COVID-19 Has Created Security Concerns for Working Remotely
Note: This article first appeared at InCyberDefense.
By Dan Williams
For businesses fortunate enough to allow their workers to work home versus letting them go, this sudden surge in remote access due to the COVID-19 pandemic has created many security problems.
Start a Homeland Security degree at American Military University.
With families restricted to their homes, the high concentration of devices utilizing internet resources round the clock, many Internet Service Providers (ISPs) are having bandwidth and congestion problems. Unfortunately, performance issues for employees may be the least of any company’s concerns once the question of infrastructure security enters the conversation.
Cloud-Based Versus On-Premises Infrastructures
Some organizations already operate in the cloud, meaning they use publicly accessible hosting platforms that provide Infrastructure as a Service (IaaS), in most cases offering ultimate flexibility for working from anywhere at any time.
For decades the more traditional on-premises infrastructures comprised of server rooms or data centers owned by an organization have offered remote access using Virtual Private Networks (VPNs).
When it comes to protecting an organization’s information assets, both models face similar threats when remote access is concerned. This is due to inherent vulnerabilities in both the user and workstation domains, as well as the fundamental flaws in the public internet as a backbone connection.
End-Point Devices and SOHO Networks
Both company-issued and personal devices with access to an organization’s resources are much more vulnerable to threats when they are outside the virtual stone walls and iron gates of their on-premises defenses.
Once a device is taken off the company network, even devices utilizing a VPN connection are at risk of contributing to a loss of control of company data. Compounding this is the hostile environment created by consumer-grade network appliances and poor practices in users’ homes. Despite the best intentions of equipment vendors and security awareness training experts, there are many myths about “feel good security.”
This false sense of security means you assume someone else has performed the due care and diligence to defend your data for you. But have they? Small office-home-office (SOHO) networks typically do not possess the robust security features of an enterprise environment. But they can be configured to offer a sufficient degree of protection.
Debunking Security Misconceptions to Shore Up Defenses
When choosing to operate remotely, consider the following:
“My wireless router’s box says that it has a built-in firewall, so outside threats can’t reach my laptop.”
While your wireless router may possess a rudimentary firewall, default configurations of any network appliance are one of threat actors’ easiest vulnerabilities to exploit. These vulnerabilities may include:
- Whether the firewall is enabled by default
- The ports open by default on the firewall
- Publicly exposed services that can be abused without the need for login credentials
You’ll want to ensure that these defenses are not only operational but configured to allow only needed services, such as HTTP/S traffic. If the manufacturer offers a service package for device support, there may be an open port for remote access on your router’s firewall, meaning that threat agents also will have access to this service.
“These companies are run by professionals; this device is plug-and-play right out of the box!”
Factory default administrative credentials for the appliance management console should be changed immediately, especially before connecting to the internet. Your manufacturer’s website or instruction manual will have details on how to make this vital adjustment.
Missing software and firmware patches released by the manufacturer since purchase further demonstrate the importance of keeping patches up to date.
Often logging into the web interface will display a dashboard that alerts you to a new software version that is only a click away from remediating. Look up your router by manufacturer and model to find out how to access this dashboard.
Threat agents can use tools such as “Metasploit” or “Kitploit” to automatically exploit known vulnerabilities and to gain access to SOHO appliances. The exploitation is based on details exposed to the internet that are discoverable by port scanning tools from the other side of the planet.
For a small additional expense, you can ensure that your wireless router has a consumer or small business-grade firewall appliance between it and your external connection. That appliance can help protect your devices from inbound connection attempts and the exploitation of known device-level vulnerabilities, and actually analyze the traffic to block it based on defined rules.
Just remember, the luxury of working from home will always bring additional setup costs. Prepping your SOHO network prior to using a company or personal device at home is a measure of due diligence which, depending on circumstances, may actually be required by regulatory guidelines.
“If someone wants to use my Wi-Fi, why should I care?”
Allowing unknown systems and their users to join your wireless network gives them access to your Local Area Network (LAN). That means they can reach every other system on that network and access the administrative portal for the wireless router.
Devices infected with malware that scan the connected networks can identify other vulnerable systems and gain access to them as well. Most modern wireless routers offer the option to create a guest network or additional channels, as well as the ability to restrict devices on that channel from accessing your LAN and only directly connect to the internet.
Make sure the wireless router is set to use a sufficiently secure protocol such as Wi-Fi Protected Access 2 (WPA2). More antiquated protocols such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access are known to be vulnerable to common attacks that can lead to the decryption of your wireless traffic, leaving it exposed.
This is another setting that is simple enough to verify and change if necessary. Follow your appliance manufacturer’s instructions for accessing the administrative portal.
These considerations do not apply just to guests in your home and neighbors in need of a good Wi-Fi connection. There are individuals who conduct “wardriving” operations. That is, they drive around neighborhoods searching for unsecured or easily defeated security controls on wireless routers so they can remotely access your devices from a safe distance.
