First we were quarantined, then we tried to come back to the office. Now, we may need to quarantine again?
For those managing these endless transitions, stress levels continue to rise thanks to changing roles, the vulnerable expanding attack surface, and unforeseen gaps in our security.
Changing Requirements for CISOs and CIOs
Many CISOs and CIOs took their jobs expecting to focus on centralized organizations with few remote workers. Now, the requirements have expanded far more than simply managing a remote workforce.
Many organizations have asked their post-pandemic CISOs to add employee security to their plates. Physical security can no longer be restricted to security cameras and badges.
CISOs now need to define strategies and workplaces that defend employees’ physical health from disease. Those workplaces need to be backed by policies to protect employees from pathogens introduced by fellow employees, guests, and suppliers.
Mental health also becomes a more pressing concern. We can’t send stressed employees home to take a break. They are already home – and it’s stressing them out!
Monitoring remote employees for burnout requires frequent interaction and perceptive status checks with our teams – even as both the managers and the teams become spread thin by monitoring the expanding of the attack surface.
Many companies suddenly bolted cloud environments and applications to their organizations in March and expected the IT teams to somehow make them secure and functional right away.
Most IT teams can keep up with the internal resources, but not all remote resources used by the organization belong to the organization.
Exposed Holes in the Home
Many employees continue to work from home on their consumer-grade routers and access company resources through VPNs. Unfortunately, even with robust security within the company, consumer-grade routers continue to create significant vulnerabilities that are difficult to counter.
Just how bad can it be? Researchers in Germany test 127 models of routers and released their findings this month. Forty-six of the routers had not received a security update in a year and all were vulnerable to hundreds of known flaws.
For users of Netgear routers, researchers published a zero-day vulnerability that allows attackers to obtain root access on 79 models. Netgear has issued hot fixes, but how many of our work-from-home employees will know if they need to do something? How many will be able to do something even if they know?
We can anticipate that many IT managers won’t be happy with the answer to those questions! We cannot simply hope our employees are properly managing their home environments. If we want our enterprise environment to be secure, we need to be proactive about securing our extended perimeter.
Additionally, home users may need to do more than just update their routers. Printers, home security cameras, game consoles, and IoT devices can be have their security profile improved through updates, disabling Universal Plug-and-Play, and by enabling https options.
How can your team know or prioritize potential vulnerabilities in employees’ homes? We suggest starting with a simple survey for our work-from-home employees.
Ask questions that will help the IT team to evaluate the level of support necessary:
- Who is your internet provider and what level of service do you have?
- What is the make and model of your home networking equipment
- Modem (cable, DSL, etc.)
- Router
- Repeater (if installed)
- Have you changed the default passwords for your equipment? (Y/N/Don’t know)
- Do you know how to update the firmware for your equipment? (Y/N)
- If yes, when did you last update the firmware?
- What other types of equipment are connected to your home network?
- Number of Cell phones
- Number of game consoles
- Number of smart TVs
If employees answer knowledgeably, they may have the resources to fix their own problems. If most answers come back with “I don’t know,” your team may need to temporarily deploy resources to address the issues.
For more technical employees, links to YouTube tutorials may be sufficient to help the employees learn to service their own equipment. Other employees may only need help locating official vendor websites to download firmware updates.
Unfortunately, we also know those executives and less technical employees who freeze up with every technical request. They desperately need your team to remotely access their equipment to directly assist in upgrading equipment.
While this type of activity was unthinkable and beyond any reasonable scope in 2019, a practical IT manager knows that vulnerabilities cannot simply be ignored. 2020 is expanding both the expanse of the attack surface, but also the scope of the work required to secure it.
Vendor Security Gaps
Even trusted vendors can introduce security vulnerabilities to an organization. Some through flaws discovered in their products, and others through gaps in security coverage unrecognized by our IT teams.
BitDefender designed their Safepay browser component within their Total Security 2020 software to protect users from invalid certificates. Unfortunately, a flaw in their software allowed for the security features to be bypassed and allowed remote code exploitation.
While this flaw has been patched, it serves as a reminder to our IT teams not to rely too much upon our vendor’s advertised features. We need to perform checks and monitor our systems continuously.
Many organizations feel safe adopting Office 365 and allowing Microsoft to manage the cloud application for them. However, researchers tracking advanced persistent threat (APT) attacks on Office 365 found two key issues overlooked by many IT managers.
First, Microsoft takes responsibility for only a portion of the security for Office 365. Organizations are responsible for many aspects and have yet to realize it. All organizations must examine their shared security and investigate if they have sealed their potential gaps.
Second, many users forget that Office 365 is more than email. Phishing attacks that capture Office 365 credentials often allow attackers access to shared resources such as Teams, SharePoint, and OneDrive. The successful attackers can use credentials to find developer chats in teams that share API keys, pull sensitive files from repositories, or even upload malware files to active shared drives to infect other machines.
No Cookie-Cutter Solutions
Offering generic advice in a column never fits the reader exactly. At best, a reader will glimpse an issue familiar to their organization and prompt them to explore it in more detail.
Yet that is the point. Instead of diving deep into narrow solutions that only interest a few people, we hint as issues and hope we don’t stray too much into slick sales pitches riddled with fear, uncertainty, and doubt (FUD). We rely upon you, our reader to recognize when you see an issue in which you need expert help.
Often, you can find internal exert resources, but will using them over-stress them or compromise other projects? If you need outside resources, Ideal Integrations and Blue Bastion are ready to deliver expert support.
We understand every organization protects different assets, faces different threats, and uses unique network and security profiles. We know how to tune fundamental principles into custom solutions.
Generic advice and generic defenses leave gaps. Even the best experts can make oversights in configuration and unwittingly leave back doors into defenses. To find our gaps, we must thoroughly test our defenses.
Exploring for gaps will take time and effort, whether your team leverages our expertise or you harness your internal resources. Yet that time and effort is an investment that will pay off when you find the gaps and remediate them. If an attacker locates the gap first, the required resources to remediate a breach will be exponentially higher.