As the world has shifted to a remote workforce during the coronavirus global pandemic, security professionals are working hard to ensure this move does not open huge vulnerabilities in an organization’s security posture. While moving to a remote workforce has changed many things about how corporations conduct business, security fundamentals have stayed the same; only the threats are growing. There are still bad actors looking to take advantage of any opening we give them. Now that we have moved some employees to working at home, it is important to remind them of the responsibilities we all share to keep ourselves, our companies and our families informed about how to keep everyone’s technology safe.
Personnel Emotional Vulnerabilities:
What is happening: Phishing and other attempts to get information are up. The bad actors are playing on our fears and emotions. Phishing attacks can lead to anything from a simple password loss to ransomware being downloaded and allowed into our networks. The lures change with the times, so the current ones revolve around your stimulus check, small business loans, refinancing your car at 0% interest, and other things along those lines. The goal is for you to make an emotional decision instead of a logical one.
What employers should do: Ensure all systems in use, remote as well as onsite, have proper anti-malware software. Something like SentinelOne or Carbon Black will help the most, but the traditional Microsoft Defender, McAfee or Symantec Endpoint Protection products will cover the majority of endpoint protection needs. Educate your users and remind them: no one will ask for their password, and if it seems too good to be true, it is.
What employees should do: Be vigilant. Do not click on that email to get your stimulus check faster. Do not enter your bank account information. Don’t believe the email when it says that by logging in here, the company will pay your stimulus for you. Remind family members, especially teens, that no one will ever legitimately ask them for a bank account number or a username and password. Additionally, don’t enter your password in web forms (online in a browser) unless you have confirmed with your IT department that you should be doing so.
What is happening: E-mail and chat programs like Teams, Zoom, Skype and Slack are becoming vital communication tools, since we still need to communicate with other employees. Not all of these tools are created equal from a security perspective. Recent news about Zoom’s lack of security has escalated the need to be vigilant in this area. Many of these programs have options to turn on higher levels of security.
What employers should do: If you are on Microsoft 365 (Office 365) or Google business mail, turn on two-factor authentication requirements for your users’ accounts. This lets your organization stop a lost password from becoming an inroad for a hacker to walk in the front door. Believe it or not, from my experience, lost passwords could be so much worse if attackers knew more about our environments. Make sure to instruct your employees on what you are doing and how to set up two-factor authentication on their phones or computers. Microsoft and Google make this as simple as they can, but do a test run with your IT team and give employees a quick instruction sheet a day before you make the changes.
What employees should do: Provide a level of understanding. Employees should be open-minded to new security solutions and steps that are designed to help protect not just an organization but their personal information.
VPN Access Vulnerabilities:
What is happening: VPNs are becoming a critical tie to our corporate information and to the access needed for daily jobs. With the immediate need to add users to our VPNs, we don’t always consider what access an end user really needs to do their job. VPN access can be tied to Active Directory (AD) groups, which can then govern that access. Bad actors are hunting the internet for open VPN access that requires only a username and password. If you haven’t been diligent in setting up your VPN, you may be leaving your organization vulnerable to a lot of attack vectors.
What employers should do: Consider how we create VPN groups. Not all employees need access to the VPN and to all resources. For example, the accounting department may need access to accounting systems, but legal does not. Using DNS and Active Directory, you can create groups and use them to manage system permissions. By creating VPN groups with least privilege, we protect our resources. Don’t just give VPN users full access to the network: if ransomware gets onto a user’s system and VPN access is not controlled, it can infect the entire corporate network. Ensure we have the ability to turn on IPS and anti-malware protections on our VPN tunnels; this lets inbound VPN traffic be inspected and malicious connections be blocked. Additionally, if two-factor authentication is available for your firewall, turn it on or consider purchasing the option.
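The difference between a catch-all VPN group and per-department groups is easiest to see as blast radius: what a single compromised laptop could reach through the tunnel. The following is an added example, not from this article and not any vendor’s firewall syntax; the group names, subnets, ports and service inventory are all constructed. It models VPN access rules as AD-group-to-network rules and compares what an accounting user’s laptop can reach under a full-access policy versus a least-privilege one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One VPN/firewall rule: members of `group` may reach `network` on `ports`
    (an empty port set means any port)."""
    group: str
    network: ipaddress.IPv4Network
    ports: frozenset


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Weak policy: one catch-all VPN group with full access to the corporate network.
FULL_ACCESS = [Rule("VPN-Users", net("10.0.0.0/8"), frozenset())]

# Least-privilege policy: one group per business function, each scoped to the
# subnets and ports that function needs. All networks and ports are constructed.
LEAST_PRIVILEGE = [
    Rule("VPN-Users", net("10.1.1.0/24"), frozenset({53, 443})),          # internal DNS + intranet portal
    Rule("VPN-Accounting", net("10.20.5.0/24"), frozenset({443, 1433})),  # accounting app + its SQL server
    Rule("VPN-Legal", net("10.30.1.0/24"), frozenset({443})),             # document management system
]

# Constructed inventory of internal services: (name, address, port).
SERVICES = [
    ("intranet-portal", "10.1.1.4", 443),
    ("accounting-db", "10.20.5.10", 1433),
    ("legal-docs", "10.30.1.20", 443),
    ("file-server-smb", "10.40.0.5", 445),   # the kind of share ransomware spreads through
    ("workstation-rdp", "10.50.7.33", 3389),
]


def is_allowed(policy, user_groups, dst_ip, dst_port) -> bool:
    """First-match allow; anything not matched by a rule is denied (default deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.group in user_groups and ip in rule.network \
                and (not rule.ports or dst_port in rule.ports):
            return True
    return False


def reachable_services(policy, user_groups, services=SERVICES):
    """Everything a VPN client in `user_groups` can reach. Run it for a user's
    groups to see the blast radius if that laptop is compromised."""
    return sorted(name for name, ip, port in services
                  if is_allowed(policy, user_groups, ip, port))


if __name__ == "__main__":
    accountant = {"VPN-Users", "VPN-Accounting"}
    print("full access    :", reachable_services(FULL_ACCESS, accountant))
    print("least privilege:", reachable_services(LEAST_PRIVILEGE, accountant))
```

Under the full-access policy the accounting laptop reaches every listed service, including the SMB file server and RDP on another workstation; under the least-privilege policy it reaches only the intranet portal and the accounting database, which is the containment the article is asking for.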
What employees should do: Ensure you are not doing anything on your corporate system that would compromise your network’s security. Don’t download files or programs that are not authorized for your organization or not approved by your IT department. Protect your passwords; if you feel one has been compromised, reach out immediately to have IT change it for you. Employees should be open-minded to new security solutions and steps that are designed to help protect not just the organization but their personal information as well.
Delayed Time Bomb Vulnerabilities:
What is happening: As part of what is going on in society, our anxieties and emotions are heightened. This can lead to simple things causing major issues for our corporate security. Since we have an unprecedented number of individuals working from home, we need to consider our environments and what is happening to their systems while they are disconnected from the corporate network and its security solutions. Working from home exposes us to security compromises that happen outside our network and then bleed in when the side door is opened (the VPN is connected). We need to ensure our work-at-home employees talk to their families about good hygiene on the internet and about not compromising the home network.
What employers should do: Remind our employees that their work computer now resides on their home network and that they should pass along security tips to their spouse, children, and roommates. Employers should also ensure that adequate protection is in place to address the risk that may be brought in by returning employees. Their systems may have time-delayed bombs on them that wake up days, weeks or months later. Protect your corporate assets. Assume infected machines will be coming onto your network when employees return to the office.
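One concrete way to act on "assume infected machines will be coming back" is a posture check at the point where a device asks to rejoin the office LAN: devices whose signatures, patches or endpoint agent have lapsed while they were off-network go to a quarantine segment until they are updated and scanned. The following is an added example, not from this article and not any NAC product’s configuration; the thresholds and the device inventory records are constructed.

```python
from datetime import datetime, timezone

# Thresholds (constructed for the demo; tune them to your own patch and AV cadence).
POLICY = {
    "max_signature_age_days": 3,    # anti-malware definitions older than this are stale
    "max_patch_age_days": 30,       # OS patch level older than this is out of compliance
    "max_days_off_network": 14,     # longer absence => full scan before joining the LAN
}


def ts(day: str) -> datetime:
    """Parse a constructed YYYY-MM-DD date as a UTC timestamp."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def evaluate_device(record: dict, now: datetime, policy: dict = POLICY):
    """Return ("allow", []) or ("quarantine", [reasons]) for a device asking to
    rejoin the office network. Quarantine means a VLAN that reaches only the
    update and scan servers until every reason is cleared."""
    reasons = []
    sig_age = (now - record["av_signatures_updated"]).days
    if sig_age > policy["max_signature_age_days"]:
        reasons.append(f"anti-malware signatures are {sig_age} days old")
    patch_age = (now - record["last_patched"]).days
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"last OS patch was {patch_age} days ago")
    away = (now - record["last_seen_on_lan"]).days
    if away > policy["max_days_off_network"]:
        reasons.append(f"off the corporate network for {away} days: full scan required")
    if not record["edr_agent_healthy"]:
        reasons.append("endpoint protection agent is not reporting")
    return ("quarantine", reasons) if reasons else ("allow", [])


# Constructed sample inventory records (dates are illustrative).
NOW = ts("2020-06-01")
DEVICES = {
    "LAPTOP-A": {"av_signatures_updated": ts("2020-05-31"), "last_patched": ts("2020-05-20"),
                 "last_seen_on_lan": ts("2020-05-22"), "edr_agent_healthy": True},
    "LAPTOP-B": {"av_signatures_updated": ts("2020-04-15"), "last_patched": ts("2020-03-10"),
                 "last_seen_on_lan": ts("2020-03-13"), "edr_agent_healthy": False},
    "LAPTOP-C": {"av_signatures_updated": ts("2020-05-31"), "last_patched": ts("2020-05-25"),
                 "last_seen_on_lan": ts("2020-05-30"), "edr_agent_healthy": False},
}


def triage(devices=DEVICES, now=NOW):
    """Verdict per device; the reasons list is what the help desk would act on."""
    return {name: evaluate_device(rec, now) for name, rec in devices.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in triage().items():
        print(name, verdict, *reasons, sep="\n  " if reasons else " ")
```

LAPTOP-C is the case worth noticing: its signatures and patches are current, but a silent endpoint agent alone is enough to hold it in quarantine, which matches the article’s point that a machine can look fine and still carry something that wakes up later.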
What employees should do: Pass along security tips to their spouse, children, and roommates. A unified defense is critical to our future security hygiene.
Last but not least, we need to communicate, more than we normally do. We don’t want our employees’ mental health and work experiences to be negatively affected by what is going on in the world. Remind your remote workforce that you are there to help them. Remind them what they can do to protect our systems, networks, and families. The more we communicate, the more our security hygiene will improve.
It may be time to take things up a notch to protect our security needs. These are a few things we can do together that have minimal costs but could reap huge benefits.
Paul Underwood, CISM, CRISC Emagined COO