The period of self-isolation and remote work will end sooner or later. Companies will start bringing employees back to their offices. Most likely, this process will be gradual, because there will be no special rush, as when switching to remote work.
Business continuity will be a priority, as always. At first glance, it seems that it will be easier to provide it – it will be enough to restore the processes that existed earlier. But what about information security? What threats must be considered to keep attackers out of the infrastructure?
We will answer these questions and consider the main threats that will become relevant when employees return to the office. And of course, we will give recommendations on how to make such a return as safe as possible.
Filled laptops
Consider a case when an employee was given a corporate laptop to work remotely, or he took his workstation home from the office. The first and most obvious threat to consider is the presence of malware on these devices.
At home, employees are left to their own devices, and it will not be possible to control their actions on the Internet. It is almost impossible to check the security of your home wireless network. In the face of such an urgent transition to remote work, the provided control measures for the actions of an employee on a corporate laptop might not be sufficient to minimize the risk of device infection. An employee might not even have noticed how malware infection occurred after he visited phishing sites or after opening another letter, allegedly from a client or partner of the company.
Therefore, in no case should the devices returned after remote operation be connected to the organization’s network without prior verification. Each such device carries a potential risk of infection of the entire infrastructure of the company. Therefore, the first step is to scan the devices with corporate antivirus. And we recommend carrying out additional dynamic checks of suspicious files on sandbox-class systems, because modern malware is not always detectable by signatures.
Leaked passwords
It’s no secret that employees use simple passwords. They try to choose a password that is easier for them to remember. Unfortunately, their accounts become prey to cybercriminals, for example, through brute force attacks. In addition, there is a risk of a phishing attack, which means that even a complex password can be leaked to a criminal.
According to our 2019 external penetration testing (pentest) research , 30% of all successful attacks on companies were associated with brute-force credentials.
We recommend that you reset all employee passwords when returning from a remote location. This will minimize the risk of compromising company resources using already leaked accounts.
It is also worth revising the password policy. If, when working remotely, concessions were introduced in the form of an increased number of password attempts, it is worth tightening this requirement for local connections from the office.
Confidential data on personal devices
Earlier, we conducted a special survey in Russian companies on the organization of remote access in Russian companies. Four out of every five respondents indicated that their organization uses, among other things, employees’ personal devices to work remotely. Obviously, this approach carries the risk of confidential information leakage. The employer will not be able to control which files were saved on a personal device, which documents were copied to a flash drive. In the event of malicious file theft by an insider, all that remains is to accept this risk. But a disloyal employee is not always the cause of a leak. Many workers may not appreciate the importance of the copied files or understand the threats posed by storing work files on a personal device.
We recommend that you send out reminders to all employees about the dangers of storing confidential documents on personal devices, explaining how to ensure that such files are removed from your personal computer.
We recommend conducting separate outreach interviews with employees who perform the most important business tasks and have access to business sensitive information. It is important to help employees, because they may simply not be able to clear their computers of corporate information on their own.
The perimeter is not the same
It is extremely important to take control of all the resources that were withdrawn at the perimeter of the organization’s network during remote work. In the survey mentioned above, every third respondent confirmed the conclusion to the perimeter of the corporate e-mail service, every fifth noted the opening of access to corporate portals, and another 16% of respondents mentioned the ability to connect from the Internet to internal web applications.
Regular monitoring of the security of the network perimeter is necessary regardless of the working conditions of employees. However, in the period of mass remote work, the very concept of the perimeter becomes very blurred. Many internal resources have become available from outside the company. Services, access to which was previously prohibited from the Internet, had to be opened outside. All this leads to a loss of control.
We recommend taking an inventory of the systems to which you can connect from the Internet. Determine the need for remote access to each such system after employees return to the office. Implement traffic filtering in such a way as to block external access to resources that should be accessible only from the local network. For systems that it was decided to leave on the perimeter, conduct a security analysis, install all relevant updates, organize constant monitoring of remote connections.
If this practice did not exist before, we recommend organizing a process of constant monitoring of the emergence of new services on the network perimeter, as well as regular security checks of such services.
Our 2019 external penetration test showed that 77% of successful local network penetrations involved web resource vulnerabilities. Web applications need to be protected, and to do this, use a web application firewall in anti-attack mode.
Event logs
While working remotely using corporate devices, employees can install various unregulated software, including unlicensed or designed for entertainment. Such software may contain malicious code and various backdoors that can be used by an attacker to compromise not only the mobile workstation itself, but subsequently other company resources.
We recommend collecting event logs from all mobile workstations after employees return from a remote location. This will allow not only to check what actions the employee performed in the system and what unauthorized software was installed, but also, if there is a suspicion of compromising devices, to conduct a retrospective analysis and restore the entire chain of events that led to the incident.
In the absence of event logs, investigation of cyber incidents may not be possible.
Segmentation of networks
To ensure the continuity of business processes when working remotely, the IT service could go to adjust the usual network segmentation. Traffic filtering between some networks could be significantly changed or even absent. When returning to business as usual from the office, it is important to rethink the segmentation. Where it did not exist at all, it should be organized. Where it was broken – to restore.
It’s done what’s next
Before restoring information security processes, you should make sure that these processes are not built on the basis of an already compromised infrastructure. If the attacker has already penetrated, there is no point in building a new “fence”. We recommend conducting a retrospective analysis of security events. Only after making sure that the systems have not been previously compromised should the following steps be taken.
Not all will return
The period of self-isolation brought not only restrictions to the workdays of employees, many people liked this experience. For some, the opportunity to work in a comfortable home environment became a plus, while others stopped spending several hours on the road. In any case, not everyone will want to return, and some will want to alternate telecommuting with work from the office. This can also be beneficial for business, you can reduce the budget for renting premises, create new distributed teams.
For companies considering further remote work of employees, it is important to consider the possible risks. Without proper control over mobile workplaces, without sufficient monitoring of security events, without reliable comprehensive protection of the network perimeter, the risk of leakage of confidential information and cyber attacks through the devices of such workers will be significant. We recommend that you leave remote access only to those employees who need such access in their workflows. At the same time, it is important to provide a full range of information security measures for remote workplaces.
Do not forget about the channels of remote connection from the side of contractors and integrators who have been granted such access for a while. We recommend closing those channels that are no longer needed. In case of further use, ensure the proper level of monitoring and protection.
The world won’t be the same
The experience gained by organizations during the coronavirus epidemic can be used to work on bugs. It is worth determining which processes were previously not flexible enough and what did not allow to quickly respond to external factors and quickly ensure the company’s safe transition to a remote mode of operation. It is important to assess whether the previously established approach to information security is effective in the new realities.
If something like the coronavirus happens again, employees’ workstations will again find themselves in an untrusted environment outside the controlled area of the organization. Attackers will again get unprotected entrances to the corporate network. We recommend switching attention from protecting endpoints to protecting key systems within the infrastructure, monitoring them, controlling access, and segmenting networks. The more flexible the new IS processes become, the less financial losses will be due to unforeseen external factors.