COVID-19 AND CYBERSECURITY 1: REMOTE WORKING
James Preston, Security Architect for ANSecurity offers his advice around Remote Working.
As we move into uncharted territory and businesses adapt to the (temporary) ‘new normal’, we have seen a massive shift towards remote working, driven mainly by business leaders looking to maintain operations. While IT departments have been quick to react, with many looking to scale up their existing remote working service, for a great many organisations this is their first week of delivering such a service to employees.
In turn this brings new challenges, with some network managers looking for quick wins. This might lead some down the route of least resistance: simply opening up Microsoft Remote Desktop Protocol inbound from the internet directly to clients. Hopefully, though, the recent BlueKeep (CVE-2019-0708) exploits, which allowed unauthenticated attackers to execute arbitrary code on Windows clients, are enough to dissuade most from this drastic approach.
Based on our experiences over the past few days many organisations fit into one of the categories below.
- Issue corporately owned (and managed) laptops and desktops for employees to take home, combined with a VPN service
- Use employee owned devices (BYOD) to access published Virtual Desktop Infrastructure or Remote Desktop Service
- Use employee owned devices (BYOD), combined with existing SaaS applications
Each of these brings its own challenges and risks. Only recently our Technical Director pointed out how stocks of business-grade laptops were running low or had their prices massively inflated. This has led organisations to send employees home with their work desktop and monitor, something I’ve seen friends in other fields display quite proudly on social media. While Trusted Platform Modules and disk-level encryption are commonplace in business laptops, many organisations may find that such features are either not enabled or simply not possible on some of the devices now being taken off site.
While the virtual machines or sessions which users connect to within VDI and RDS environments are likely to be heavily managed, the core risk with this deployment scenario is the protection around the user’s identity. As more users are enabled for such services, the likelihood that a threat actor will be able to gain access to a network through traditional credential stuffing increases.
The final category has its core weakness in the trust placed in the user’s own device. In particular, if they are using a personal laptop, has the user taken steps to ensure that it is patched and runs an up-to-date antivirus agent? Equally, if that laptop is shared among family members, what steps have been taken to ensure that business data is only accessible by the employee?
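Credential stuffing leaves a recognisable footprint in a remote access gateway's authentication log: one source address failing against many different accounts in a short window, sometimes followed by a success. The detector below is an added example, not code from the article or from ANSecurity; it assumes a simple constructed line format (`<ISO timestamp> auth=OK|FAIL user=<name> src=<ip>`) and the sample lines are made up for illustration.

```python
"""Flag credential-stuffing patterns in VDI/RDS gateway authentication logs.

Added example (not from the original article). Assumes a constructed
syslog-like line format:  <ISO timestamp> auth=OK|FAIL user=<name> src=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source cycling through many accounts (stuffing),
# one user mistyping their own password twice (benign).
SAMPLE_LOG = """\
2020-03-23T08:00:01 auth=FAIL user=alice src=203.0.113.7
2020-03-23T08:00:02 auth=FAIL user=bob src=203.0.113.7
2020-03-23T08:00:03 auth=FAIL user=carol src=203.0.113.7
2020-03-23T08:00:04 auth=FAIL user=dave src=203.0.113.7
2020-03-23T08:00:05 auth=FAIL user=erin src=203.0.113.7
2020-03-23T08:00:06 auth=OK user=frank src=203.0.113.7
2020-03-23T08:01:00 auth=FAIL user=grace src=198.51.100.9
2020-03-23T08:01:20 auth=FAIL user=grace src=198.51.100.9
2020-03-23T08:01:40 auth=OK user=grace src=198.51.100.9
"""


def parse(lines):
    """Yield dicts for lines that match the expected format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {src: {...}} for sources that failed against at least `min_users`
    distinct accounts inside any interval of length `window`. Any successful
    logins from the same source are reported alongside, since a success after
    a spray of failures is the case that needs an analyst's attention."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> [(ts, user), ...] in time order
    successes = defaultdict(set)   # src -> {user, ...}
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append((e["ts"], e["user"]))
        else:
            successes[e["src"]].add(e["user"])

    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = {
                    "failed_users": sorted(users),
                    "successes": sorted(successes[src]),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, detail in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(detail['failed_users'])} accounts failed, "
              f"successes={detail['successes']}")
```

The thresholds (five accounts in five minutes) are starting points to tune against your own gateway's baseline. A single-source rule like this will not catch a distributed campaign that spreads attempts across many addresses; for that, pivot the same data on the account rather than the source, or on the count of distinct accounts seen per user agent.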
The Direct Threats
The National Cyber Security Centre has already issued warnings, with threat actors now actively exploiting the situation through traditional (but topical) phishing and malware campaigns. In the most targeted examples, employees who are now working from home are sent updated instructions on how to use remote working services, which in turn direct them to websites masquerading as login portals, looking to capture credentials.
Not a single one of these risks or attacks is fundamentally new in nature, and many can be stopped relatively easily.
For the first category, organisations should look to enable encryption at rest wherever possible and record where any exceptions are made. Based upon this information a risk assessment can be made and additional controls implemented, such as preventing machines without hardware encryption from accessing particularly sensitive data.
Weaknesses in identity protections have always been among the easiest to exploit. Organisations should adopt well-known practices around password length (we typically recommend a minimum of 14 characters) and advocate the use of passphrases (e.g. MyPasswordisBetterThanYours) instead of draconian password complexity rules (e.g. P@ssw0rd). Multi-factor authentication takes security to the next level, with Microsoft claiming that it can stop 99.9% of all identity-based attacks.
For organisations adopting the BYOD and SaaS approach, now is also the time to adopt a Mobile Device Management service, which can use host inspection checks and application sandboxing to verify that a device has at least been patched, while also isolating business data from the user’s cat photos.
Finally, as part of good practice, organisations must remember to always test that new firewall rules (in particular those allowing access from the internet to internal services) perform as expected, and to use vulnerability management tools to identify and remediate unpatched systems (VPNs, web portals, email services) as soon as possible.
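Two of the recommendations above lend themselves to simple tooling. The first block is an added example (not the article's or ANSecurity's code) of the password guidance in practice: it enforces the 14-character minimum, and it undoes the usual character substitutions before comparing against a denylist so that a string like P@ssw0rd does not pass on appearance alone. The denylist and the substitution table are constructed for illustration; a real deployment would check against a breached-password corpus.

```python
"""Passphrase policy check: minimum length plus leet-aware denylist matching.

Added example (not from the original article). The denylist and the
substitution table below are constructed for illustration only.
"""
import re

MIN_LENGTH = 14  # the article's recommended minimum

# Substitutions that give the appearance of complexity (constructed subset).
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "1": "i", "3": "e", "7": "t", "|": "l"})

# Constructed denylist of base words; use a breached-password list in practice.
DENYLIST = sorted({"password", "welcome", "letmein", "qwerty", "iloveyou", "admin"})


def normalise(candidate):
    """Lower-case, undo leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))


def check_passphrase(candidate):
    """Return (accepted, reason). A candidate is rejected when it is shorter
    than MIN_LENGTH, contains no letters, or is a denylisted word padded or
    repeated with fewer than four other letters around it."""
    if len(candidate) < MIN_LENGTH:
        return False, f"too short ({len(candidate)} < {MIN_LENGTH})"
    base = normalise(candidate)
    if not base:
        return False, "contains no letters"
    for word in DENYLIST:
        if word in base and len(base.replace(word, "")) < 4:
            return False, f"based on common word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "P@ssw0rdP@ssw0rd!!", "Welcome2020!!!!",
                   "MyPasswordisBetterThanYours"):
        print(f"{sample!r}: {check_passphrase(sample)}")
```

Note that a long passphrase which merely contains a common word (MyPasswordisBetterThanYours) is accepted, because the surrounding text is what supplies the entropy; only near-bare denylist words are rejected.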
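The second block is an added example, again not from the article, of the firewall-rule test the final paragraph asks for: a list of what should and should not be reachable from the internet is checked with a plain TCP connect, and only the differences are reported. The hostnames are placeholders and the expectation list is constructed; run it from a vantage point outside your perimeter, such as a cloud VM or a home connection, or it tells you nothing about your internet-facing rules.

```python
"""Verify firewall rule intent with a TCP reachability probe.

Added example (not from the original article). Hostnames are placeholders;
the expectation list is constructed and the probe can be swapped for testing.
"""
import socket

# Constructed expectations: (host, port, should_be_reachable_from_internet).
# Only the published VPN and mail services should answer; RDP must not.
EXPECTATIONS = [
    ("vpn.example.test", 443, True),
    ("vpn.example.test", 3389, False),
    ("mail.example.test", 25, True),
]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake completes; False on refusal, filtering or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_rules(expectations, probe=tcp_probe):
    """Return [(host, port, expected, observed)] for every expectation that
    the observed reachability contradicts. An empty list means the rules
    behave as intended from this vantage point."""
    mismatches = []
    for host, port, expected in expectations:
        observed = probe(host, port)
        if observed != expected:
            mismatches.append((host, port, expected, observed))
    return mismatches


if __name__ == "__main__":
    for host, port, expected, observed in verify_rules(EXPECTATIONS):
        state = "reachable" if observed else "unreachable"
        print(f"MISMATCH {host}:{port} is {state}, expected "
              f"{'reachable' if expected else 'unreachable'}")
```

A completed handshake only proves the rule lets traffic through; it says nothing about whether the service behind it authenticates correctly, so pair this with the vulnerability management scans the paragraph mentions for the services that are meant to be exposed.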
https://www.ncsc.gov.uk/guidance/home-working Updated guidance from the NCSC on home working
https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit SANS Security Awareness Work-from-Home Deployment Kit
Written by James Preston, Security Architect for ANSecurity