Posted on 2020-03-17 by Alexei Doudkine in Business Security
The sad truth of the world is that there are people out there who will take advantage of the COVID-19 crisis. As more organisations shut down their offices and ask employees to work from home, those that are less geared towards remote work will be targeted by threat actors.
It is my goal to give organisations pushing for remote work the basic necessities for securing their remote workforce. Rather than long-term strategies, these are things you can do or start doing this week to protect your employees and keep the organisation safe at the same time.
Remote working is not a new concept. Entire companies such as GitLab and yes, even us, have adopted an “all-remote” philosophy from day 1 as a conscious business decision. There are many benefits to this that I won’t go into here (but let me know if you want more info). On the other hand, companies with more traditional “work from the office” mentalities are now being forced into making hasty decisions about their IT infrastructure to remain operational. If you’re in the latter category, I hope that these security tips come in useful.
1. Lock down the endpoint
In an all-remote workforce, much of the security rests on the laptops that employees use. They sit on home networks you don’t control and that may already be compromised, and they no longer have any on-prem protections in front of them. For this reason, a security review of your standard operating environment (SOE) is crucial. If you’re doing it yourself, I recommend the ACSC’s Windows 10 hardening guide as a starting point. Beyond hardening, EDR products such as Microsoft Defender ATP and CrowdStrike are among the best options for seeing what actually happens on those laptops, but none of them is a silver bullet: they tell you about a compromise, they don’t replace the hardening that prevents one.
2. Multi-factor authentication where possible
If a service is meant for your employees and supports MFA, it’s time to enable it. Business-critical services such as your identity provider (e.g. Okta), email (e.g. Office 365), CRM (e.g. Salesforce) and IaaS provider (e.g. AWS) should be at the top of the list. Previously you had a hidden second factor: people had to physically enter the office. With remote work that no longer applies, and it should be replaced with another authentication factor, such as a one-time code from an authenticator app or a hardware token. Prefer those over SMS codes, which can be intercepted through SIM swapping, and make sure MFA is enforced rather than merely available, so that neither users nor attackers can simply skip enrolment.
3. Geofencing
Geofencing means restricting access by the country an IP address belongs to. For example, if you know all your employees are working from home in Australia, you can allow only Australian IP addresses to reach your services. Identity providers such as Azure AD (Conditional Access named locations) and Okta (network zones) already support this. If your other services support it too, consider enabling it at least for the short term. Two caveats: it is a noise filter rather than a strong control, since an attacker can route through a VPN exit in the right country; and staff who travel, or whose personal VPN places them abroad, will be locked out, so have a support path ready before you switch it on.
4. Regular vulnerability scans
As you spin up new servers (VPN gateways, remote-desktop gateways, file-sharing portals) to support your remote workers, it’s essential that they get some basic security scrutiny and don’t become the “low hanging fruit” attackers go looking for. Scan from outside your perimeter so that you see what the internet sees. If you already have a vulnerability scanner, fire it up and use it as much as you need. If not, I have previously written about some decent open source alternatives such as OpenVAS.
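Here is an added example of the triage step that follows the scan; it is not from the original post. It parses nmap’s grepable (-oG) output and lists every open port that isn’t on the short list you intended to expose, which is exactly the “low hanging fruit” check. The expected-port list, the hosts and the scan output are constructed for the demo (203.0.113.0/24 is a reserved documentation range, not a real network).

```shell
#!/bin/sh
# Added example, not from the original post: triage an external nmap scan against an
# allowlist of ports you meant to expose. Hosts, ports and scan output are constructed.

# Ports you intend to be reachable from the internet. Everything else is a finding.
EXPECTED_PORTS="22 443"

# Real scan (only against ranges you own or are authorised to test):
#   nmap -sS -sV -p- -T4 -oG scan.gnmap 203.0.113.0/28
# sample_gnmap reproduces the shape of that -oG ("grepable") output offline.
sample_gnmap() {
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: %s ()\tStatus: Up\n' 203.0.113.10
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (998)\n' 203.0.113.10 \
        '22/open/tcp//ssh//OpenSSH 7.9p1/, 443/open/tcp//ssl|http//nginx/'
    printf 'Host: %s ()\tStatus: Up\n' 203.0.113.11
    printf 'Host: %s ()\tPorts: %s\tIgnored State: filtered (998)\n' 203.0.113.11 \
        '443/open/tcp//ssl|http//Apache httpd 2.4.29/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/'
    printf 'Host: %s ()\tStatus: Up\n' 203.0.113.12
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (997)\n' 203.0.113.12 \
        '22/open/tcp//ssh//OpenSSH 7.4/, 445/open/tcp//microsoft-ds//, 5900/open/tcp//vnc//VNC (protocol 3.8)/'
    printf '# Nmap done (constructed sample)\n'
}

# unexpected_ports: read -oG output on stdin and print "host port/proto service" for
# every open port that is not in EXPECTED_PORTS. -oG fields are tab-separated and each
# port entry looks like  port/state/protocol/owner/service/rpc-info/version/
unexpected_ports() {
    awk -F '\t' -v expected="$EXPECTED_PORTS" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 ~ /^Host:/ && $2 ~ /^Ports:/ {
        split($1, h, " "); host = h[2]
        m = split(substr($2, 8), ports, ", ")    # drop the "Ports: " prefix, split entries
        for (i = 1; i <= m; i++) {
            split(ports[i], f, "/")
            if (f[2] == "open" && !(f[1] in ok))
                printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
    }'
}

# Stand-alone run: prints the findings (RDP, SMB and VNC exposed on two sample hosts).
sample_gnmap | unexpected_ports
```

Each line the script prints is a ticket: either the port is closed or moved behind the VPN, or it is added to the allowlist deliberately. Keep the allowlist short and under version control so the next scan diffs cleanly against it.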
5. Consolidate account management
In an all-remote workforce, the number of third-party services can run into the tens, if not hundreds. To put it in perspective, we, a small firm, use 11 (which surprised even me). Imagine if each employee had a separate account in each of those services: it would be impossible to manage. By consolidating authentication and account management into a single place such as Azure AD or Okta, you significantly reduce the risk of over-permissive accounts, and of departed employees who still have access to a service nobody remembered to disable. Offboarding becomes a single switch in the identity provider rather than a hunt through every admin console.
6. Client certificates
Where possible, use certificates stored on user machines for authentication. These certificates are usually installed during laptop provisioning and remain on that device. Traditionally they are only used to authenticate to the office wireless network, but they can also be used for authentication against Azure AD. If Azure AD is already your authentication provider for other services, those services inherit that protection. This is a great way of ensuring only company-owned devices can access your services. The control is only as strong as the protection of the private key, though: issue the key as non-exportable, ideally TPM-backed, so the certificate can’t simply be copied to a personal machine, and make sure you can revoke a device’s certificate when a laptop is lost or an employee leaves.
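As an added illustration of the mechanism in plain OpenSSL terms (not from the original post, and not Azure AD’s own tooling): an internal device CA issues one certificate per laptop, the relying party trusts only that CA and only for client authentication, and a certificate from anywhere else is refused, even one carrying the same name. The organisation name, the device names laptop-0042 and web-01 and the temporary working directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: an internal "device CA" issues one
# certificate per company laptop at provisioning time; the relying party trusts only
# that CA, and only for client authentication. Names and paths are demo assumptions.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Device CA. In production the CA key lives in the provisioning system or an HSM,
#    never on a user laptop.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=Example Corp Device CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null

# 2. issue_cert NAME [EKU]: key and CSR generated on the device, signed by the CA.
#    Device certs get extendedKeyUsage=clientAuth so they can't be reused as server certs.
issue_cert() {
    name=$1
    eku=${2:-clientAuth}
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$eku" > "$name.ext"
    openssl x509 -req -days 365 -in "$name.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# 3. verify_device_cert CERT: what the service does on every connection. Succeeds only
#    if the certificate chains to our CA and is valid for client authentication. The
#    verdict is read from openssl's "OK" output rather than its exit status.
verify_device_cert() {
    openssl verify -CAfile ca.crt -purpose sslclient "$1" 2>/dev/null | grep -q ': OK$'
}

issue_cert laptop-0042              # a company laptop
issue_cert web-01 serverAuth        # issued by our CA, but a server certificate
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Corp/CN=laptop-0042" \
    -keyout rogue.key -out rogue.crt 2>/dev/null   # same name, self-signed: not ours

# Stand-alone run: only the company laptop is accepted.
for cert in laptop-0042.crt web-01.crt rogue.crt; do
    if verify_device_cert "$cert"; then
        echo "$cert: accepted"
    else
        echo "$cert: rejected"
    fi
done
echo "artifacts left in $WORK"
```

The two rejections are the point: trust is anchored in your CA, not in the certificate’s name, and the purpose check stops a certificate issued for one role from being presented in another. In a real deployment the device key would be generated inside the laptop’s TPM and the issued certificate recorded against the asset inventory so it can be revoked.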
What to do & when to do it
Here is a summary of actions you may consider taking based on the points above:
- Start planning how to harden your staff endpoints this week.
- Start enabling MFA on your critical services this week.
- Enable geofencing where possible this week.
- Perform a vulnerability scan of your publicly facing servers this week.
- Start planning for account consolidation. Prefer services that support SAML or OpenID Connect, so they can sit behind your identity provider.
- Consider if client certificates are viable for you. If so, start by deploying and testing on a few devices next week.
There is much more to think about if you plan on remaining a remote-first organisation, including security architecture and strategy. But if you tackle some of the above now, you’ll be in a much better position security-wise.
Doing our part
We at Volkis want to do our part in these uncertain times. If you need advice on anything security related, please reach out to us at [email protected]. We’re happy to help you through this, even if it’s just giving you ideas or some basic help or guidance. Further, we would like to offer a significant price reduction for any work we do that relates to facilitating remote working efforts (e.g. Windows 10 security review, external pentest, etc…). No matter if you’re a small business or an enterprise, we’ve got you covered!
About the author
Alexei Doudkine is Co-Founder and Offensive Director at Volkis. Hacker, tinkerer, car modder and dog person, Alexei has been in the infosec game for over 10 years focusing on the “attack” side of security. You can catch him on Twitter and LinkedIn.
Cover photo by Jan Baborák on Unsplash.