulnerabilities and things to consider for your 100% remote workforce, but we’ve covered a selection of them in this article. For others, there are several great articles and sources out there, and good starting points include the Center for Internet Security’s Home Office Security Guide and Akamai’s State of the Internet Report. Safe remote working everyone!