With the ongoing rush to transition staff to remote workers, great opportunities open for con artists and evil hackers to exploit the situation. We in IT and even IS often think that software controls such as VPNs, DLP and Cloud technologies will secure our remote workers. That is false and exactly what the con artists and evil hackers are counting on you to think.
The Remote Work Experience
With the current situation I have seen some reasonable advice passed around in short videos and articles about keeping a remote workspace secure. I won’t waste your time by repeating that advice. I have been giving security classes remotely and doing remote work involving security awareness for decades (yes, I was securely remote before it was cool), and I’ll share some scenarios people don’t always consider.
When we forget the human elements of hacking such as social engineering, we swing the door wide open allowing exploits that no VPN, firewall or DLP control can assuage. Remote workers offer far more opportunities for this than when they are on premises.
The “human factors” of information security take a different kind of thinking than regular information technology or information security. Even Pen-Testers in our industry tend to rely on email phishing tests and tailgating rather than on some of the more subtle arts of social engineering, simply because they are on-prem for a restricted number of hours.
The first question you need to ask is this: has my organization given Security Awareness training specifically tailored to a remote workforce to all employees that work off-prem AND manage or work with the remote workforce? If this answer is “NO” for goodness sake don’t let anyone outside the company know. You are at risk of compromise especially in our current environment. If you answered “YES”, that is great provided this program was updated within the past 12 months and everyone has had training or a review within this time frame.
If your Security Awareness program did not pass the criteria above you will need to work with a program designer fluent with adult learning, neuroscience-based methods of behavior change and cybersecurity.
If you hope to put this together yourself or wish to evaluate your program here are some topics to consider including.
Out of Band Controls
This is CRITICAL for all employees but more so for remote workers and especially those that are new to remote working. One of the most popular social engineering exploits of 2019 and continuing into 2020 involves tricking your employees into purchasing items based on what appears to be an order from a fellow employee (see https://blog.cadre.net/tech-security-insights/how-to-avoid-the-4-top-security-cons-in-2020).
There are many forms of these attacks but generally an email arrives from a superior that directs an employee to buy gift cards or other goods or programs for an incentive, or to wire money for some important past due bill. These emails look VERY good and appear legitimate!
To stop these and related social engineering attacks you must have a side-band method of verifying activities that does not go through the same channel(s) as the request. Workers who typically walk across the hall to verify a transaction are now remote, and therefore far more likely to fall for these scams.
To mitigate these attacks, you need to establish a policy or procedure to verify these transactions through a side band and you must educate and test your remote employees to verify that their behavior is appropriate.
Examples might include requiring that email requests for purchases of any kind be verified out-of-band by a phone call or a text message using a cell phone, not by messaging through the same computer. Likewise, if the request arrived as a text message, verification should be through email or a phone call on another device.
The Cloud of Confusion
An ongoing challenge in today’s environment is workers being confused between personal cloud services like a personal Dropbox and corporate file and collaboration tools like SharePoint and Office 365. This opens up all kinds of data loss and especially security concerns. If you are not making a solid effort to both educate your employees and put in mitigations, you leave yourself open to data loss and possible fines from HIPAA violations or other ramifications. You can include some succinct training and information on this with your security awareness training. Remember you MUST show honest due care and due diligence to avoid fines and legal liabilities.
Case Study in Data Loss Protection
As a security professional I can’t give specifics, but I can convey what happened. A remote worker had the plans to an important product and facility on a second monitor. He was using some third-party software on his main monitor. When he had issues with the third-party software he contacted support and they asked for a screenshot of the error. The remote worker did not realize that screenshots capture BOTH monitors, not just the one he was looking at and working on, and so he sent the screenshot, including the image of the “secure” documents, to the help desk in India.
Remote Data Loss Protection (DLP) controls typically focus on text information looking for keywords that are transmitted. Images are not so easily protected by DLP. Workers that are new to being remote are far more likely to seek help from vendors and such contact can have unintended consequences. Dealing with this not only involves specific Security Awareness training for remote workers but also making sure that you have vetted the partners and third parties you use. If you don’t have the staff or resources to do this kind of vetting, consider a Trusted Security Advisor such as a vCISO (https://www.cadre.net/outsourced-ciso).
The Clean Workspace From a Cybersecurity Point of View
Hopefully you have already educated your remote workers on the dangers of letting family members use company devices. You should also be making sure that remote workers themselves don’t use personal devices on the company equipment such as USB drives and unapproved Bluetooth devices. What about understanding the importance of printed documents that might print out of a home printer and end up in a child’s homework package that will get mailed out to a professor’s assistant?
Do your workers know how to make sure their devices are secure when unattended? Do you have controls to mitigate against human failures?
Do you have full disk encryption and if so, what is your recovery plan? Have you practiced it?
Do all laptops and webcams have a physical slide cover that is used when the cameras are not in use?
Do your remote employees have a way to access the organization’s equipment use policy and do they know how to access it? When was your use policy updated?
What to do About the “VPN HYPE”?
VPN vendors and low-grade information security advisors are pummeling everyone on the necessity of using a VPN for your remote workers. Is this hype or is it real?
What is real is that a VPN is an essential tool for the remote worker, especially if they are mobile and use any kind of public Wi-Fi. However, VPNs are being touted as a “cure all” for security. They are NOT.
VPNs create a secure tunnel that can pass information from a workstation to a corporate office or cloud hub. This is a great tool to stop eavesdropping from many (but not all) security threats. Sadly, VPNs can often create a false sense of security.
For a VPN to live up to the hype it must be configured in such a way that it will only allow a fully secure computer to attach to the corporate tunnel and only after a health check. Additionally, the workstation would NOT be able to send any traffic outside of the tunnel at any time, including before the tunnel was initiated and after it was closed. For most remote workers this is not likely the configuration they are using.
If a remote device or workstation can make any communications outside of the VPN, other exploited devices on the home network or a public Wi-Fi network may have the opportunity to compromise the workers’ devices or perhaps even gain access to the corporate network through the VPN.
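The “no traffic outside the tunnel” requirement above is usually enforced on the workstation with a host firewall “kill switch”: a default-drop ruleset that permits only the single flow needed to reach the VPN server plus whatever leaves through the tunnel interface, and that stays in force before, during and after the tunnel is up. The following is an added example, not code from the original article or from any VPN vendor; it generates such an nftables ruleset for a Linux workstation. The interface name (tun0), server address (203.0.113.10) and port are constructed placeholders, and the VPN server is given as an IP address on purpose, since DNS cannot be reached before the tunnel exists.

```python
"""Generate an nftables "kill switch" ruleset for a VPN-only workstation.

Added example (not from the original article). Loaded with `nft -f`, the
ruleset drops every inbound and outbound packet except: loopback, the one
flow that establishes the tunnel, traffic leaving via the tunnel
interface, replies to those flows, and (optionally) DHCP so the host can
keep its LAN lease. Other devices on the home or coffee-shop network can
therefore neither reach the workstation nor be reached by it.
"""
from ipaddress import ip_address


def vpn_killswitch_ruleset(vpn_if: str, vpn_server: str, vpn_port: int,
                           proto: str = "udp", allow_dhcp: bool = True) -> str:
    """Return nftables ruleset text (for `nft -f <file>`).

    vpn_if     -- tunnel interface name, e.g. tun0 or wg0 (assumed)
    vpn_server -- IP address of the VPN concentrator (not a hostname)
    vpn_port   -- port the tunnel is established on
    proto      -- transport used to reach the concentrator: udp or tcp
    """
    ip_address(vpn_server)          # raises ValueError on a malformed address
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    if not 0 < vpn_port < 65536:
        raise ValueError("vpn_port out of range")

    lines = [
        "# Declare then flush so the file can be re-applied idempotently.",
        "table inet vpn_killswitch",
        "flush table inet vpn_killswitch",
        "table inet vpn_killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    # The only direct flow allowed: establishing the tunnel itself.",
        f"    ip daddr {vpn_server} {proto} dport {vpn_port} accept",
        "    # Everything else must leave through the tunnel interface.",
        f'    oifname "{vpn_if}" accept',
    ]
    if allow_dhcp:
        lines.append("    udp dport 67 accept    # DHCP request to keep the LAN lease")
    lines += [
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    # Only replies to flows we initiated (tunnel setup, traffic via the tunnel).",
        "    ct state established,related accept",
    ]
    if allow_dhcp:
        lines.append("    udp sport 67 udp dport 68 accept    # DHCP reply")
    lines += ["  }", "}", ""]
    return "\n".join(lines)


def has_default_drop(ruleset: str) -> bool:
    """True if both the input and output chains default to drop."""
    return ruleset.count("policy drop;") == 2


if __name__ == "__main__":
    # Write to a file and load with: sudo nft -f vpn_killswitch.nft
    print(vpn_killswitch_ruleset("tun0", "203.0.113.10", 1194))
```

Note that there is deliberately no `ct state established` rule in the output chain: any non-VPN connection that was open when the ruleset loads dies immediately instead of lingering, which is the behaviour you want from a kill switch. Health-check-before-connect (the other half of the requirement) lives on the concentrator side and is not modelled here.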
In a corporate environment if due diligence is met IOT devices would be kept on a separate screened network or at least well vetted. Do you think this is true of your employees’ home networks or networks at neighborhood coffee shops?
Not all VPN vendors are trustworthy. What procedures did you use to vet the VPN provider(s) you or your workers are using?
What ports does your VPN require? Can the VPN be used at a coffee shop like an SSL or TLS VPN and if not, will your worker connect to the internet without a VPN “just once” to do something “important”? If you use an SSL or TLS VPN, are you OK with the reduced performance? What is the Certificate Authority that signed the certificates?
For a long-term remote worker I might recommend having a work-only home router with confirmed BIOS versions and some form of manageability. For the influx of short-term remote workers this might not be feasible. Consider having your remote employees use a company cell phone hot spot for their internet access if you are unable to verify their local network’s attributes or if they are high-risk. For high-profile remote workers that handle critical information, have an assessment done of their work location.
Haste Creates Unseen Problems
Lastly, with the rush of all these new remote connections, did your IT crew make “any-any” rules in your firewalls just to get things going and have now forgotten to clean up and recheck? I know I have been under pressure and made what I thought was a temporary fix just to find it sometime later and realize that it might have created problems.
Perhaps a quick external scan from an outside assessment team is in order? Outside vulnerability scans should be done on a regular basis and especially after changes that are either significant and/or could have significant impact.
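Before the external scan, a rule-base review catches the forgotten “any-any” rule directly. The following is an added example, not code from the original article or from any firewall vendor; it audits a simplified, constructed rule export (one rule per line: action, source, destination, service, optional comment) and flags permits with wildcards in every field, permits with two wildcards, and rules whose comment reads like a temporary fix. The line format and the sample rules are constructed for the example; a real export would need its own parser, but the audit logic is the same.

```python
"""Audit a firewall rule export for 'any-any' permits and forgotten
temporary rules.

Added example (not from the original article). The rule format here is a
constructed, simplified one:  action src dst service [# comment]
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    line: int
    action: str
    src: str
    dst: str
    service: str
    comment: str


# Words that, in a rule comment, usually mean "I meant to clean this up".
TEMP_MARKERS = re.compile(
    r"\b(temp|temporary|tmp|todo|remove|quick ?fix|until)\b", re.IGNORECASE)


def parse_rules(export: str) -> List[Rule]:
    """Parse the constructed export format; blank and '#' lines are skipped."""
    rules = []
    for n, raw in enumerate(export.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, comment = line.partition("#")
        parts = body.split()
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 'action src dst service', got {raw!r}")
        action, src, dst, service = (p.lower() for p in parts)
        rules.append(Rule(n, action, src, dst, service, comment.strip()))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (line, severity, message) findings, most severe first per rule."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue            # deny rules are never over-permissive
        wild = [name for name, value in
                (("src", r.src), ("dst", r.dst), ("service", r.service))
                if value == "any"]
        if len(wild) == 3:
            findings.append((r.line, "HIGH", "permit any any any"))
        elif len(wild) == 2:
            findings.append((r.line, "MEDIUM",
                             "permit with two wildcards: " + ", ".join(wild)))
        if TEMP_MARKERS.search(r.comment):
            findings.append((r.line, "REVIEW",
                             f"comment suggests a temporary rule: {r.comment!r}"))
    return findings


# Constructed sample export; addresses are documentation ranges, not real hosts.
SAMPLE_EXPORT = """\
# constructed sample export, not from any real firewall
permit 10.10.0.0/16   10.20.5.10  tcp/443   # intranet portal
permit any            10.20.5.20  udp/1194  # VPN concentrator
permit any            any         any       # temp - get remote staff on, March
permit 203.0.113.0/24 any         any       # contractor range, remove after project
deny   any            any         any       # cleanup
"""

if __name__ == "__main__":
    for line, severity, msg in audit(parse_rules(SAMPLE_EXPORT)):
        print(f"line {line}: [{severity}] {msg}")
```

A rule that permits “any” source to one host on one service (the VPN concentrator in the sample) is normal and is not flagged; the audit is looking for the rush-job rules, which have wildcards in most fields and a comment that promised a cleanup.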
Social media scams are serious and now more than ever hoaxes can be costly and dangerous. All employees, not just remote workers, should have a refresher on fact checking and scam identification.
Social media should not be accessed using a corporate device. Just telling your workers this is not likely to be effective and software controls can sometimes backfire. You need workers to understand why this is important to achieve buy-in. If the social media work is organization related, a separate device and connection might be warranted unless the employee is very well trained on how to identify all of the various forms of click-bait, tracking, scams and social media related malware.
Hoaxes about products or services can negatively impact the organization and its ability to operate. Hoaxes and misinformation can be mitigated but you really need to understand how this is done and work through at least some tabletop exercise BEFORE you are in the situation where you must deal with a runaway viral hoax.
If you don’t have time and resources for this, contact me (Tim.Oconnor@cadre.net) for information about forming Security Awareness programs that can be designed for your needs.
I hope this article has answered some questions and provided suggestions that you have not seen elsewhere. Please stop back for updates and additional case studies and advice.
About the Author
Tim O’Connor works for Cadre Information Security as the lead of knowledge services and vCISO team member. He is a professional public speaker, has been working in IT for 20+ years and holds a number of certifications including PCI-QSA, CISA, CISSP, CTT+, MCSE, CISSO, CWNE, Security+ and CISSM. Tim has authored over a dozen books, has written for a number of publications and is certified as a commercial rotorcraft pilot and flight instructor. His principle hobbies include antique motorcycles, astrophotography, mentalism and doing science outreach.
For questions please contact Tim.firstname.lastname@example.org or 513-762-2026