A remote working security checklist: is your business protected against these risks?
If, like many organisations, your business has been forced to support mass employee remote working, it’s likely that you’ve also had to roll out new services and applications to maintain business continuity and productivity. Understandably, cyber security may not have been front of mind during this process.
Now that, to some extent, the initial panic has subsided, and people are adapting to life in lockdown, it is time to take a step back and assess the security impacts of any recent infrastructure or policy changes. With the coronavirus having likely placed a significant strain on your business already, the last thing you need is to unwittingly make it an easy target for cybercriminals and increase the risk of suffering a damaging data breach.
To help ensure your organisation’s security posture is robust through this critical period, here’s a checklist of key remote working-specific security risks you need to be aware of:
1. Exposing RDP to the internet
Remote Desktop Protocol (RDP) lets a user on one computer open an interactive session on a computer or server in another location. Most computers running a Windows client operating system have Microsoft’s RDP client software pre-installed.
RDP is commonly used by system administrators for remote administration and technical support, but during lockdown many more employees within your organisation may be using it to reach the tools, applications and files they need to do their jobs. This widens the attack surface: an attacker who compromises a remote worker’s RDP credentials or session gains an interactive foothold on the corporate network. If RDP is exposed directly to the internet, rather than behind a VPN or remote desktop gateway with multi-factor authentication, account lockout and source-address restrictions, your organisation’s risk increases considerably.
Many RDP vulnerabilities are long-standing and organisations tend to be slow to patch them. They include the critical, wormable ‘BlueKeep’ (CVE-2019-0708), first disclosed in May 2019, and the ‘DejaBlue’ flaws (CVE-2019-1181 and CVE-2019-1182), all of which allow unauthenticated remote code execution against Remote Desktop Services, as well as CVE-2019-1226, and CVE-2019-0787 and CVE-2020-0611, the last two affecting the Remote Desktop client itself when it connects to a malicious server.
During the coronavirus outbreak, attackers have been targeting RDP users far more often. There have been multiple recorded instances of internet-facing RDP services being bombarded with brute-force attacks. Researchers have also found variants of TrickBot, a particularly aggressive piece of malware, upgraded with a module for brute-forcing RDP accounts, and Ryuk, a ransomware family that is also very active at present, uses RDP to move laterally through compromised networks.
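Brute-force and password-spray activity against RDP leaves a clear trail in the Windows Security log: a burst of failed logons (event ID 4625) from one source address, optionally followed by a success (4624). The following script is an added example written for this article, not code from the original page or from any vendor. It runs detection logic over a constructed sample of events in a simplified key=value export format (field names follow the real event schema; the IP addresses, usernames and thresholds are assumptions), flags each source as brute-force or password-spray, and escalates a source to "possible compromise" when a successful logon follows the failures.

```python
"""Detect RDP brute-force and password-spray activity in Windows Security
log events. Event ID 4625 is a failed logon and 4624 a successful one;
logon type 10 (RemoteInteractive) is an RDP session."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in a simplified key=value export format. Real
# events would be pulled from the Security log (wevtutil, Get-WinEvent or
# a SIEM forwarder); only the fields used here are shown.
SAMPLE_EVENTS = """\
2020-04-20T08:30:00Z EventID=4625 LogonType=10 TargetUserName=dave IpAddress=192.0.2.10
2020-04-20T08:30:20Z EventID=4625 LogonType=10 TargetUserName=dave IpAddress=192.0.2.10
2020-04-20T08:30:40Z EventID=4624 LogonType=10 TargetUserName=dave IpAddress=192.0.2.10
2020-04-20T09:12:03Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:12:05Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:12:07Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:12:09Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:12:11Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:12:13Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:12:15Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2020-04-20T09:20:00Z EventID=4625 LogonType=10 TargetUserName=alice IpAddress=198.51.100.7
2020-04-20T09:20:30Z EventID=4625 LogonType=10 TargetUserName=bob IpAddress=198.51.100.7
2020-04-20T09:21:00Z EventID=4625 LogonType=10 TargetUserName=carol IpAddress=198.51.100.7
2020-04-20T09:25:00Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"].lower(),   # account names are case-insensitive
            "ip": m["ip"],
        })
    return events


def detect_rdp_attacks(events, window=timedelta(minutes=10),
                       fail_threshold=5, spray_users=3, logon_types=(10,)):
    """Return {source_ip: finding} for sources that exceed the thresholds.

    fail_threshold failures from one IP inside `window` -> "brute-force";
    failures against spray_users distinct accounts      -> "password-spray";
    a later success from a flagged IP                   -> "possible compromise".
    With Network Level Authentication enabled, failed RDP logons are often
    recorded with LogonType=3, so widen logon_types to (10, 3) in that case.
    """
    recent = defaultdict(list)  # ip -> [(timestamp, user)] inside the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in logon_types:
            continue
        ip = ev["ip"]
        recent[ip] = [(t, u) for t, u in recent[ip] if ev["ts"] - t <= window]
        if ev["event_id"] == 4625:
            recent[ip].append((ev["ts"], ev["user"]))
            users = sorted({u for _, u in recent[ip]})
            if len(recent[ip]) >= fail_threshold:
                verdict = "brute-force"
            elif len(users) >= spray_users:
                verdict = "password-spray"
            else:
                continue
            prior = findings.get(ip, {})
            if prior.get("verdict") == "possible compromise":
                verdict = "possible compromise"   # never downgrade an escalation
            findings[ip] = {"verdict": verdict, "failures": len(recent[ip]),
                            "users": users, "success_user": prior.get("success_user")}
        elif ev["event_id"] == 4624 and ip in findings:
            findings[ip]["verdict"] = "possible compromise"
            findings[ip]["success_user"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_attacks(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

On the sample data the script flags 203.0.113.5 as a possible compromise (six failures then a success as Administrator) and 198.51.100.7 as a password spray across three accounts, while the two mistyped passwords from 192.0.2.10 are left alone. The same per-source windowing is what a SIEM correlation rule or an account lockout policy implements; if you cannot take RDP off the internet immediately, this is the telemetry to watch while you do.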
2. VPN misconfigurations
Virtual Private Networks (VPNs) are also being relied upon by organisations to support their remote workforces. Set up correctly, a VPN provides an encrypted tunnel through which employees can access the corporate network. Risks arise when VPN appliances are misconfigured or left unpatched, leaving vulnerabilities that allow attackers to obtain network access.
In the current climate, some organisations are also moving to split tunnelling, sending only corporate-bound traffic through the VPN to relieve bandwidth pressure. A remote worker’s other traffic then bypasses the inspection and filtering applied at the corporate perimeter, so this is one example of a change that, if not implemented carefully, can create additional security risk.
In October 2019, the UK’s National Cyber Security Centre issued an alert detailing the mass exploitation of vulnerabilities in VPN products developed by Pulse Secure, Fortinet and Palo Alto Networks. Weaknesses in Pulse Connect Secure (PCS) attracted particular attention, with reports suggesting that over 14,500 Pulse Secure VPN endpoints were vulnerable to CVE-2019-11510 and CVE-2019-11539.
Fears that many organisations were leaving the PCS vulnerabilities unaddressed led the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert in January urging organisations to apply the patch. As a case in point, the cyber-attack on Travelex disclosed in the same month is believed to have been facilitated by several unpatched VPN servers.
Just last month, CISA released a further update highlighting that all organisations, even those that had already patched the PCS vulnerabilities, should change the passwords used to administer PCS. Attackers who exploited the flaw before the patch was applied could have harvested Active Directory credentials from the appliance, and patching does not invalidate credentials already stolen, so they could be used to access the network at a later date.
Long-standing vulnerabilities in other VPN products include CVE-2018-13379, CVE-2018-13382 and CVE-2018-13383 in Fortinet’s FortiOS SSL VPN, and CVE-2019-1579 in Palo Alto Networks’ GlobalProtect. Organisations using Citrix could also be exposed if the patch for CVE-2019-19781, a critical vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway, is not installed.
As well as exploiting VPN vulnerabilities to obtain a foothold on a network, attackers have recently been launching distributed denial-of-service (DDoS) attacks against VPN services, which have become a single point of failure now that entire workforces depend on them. According to research from NETSCOUT, there were more than 864,000 DDoS attacks worldwide between 11 March and 11 April 2020, the largest number recorded in any month-long period. One recent high-profile victim was a fast food delivery service, with attackers reportedly demanding two bitcoins (around $11,000) to halt the attack.
3. Insecure use of cloud services
Cloud misconfigurations cost businesses trillions of dollars. According to the Ponemon Institute, close to 33.4 billion records have been exposed through cloud misconfigurations in the last two years, at an estimated cost to organisations of around $5 trillion.
In many cases, breaches occur not because of any sophisticated hacking activity, but because databases and cloud storage buckets are not configured securely and are left publicly accessible. One company which fell victim to a cloud misconfiguration breach is Virgin Media, which is reported to have left personal information relating to over 900,000 customers accessible online.
Whether your organisation has been using cloud-hosted services and applications for a while, or has recently migrated workloads to environments such as AWS and Azure, it’s important to ensure that cyber security remains front of mind. Contrary to popular belief, cloud platforms are not secure by default, and appropriate steps must be taken to protect public and private cloud environments.
Most cloud vendors operate a shared responsibility model: the provider secures the underlying infrastructure (physical data centres, hypervisors and host operating systems), while the customer is responsible for everything built on top of it, including identities and access policies, the configuration of storage and databases, and the data and applications themselves. A storage bucket left world-readable is the customer’s misconfiguration, not the provider’s vulnerability.
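The "publicly accessible bucket" failure mode usually comes down to a policy statement whose Principal is `*` with no condition narrowing who `*` means. The following script is an added example written for this article (not the page’s own code and not an AWS tool): it evaluates constructed S3 bucket policy documents offline, showing the weak policy beside its corrected form, classifies anonymous grants as fully public or conditional, and combines the result with the bucket’s Public Access Block settings. The bucket name, account ID, role name and VPC endpoint ID are hypothetical, and the list of scoping condition keys is a subset of those AWS recognises.

```python
"""Audit S3 bucket policies for statements that grant access to everyone.
The policy JSON is evaluated offline, so this needs no AWS credentials; the
same function can be fed the output of `aws s3api get-bucket-policy`."""
import json

# Constructed example: a "let the agency download files" policy that in
# fact makes every object readable and listable by the whole internet.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AgencyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-corp-files",
                     "arn:aws:s3:::example-corp-files/*"],
    }],
})

# Corrected version: the grant names a role in the partner's account
# (hypothetical IDs), so there is no anonymous principal left to match.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AgencyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/AgencyReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-files/*",
    }],
})

# Middle ground: Principal "*" but only via one VPC endpoint. Worth a
# review, but not world-readable.
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-files/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Condition keys that narrow a Principal "*" grant to a known network,
# account or organisation (a subset of the keys AWS treats this way).
SCOPING_CONDITION_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
                          "aws:sourcearn", "aws:principalorgid", "aws:principalaccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_scoping_condition(statement):
    keys = {key.lower()
            for operator in statement.get("Condition", {}).values()
            for key in operator}
    return bool(keys & SCOPING_CONDITION_KEYS)


def public_statements(policy_json):
    """Return Allow statements with an anonymous principal, each tagged
    'public' (no scoping condition) or 'conditional'."""
    found = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        found.append({"sid": st.get("Sid"),
                      "actions": sorted(_as_list(st.get("Action", []))),
                      "scope": "conditional" if _has_scoping_condition(st) else "public"})
    return found


def bucket_is_exposed(policy_json, public_access_block=None):
    """Combine the policy with the bucket's Public Access Block settings:
    RestrictPublicBuckets=True makes an existing public policy ineffective
    for anonymous callers; BlockPublicPolicy only stops new ones being saved."""
    if (public_access_block or {}).get("RestrictPublicBuckets"):
        return False
    return any(s["scope"] == "public" for s in public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                         ("vpc-only", VPC_ONLY_POLICY)]:
        print(name, bucket_is_exposed(policy), public_statements(policy))
```

Run against the weak policy the check reports a public grant of `s3:GetObject` and `s3:ListBucket`; the hardened policy produces nothing, and the VPC-only policy is reported as conditional rather than public. The account-level Public Access Block is the cheap backstop here: with `RestrictPublicBuckets` on, a policy like the weak one no longer serves anonymous requests even if someone saves it by mistake.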
During the COVID-19 pandemic, many organisations have turned to Microsoft 365 and G Suite, as well as conferencing and collaboration tools such as Zoom and Slack, to support business continuity and employee collaboration. Again, many of these platforms are not secure out of the box and must be appropriately configured and monitored. Many SaaS vendors are currently enticing new customers with the offer of free trials, but beware of such offers which may only apply to freemium versions of software which can lack adequate security features.
Also be aware that the use of popular applications could make your organisation a more attractive target. Phishing attacks that target remote workers have increased substantially since the coronavirus outbreak and use platform notifications such as file sharing as a hook to bait recipients into sharing credentials and installing malware. Over 160,000 suspicious emails were reported to the UK’s National Cyber Security Centre in just two weeks.
Shadow IT, a term used to describe the use of software not pre-authorised by IT departments, is also an increased risk at this time, particularly if employees are using their own personal devices for work purposes.
4. Firewall misconfigurations
The sharp rise in home working means a sudden and sustained increase in traffic crossing the perimeter, which puts pressure on firewalls and remote access gateways. In such circumstances it may be tempting to relax firewall controls to maintain availability and limit disruption. Doing so is likely to lead to exposures such as unnecessary open ports, misapplied port-forwarding rules, an inaccurate inventory of exposed services and applications, and policies that do not adhere to the principle of least privilege.
According to Gartner, 99% of firewall breaches through 2023 will be caused by misconfiguration rather than by flaws in the firewall itself. Patching firewall firmware nevertheless remains essential: a recent zero-day vulnerability in Sophos’ range of XG firewalls forced the company to release an emergency hotfix after attackers exploited it to install Trojan malware that exfiltrated usernames and hashed passwords.
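Most of the exposures listed above can be caught by reading the rule base rather than waiting for an incident. The following script is an added example for this article (not the page’s own code and not any firewall vendor’s tool): it audits a constructed, vendor-neutral rule list that is evaluated top-down, first match wins, and reports rules open to the whole internet, remote-management ports forwarded inward, rules with no recorded owner (which defeats any inventory), and rules shadowed by an earlier allow-all, including a default deny that can never fire. The addresses, rule IDs and the "wider than a /8 means the internet" threshold are assumptions.

```python
"""Audit a perimeter rule set for the exposures listed above: rules open to
the whole internet, remote-management ports forwarded inward, rules with no
recorded owner, and rules shadowed by an earlier allow-all."""
import ipaddress

# Ports that should never face the internet directly; put them behind a
# VPN or gateway with MFA instead.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
                    3306: "MySQL", 3389: "RDP", 5900: "VNC"}

# Constructed rule set in a vendor-neutral form, evaluated top-down with
# first match winning. Addresses are from the documentation ranges.
RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.20/32",
     "proto": "tcp", "dport": 443, "owner": "web-team", "note": "Public website"},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.21/32",
     "proto": "tcp", "dport": 3389, "owner": "", "note": "temp - finance WFH"},
    {"id": 30, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "any", "dport": None, "owner": "", "note": "added during lockdown"},
    {"id": 40, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.22/32",
     "proto": "tcp", "dport": 22, "owner": "netops", "note": "Jump host from office"},
    {"id": 50, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "any", "dport": None, "owner": "netops", "note": "Default deny"},
]


def is_internet_wide(cidr, max_prefix=8):
    """Treat 0.0.0.0/0, or any prefix no longer than a /8, as 'the internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= max_prefix


def audit_rules(rules):
    """Return (rule_id, severity, message) findings for a top-down rule list."""
    findings = []
    allow_all_rule = None
    for rule in rules:
        rid = rule["id"]
        if allow_all_rule is not None:
            # Nothing below an allow-all can ever match, including the
            # default deny, so the rule list no longer means what it says.
            findings.append((rid, "medium",
                             f"unreachable: rule {allow_all_rule} already allows all traffic"))
            continue
        if rule["action"] != "allow":
            continue
        wide_src = is_internet_wide(rule["src"])
        if wide_src and is_internet_wide(rule["dst"]) and rule["proto"] == "any":
            findings.append((rid, "critical", "allow any/any: the perimeter is effectively open"))
            allow_all_rule = rid
        if wide_src and rule["dport"] in MANAGEMENT_PORTS:
            service = MANAGEMENT_PORTS[rule["dport"]]
            findings.append((rid, "high",
                             f"{service} (tcp/{rule['dport']}) exposed to the internet"))
        if not rule.get("owner"):
            findings.append((rid, "low", "no owner recorded; cannot be inventoried or reviewed"))
    return findings


if __name__ == "__main__":
    for rid, severity, message in audit_rules(RULES):
        print(f"rule {rid:>3} [{severity}] {message}")
```

On the sample rule base the audit reports the internet-facing RDP forward (rule 20), the any/any allow added in a hurry (rule 30), and the fact that the jump-host rule and the default deny below it can never match. Real rule bases are far larger, but the pattern is the same: export the rules, evaluate them in order, and treat every rule without an owner and a reason as a candidate for removal.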
5. Lack of endpoint visibility
When your employees work outside of the office, the traditional network security controls that they would otherwise benefit from are less effective. The network perimeter is diminished and criminals suddenly have a much larger surface area to attack.
A consequence of remote working is that endpoint devices are suddenly more vulnerable and without appropriate controls in place, visibility of these devices can be reduced significantly. Rather than being connected to the internet via secure corporate networks that are routinely monitored, devices are now attached to home networks which are less robust and create security blind spots. Organisations that lack the ability to proactively identify endpoint focused threats are open to the risk of compromised devices being used as an access point to instigate network breaches.
As a base level of protection, every endpoint device used by your employees should have antivirus software installed. Be aware that many off-the-shelf AV products are only effective against threats with a known, static signature. Many of the latest threats, including polymorphic and fileless malware, can only be caught by more advanced endpoint security solutions, such as Endpoint Detection and Response (EDR) tools, which use behavioural analytics to detect malicious activity rather than relying on file signatures alone.
During the Coronavirus outbreak, an ability to swiftly detect and respond to endpoint-focused threats is imperative. Coronavirus-themed phishing campaigns are spreading many advanced forms of malware to steal user passwords and banking information. Threats to be aware of include TrickBot, Maze, Ryuk and Zbot.
6. Use of BYOD
Bring-your-own-device (BYOD) is the practice of allowing employees to use personal devices to access company networks. If managed correctly, through the use of remote access technologies, application containers and application wrapping, BYOD can offer many benefits, such as boosting employee satisfaction and productivity.
During the COVID-19 pandemic, many organisations have been forced to relax their approach to device management. In some cases, this is due to employees not being given the opportunity to take home company-owned equipment. In others, the rollout of SaaS services such as Microsoft Teams may have had the effect of encouraging users to install applications on their own smartphones and laptops. In both cases, it’s unlikely that personal devices have been security-hardened, and there is often a lack of controls in place for these to be centrally managed and monitored.
A sudden increase in the number of extra endpoints with access to corporate networks can also create additional challenges for identity and access management. Which access requests are from users and devices that can be trusted and how can unauthorised attempts to connect to company assets be swiftly identified and shut down? If your organisation doesn’t already have a formal BYOD policy then now is a good time to put one in place. A basic policy focused on employee education and application whitelisting would be a good start, with a view to considering what controls may be needed to better enforce requirements in the future. Cloud Access Security Brokers (CASBs) and Zero-trust network access (ZTNA) are solutions which may warrant consideration.
7. Unsafe user privileges
As a rule, employees and any third parties with access to your organisation’s network should only receive rights to access the systems, applications and data they need to perform their job. However, within many organisations, privileges are not sufficiently locked down or reviewed regularly enough. Privileges need to be reviewed in line with job changes and quickly rescinded when employees cease employment.
With more people working from home than ever and many at an increased risk of being targeted, user privileges should be reviewed to ensure that the principle of least privilege is adhered to. This helps to ensure that, in the event of a user’s account being compromised, an attacker’s ability to move laterally through the network and reach sensitive assets and data is limited.
During the COVID-19 pandemic, it’s possible that your organisation has had to place employees on furlough. While this is the case, it is a sensible precaution to temporarily suspend the accounts of furloughed users until they return to work.
How to stay on top of these and other remote working security risks
In many cases, the key to addressing the security risks of remote working is to adopt a layered approach. The controls needed to achieve this vary from one organisation to the next, but in most cases start with good cyber hygiene (including the use of multi-factor authentication), regular security and risk assessments, and a combination of controls to prevent, detect and respond to threats.
Vulnerability scanning is a useful first step to identify core vulnerabilities such as unpatched systems, use of default passwords and open ports. For a more comprehensive assessment, we’d also recommend commissioning a remote working security assessment – a specialist type of penetration test that goes beneath the surface to identify vulnerabilities that automated scanning tools will miss. Conducted by an experienced security professional, a remote working pen test isn’t just designed to identify hidden vulnerabilities, it will provide the support and guidance needed to remediate them.
Many of the remote working security risks identified in this article can also be mitigated with proactive network and endpoint monitoring, which will help to swiftly identify threats targeting your organisation’s entire IT estate, including user workstations, applications such as VPN and RDP tools, and at-risk data.