Q&A

The Challenges of Securing All Those Newly Remote Workers

Security expert Dale Meredith identifies cybersecurity challenges, best practices and major concerns resulting from all the employees forced into home offices by COVID-19.

• By Scott Bekker
• 03/27/2020

The last few weeks have brought an unprecedented migration of workers and government employees from offices to remote work scenarios due to the global emergence of COVID-19. Getting workers safely (from a public health standpoint) up and running from their apartments, condos and houses was the top priority.

Now, as the crisis grinds on, with potentially weeks or months of at-home work on the horizon, there's more time for IT to worry about workers' safety from a cybersecurity point of view. Redmond caught up with security consultant and Pluralsight trainer Dale Meredith for an e-mail Q&A on challenges, best practices and major concerns.

Redmond: What is the biggest challenge for IT in securely supporting all of their newly, suddenly remote workers?
Meredith: I think there's a large number of concerns. We asked IT, support folks too (in some cases), to massively expand their network infrastructures in such a small amount of time. Odds are policies, procedures and steps were skipped. IT and security professionals may have gone from supporting maybe 20 percent of their workers remotely to 90 to 100 percent. There are bandwidth issues for VPNs. Thousands of new laptops and tablets were issued to employees in such a short time span. There was a sudden allowance for BYOD. The use of other Band-Aid solutions (using personal e-mail, personal cloud storage or even new collaboration apps) could also present some security issues.

There have been calls for attackers to honor a detente due to the severity of the COVID-19 situation, and predictably it looks like those calls are being ignored. How are attackers going after organizations differently now that many of their workers are remote?
Attackers = Greed. This is the BEST time for attackers to do their "thing" as it will be the most profitable and/or damaging for them. There's no way they'd turn down such a massive opportunity. We're already seeing an uptick in phishing e-mails hitting the Internet. Before, we may have trained our employees on handling phishing when it comes to internal e-mails, but now attackers might be able to take advantage of employees that might use company devices for personal use. Imagine getting an e-mail like this:

From: [email protected]

Hey Grayson, the corporate email isn't working for me at the moment, but I have a situation that is pressing so I'm using my personal account...blah, blah, blah, send me money, blah, blah, take a look at this document (see attachment or click on this link), blah, blah, send me 50 Amazon $100 gift cards....."

Shortcuts might have also been taken to allow more employees access to the corporate network, so attackers WILL be probing public-facing connection to look for any new openings.

What are the obvious steps that IT departments need to take to protect their remote workforce? As in, the top 3-5 moves that will prevent 80 percent of the problems?
If history teaches us anything, it's that most attacks/breaches come from two major vectors: updating/patching systems and phishing. So here are my top suggestions:

1. Figure out how you can make sure these remote systems are patched and updated at all times. Just this week it was announced that there are two vulnerabilities that affect Windows 7, Windows 10 and Windows Server 2008-2019, which haven't been patched yet. Have security teams communicated that to all employees? Given them the workarounds to help protect their systems from this vulnerability?
2. New training with employees about the risk of using company systems to work on personal projects, as well as loading personal software or using any torrent software to download movies, books or music (I know we're all getting bored). Phishing, as I already mentioned, is on the rise and training or retraining really helps. Sidenote: If it's on the rise, then it's working for attackers!
3. Make sure all devices that handle all the connections coming into the corporate networks have been updated and patched. And please monitor them.
4. See something, say something.

What are some of the more subtle things IT departments can do to protect that workforce? In other words, what are some of the rarer but interesting ways attackers go after remote workers?
Attackers are looking at home users' networks (when was the last time everyone here updated the firmware on their home routers?) and then looking for systems that they can then use to pivot and gain access to the corporate infrastructure. If this pandemic continues, organizations that are serious about security should really be looking at the possibility of providing new home routers for employees that have been updated and configured -- no default settings, folks -- for deployment.

What does all this remote working do to the threat of ransomware -- make it more likely or less likely? Easier to defend or harder to defend?
Much higher chance since folks aren't behind any IDS [intrusion detection systems] that your work network might have in place that normally protects them. Now there are two options.

1. If the employee is working in an ad hoc fashion (meaning, no connectivity to their organization's network), they only have the risk of encrypting their own system and maybe systems on their home network.
2. If connected via VPN to their corp-net and the office endpoint isn't secured (segmented, IDS, etc.) then there is a chance of hitting systems back at HQ.

Are there special challenges related to workers forgoing the locked-down corporate PC and grabbing the nearest device -- maybe a personal iPad or a Chromebook -- to log into corporate resources, especially SaaS-related ones? Are there different attack classes in that scenario that might be unfamiliar to corporate IT pros?
Yeah, that temptation is going to appear in certain situations, but it could be controlled if IT teams are denying access to unsanctioned devices instead of just a simple user name and password. If their SaaS provider doesn't offer this, it may be time to look around. The only scenario I can think of (none that I've heard in the wild as of yet) would be various types of phishing attacks, especially advertising attacks that are focused around the COVID-19 virus, such as fake online "sale" links/ads, charitable ads, etc.

What about drive-by attacks on wireless networks? Every apartment complex is now like a low-security workshare office building. Has WEP [wired equivalent privacy] been sufficiently stamped out that it's not much of a problem? Any other novel Wi-Fi attack methods gaining steam?
I think [that WEP is mostly gone]. You'd really have to have an old WAP laying around that still offered up WEP, but using easy passwords or enabling "Guest Wi-Fi" services on your network might lead down a road (as always) of issues.