Having employees connect remotely to your corporate network is not new. Most companies use cloud-based software-as-a-service (SaaS) applications and have some virtual private network (VPN) or remote desktop capabilities to enable field sales staff or roaming users to connect to essential applications and data. However, few -- if any -- companies were prepared for our current reality. Companies had to make an overnight shift to a largely remote workforce -- never mind doing so securely.
When the year started, employees showed up at the office and sat down at their desks and connected to the internal network from a company-issued PC or laptop. They sat comfortably behind network defenses such as a firewall, intrusion detection and spam filters. If any issues arose, IT was usually in the same office.
Now, with the COVID-19 pandemic and the shift to working from home, we're faced with a new reality: Most office employees will continue working from home for the foreseeable future. Some may have a company laptop, but many are getting their work done from their personal PC. They are connected to their home Wi-Fi router and accessing company resources and data across the public internet.
What does that mean? It means that the attack surface has expanded exponentially, and that corporate resources and data are exposed to devices and networks that are less secure and almost entirely outside the control of IT security teams. At the same time, attackers are well aware of this shift to working from home and are honing their attacks to take advantage of the opportunities it presents.
Home network cybersecurity
Companies have a lot of people now working from home full time -- people who are not technical and who are not used to being responsible for their own technology and security. Attackers are increasingly targeting weaknesses in home network environments and exploiting the chaos and complexity of users working from home.
There are three primary concerns with home networks and personal cybersecurity in a work-from-home scenario:
- the computer being used;
- the network they're connecting to; and
- the security awareness and savvy of the user.
As mentioned, many remote workers are getting their jobs done on personal PCs. SaaS applications are generally secure, and any connection to internal resources should be encrypted over a VPN connection, but the device itself still poses some risk. There is a chance the device is already compromised. For instance, if other family members use the computer, or if it trusts other devices on a shared home network, the PC is at greater risk of malware infection.
The network itself is also a risk. Many home Wi-Fi routers are notoriously weak and prone to exploitation. Critical vulnerabilities have been discovered in common home Wi-Fi routers that could allow a successful attacker to remotely execute arbitrary code on the home network. Attacks have been discovered during the quarantine that redirect users to malicious websites that install malware on the user's system and steal user credentials.
It doesn't help that many people never patch or update these devices, and they often contain default login credentials that an attacker can easily obtain. If attackers are able to compromise or gain access to the router on the home network, they will be able to view or capture traffic on the network and may be able to compromise or infect the devices connected to it.
The users themselves are perhaps the biggest security concern, though. The COVID-19 quarantine and the shift to working from home have created a fair amount of chaos and confusion that attackers are leveraging for phishing attacks. Emails that appear to be from the company or about official business related to COVID-19 are likely to catch the attention of remote workers who are anxious for information and status updates and may be less cautious than they would normally be.
Keeping company data secure during remote access
As companies embrace the work-from-home model, there are many factors to consider when it comes to company data and resources and enabling secure access to them remotely. Consider this from two perspectives: access to the data itself, and the hardware used to access it.
Data is the lifeblood of the business and workers need access to get their jobs done no matter where they are. For organizations that have adopted SaaS platforms and applications such as Salesforce or Office 365, that data already lives in the cloud and users can continue to connect to and access it just as if they were in the office. If essential data is stored on internal servers within the company network, users need a way to securely connect to and access those resources -- such as with a VPN connection.
The other side of the equation is the hardware being used to access systems and data. In an office environment, most workers use company-issued desktop or laptop PCs that the company's IT team manages. Company-issued equipment already has the necessary configuration and tools in place to meet established security policies, so there may be less to be concerned about if a user is connecting remotely using a company-issued laptop. Remote workers who connect from personal devices to platforms and data -- whether SaaS applications or internal company resources -- pose a greater risk because the IT team has no visibility of or control over how the device is configured or secured.
Perhaps the most important factor is a lack of visibility. IT teams were forced to change network parameters and add VPN connections to allow remote access overnight. It is unlikely that sufficient testing was done to ensure the configuration is secure, which is why it is even more crucial to capture and analyze log data to identify and plug any holes and monitor for attacks taking place.
Keeping data and employees secure
Companies should start with clear expectations and communication. Remind remote workers of company security policies and basic cybersecurity best practices, and make sure they are informed about potential or emerging threats so they know what to look for.
Ensure that operating systems and applications are fully patched and updated -- even on personal computers -- and require a VPN connection for access to any internal resources or data. It is also more important than ever to be vigilant in monitoring usage of user credentials and access to company assets and data. Make sure you have the tools and expertise in place to identify anomalous or suspicious behavior quickly and take action to stop any malicious activity.
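One way to put the monitoring advice above into practice, as an added example that is not part of the original article: a small Python script that parses constructed VPN authentication log lines (the log format, addresses and user names are assumed for illustration) and flags two patterns worth investigating, one account logging in successfully from two different addresses within a short window, and a burst of failed logins against one account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (illustrative format, not any vendor's).
SAMPLE_LOG = """\
2020-04-06T08:01:10Z vpn auth user=alice src=203.0.113.10 result=success
2020-04-06T08:03:45Z vpn auth user=bob src=198.51.100.7 result=success
2020-04-06T08:04:02Z vpn auth user=alice src=192.0.2.55 result=success
2020-04-06T08:05:00Z vpn auth user=carol src=198.51.100.9 result=failure
2020-04-06T08:05:03Z vpn auth user=carol src=198.51.100.9 result=failure
2020-04-06T08:05:07Z vpn auth user=carol src=198.51.100.9 result=failure
2020-04-06T09:30:00Z vpn auth user=bob src=203.0.113.99 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Return (timestamp, user, source, result) tuples in time order; unmatched lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)

def find_multi_source_logins(events, window_minutes=30):
    """Users who logged in successfully from two different addresses within the window
    (one account in use from two places at once is a classic sign of a shared or stolen credential)."""
    window = timedelta(minutes=window_minutes)
    seen, flagged = defaultdict(list), set()
    for ts, user, src, result in events:
        if result == "success":
            if any(s != src and ts - t <= window for t, s in seen[user]):
                flagged.add(user)
            seen[user].append((ts, src))
    return flagged

def find_failure_bursts(events, threshold=3, window_minutes=1):
    """Users with at least `threshold` failed logins inside a sliding window
    (a burst of failures against one account looks like password guessing)."""
    window = timedelta(minutes=window_minutes)
    recent, flagged = defaultdict(list), set()
    for ts, user, src, result in events:
        if result == "failure":
            times = [t for t in recent[user] if ts - t <= window] + [ts]
            recent[user] = times
            if len(times) >= threshold:
                flagged.add(user)
    return flagged
```

On the sample data, alice is flagged for two successful logins from different addresses three minutes apart, carol for three failures inside a minute, while bob's two addresses are 86 minutes apart and only trip the check if the window is widened.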
About the author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded consulting firm Durvaankur security consulting. He holds two Master of Science degrees, one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.