Coronavirus is here, and fear, uncertainty, and doubt are rampant. The move to a remote workforce has come suddenly and the vast majority of companies were unprepared. The sudden shift to remote work for organizations that were traditionally on-site teams has created a cybersecurity crisis. Bad actors have increased their activity to take advantage of this, which could lead to a surge of breaches coming during the health epidemic, or just as we’re recovering. However, there are things, actionable things, organizations can still do now to protect themselves, and avoid the seemingly inevitable catastrophic breach.
WHAT WE WOULD DO IF THIS WASN’T A BLACK SWAN EVENT?
If we had started preparing for this weeks to months ago, we would have taken certain steps, but by the time we were all aware of the issues, it was already too late. However, here’s what we would have done that is now out of the question.
We would have acquired work laptops for employees, probably connected to a Windows domain, Active Directory or Azure AD, configured BIOS protection, installed Endpoint Protection, and configured Mobile Device Management to protect company identity and control applications that were being used. Alternatively, we could have done something similar using Google’s ecosystem, buying Chromebooks for everyone connected to GSuite. By the time we all realized we were going to need to support a remote workforce, the supply chains had already collapsed to the point where it would have been impossible to acquire the hardware for this, let alone configure, provision and disseminate it.
WHAT PEOPLE ARE DOING THAT WE SHOULDN’T
Business continuity is the priority here, so we understand why organizations sometimes need to take the fastest path, not the best one. However, there is serious concern in the InfoSec community about what’s going on. Security perimeters are being relaxed to allow remote desktop access to on-premise resources from outside, with companies scrambling to set this up TeamViewer, VNC, Citrix, or whatever else they have on hand, circumventing existing controls, sharing credentials and opening ports for access. This approach has been responsible for endless breaches in the past and is a recipe for disaster, as well as creating an unimaginable amount of technical debt for the IT department to deal with in the future.
WE CAN STILL TAKE ACTION
There are two main things organizations need to be thinking about. 81% of all attacks start with compromised identity security, which dictates that that’s where 81% of the effort needs to be focused. The other 19% are compromised systems and infrastructure, AKA hacking, and organizations can leverage cloud providers and their security here. Here are 5 steps to get organizations on a course for survival:
#1 - Cloud Docs
Get teams on cloud docs. First, it will make collaboration easier, and second, it keeps information and content in the cloud, rather than having it downloaded on whatever unsecured, unmanaged devices your team is using now. Google Docs and Office 365 can help here, allowing teams to collaborate in secure environments rather than sending around Excel spreadsheets and Word docs on unmanaged machines. Getting your organization onto cloud storage and applications puts MSFT, Google or whoever you use behind the security of your information, and access to it, which is a really good thing.
#2 - Single Sign-On (SSO)
Put all resources behind Single Sign-On. Having a centralized place to control, limit, and authenticate access and identity is so important for a distributed team, and maintaining security across the internet. It also gives you software that is backed by a ton of R&D into securing identity on the internet. Get everything you can behind SSO, and really shoot for 100% coverage as it will make the situation so much easier. My team and I have stood up several SSO instances for various reasons, it can be done quickly with just about any of the vendors, although we did find Okta to be the easiest.
#3 - Multi-Factor Authentication (MFA)
Enable MFA on everything possible. Credentials are the weakest link, and MFA is the only remedy right now. The largest uptick in attacker activity is in spear phishing. Adding MFA to every place credentials are used is an absolute must-have right now. If you already have SSO in place, it’s often included in that platform, or you get something like Duo hooked to SSO very quickly and have users enroll themselves.
#4 - Zero Trust
Zero Trust is really a stance and state of mind more than any specific product: don’t trust any incoming connection. There are many risk-based authentication (RBA) tools and tricks out there, but what is the new normal? Just because a connection was MFA’d from a device in the past doesn’t mean you can trust it again if your people could be on a shared machine, or in an internet cafe. To secure ourselves in this new environment, Zero Trust is about configuration. Shorten session lengths, turn off RBA tools, don’t remember and trust devices, don’t remember browsers, don’t let user’s through if they log in at the same time as yesterday. Trusting anything other than proof in a situation where you know nothing about where your employee is or how they’re working will get you breached.
#5 - Education
This is another of those things that we could have done if we’d known months in advance, but we didn’t. If we follow these steps above, we’re in a pretty good spot. Advanced persistent threat (APT) crews are working hard to get in, and they’re succeeding because systems are weak and workers are in completely new situations and environments. For example, an employee receives an email they believe to be from HR saying they may have been exposed to COVID-19 before they went remote, requesting credentials and then prompting for MFA. Maybe HR really did set up a new page for this new and evolving situation? The page is from an attacker, and the user handed off their credentials and then granted access by accepting a challenge they believed to be authentic. Cases of this type of attack are occurring daily, and allow the attacker to circumvent MFA. Making everyone aware that MFA challenges will only come from SSO, and SSO is the only place that will ask for your SSO credentials is the bare minimum. If you can’t get everything behind SSO, at least let people know how spear phishing attacks succeed, and what to look out for. Setting up spear phishing protection would be great, but that usually isn’t something that can happen overnight.
THE UNFORTUNATE TRUTH
There are certain types of compliance that won’t allow for remote work, and where the law does not provide for this scenario. The private sector as a whole will have to deal with this, and this situation is happening to all of us. Whatever decisions you need to make there, you can know you won’t be alone.
A large part of our security is in the hands of our users and is now their responsibility. Spear phishing is rampant, the tooling does not catch it all even if it’s in place already, and it only takes one misstep from anyone to let an attacker in. The usual User and Entity Behavior Analytics (UEBA) tools do not have a baseline to compare against and, if anything, they are now adding risk by signaling that everything looks suspicious. The major lifting is done here by SSO and MFA, which unfortunately puts the responsibility on the user, and as MFA challenges go up, the user experience will undoubtedly suffer as employees go remote on unmanaged machines. This is the price employees need to pay to make sure the company is still around in 6 months and we all have jobs.
At TWOSENSE.AI we’ve just gone through this process ourselves. For smaller tech-savvy, cloud-native companies like us, it isn’t a big deal since we already had most of this in place, including provisioned take-home laptops. Even better, our team does not have to deal with increased MFA challenges. Our products, which we use ourselves, utilize continuous biometric authentication to respond to MFA challenges and authentication requests on behalf of the user, making our MFA (we use Okta and Duo) invisible to our employees. Since it runs continuously across the session, it also secures us against MFA spear phishing and hacking that circumvents the MFA challenge, catching would-be intruders mid-session even if they were to penetrate through the perimeter.
If you’re looking to improve remote work security and give employees a better experience, please reach out.