In a period of general concern about the spread of the COVID-19 virus, many companies are moving employees to remote work. Such measures are reasonable, since they reduce the likelihood of employees becoming infected, but the information security risks to the business must not be forgotten: remote work creates additional points at which an intruder can enter the local network.
IT and information security teams face a difficult task: how to maintain business continuity without opening the doors of protected systems to criminals. To help, we consider the main threats that matter when switching to remote work and draw up a checklist for verifying that all the protection recommendations have been taken into account.
First of all, you need to understand how the employee will work from home: on a corporate laptop taken home from the office, or through a remote connection to the organization’s network from a personal device (the BYOD concept, bring your own device). The security measures that must be planned depend on this.
The safest option is to work on a corporate laptop. For it, you can ensure in advance that all the organization’s requirements for the security of a remote workplace are met (for example, installing the corporate antivirus and the software required for work, providing two-factor authentication, disk encryption, an adequate level of event logging, and timely automatic updates of all systems). In the case of a personal device, such measures are difficult to organize, and it is almost impossible to monitor compliance with them. There is a threat that the employee’s personal device is compromised as a result of a malware infection, or that an account is stolen as a result of a phishing attack.
The BYOD concept is practically not used in Russia, and companies have neither the practice nor the regulations to ensure the security of personal devices. If organizations begin to allow workers to use their own laptops without control, the threat of an intruder penetrating the organization’s network will become more urgent than ever. We recommend denying connections from such devices unless they have at least antivirus protection and all the latest software and OS updates installed. If an employee’s personal device does not meet the conditions for secure remote work, we recommend providing the employee with a corporate laptop.
Network Perimeter Security
The most secure remote access options should be preferred, for example virtual private network (VPN) technology. For VPN, we recommend using secure implementations (for example, L2TP over IPsec). Remote Desktop Protocol (RDP) connections are also widely used.
According to our statistics, in just three weeks (from the end of February 2020) the number of hosts of Russian companies with RDP open for connection increased by 9% and exceeded 112 thousand. Moreover, more than 10% of such resources are vulnerable to BlueKeep (CVE-2019-0708).
Thus, the number of resources on the network perimeter of Russian companies, regardless of region, is growing, and an attack on them would allow attackers to gain control over the server and penetrate the local network. We attribute this, among other things, to the hasty transfer of some employees of such companies to remote work.
Regardless of the selected remote connection option, providing remote access through a dedicated gateway is a reasonable solution. For RDP connections this is the Remote Desktop Gateway (RDG); for VPN, a VPN gateway. Connecting remotely straight to the workstation is not recommended.
Separately, the threat of new remote access channels to business-critical networks and systems must be noted (for example, technological networks in manufacturing and in the energy sector, ATM or card processing management networks in banks, 1C servers, confidential document flow). Such networks are usually isolated from the Internet and even from the corporate segment, and access to them is strictly controlled. However, when migrating to remote work, administrators may, to simplify the management and configuration of these segments, set up a separate connection to them.
Administrators’ compliance with information security regulations must be strictly controlled. Control can be achieved through constant monitoring of the organization’s network perimeter, especially its key segments. In addition, the use of remote administration software (for example, RAdmin or TeamViewer) must be strictly regulated, and cases of its unauthorized use must be tracked (they can be detected by artifacts in traffic).
Because quarantine makes the physical presence of third-party specialists at facilities impossible, additional remote connection channels will be created for contractors and integrators, which means the threat landscape will expand significantly. We recommend paying special attention to monitoring such connections, because attacks through trusted channels are one of the most likely ways to penetrate the networks of large corporations.
Segmentation of networks
Setting up VPN access can bring its own problems. Usually a VPN terminates in a specific segment of the local network, and access to other segments is not guaranteed. The IT department may simply be unable to quickly reconfigure the equipment and give all VPN users the access they need without violating the access separation rules. As a result, to ensure business continuity, IT specialists will have to choose the fastest and easiest option: open access to the required subnet not to one employee, but to all VPN users at once. This approach significantly reduces security and opens up opportunities not only for an external attacker (if they manage to get in), but also significantly increases the risk of an attack by an insider.
Penetration test results show that at least 75% of companies use dictionary passwords for access to various external services (including websites, portals, databases, and teleconferencing systems). The danger is much greater when weak passwords are used for remote connections to the local network, because attackers can then guess an account’s password and directly attack internal resources.
It is imperative to tighten your password policy when working remotely, at least in terms of password length and complexity. For remote connections we recommend passwords of at least 12 characters for unprivileged accounts and at least 15 characters for administrative accounts. Different character types should be combined (lowercase and uppercase letters, special characters, digits), and easily guessed passwords must be excluded. For example, in penetration tests of financial institutions in 2019, 48% of all guessed passwords were a combination of the name of a season or month and the four digits of the year (for example, Сентябрь2019, or, typed with the English keyboard layout switched on, Ctynz,hm2019). Such passwords are picked from dictionaries in a matter of minutes, although formally they comply with the password policy.
The risk of penetration into the local network also increases because of the large number of employees who were not previously granted remote access due to the critical importance of their tasks. Such employees (for example, accountants, engineers, technologists, and even top managers) are often poorly trained in defending against cyberattacks and in the precautions to take when working on the Internet. You need to be prepared for a sharp increase in the number of accounts with simple passwords at the network perimeter. Significantly tightening the password length requirements can be an effective measure on the part of the IT department. Password complexity can also be checked: for this, it is enough to export the hash database from the domain controller (the ntds.dit file) and try to guess the passwords from these hashes using dictionaries.
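As an added example (not code from the original article), the policy check below enforces the 12/15-character lengths recommended above and rejects the "month or season plus year" pattern, including Russian words typed with the English keyboard layout (the Ctynz,hm2019 case). The word lists, the layout map and the three-character-class rule are this example's own assumptions.

```python
import re

# Russian JCUKEN keys mapped to the US QWERTY keys at the same positions. This
# catches Russian words typed with the English layout on, e.g. "Сентябрь" -> "Ctynz,hm".
# The mapping and the word lists below are this example's own assumptions.
_RU_TO_EN = dict(zip("йцукенгшщзхъфывапролджэячсмитьбюё",
                     "qwertyuiop[]asdfghjkl;'zxcvbnm,.`"))

_RU_WORDS = ["январь", "февраль", "март", "апрель", "май", "июнь", "июль", "август",
             "сентябрь", "октябрь", "ноябрь", "декабрь", "зима", "весна", "лето", "осень"]
_EN_WORDS = ["january", "february", "march", "april", "may", "june", "july", "august",
             "september", "october", "november", "december",
             "winter", "spring", "summer", "autumn", "fall"]


def to_en_layout(word: str) -> str:
    """Re-type a Russian word as if the keyboard were switched to the English layout."""
    return "".join(_RU_TO_EN.get(ch, ch) for ch in word.lower())


# All base words the "<month or season><year>" pattern can start with.
_DICT_WORDS = set(_RU_WORDS) | set(_EN_WORDS) | {to_en_layout(w) for w in _RU_WORDS}
# A word, an optional separator, a four-digit year, optional trailing punctuation.
_SEASON_YEAR = re.compile(r"^([^\d]+?)[\W_]*((?:19|20)\d{2})[\W_]*$")


def check_password(pw: str, privileged: bool = False) -> list:
    """Return the policy violations for pw; an empty list means it is acceptable.

    Length: 12 for ordinary accounts, 15 for administrative ones. Complexity: at
    least three of lower, upper, digit, special. The season/month-plus-year
    pattern is rejected even when it formally passes the other two rules.
    """
    problems = []
    min_len = 15 if privileged else 12
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    m = _SEASON_YEAR.match(pw.lower())
    if m and m.group(1) in _DICT_WORDS:
        problems.append("month/season name followed by a year")
    return problems


if __name__ == "__main__":
    for candidate in ("Ctynz,hm2019", "Сентябрь2019", "Tr0ub4dor&3-Xk9q"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The same check can be run over the guessed passwords from a dictionary audit to see how many of them follow this pattern.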
Two-factor authentication with hardware tokens will help reduce the risk of the company’s network being compromised if an employee’s dictionary password is brute-forced.
Criminals are already actively exploiting the pandemic: sending phishing emails about protection against coronavirus, creating fake websites, and distributing Trojans under the guise of mobile applications. Professional APT groups (including SongXY, Gamaredon, and Higaisa) have quickly adjusted to companies’ shift to remote work and are attacking employees’ personal email addresses. Unknown attackers also ran a phishing campaign against our own company: the criminals tried to steal credentials.
Employees must understand the severity of the threat and be able to distinguish legitimate mail from phishing. For this, it is necessary to hold briefings and distribute short visual training materials and reminders on information security and social engineering. In addition, it is important to dynamically scan all files received by corporate mail in sandbox systems.
To take into account the main factors affecting the organization’s security when transferring employees to remote work, we have compiled a short checklist. We recommend using it for self-assessment.
| What to fear | What to do |
| --- | --- |
| Password guessing and penetration of an attacker into the organization’s network | Check and enforce password policies |
| Theft of confidential information | Differentiate access rights to internal resources; strengthen control over access to information and its transfer |
| Infection of employees’ devices and spread of malware to company resources | Protect personal gadgets; check email attachments; raise employees’ information security awareness |
| Attacks through unprotected remote access services that appeared on the perimeter | Monitor the network perimeter; exclude direct connections to individual workstations; use gateways for remote connections |
| Inability to identify and respond to illegal actions of employees and to attacks | Log information security events, including on employees’ remote devices; keep copies of network traffic; monitor information security events; analyze network traffic |
| Untimely response to incidents, inability to stop an attack quickly | Organize a SOC (security operations center) operating 24x7; monitor security systems 24x7 |
| Compromise of the organization’s key business systems as a result of an attack | Segment internal networks; control access to key segments and systems |
| Disruption of business continuity due to failures when employees connect remotely to internal resources | Reserve communication channels for remote access; use several independent methods of remote access (for example, VPN and RDP); reserve remote access servers and distribute the load between them |
| Failure of business systems due to increased load or a denial of service attack | Technical support from the company’s IT departments 24x7 |
What to prepare for
The topic of the spread of coronavirus is at the peak of its popularity, and criminals will actively use it in phishing mailings not only to organizations but also to employees’ personal addresses and their pages on social networks. Transferring employees to remote work will create additional difficulties in ensuring security and therefore increase the chance of successful penetration. We forecast a significant increase in the number of attacks on organizations’ network perimeters and on employees’ remote workplaces.
Many companies in Russia have never used remote work (for example, various government organizations and research institutes). These organizations are at high risk. A hasty transfer of employees to remote work will inevitably lead to administrative errors and the appearance of unprotected systems. Employees who are accustomed to working only in the office and are not knowledgeable about information security are an even weaker link in the defense. In addition, the likelihood of information leakage through the fault of an insider increases. Criminals are aware of this and will actively exploit it. The consequences for the company can be disastrous. We recommend that organizations that are not ready for a quick transition to remote work abandon hasty actions and build the process as responsibly and consistently as possible, taking into account all possible information security threats.
Enhanced control over employees’ actions in the network and over all remote connections, monitoring of security events on key business systems, and control over the security of the network perimeter and of employees’ remote workplaces will significantly reduce the risks from an external intruder. Employees’ readiness to resist phishing will prove equally important for effective protection.