This article explains possible security threats from the attacker's perspective while business operations are being run remotely by employees working from home. It will also help us assess the security posture of work-from-home policies, so that personal and vital business data can be effectively protected from leakage during the COVID-19 situation.
The need for this Article
Adversaries are taking advantage of the fact that many people who are working from home have not applied the same security on their networks that companies usually adopt in their workplace environment. Companies also often fail to deploy the right technologies or corporate security policies to ensure that all corporate-owned or corporate-managed devices follow the same widely accepted security measures, regardless of whether they are connected to an enterprise network or an open home Wi-Fi network. Take a look at Figures 1 and 2, which show sample network topologies to help understand the current situation.
Topology when employees were working before COVID-19
Figure 1: Employees working behind a secure network/corporate environment
Topology when employees are working during COVID-19
Figure 2: Employees working from home
Internal users' and employees' LAN machines are no longer behind the secure network with the right security controls, such as firewalls/IPS, malware threat prevention, application/URL filtering, proxy, anti-spam, sandboxing and many more advanced multi-layered attack detection, prevention and alerting systems. Instead, the same users connect to the network using a VPN, which creates a tunnel and allows users to access corporate resources securely, but may not provide the full protection that users otherwise had while working inside the secure corporate environment.
Some questions you should consider asking internally are:
Do we have a strong password management system in place? Are we regularly applying patches to our systems? Can we see and stop common malware? Do we have sufficient data sources to succeed with ATT&CK?
What are the possible threat scenarios?
Let's look only at work-from-home scenarios at the network, endpoint, and connectivity levels.
Network Level (Routers/Switches/VPN Gateways/Servers):
Access Level Threats:
- Open ports can expose vulnerabilities to the entire world.
- DDoS on newly exposed servers/applications can occur.
- Critical device availability is at risk; HA setups in particular are more likely to get exposed.
Authentication Threats
- Brute-force attacks.
- The mapping between users and departments is compromised.
Policy rules under risk
- VPN Rules may allow full access to unwanted/unauthorized users.
- Split tunnelling enabled.
Auditing Challenge
- Increase in false-positive alerts.
- Insufficient log feeding to SIEM for tracking incidents.
Endpoint Level (Laptops/Desktops/Mobile Phones/Tablets):
Access Level Threats:
- Infected machines can infect other devices in the VPN domain.
- Machines can download malicious files as there is no proxy (application/URL) filtering.
- Unauthorized persons can also access the endpoint device.
Authentication Threats
- Credential theft.
- Multi-geo logins.
Policy rules under risk
- Uncontrolled Endpoint devices can spread malware.
- Data Loss from end-user machines if they download critical information.
- Increase in phishing attacks with malicious attachments/links/fileless payloads.
- Unwanted software installations on endpoints as users have full access.
- Status of endpoint security controls is unknown.
- Patch update failures.
Auditing challenge
- Monitoring endpoint behaviour.
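Two of the authentication threats listed above (brute-force attacks at the network level, multi-geo logins at the endpoint level) can be checked directly against VPN gateway authentication logs. The following is an added example, not code from the original article: it parses a constructed sample log (the line format, user names, IP addresses and country codes are all assumptions, not any vendor's real format), flags a source IP that accumulates failed logins inside a sliding window, and flags a user whose consecutive successful logins come from two different countries within an hour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway authentication log (made up for this example;
# the line format is an assumption, not any vendor's real format).
SAMPLE_LOG = """\
2020-04-06T08:00:01Z FAIL user=alice src=203.0.113.7 geo=DE
2020-04-06T08:00:03Z FAIL user=alice src=203.0.113.7 geo=DE
2020-04-06T08:00:04Z FAIL user=bob src=203.0.113.7 geo=DE
2020-04-06T08:00:06Z FAIL user=carol src=203.0.113.7 geo=DE
2020-04-06T08:00:07Z FAIL user=dave src=203.0.113.7 geo=DE
2020-04-06T08:00:09Z FAIL user=erin src=203.0.113.7 geo=DE
2020-04-06T08:05:00Z OK user=bob src=198.51.100.23 geo=IN
2020-04-06T08:20:00Z OK user=bob src=192.0.2.44 geo=US
2020-04-06T09:00:00Z OK user=carol src=198.51.100.9 geo=IN
2020-04-06T12:30:00Z OK user=carol src=198.51.100.9 geo=IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: max_failures} for sources with >= threshold FAIL events
    inside any sliding window of the given length (one source hitting many
    accounts, as in the sample, is caught the same way as one account)."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    hits = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_multi_geo(events, window=timedelta(hours=1)):
    """Return (user, geo_before, geo_after, minutes_apart) for users whose
    consecutive successful logins come from different countries within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            by_user[e["user"]].append((e["ts"], e["geo"]))
    alerts = []
    for user, logins in sorted(by_user.items()):
        logins.sort()
        for (t_prev, geo_prev), (t_cur, geo_cur) in zip(logins, logins[1:]):
            gap = t_cur - t_prev
            if geo_prev != geo_cur and gap <= window:
                alerts.append((user, geo_prev, geo_cur, int(gap.total_seconds() // 60)))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, n in detect_bruteforce(events).items():
        print(f"brute-force suspect: {src} ({n} failures within 1 minute)")
    for user, g1, g2, mins in detect_multi_geo(events):
        print(f"multi-geo login: {user} from {g1} then {g2} within {mins} minutes")
```

On the sample data the script reports 203.0.113.7 with six failures in under a minute and user bob logging in from IN and then US fifteen minutes apart. The thresholds and the one-hour window are starting points; tune them against your own VPN population before turning these into SIEM alerts, otherwise they add to the false-positive problem noted under the auditing challenges.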
Local connectivity Level (Wi-Fi, Mobile Hotspot, Data Card, LAN, USB)
Access Level Threats:
- Insecure Wi-Fi Access points can leak credentials.
Authentication Threats
- Default credentials.
Policy rules under risk
- Data transfer via removable media.
Auditing Challenge
- Anyone can attach removable media and logs will not differentiate the user.
How can companies respond to the aforementioned issues?
Without the right security, personal devices used to access work networks can leave businesses vulnerable to hacking. If information is leaked or breached through a personal device, the company will be considered responsible by law. Here are three recommendations for business leaders.
- Logon accounts: VPN, network and any other resource accounts should be disabled for departing employees.
- Understand the threats to your organization: Work with your security teams to identify likely attack vectors, prioritizing the protection of your most sensitive information and business-critical applications.
- Provide clear guidance and encourage communication: This should include instructing employees to communicate with internal security teams about any suspicious activities.
- Provide the right security capabilities: Extend the essential security capabilities and the same network security best practices that exist within the enterprise to all remote environments.
These critical capabilities include:
- An ability to securely connect users to their business-critical cloud and on-premise applications, such as the video teleconferencing applications that are increasingly relevant for remote work environments
- Endpoint protection on all laptops and mobile devices, including VPN tools with encryption
- An ability to enforce multi-factor authentication (MFA)
- An ability to block exploits, malware, and command-and-control (C2) traffic using real-time, automated threat intelligence
- An ability to filter malicious domain URLs and perform DNS sinkholing to thwart common phishing attacks.
How can employees take responsibility to work securely?
- Maintain good password hygiene: Employees should use complex passwords and multi-factor authentication wherever possible and change these passwords frequently.
- Update systems and software: Individuals should install updates and patches in a timely manner, including on mobile devices and any other non-corporate devices they might use for work.
- Secure your Wi-Fi access point: People should change their default settings and passwords in order to reduce the potential impact on their work of an attack via other connected devices.
- Use a virtual private network (VPN): VPNs can help create a trusted connection between employees and their organizations and ensure ongoing access to corporate tools. Corporate VPNs provide additional protection against phishing and malware attacks, the same way corporate firewalls do in the office.
- Be wary of COVID-19 scams. We've seen phishing e-mails, malicious domains, and fake apps out in the wild already. Threat actors love to exploit real-world tragedies, and COVID-19 is no different.
- Don't mix personal and work. Avoid the risk of infections: use your work devices for work and your personal devices for personal matters.
Some important policy checklist items you should verify again
- Identify the crown jewels:
List what is most critical for the customer, along with user access permission and authorization policies.
- VPN rules created during WFH:
Audit the rules for holes and identify the gaps where VPN rules were not created as per the security policy.
- How VPN users are created and maintained:
Check password strength and authorization, and implement the following:
- Complex passwords used
- Multi-factor authentication (MFA) is enabled
- Passwords shared by secure means
- Password expiry policy.
- Check for unwanted open ports and services:
Check whether the firewall admin has opened many ports on the firewall. List all open ports along with the risk involved in opening each. Terminate services that are not required.
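The same "list every open port and justify it" exercise applies to the VPN gateways and jump hosts themselves, and it is easy to script. The block below is an added example, not code from the original article: it parses a constructed sample of `ss -tlnp` output (the host, ports and process names are made up) and compares each listener against an assumed allowlist of port-to-process pairs, reporting listeners that are not in the policy, those bound only to loopback (lower exposure but still to be justified), and allowed ports owned by an unexpected process.

```python
import re

# Constructed sample output in the format of `ss -tlnp` on a Linux VPN/jump host
# (made-up lines, not captured from a real system).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("openvpn",pid=1201,fd=6))
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=944,fd=13))
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1330,fd=11))
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2210,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Ports the WFH policy allows on this host and the process expected to own each
# (assumed policy for the example).
ALLOWED = {22: "sshd", 443: "openvpn"}

PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (port, bind_address, process) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        proc_field = parts[5] if len(parts) > 5 else ""
        m = PROC_RE.search(proc_field)
        listeners.append((int(port), addr, m.group(1) if m else "?"))
    return listeners


def is_loopback(addr):
    """True for IPv4/IPv6 loopback binds, which are not reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit_listeners(ss_output, allowed):
    """Return findings sorted by port: (port, addr, process, verdict).
    Allowed ports owned by the expected process produce no finding."""
    findings = []
    for port, addr, proc in parse_listeners(ss_output):
        if port in allowed:
            if proc != allowed[port]:
                findings.append((port, addr, proc, "process-mismatch"))
            continue
        verdict = "loopback-only" if is_loopback(addr) else "unexpected"
        findings.append((port, addr, proc, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, proc, verdict in audit_listeners(SAMPLE_SS, ALLOWED):
        print(f"{verdict:17} port {port:<5} bound to {addr:12} process {proc}")
```

On the sample, port 25 is reported as loopback-only, while 3389 (xrdp) and 8080 (a stray python3 listener) are reported as unexpected and would go on the "terminate if not required" list. On a real host, feed it the actual output of `ss -tlnp` and keep the allowlist under change control so that the audit can be re-run after every firewall or host change.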
- Vulnerability Assessment on VPN Gateways:
SSL or IPsec gateways have to undergo a vulnerability assessment; report the vulnerabilities found on the external IP addresses of the VPN gateways and patch them immediately.
- Security log assessment for security operations:
Check security logs for any security issue on the overall network/endpoints. List the major/minor security issues observed in the tools and fix them.
- Check patch status and update anti-malware on the working systems.
- Endpoint Security Controls:
Ensure media encryption and port protection, along with threat prevention security controls, are in place in order to avoid corporate data leakage.
- Machines in AD or Workgroup:
List user machines that are not part of AD and enforce identity management for zero trust.
- Other Perimeter Security Controls
Check how proxy/IPS/URL filtering/endpoint security has been modified. List open issues that could pose a risk.
- Log Monitoring and Alerting Tool Assessment
- Is the tool receiving all the required logs?
- Are alerts being generated? Send a sample attack and test.
- Is anyone working on the alerts?
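The first of those three questions can be answered mechanically from the SIEM's own source-health data rather than by eye. The following is an added example, not code from the original article: given a constructed table of the last event time received from each log source and an assumed policy listing the sources WFH monitoring requires with the longest silence tolerated for each, it classifies every source as ok, stale, missing (required but never seen, the "insufficient log feeding" case from the network-level auditing challenge) or unlisted (sending logs but absent from the policy, so nobody has decided whether its alerts matter).

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed "last event received" timestamps per log source, as a SIEM's
# source-health view might export them (made-up values).
LAST_SEEN = {
    "vpn-gateway-01": "2020-04-06T10:58:00Z",
    "firewall-edge": "2020-04-06T10:59:30Z",
    "endpoint-edr": "2020-04-06T07:10:00Z",
    "wifi-controller": "2020-04-05T22:00:00Z",
}

# Sources the WFH logging policy requires, with the longest silence tolerated
# for each (assumed policy values for the example).
REQUIRED = {
    "vpn-gateway-01": timedelta(minutes=5),
    "firewall-edge": timedelta(minutes=5),
    "endpoint-edr": timedelta(minutes=30),
    "ad-domain-controller": timedelta(minutes=15),
}

# Fixed "now" so the example is reproducible offline; use datetime.utcnow() in practice.
NOW = datetime.strptime("2020-04-06T11:00:00Z", FMT)


def age_minutes(stamp, now):
    """Whole minutes elapsed since the ISO-8601 UTC timestamp."""
    return int((now - datetime.strptime(stamp, FMT)).total_seconds() // 60)


def assess_log_feeds(last_seen, required, now):
    """Return {source: (status, age_minutes)} where status is one of
    ok / stale / missing (required but never seen) / unlisted (seen but not in policy)."""
    report = {}
    for source, max_gap in required.items():
        if source not in last_seen:
            report[source] = ("missing", None)
            continue
        age = now - datetime.strptime(last_seen[source], FMT)
        status = "ok" if age <= max_gap else "stale"
        report[source] = (status, age_minutes(last_seen[source], now))
    for source, stamp in last_seen.items():
        if source not in required:
            report[source] = ("unlisted", age_minutes(stamp, now))
    return report


def needs_action(report):
    """Sources an analyst has to follow up on, sorted for a stable ticket list."""
    return sorted(src for src, (status, _) in report.items() if status != "ok")


if __name__ == "__main__":
    report = assess_log_feeds(LAST_SEEN, REQUIRED, NOW)
    for source, (status, age) in sorted(report.items()):
        age_txt = "never" if age is None else f"{age} min ago"
        print(f"{status:9} {source:22} last event {age_txt}")
    print("follow up:", ", ".join(needs_action(report)))
```

On the sample, the EDR feed is stale (last event 230 minutes ago against a 30-minute tolerance), the domain controller has never sent anything, and the Wi-Fi controller is logging but is not in the policy. Running this on a schedule answers "is the tool receiving all the required logs?" continuously; the second question, whether alerts fire, still needs the sample-attack test the checklist describes, because a feed can be fresh while the rule on top of it is broken.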
- Check the load of VPN Gateways and other supporting Devices for WFH.
- Reconnaissance for the organization's critical data exposures on the internet
Last but not least, check whether any related critical information is available on the net by performing OSINT techniques.