Business Continuity Planning (BCP) is often overlooked by information security professionals in favour of Disaster Recovery Planning (DRP). We naturally focus on the imminent threat of service downtime and interruptions resulting from disasters impacting our data centers, malware outbreaks, and failed patches. DRPs focus on resiliency and can range from something as simple as a backup strategy, to high-availability architectures, to housing IT and staff at a warm site facility. Because a city- or world-altering event is so unlikely, we don’t appreciate the enormity of the risks our businesses could face from one. These sorts of events impact the business itself and interrupt processes at all levels, not just the delivery of technology and services.
COVID-19 has exposed a vulnerability in most companies’ resiliency capabilities. As voluntary and mandatory isolation requirements cascade around the world, organizations that have not embraced teleworking are realizing how vulnerable they are to productivity losses. To stem the potential impacts to productivity, businesses are asking their IT teams to “switch on” teleworking, and fast.
This rabid race to telework enablement concerns me. While admittedly necessary given the circumstances, below are a few reasons why we as cyber risk professionals should be concerned:
Unplanned rushed projects are always successful…. Not.
Businesses will see this problem as solvable by buying “yet another box” without understanding the complexities of providing connectivity to business systems and sensitive data, in a controlled and secure manner
Expediency and ease of use will supersede security requirements when deploying telework solutions, which will lead to massive unmonitored attack surfaces within our corporate environments
Hackers will take advantage of poorly implemented telework solutions and target users for telework credentials
There will be breaches
So, on that chipper note, we as cyber security professionals must acknowledge that saying “NO” at a time like this would be inappropriate. Instead, we must support the enablement of the business while softly providing pragmatic assessment of the risk.
Let’s explore teleworking options and the associated risks and concerns:
Virtual Private Networking
VPNs are the traditional means of extending your corporate network to your employees’ locations and enabling them to access corporate resources. Most modern firewalls offer the capability to host a VPN which can provide network-level access into your corporate environment. While VPNs are very common, they also are the most risky means of enabling teleworking. Here are a few things to consider:
Are your network and IT systems designed to securely support remote users?
This is by far my biggest concern. Many legacy network architectures are not segmented and therefore cannot apply access control, threat prevention and threat detection to traffic from remote users
Insecure and misconfigured services hidden behind your “walled garden” will be more exposed once remote access is enabled
Do you have control over what computers are connecting to your network?
If teleworking is not part of your company’s culture, chances are employees don’t have laptops configured with VPN technology to bring home
This means your company may expect employees to connect directly to the corporate network with their personal, potentially infected, computers
If employees are using their personal computers to access sensitive data, what are the implications for your data loss prevention programs?
Does your company have the bandwidth to support your entire workforce connecting remotely?
Moving from light teleworking to 100% of your workforce over the VPN may saturate your Internet connection and/or overutilize your firewall
Additionally, if remote users are streaming news updates over the Internet, they can collectively cause a distributed denial of service (DDoS) on the corporate network and halt productivity
Is your VPN secure?
VPNs can be configured in a variety of ways, from easy to implement but insecure, to complex to implement but highly secure
Considering they are the gateway into your corporate environment, configuration and testing of your VPN is advised
Are you using multi-factor authentication?
Users still use weak, re-used and compromised passwords
Not leveraging multi-factor authentication on your VPN will greatly increase the likelihood of compromise
Does your IT team have the capacity to support remote users?
While IT professionals may think it is trivial to use a VPN, users will get lost. Does your helpdesk/IT team have the bandwidth to support the increased volume of support calls?
Application virtualization is a more modern-day approach to the VPN. It enables the IT team to provide access to applications without giving the remote users direct network access. This solution is more secure; however, it is also more complicated to set up and likely not something that can be implemented under the current time constraints. Here are a few things to consider if you are exploring this path:
Are you aware of ALL applications your teleworkers will need?
Unlike a VPN which connects the user directly on your corporate network, application virtualization requires a good understanding of what applications are used by your teleworkers
Do your business applications work well in application virtualization?
Most applications are not designed to work with application virtualization; rather, it is application virtualization that tries to work around the application. This sometimes doesn’t work well.
Do you have the hardware and bandwidth to support the deployment?
Many new application virtualization solutions can be installed on a virtualization platform; however, they do require resources and bandwidth to run smoothly
Legacy applications that don’t work well with application virtualization will require terminal services. Do you have the hardware and licensing to support this?
How would you train your staff to use this new functionality?
Shifting your workforce to use application virtualization will need proper communications and training
First and foremost, as cyber security professionals, we need to balance managing the risk of knee-jerk emergency remote access requests with supporting the business. That means while hastily implemented telework solutions could result in a compromise, and I have no doubt we will read about some in the news, we need to avoid being seen as the team of “NO” during this time of need.
Here are some recommendations on how to enable remote work at your organization while managing the associated risks:
Work with the business to understand connectivity and application requirements
Assess and document the risk and collaboratively work with the business to understand the risks versus rewards
Determine a technical solution which strikes a balance between enough access to enable the teleworkers while avoiding giving them unnecessary access to sensitive things like…. ATMs or OT systems
Actively monitor logs and dashboards for indicators of compromise
Explore temporary bolt-on security monitoring solutions to increase visibility of your brand-new attack surface. There are several open-source solutions out there, if you have the people and skills to operate them.
Avoid the Persistent Temporary Solution Problem: the temporary remote access solution should be reassessed once the business is back to a nominal state to ensure it meets your security requirements
Once workers are enabled and productive, perform a follow-up risk assessment in an effort to identify and shore up sub-optimal configurations, exposures and potential compromises
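
To illustrate the log monitoring recommended above, with a focus on the credential-targeting and missing-MFA concerns raised in the VPN section, here is an added example (not from the original article) that scans VPN authentication events for password-spraying sources and for successful logins without a second factor. The log format, field names, threshold and sample lines are all constructed for the example; adapt the parser to whatever your VPN gateway actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value VPN auth log format.
SAMPLE_LOG = """\
2020-03-20T09:00:01Z vpn-auth user=alice src=198.51.100.10 result=OK mfa=totp
2020-03-20T09:01:10Z vpn-auth user=bob src=203.0.113.7 result=FAIL mfa=none
2020-03-20T09:01:12Z vpn-auth user=carol src=203.0.113.7 result=FAIL mfa=none
2020-03-20T09:01:15Z vpn-auth user=dave src=203.0.113.7 result=FAIL mfa=none
2020-03-20T09:01:19Z vpn-auth user=erin src=203.0.113.7 result=OK mfa=none
2020-03-20T09:05:00Z vpn-auth user=frank src=198.51.100.22 result=FAIL mfa=none
2020-03-20T09:05:30Z vpn-auth user=frank src=198.51.100.22 result=OK mfa=totp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyze(log_text, spray_threshold=3):
    """Flag likely spraying sources, successful logins from those sources
    anywhere in the analysed window, and successes without a second factor."""
    failed_users = defaultdict(set)  # source IP -> distinct users it failed as
    successes = []
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            failed_users[ev["src"]].add(ev["user"])
        else:
            successes.append(ev)
    # One source failing against many different accounts suggests spraying,
    # whereas one user mistyping a password touches only a single account.
    spray = {s for s, u in failed_users.items() if len(u) >= spray_threshold}
    return {
        "spray_sources": sorted(spray),
        "success_from_spray_source": sorted(
            (e["user"], e["src"]) for e in successes if e["src"] in spray),
        "success_without_mfa": sorted(
            e["user"] for e in successes if e["mfa"] == "none"),
    }

if __name__ == "__main__":
    for finding, values in analyze(SAMPLE_LOG).items():
        print(finding, values)
```

A successful login from a source already flagged for spraying is the finding to triage first, since it may indicate a guessed or re-used password.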