
Work from Home Security Approach

By Murali M in Security

This article looks at the security threats that arise when business operations run remotely from employees' homes, seen from the attacker's perspective. It also helps assess the security posture of work-from-home policies, so that personal and business-critical data can be protected from leakage during the COVID-19 situation.

The need for this Article

Adversaries are taking advantage of the fact that many people working from home have not applied the same security controls on their home networks that companies adopt in the workplace. Companies, in turn, often do not deploy the technologies or corporate security policies needed to ensure that every corporate-owned or corporate-managed device follows the same security measures regardless of whether it is connected to the enterprise network or to an open home Wi-Fi network. Figures 1 and 2 show sample network topologies that illustrate the current situation.

Topology when employees were working on-site before COVID-19

Figure 1: Employees working behind a secure corporate network

Topology when employees are working from home during COVID-19

Figure 2: Employees working from home

The home LAN machines of internal users are no longer behind the secure network that provides the right security controls: firewalls/IPS, malware threat prevention, application/URL filtering, proxy, anti-spam, sandboxing and the other layers of attack detection, prevention and alerting. Instead, the same users connect over a VPN, which creates a tunnel that lets them reach corporate resources securely but does not by itself give them the full protection they had while working inside the corporate environment, especially when Internet-bound traffic bypasses the tunnel.

Some questions you should consider asking internally are:

Do we have a strong password management system in place? Are we regularly applying patches to our systems? Can we see and stop common malware? Do we have sufficient data sources to detect the techniques described in MITRE ATT&CK?

What are the possible threat scenarios?

Let's look only at work-from-home scenarios, at the network, endpoint and local connectivity levels.

Network Level (Routers/Switches/VPN Gateways/Servers):

Access Level Threats:

  • Open ports expose vulnerable services to the entire Internet.
  • DDoS against newly exposed servers/applications.
  • Availability of critical devices: VPN gateways and other HA setups now carry far more load and are far more exposed than before.

Authentication Threats

  • Brute-force attacks against VPN and portal logins.
  • Incorrect mapping between users and departments/groups, so users land in the wrong access profile.

Policy rules under risk

  • VPN rules may allow full access to unwanted/unauthorized users.
  • Split tunnelling enabled, so Internet-bound traffic bypasses corporate inspection.

Auditing Challenge

  • Increase in false-positive alerts.
  • Insufficient log feeds to the SIEM for tracking incidents.

Endpoint Level (Laptops/Desktops/Mobile Phones/Tablets):

Access Level Threats:

  • Infected machines can infect other devices in the VPN domain.
  • Machines can download malicious files because there is no proxy (application/URL) filtering on the home network.
  • Unauthorized people in the household can physically access the endpoint device.

Authentication Threats

  • Credential theft.
  • Logins for one account from multiple geographic locations.
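The two authentication threats above (and the brute-force attacks listed under the network level) are detectable from the VPN gateway's own authentication log. The script below is an added example for this article, not code from PurpleSynapz or from any VPN vendor: it parses a constructed log format, flags a source that succeeds after a burst of failures, and flags an account that authenticates from two countries within a window too short for travel. The log line layout, the IP-to-country table and the sample lines are all constructed for illustration.

```python
"""Triage VPN authentication logs for a brute-force attack that eventually
succeeds and for one account logging in from two countries within a window too
short for travel (the "multi-geo login").

Added example for this article, not code from PurpleSynapz or any VPN vendor.
The log line format, the IP-to-country table and the sample lines are all
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Hypothetical GeoIP table; a real deployment would query a GeoIP database.
GEO = {
    "203.0.113.10": "IN",
    "203.0.113.11": "IN",
    "198.51.100.7": "DE",
    "192.0.2.99": "RU",
}

BRUTE_FAILS = 5                      # failures from one source before a success = brute force
BRUTE_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is suspicious

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2020-04-01T09:00:00 user=alice src=203.0.113.10 result=ok
2020-04-01T09:01:00 user=bob src=192.0.2.99 result=fail
2020-04-01T09:01:05 user=bob src=192.0.2.99 result=fail
2020-04-01T09:01:10 user=bob src=192.0.2.99 result=fail
2020-04-01T09:01:15 user=bob src=192.0.2.99 result=fail
2020-04-01T09:01:20 user=bob src=192.0.2.99 result=fail
2020-04-01T09:01:30 user=bob src=192.0.2.99 result=ok
2020-04-01T09:30:00 user=alice src=198.51.100.7 result=ok
2020-04-01T15:00:00 user=carol src=203.0.113.11 result=ok
2020-04-02T09:00:00 user=carol src=198.51.100.7 result=ok
""".splitlines()


def parse(lines):
    """Parse log lines into events sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "ok",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events):
    """Return (src, user) pairs where a success from one source was preceded by at
    least BRUTE_FAILS failures from that source within BRUTE_WINDOW."""
    fails = defaultdict(list)   # src -> timestamps of recent failed attempts
    hits = []
    for e in events:
        if e["ok"]:
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_FAILS:
                hits.append((e["src"], e["user"]))
            fails[e["src"]].clear()
        else:
            fails[e["src"]].append(e["ts"])
    return hits


def detect_multi_geo(events):
    """Return (user, previous_country, new_country) when one account logs in
    successfully from two different countries within TRAVEL_WINDOW."""
    last = {}   # user -> (ts, country) of the last successful login
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        country = GEO.get(e["src"], "??")
        prev = last.get(e["user"])
        if prev and prev[1] != country and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            hits.append((e["user"], prev[1], country))
        last[e["user"]] = (e["ts"], country)
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))   # [('192.0.2.99', 'bob')]
    print("multi-geo:", detect_multi_geo(evs))       # [('alice', 'IN', 'DE')]
```

In the sample data, bob's account is taken over by brute force from 192.0.2.99, and alice appears in India and Germany thirty minutes apart, while carol's two logins eighteen hours apart are left alone. Note that a failure-count rule keyed on the source address misses a slow spray from many addresses; a second rule keyed on the target account is the usual complement.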

 

Policy rules under risk

  • Uncontrolled endpoint devices can spread malware.
  • Data loss from end-user machines if users download critical information locally.
  • Increase in phishing attacks carrying malicious attachments/links or fileless payloads.
  • Unwanted software installed on endpoints because users have full (administrative) access.
  • Unknown status of endpoint security controls.
  • Patch update failures.

Auditing challenge

  • Monitoring endpoint behaviour outside the corporate network.

Local connectivity Level (Wi-Fi, Mobile Hotspot, Data Card, LAN, USB)

Access Level Threats:

  • Insecure Wi-Fi access points can leak credentials.

Authentication Threats

  • Default credentials on home routers and access points.

Policy rules under risk

  • Data transfer via removable media.

Auditing Challenge

  • Anyone can attach removable media, and the logs will not differentiate the user.

How can companies respond to the aforementioned issues?

Without the right security, personal devices used to access work networks can leave businesses vulnerable to compromise. If information is leaked or breached through a personal device, it is still the company that will be held responsible. Here are four recommendations for business leaders.

  • Logon accounts: VPN, network and any other resource accounts should be disabled promptly for departing employees.
  • Understand the threats to your organization: Work with your security teams to identify likely attack vectors, and prioritize the protection of your most sensitive information and business-critical applications.
  • Provide clear guidance and encourage communication: Instruct employees to report any suspicious activity to the internal security team.
  • Provide the right security capabilities: Extend the essential security capabilities and the network security best practices that exist within the enterprise to all remote environments.

These critical capabilities include:

  • An ability to securely connect users to their business-critical cloud and on-premise applications, such as video teleconferencing applications increasingly relevant for remote work environments
  • Endpoint protection on all laptops and mobile devices, including VPN tools with encryption
  • An ability to enforce multi-factor authentication (MFA)
  • An ability to block exploits, malware, and command-and-control (C2) traffic using real-time, automated threat intelligence
  • An ability to filter malicious URLs and domains and perform DNS sinkholing to thwart common phishing attacks.

How can employees take responsibility to work securely?

  • Maintain good password hygiene: Use long, unique passwords (a password manager helps) and multi-factor authentication wherever possible, and change a password promptly if you suspect it has been exposed.
  • Update systems and software: Install updates and patches in a timely manner, including on mobile devices and any other non-corporate devices used for work.
  • Secure your Wi-Fi access point: Change the default settings and passwords on your router/access point to reduce the impact on your work of an attack via other connected devices.
  • Use a virtual private network (VPN): A VPN creates a trusted, encrypted connection between employees and their organization and ensures ongoing access to corporate tools. When all traffic is routed through the corporate gateway (no split tunnelling), the corporate filtering, anti-malware and firewall controls protect the remote user just as they do in the office.
  • Be wary of COVID-19 scams: Phishing e-mails, malicious domains and fake apps are already circulating. Threat actors love to exploit real-world tragedies, and COVID-19 is no different.
  • Don't mix personal and work: Use work devices for work and personal devices for personal matters, so that an infection on one does not spread to the other.

Some important policy checklist items you have to verify again

  • Identify the crown jewels:

List what is most critical to the business and its customers, and review the access permission and authorization policies that protect it.

  • VPN rules created during WFH:

Audit the rules created in a hurry during the move to WFH; they often leave holes. Identify the gaps where the VPN rules were not created as per security policy.

  • How VPN users are created and maintained:

Check password strength and authorization, and implement the following:

  • Complex passwords are used
  • Multi-factor authentication (MFA) is enabled
  • Passwords are shared only through secure means
  • A password expiry policy is in place

  • Check for unwanted open ports and services:

Check whether the firewall admin has opened many ports on the firewall. List all the ports that are open along with the risk involved in opening each of them, and terminate the services that are not required.
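The two checklist items above (over-permissive VPN rules and unwanted open ports) can be audited mechanically against a rule-base export. The script below is an added example for this article, not the export format or tooling of any particular firewall: it reads a constructed CSV rule base, flags Internet-facing accept rules whose services are not on an approved list (with the risk note the checklist asks for), and flags VPN rules that give remote users access to any destination or any service. The CSV layout, the rule names, the 'vpn-pool' source object, the approved-port list and the risk notes are constructed assumptions.

```python
"""Audit a firewall/VPN rule base exported as CSV for ports opened to the Internet
that are not on the approved list, and for VPN rules that grant remote users
access to everything.

Added example for this article, not the export format or tooling of any particular
firewall. The CSV layout, the rule names, the 'vpn-pool' source object, the approved
port list and the risk notes are constructed assumptions."""
import csv
import io

# Constructed export: one rule per line; multiple services separated by ';'.
RULEBASE_CSV = """\
name,source,destination,service,action
web-public,any,dmz-web,tcp/443,accept
legacy-telnet,any,dmz-mgmt,tcp/23,accept
rdp-for-admins,any,internal-servers,tcp/3389,accept
smb-partner,198.51.100.0/24,fileserver,tcp/445,accept
vpn-users-full,vpn-pool,any,any,accept
vpn-users-mail,vpn-pool,mail-server,tcp/443;tcp/993,accept
drop-all,any,any,any,drop
"""

APPROVED_PUBLIC = {"tcp/443"}      # services approved for exposure to source "any"
VPN_SOURCE = "vpn-pool"            # assumed name of the remote-access address object

# Services that should never face the Internet directly, with the reason (assumption).
RISKY_SERVICES = {
    "tcp/21": "FTP: cleartext credentials",
    "tcp/22": "SSH: brute-force target",
    "tcp/23": "Telnet: cleartext credentials",
    "tcp/445": "SMB: worm propagation, ransomware",
    "tcp/3389": "RDP: brute-force and exploit target",
}


def parse_rules(text):
    """Read the CSV export into a list of rule dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def services_of(rule):
    return [s.strip() for s in rule["service"].split(";")]


def audit(rules):
    """Return (rule_name, severity, message) findings for accept rules that violate policy."""
    findings = []
    for r in rules:
        if r["action"] != "accept":
            continue
        svcs = services_of(r)
        if r["source"] == "any":
            # Internet-facing: every service must be on the approved list.
            for s in svcs:
                if s == "any":
                    findings.append((r["name"], "HIGH", "any service open to the Internet"))
                elif s not in APPROVED_PUBLIC:
                    note = RISKY_SERVICES.get(s, "not on the approved public list")
                    findings.append((r["name"], "HIGH", f"{s} exposed to the Internet: {note}"))
        elif r["source"] == VPN_SOURCE:
            # Remote users must be limited to named resources and services.
            if r["destination"] == "any" or "any" in svcs:
                findings.append((r["name"], "HIGH", "VPN rule grants full access; restrict to named resources"))
        else:
            # Specific external sources reaching risky services still deserve review.
            for s in svcs:
                if s in RISKY_SERVICES:
                    findings.append((r["name"], "MEDIUM", f"{s} from {r['source']}: {RISKY_SERVICES[s]}"))
    return findings


if __name__ == "__main__":
    for name, sev, msg in audit(parse_rules(RULEBASE_CSV)):
        print(f"[{sev}] {name}: {msg}")
```

Run against the sample rule base it reports the Telnet and RDP rules opened to the Internet, the over-broad vpn-users-full rule, and the partner SMB rule as a medium finding, while the approved HTTPS rule and the tightly scoped vpn-users-mail rule pass. A rule-base export only tells you what is configured; pair it with an external port scan of the gateway's public addresses to confirm what is actually reachable.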

  • Vulnerability assessment on VPN gateways:

SSL and IPsec VPN gateways have to undergo a vulnerability assessment. Report the vulnerabilities found on the gateways' external IP addresses and patch them immediately.

  • Security log assessment for security operations:

Check the security logs for any security issue across the network and endpoints. List the major and minor security issues observed in the tools and fix them.

  • Check patch status and update anti-malware on the working systems.
  • Endpoint security controls:

Make sure media encryption and port protection, along with threat prevention controls, are in place to avoid corporate data leakage.

  • Machines in AD or workgroup:

List the user machines that are not part of AD and bring them under identity management, so that access can be enforced per identity (zero trust).

  • Other perimeter security controls

Review how proxy/IPS/URL filtering/endpoint security have been modified for WFH, and list the open issues that could put you at risk.

  • Log monitoring and alerting tool assessment
    • Is the tool receiving all the required logs?
    • Are alerts being generated? Send a sample attack and test.
    • Is anyone working on the alerts?
  • Check the load on VPN gateways and other devices supporting WFH.
  • Reconnaissance for the organization's critical data exposure on the Internet

Last but not least, check whether any related critical information is available on the Internet by using OSINT techniques.
