What to Consider About Remote Work Security

CloudGate Architect Robby
International System Research Co., Ltd.
May 14, 2020

Back in 1985, the following quote began to appear in various articles, books, and even inspirational posters:
Every morning in Africa, a gazelle wakes up, knowing it must run faster than the fastest lion or it will be killed. Every morning a lion wakes up, knowing it must outrun the slowest gazelle or it will starve. It doesn't matter if you're a gazelle or a lion. When the sun comes up, you better start running.
The same applies to corporate security. The world is full of "lions" such as fraudsters, phishers, malicious hackers, and ransomware attackers. Most of the time, they are after your organization's funds, data, or both. Sometimes, they just want to ruin your day.
If your job is to protect your organization's funds, data, and intellectual property from these lions, the COVID-19 pandemic has likely made your job even harder. Users who had long been safe behind your organization's protective fences are now starting to work from home one after another. The trend suggests that even after the fear of COVID-19 subsides, a significant number of people will continue to work from home regularly, and as social distancing guidelines ease, home offices might sometimes be replaced by a nearby coffee shop or a friendly neighborhood pub.
With more gazelles in the vast open plains, lions are hunting for easy meals, increasing the risk to your organization's resources, data, and infrastructure.
Below are some quick and lean ways you can protect your gazelles.
Even if you can't be faster than the lion, you can at least be faster than the other gazelles.
Secure Authentication

Password-based authentication has been disliked, particularly in the security community, for decades, so it is somewhat surprising that the overwhelming majority of systems still rely on passwords to authenticate users. Passwords persist largely because they are familiar, convenient, and easy to implement. In principle, password authentication is very secure, which is exactly why its risks are so often underestimated:
"If" passwords are securely hashed, encrypted, and stored in the backend system.
"If" passwords only travel through secure communication channels.
"If" users choose sufficiently complex passwords.
"If" users do not reuse the same password across multiple systems.
And "if" users avoid being tricked by sophisticated phishing attempts or scammers into leaking their passwords.
In such cases, password authentication could be considered very secure.
You'll notice there are many "ifs" here, as well as significant responsibility placed on users. Again, even if the vast majority of users practice proper password management, one slow gazelle can jeopardize the entire system.
Here are some measures you can take to significantly improve authentication security:
- Do not rely solely on password authentication; add a second authentication factor or use biometric authentication instead. Ideally, your authentication mechanism should rely on secure hardware compatible with the Web Authentication specification. Using SMS-based or time-based one-time passwords is also better than using only passwords for authentication.
- Implement a Single Sign-On solution to reduce the number of systems users need to authenticate to. This not only eliminates password reuse across systems; most single sign-on services also support more advanced authentication mechanisms than the individual services they front.
- Implement a strong password policy and educate users about the inherent risks of password-based authentication.
Device Identification and Management

If the devices used to access your organization's resources are compromised through other means, even the strongest and most secure authentication policies will be insufficient to protect them.
Ideally, all devices should be identified, centrally protected, and managed. However, you might encounter situations where users working from home are using their personal computers or mobile devices to access your organization's network and various cloud services.
Here are our recommendations:
- Deny access to unidentified devices to mitigate the risk of malicious attackers accessing your resources. Using X.509 client certificates to identify devices is a reliable method, especially when the certificate's private key is backed by secure hardware physically attached to the device, such as a Trusted Platform Module (TPM) or another secure element.
- Ensure that devices accessing resources are up-to-date with the latest operating system and software patches. If you don't have a device management system, set policies instructing users to keep their systems updated and send reminders when critical security updates are released. Again, while undisclosed vulnerabilities and zero-day exploits are frightening, they are rarely the slowest gazelle in the herd. More often, the slowest gazelle is something like an executive's PC running an unsupported OS because "I can't work without this" (which seems to happen in every organization).
- Don't forget the networking equipment clients use to access the internet. While you'll likely have little control over home modems and Wi-Fi access points, instructing and educating users on how to change default modem passwords or how to set up sufficiently strong Wi-Fi encryption and MAC address filtering can greatly help prevent traffic snooping, unauthorized access, and ultimately, man-in-the-middle attacks.
Access Restrictions

If you've been restricting access to some or all of your organization's resources based on traditional client IP addresses, you might find that while this was easy to manage when most users worked in the office, it's virtually impossible now that they're working from home. Still, there are several things you can do:
- Require access via VPN and keep the original IP access restrictions intact. Here too, pay attention to the authentication method used to access the VPN. Many VPN services can now integrate with the single sign-on solutions described above, allowing you to apply the same strong multi-factor authentication requirements to network access.
- Ease restrictions. If you can no longer maintain IP address restrictions, replace them with geographical or time-based restrictions. This at least narrows the attack surface by allowing connections only from the locations where your users actually are and only during the hours they actually work.
- Tighten restrictions. Once users can access your infrastructure (e.g., via VPN), ensure that access controls are properly in place so they can only access the resources necessary for their daily work. This reduces potential risk and damage if access is compromised.
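The three recommendations above compose into one access decision: is the request coming from an expected place, at an expected time, and for a resource this role is allowed to touch? The block below is an added example, not code from the original article, showing such a policy check as a single function that names the failing check so the decision can be logged and reviewed. Country codes are assumed to come from a GeoIP lookup performed elsewhere; the policy values, roles and resource names are constructed for the example, and business hours that wrap past midnight (a night shift) are handled explicitly.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass
class AccessPolicy:
    allowed_countries: frozenset     # ISO 3166-1 alpha-2 codes, e.g. {"JP"}
    work_start: time                 # local business hours, inclusive start
    work_end: time                   # exclusive end; may be earlier than start (wraps midnight)
    local_tz: timezone               # zone in which business hours are defined
    role_resources: dict             # role -> set of resource names (least privilege)


@dataclass
class Request:
    user: str
    role: str
    country: str                     # assumed to come from a GeoIP lookup
    at: datetime                     # must be timezone-aware
    resource: str


def within_hours(local: time, start: time, end: time) -> bool:
    """True if `local` falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= local < end
    return local >= start or local < end


def evaluate(policy: AccessPolicy, req: Request) -> tuple:
    """Return (allowed, reason). The reason names the first check that failed."""
    if req.at.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if req.country not in policy.allowed_countries:
        return False, f"country {req.country} not permitted"
    local = req.at.astimezone(policy.local_tz).time()
    if not within_hours(local, policy.work_start, policy.work_end):
        return False, f"outside business hours ({local.strftime('%H:%M')} local)"
    if req.resource not in policy.role_resources.get(req.role, set()):
        return False, f"role {req.role} has no access to {req.resource}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample policy: Japan-based staff, 08:00-19:00 JST.
    JST = timezone(timedelta(hours=9))
    policy = AccessPolicy(
        allowed_countries=frozenset({"JP"}),
        work_start=time(8, 0), work_end=time(19, 0), local_tz=JST,
        role_resources={"sales": {"crm"}, "admin": {"crm", "vpn-admin"}},
    )
    samples = [
        Request("alice", "sales", "JP", datetime(2020, 5, 14, 1, 0, tzinfo=timezone.utc), "crm"),
        Request("alice", "sales", "JP", datetime(2020, 5, 14, 12, 0, tzinfo=timezone.utc), "crm"),
        Request("bob", "sales", "US", datetime(2020, 5, 14, 1, 0, tzinfo=timezone.utc), "crm"),
        Request("alice", "sales", "JP", datetime(2020, 5, 14, 1, 0, tzinfo=timezone.utc), "vpn-admin"),
    ]
    for r in samples:
        print(r.user, r.resource, evaluate(policy, r))
```

Keeping the checks ordered from cheapest and coarsest (country) to finest (per-role resource) and returning the failing reason gives the security operations side a log line that says why a remote connection was refused, which is what turns a blocked attempt into a detectable pattern.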
That's it. Wake up and start running. By raising user security awareness and implementing most or all of the above recommendations, you significantly increase your chances of outrunning other gazelles, and perhaps even leaving the lions behind.
Please be careful out there.