Your people could be reading this blog at home and, if you’re lucky, they are using their dedicated work device and following your organisation’s cyber security best practices. If not, your remote workers may be unwittingly risking your organisation’s data. Or worse. So, what are the common remote working cyber security risks? Working from home used to be a rare privilege for the few. Now, remote working for all those who can is becoming normalised, bringing with it an increased risk of compromised systems, data breaches, identity fraud and, of course, organisations being held to ransom.
Post lockdown, we have seen a worrying rise in the number of security misconfigurations identified during our remote working security reviews. This may be due, in part, to the speed at which IT teams had to adapt to the new remote working norm. Our testers are now averaging a 70% access rate: for every 10 external penetration tests, 7 of them result in the tester gaining access to the organisation’s crown jewels.
Unfortunately, by allowing staff to work remotely, you are increasing the risk posed to the organisation from cyber criminals; if a staff member is able to access resources remotely, then so is an attacker, provided that they are able to guess or obtain the same tokens used for authentication. That being said, there are things that can be done to minimise the risk. Here are some of the remote working cyber security risks that we see regularly, and how to minimise them:
An increase in staff responding to phishing emails
It is easy for remote workers to be lulled into a false sense of security when working from home and forget everything they have been told about cyber security best practices, including all the rules you apply in the office.
Hackers understand that remote workers pose a risk to an organisation’s security and will try to phish them, posing as a legitimate contact, to trick a victim into providing their personal login credentials or sensitive information. This information can then be used to access accounts, steal sensitive data, undertake identity fraud and install ransomware.
Phishing is becoming increasingly sophisticated and can be hard for employees to detect when working alone at home, without a colleague at hand to provide a second opinion. Furthermore, given the abnormal situations and confusion which a rushed lockdown brought, staff may have become desensitised to strange requests received via email.
Prevention is always better than cure, so educate your people about the risks of phishing attacks; Covid-related phishing emails are particularly prevalent at the moment. Remind them that security is everyone’s responsibility. Consider having your workforce phished by security experts, which can highlight behaviour likely to cause a problem and help focus your training efforts.
Staff using weak authentication methods
In the panic of lockdown, many IT professionals opted for a solution that was easy to set up and administer. In many cases that meant linking remote access to the internal access controls that were already in place (sometimes known as single sign-on or Active Directory integration). If you use the same username and password to access remote resources as you do to log into your PC, this is probably what is being used. This method has several major drawbacks: colleagues set their own passwords and are responsible for their password’s security, and the same password also provides access to lots of different services, email for example.
If your organisation is large enough, chances are that someone will be using a weak or easily guessable password. Hackers will try to guess account passwords to access sensitive company information, using a range of methods, from trying all the most common passwords, to using scripts that continuously attempt to guess a password by trying out different variants. Given enough time, even a seemingly complex password will be guessed.
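The guessing described above leaves a trail in authentication logs, and the value of central logging for remote access is that you can spot it. The following is an added example (not code from the original post) that runs a simple detector over a constructed sample log: repeated failures on one account from one source (brute force), one source failing against several different accounts (password spraying), and a success that immediately follows a run of failures. The log format, IP addresses, usernames and thresholds are all invented for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "ts auth=ok|fail user=... src=..." format
# (not any real product's log format). IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth=fail user=alice src=203.0.113.5
2024-05-01T09:00:03 auth=fail user=alice src=203.0.113.5
2024-05-01T09:00:05 auth=fail user=alice src=203.0.113.5
2024-05-01T09:00:07 auth=fail user=alice src=203.0.113.5
2024-05-01T09:00:09 auth=fail user=alice src=203.0.113.5
2024-05-01T09:00:11 auth=ok user=alice src=203.0.113.5
2024-05-01T09:05:00 auth=fail user=bob src=198.51.100.9
2024-05-01T09:05:01 auth=fail user=carol src=198.51.100.9
2024-05-01T09:05:02 auth=fail user=dave src=198.51.100.9
2024-05-01T09:30:00 auth=fail user=erin src=192.0.2.44
2024-05-01T10:30:00 auth=ok user=erin src=192.0.2.44
"""

LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(text):
    """Parse log text into (timestamp, result, user, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def find_password_guessing(events, window=timedelta(minutes=10),
                           fail_threshold=5, spray_threshold=3):
    """Flag guessing patterns within a sliding time window per source address.

    brute_force:       (src, user) with >= fail_threshold failures in the window
    spray:             src that failed against >= spray_threshold distinct users
    fail_then_success: (src, user) that succeeded right after such a run of failures
    """
    recent_failures = defaultdict(list)  # src -> [(ts, user), ...] inside the window
    brute_force, spray, fail_then_success = set(), set(), set()

    for ts, result, user, src in events:
        # Drop failures that have aged out of the window for this source.
        recent = [(t, u) for t, u in recent_failures[src] if ts - t <= window]
        recent_failures[src] = recent
        failures_for_user = sum(1 for _, u in recent if u == user)

        if result == "fail":
            recent.append((ts, user))
            if failures_for_user + 1 >= fail_threshold:
                brute_force.add((src, user))
            if len({u for _, u in recent}) >= spray_threshold:
                spray.add(src)
        elif failures_for_user >= fail_threshold:
            # A success after a burst of failures is the one to investigate first.
            fail_then_success.add((src, user))

    return {"brute_force": brute_force, "spray": spray,
            "fail_then_success": fail_then_success}


if __name__ == "__main__":
    for kind, hits in find_password_guessing(parse_events(SAMPLE_LOG)).items():
        print(kind, sorted(hits))
```

Thresholds are a tuning decision: a window of ten minutes and five failures catches a noisy script but not a patient one, so in practice the same logic is also run over hours or days with higher counts, and the "failure burst followed by success" result is the alert worth paging on.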
The most common way of providing extra security is through a second form of authentication such as a time-based token. When connecting, not only is your password required, but so is a 6-digit code that is usually generated by a phone app. Having a second form of authentication protects users should the first (usually their password) be compromised. An attacker may be able to log in with the compromised password, but they should not have access to the phone to read the code, and thus should not be able to access any resources. Be warned though, even a second form of authentication is not infallible. Very sophisticated phishing attacks may prompt for the code and send the code to the attacker too.
So, what is the best method of ensuring that remote access remains secure? In an ideal world, certificate authentication should be implemented alongside user-supplied credentials. A certificate can be thought of as a very long, complex password that your laptop/PC provides automatically to prove its identity. A certificate is difficult to steal, as an attacker would need to gain access to the device. However, certificate authentication can be tricky to implement, as the technician would need to access each laptop/PC to install the certificate. Furthermore, many devices and services do not support this authentication method.
Home broadband routers lack certain features
Home broadband routers usually lack the sophisticated features available in commercial routers. For example, in the office, users may be accustomed to having content filtering in place. Content filtering may stop a user from unwittingly stumbling onto a malicious website, or prevent a user from entering details into a phishing website. Without this feature, remote workers may unknowingly download malware, or hand their details to an attacker. Many antivirus products also provide content filtering, so the lack of router-level content filtering can be compensated for with software.
Another key feature that home users may be lacking is a border firewall. Firewalls prevent machines from talking to other machines on certain ports and protocols; without one, an attacker who has a foothold on a machine can more easily siphon information out of it. Windows Defender has a firewall built in, so again the lack of an external firewall can be compensated for with properly configured local software.
Windows updates, policy updates and antivirus updates
If you are part of a large organisation, your computer may be set to grab updates from a server within the office. Whilst working from home, your machine may not have access to the update server. This could leave machines out of date and exposed to the latest vulnerabilities. This can be rectified by ensuring that computers download their updates from an online source.
In organisations with potentially hundreds of machines, chances are that the IT team is using some automation to ensure that computers are correctly configured and compliant. Rather than making a configuration change manually on hundreds of machines, many will use Group Policy to make the change automatically. The server that distributes these changes may only have been reachable from within the office; now that everything is remote, PCs may not be able to receive the configuration changes, potentially leaving them vulnerable.
Unapproved apps and software
Without the prying eyes of the office watching their screens, some users may be tempted to install third-party applications which are not approved by their IT teams. This is not necessarily about procrastination. For example, if a user has a home printer, they may install the full bundled software instead of just the drivers. With a greater number of installed applications comes a greater risk that one of those applications contains a vulnerability that could be exploited by attackers. Worse still, the IT team may be unaware of the application and therefore won’t ensure that it is kept up to date. This can be controlled by restricting users from installing software, or through thorough auditing.
In this blog post, we have highlighted a few of the many remote working cyber security risks. By now we should have made a compelling argument for undertaking a remote working security assessment for all your people working from home, for some or all of the week. If you want to know more or would like to arrange an assessment, please get in touch.