If your company resources are accessed through a wireless network that falls victim to wardriving, this can compromise that device and its data.
“My browser has the green lock icon that says my connection is secure, which means I’m safe from threats.”
Users typically do what they must to keep productivity flowing. When they see a message from their browser saying that the more secure HTTPS protocol is not available, accepting this fact and continuing to the unsecured HTTP site seems necessary to get the job done. This can be a sign of a “downgrade attack.” That is when a threat agent has compromised one of the many points between the user’s device and the service they are accessing to disrupt encryption.
The threat agent can now view data including user names and passwords, meaning these credentials are now compromised.
Never blindly accept messages like these without consulting your organization’s systems administrator or information security personnel. You may lose precious time working toward a deadline, but it will be nowhere near as expensive as a data breach from a compromised account. Chances are such a message may even be an expired or revoked certificate (responsible for the little green lock), and you could be the hero of the day for reporting it and preventing other users from making a devastating mistake.
Changing passwords regularly, not reusing passwords between accounts, and using randomly generated passwords can also mitigate the impact of stolen credentials. Password managers are a great way of centralizing credentials and eliminating the need to write them down or make them simple enough to remember (and crack).
Unfortunately, an encrypted connection is only one layer of security meant to protect the confidentiality of data. But if either end-point in an encrypted connection is compromised, this does encrypt only the malicious traffic traveling through it, making it harder to detect.
This is also the case with VPN traffic that connects to an organization’s on-premises resources. This highlights the need for in-depth defense since no single technology is a silver bullet solution or even applicable to certain threat vectors. Regular antivirus scans and the practice of application whitelisting can lessen the chances that malicious programs that compromise data will succeed.
“My laptop requires a user name and password to access the desktop, so as long as I use a strong password no one can get it.”
The bad news is if your laptop hardware does not have a trusted platform module (TPM) or equivalent protection enabled and full disk encryption, the user name and password won’t matter. Simply removing the hard drive and plugging in a drive-to-USB cable can allow the entire file system to be accessed. That would mean that a quick drag-and-drop operation will dump the entire contents.
Furthermore, even if the full drive encryption requires a password to gain access, if threat agents take physical possession of the hard drive they take their time running their favorite password cracking tool. It’s a waiting game at this point, but longer passphrases can increase the time this would take.
No one can wait 425 quadrillion years to access a hard drive, so make sure you take all the above precautions to prevent easy physical access to sensitive data. If your organization doesn’t offer mobile equipment, you may be asked to use a personal laptop to access company resources remotely.
The Future of Working from Home
Saving sensitive data to a personal device not configured with the above considerations in mind could result in your personal and professional sensitive data being compromised in one fell swoop.
COVID-19 emerged so quickly that many organizations may not have even taken the time to assess the risks involved when their employees are asked to work from home. As budgets are readjusted to accommodate security demands associated with remote access for employees, the security posturing of organizations will continue to improve.
Just as working in the office, data is most at risk when user vigilance and operational practices are not up to standard. The world’s most expensive security implementations can ultimately prove to be useless when a social engineering attack over the phone or malware attachment downloaded from an email is introduced into the equation.
Leadership has many obstacles to manage during this difficult time. That means we need to continue to raise concerns regarding the security of our business processes.
Ensuring information security remains a top priority is crucial in protecting our information assets when the strain on revenue has organizations exhausted and unable to handle catastrophic losses due to lapses in security policy.
About the Author
Dan Williams is an Information Security consultant with experience as a five-year veteran of the U.S. Marine Corps with over 15 years in IT Operations. Dan’s career has spanned various specializations to include systems analysis, network monitoring and defense, software development, and cloud engineering solutions, all with a central theme of security administration and strategic cyber intelligence.
He has a bachelor’s degree in Information Systems Security, a master’s degree in Cybersecurity Studies, and is a Systems Security Certified Practitioner through the (ISC)2. More recently Dan’s focus as a consultant has been on conducting research regarding DevOps security practices and cloud infrastructure penetration testing and vulnerability assessments to maintain pace with threats towards advancing and quick-adopting technologies. On a volunteer basis, Dan mentors future and junior cybersecurity personnel in both an academic setting and in the workplace to offer guidance to the next generation of Information Security professionals.
Roots In The Military. Relevant To All.
American Military University (AMU) is proud to be the #1 provider of higher education to the U.S. military, based on FY 2018 DoD tuition assistance data, as reported by Military Times, 2019. At AMU, you’ll find instructors who are former leaders in the military, national security, and the public sector who bring their field-tested skills and strategies into the online classroom. And we work to keep our curriculum and content relevant to help you stay ahead of industry trends. Join the 64,000 U.S. military men and women earning degrees at American Military University.