As people are using remote work systems, the corporate management of the “device fleet” is somewhat lacking, causing vulnerabilities and exposing organizations to potential breaches. For this and other reasons, companies should be implementing systems and techniques to manage and control potential vulnerabilities that will arise during remote work.
What is a vulnerability?
Regarding computer security, a vulnerability is a weakness that can be exploited by a threat actor. An attacker could exploit the vulnerability to perform unauthorized actions within a computer system.
How to approach remote work vulnerabilities
A pragmatic approach should be followed. This means that the risk should be evaluated for each organization and the probability of the exploit determined. There should be a system that continuously performs this risk assessment on the fly (dynamically) so that the risk posture of the entire organization is reflected in the responsible people. This team of people can then take the remediation actions to apply the required controls to reverse or stop damage and avoid a breach.
Evaluating the entire posture
Finding and fixing remote work vulnerabilities, as we have identified, requires a pragmatic approach. However, so many vulnerabilities exist that we cannot address them all. The strategy needs to be balanced with the likelihood of exposure and breach. This balance can be evaluated and must be done continuously to avoid a breach. For this reason, several governments are now internationally proposing, as part of an essential cybersecurity defense, that some form of an automated vulnerability assessment is performed to assure the organization of their cybersecurity posture.
The entire posture of an organization differs from company to company but typically contains the following.
1. The people
Everything starts with the people who use, manage, set up, operate, maintain, fix, and interact — inside and outside of the organization. It is essential to consider all of the “people facets” that make up the whole organization. And this includes the external parties (those people that are typically not always visible to you), like the third parties that support the company. Believe it or not, this includes the janitorial/cleaning staff as well as the reception staff — all supporting functions are vital.
Often the attackers look for people that they believe are a soft target. These people are still supporting your company and may have some form of access to your environment, which means the potential exposure is there. Knowledge equates to control, so training, testing, and awareness have an important part to play. If people don’t know what to do, how to do it, and when to do things, and if boundaries are not set, then issues could arise. For this reason, technical controls that help limit the vulnerability will help and act as a safety net when people falter.
Administrative controls can also be put in place to help guide people to do the right thing and act as a reference. These controls should be reinforced to help people to work in the right way. Additionally, the constant reinforcement is key to ensuring the people don’t stray. The technical controls should have the ability to detect any potential vulnerability or help with an automatic limitation of damage.
The proven way of knowing if your controls are adequate is by testing the users with reasonable tests that demonstrate that your controls are effective. The first step is to educate the people so they understand the threat, followed by explaining the vulnerability. This process builds trust and also demonstrates that the organization knows about the various issues and the current state of affairs.
Through working from home, many accentuated problems have arisen that make it more challenging for IT/IS teams to keep up with the onslaught of attacks, as the surface area has broadened to include home networks.
2. The devices that people use
People use something (a device) to access something else (data and resources) as we are in a digital space. If we think of how people access things and abstract this element, then we can find ways to manage access and thus secure the platforms that need protection. The now accepted method is through laptops, mobile devices like smartphones, tablets, and home computers. Not all of these devices are company devices, and the company does not always manage personal devices. A vulnerability exists when something can be exploited. The risk of an unmanaged device posing a threat to an organization is high and will remain high because of a lack of management and visibility.
3. Possible controls
Only allow managed devices to connect to the organization! Unfortunately, with remote working, this is no longer an approach every company can take. However, in environments that require higher levels of security, it’s a better way of enforcing assurance. Remember, it is about getting the balance right. If the organization accepts that people will use their own devices to access corporate systems, then the organization accepts that it needs a better approach to manage the potential vulnerability it may cause. Without it, the organization is unable to manage the device and the applications and operating systems on those devices. Hence, the organization will have to assume that those devices cannot be trusted.
So, what do we do? Well, we adopt the Zero Trust model, shout-out to John Kindervag. We forget about the castle and moat system and the traditional firewall model that we were bound to. Instead, we embrace a more modern approach whereby we abstract the device. So, it does not matter what device is used to access the platform and resources, as long as it’s done in a secure way that the organization architects.
Sounds complicated? It isn’t. The concept is quite simple. We don’t trust the people and devices accessing our platforms and thus put controls in place that require the people and, in this case, devices to pass certain checks to ensure security.
For instance, when a device used by a user, who has been identified and authenticated, is trying to access the corporate data, the system performs a posture assessment. It checks multiple things: If the device is in the geography expected, that the device is somehow linked to that user, that the device is not jailbroken, that the device is fully patched to the latest or as close to the latest patch level allowed, and that the application used to access the platform is on the newest version. In simple terms, there is a layered, prioritized checklist performed on the device as if it were managed. If it meets the cyber-hygiene level required by the organization, the organization can grant the appropriate level of access to the device.
It’s important to reflect that denial of service is not a good option as it denies authorized user access to a resource they would typically have. So, we need to balance the reasonable level of cyber hygiene with the right level of access.
4. The servers that devices and people access
If the organization manages the servers, services, or clouds where the applications and the services are delivered from there is more flexibility. However, it’s essential to get the security right. Otherwise, you risk exposure. Controls like CASB and restricted interfaces (like Citrix and published applications) delivered over VPN or SSL VPNs are good options. Further protection through multifactor authentication is vital to control and mitigate remote work vulnerabilities.
5. The data and resources
With regards to a breach, more often than not, the data (people’s details and other sensitive information, including email and credit card numbers) is what attackers are after. The location of the data must be considered, and it’s fair to say, if we are honest, we don’t always know where all the data lives. Data can reside in applications, on people’s devices in the form of documents and email, pictures of whiteboards, physical documents, and in clouds. Making sure the data is protected at rest, in transit, and when accessed is now a requirement.
6. Applications running on devices and servers
Applications running on devices and servers, serving the users, are a crucial part of the security consideration. These applications need to be checked for vulnerability and security. The assessment process should be continuous, and although the cloud providers have endeavored to build trust and reliability in their platforms, if your data were to leak, your organization would be responsible.
The cloud provider provides a service, most of which are based on their terms and conditions, and you have little recourse if something were to go wrong. To that end, it’s vital for the organization to ensure that the data, applications, and access to these are managed to observe the CIA triad, which is the confidentiality, integrity, and availability of the data.
Remote work — and its vulnerabilities — are here to stay
Remote working, for millions of people, is likely to remain on a more permanent basis. Our new working arrangements, remote working (from home), means working differently, for employees and employers. It also means security must adapt to meet the changing needs. It requires the application of a modern security approach to defend the broadened workspace and burgeoning vulnerabilities.
Featured image: Shutterstock