Written by: Mike Parsons, CISP, IAM, IEM, PCIP, HIPAA Certified Security Engineer/Architect
During the worldwide pandemic that shut down businesses around the world and forced social distancing and, in turn, work-from-home scenarios, businesses face a new challenge: securing their networks for remote employees. Cyber society is no longer a vision for the future; the future is now. In this new society, where millions of employees work from home, whether part time or full time, businesses need to recognize the risks that should drive investment decisions and how the rapidly changing threat landscape affects those risks. As part of this, businesses need to protect themselves, and their work-from-home employees, from afar.
Email is one of the major threats, if not the major threat, to our new world of virtual work.
- Email is the most frequently used vector to attack an organization. According to CSO Online:
  - More than 94% of malware is delivered via email.
  - Phishing attacks account for more than 80% of reported security incidents.
  - $17,700 is lost every minute due to phishing attacks.
- According to the Mimecast State of Email Security Report 2019:
  - 61% of survey respondents believe it is likely or inevitable that they will suffer a negative business impact from an email-borne attack (a jump from 58% the year prior).
  - 94% of respondents experienced a phishing attack in the previous 12 months.
  - The average downtime from a ransomware attack is three days.
Organizations should require employees and contractors to use multifactor authentication for cloud-based email hosting solutions like Microsoft’s Exchange Online and Google’s Gmail. Unless business requirements dictate otherwise, companies should employ cloud-based email solutions like Exchange Online through Microsoft 365 and Gmail through Google G Suite to provide secure, flexible solutions with Advanced Threat Protection that thwart email-based attacks before they reach the employee’s email client.
Another strategy a business should implement for work-from-home employees is outgoing email encryption for messages containing sensitive personal data, applied as a non-discretionary control. When sensitive data is identified in an outgoing email, the message is either encrypted or routed to a secure email server where the recipient can retrieve it.
Finally, a business should implement email authentication for the organization by configuring SPF to limit the servers that can send email on behalf of the organization, configuring DKIM to provide proof that the email indeed was sent by the organization, and configuring DMARC to instruct the recipient’s email server to quarantine or reject emails that don’t comply with the SPF or DKIM policies.
Proper email authentication helps thwart attempts by hackers to subvert company email flows.
How Hackers Gain Access
- A favorite tactic of attackers is to spoof or impersonate users or domains. User impersonation is typically associated with Business Executive Compromise (BEC), where the email appears to come from a senior manager. Domain impersonation looks for domains where DMARC, DKIM, and SPF are not properly configured to prevent spoofing.
- The hacker’s goal is to trick the recipient into taking some action, such as sending a wire transfer (often requested in BEC), clicking a link that points to a malicious server, or opening an attachment containing malware. Oftentimes, hackers use bulk email (aka spam) when no identity that can be traced back to the sender can be associated with the mail.
What can an Organization Do?
- Organizations need to better identify and properly dispose of questionable emails. To categorize incoming email for proper disposition, organizations need to implement three defensive measures:
  - SPF (Sender Policy Framework) determines whether the sending server is authorized to send email for that domain.
  - DKIM (Domain Keys Identified Email) determines whether the sending server is who it claims to be.
  - DMARC (Domain-based Message Authentication, Reporting and Conformance) determines, based on the SPF and DKIM results, how the receiving server should process email that fails those checks: take no action, quarantine it, or reject it (with no alert).
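As an added illustration (not code from the original article), the following Python sketch shows how a receiving server combines the three checks described above and in the email authentication paragraph: it evaluates a constructed SPF record for the connecting IP, then applies a constructed DMARC record to the SPF and DKIM outcomes, including the alignment rule under which a spoofer's own passing SPF does not rescue a forged From: domain. The domains, addresses and DNS records are constructed, and the SPF evaluator handles only the ip4/ip6/include/all mechanisms.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups; names and addresses are illustrative only.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip, domain, txt, depth=0):
    """SPF result for the connecting IP: the first matching ip4/ip6/include/all term decides."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[8:], txt, depth + 1) == "pass"
        else:
            matched = term == "all"  # a, mx, exists etc. are not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without an explicit 'all'

def parse_tags(record):
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def org_domain(domain):
    # Simplified to the last two labels; real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, txt):
    """A check counts only if it passed AND its domain aligns with From:; otherwise the p= tag decides."""
    tags = parse_tags(txt.get("_dmarc." + from_domain, ""))
    if tags.get("v") != "DMARC1":
        return "none"  # no DMARC published: receiver falls back to local policy
    def aligned(auth_domain, mode):  # 's' = strict (exact match), 'r' = relaxed (same organization)
        return (auth_domain.lower() == from_domain.lower() if mode == "s"
                else org_domain(auth_domain) == org_domain(from_domain))
    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

Note that a message whose envelope sender passes SPF for an unrelated domain still lands in quarantine here, because DMARC requires the passing identifier to align with the visible From: domain.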
Once systems are in place to flag emails, it is also important to train employees on integrating their home technology into the office environment.
Working from home is more than taking home the company laptop.
Working in a virtual environment requires changes to existing acceptable use and behavioral policies and monitoring practices. These need to be created and published so that all understand and follow them, and monitoring tools deployed to measure effectiveness and compliance.
Not all companies can support secure remote access with company-supplied equipment, that is, restricting remote access to company-owned, company-provisioned and company-monitored laptops and network devices (e.g. firewalls, wireless access points). Where it is possible, however, there are several steps a company needs to take to secure company-supplied equipment:
- Establish policies and standards to follow when using company equipment as well as a separate set to follow when using personal equipment
- Require strongly encrypted VPN access with multifactor authentication to access information assets on the organization network or any of its cloud instances
- Furnish network/firewall equipment that can be centrally monitored
- Establish policies and standards for securing and monitoring the home office
- Establish policies and standards for minimum connection speed and use standard applications for virtual meetings (e.g. Zoom, Webex) and team interaction (e.g. Microsoft Teams, Google Meet)
- Investigate corporate agreements with providers to meet necessary standards for performance and service availability especially where Internet or phone service is problematic
Businesses may mistakenly see work-from-home as an opportunity to transfer costs to the employee, especially if employees are using their own equipment for work tasks. It is important that businesses maintain protocols even if an employee is using their own equipment, including:
- Publish and enforce policies and standards for configuration and maintenance of personal computing and communication devices and networking equipment
- Equipment in the home office must have feature sets and security profiles comparable to those needed to process and protect company intellectual property, since employees are now working in a relatively open environment
- Network devices that support the home network connection, wireless environment, and voice communications need to support the same applications that others in the team have
- Prohibit storage of company data or information on personal devices, especially in clear text, unless business requirements dictate otherwise
- Establish practical minimum standards for the Internet connection and software used for team meetings and inter-employee collaboration
- As in the case for corporate owned equipment, consider corporate agreements with providers to meet necessary standards for performance and service availability especially where Internet or phone service is problematic
- Put a vehicle in place either for employees to buy the correct equipment or service, or for the organization to lend the equipment or software to the employee, especially where employees cannot readily obtain equipment or software that meets standards
In short, businesses need to evaluate the success of working from home in their organization, including productivity gains/losses as well as team interaction successes and challenges. Any work-from-home environment needs to be assessed for cybersecurity health and integrity, and policies and standards must be developed to support any resulting operational changes.
Returning to the Office
If a business decides to bring its employees back to the office, whether part time or full time, there are additional items to consider. If an office has been closed for any length of time, there is a high probability that some machines or processes are now in a failed state, unless continuous monitoring and script-driven updates were in place. Companies need to “deep clean” their office technology equipment before jumping back into work, including updating all firmware and operating systems for servers, workstations, network devices, printers, conference room systems, security cameras and all other IoT devices.
Prior to requesting that employees return to the office, businesses should also consider bringing in a third-party cybersecurity consultant to run a vulnerability assessment that accomplishes the following:
- Performs a deep vulnerability scan looking at compliance of all devices in network with any regulatory or other legal requirements
- Reviews consistency with best practices
- Remediates all vulnerabilities of medium or higher severity
- Sets up a quarantine segment for returning equipment
This quarantine segment should provide for:
- Updating the endpoint protection agent to the current version and performing a deep scan
- Updating the operating system to current patch levels
- Updating all office software
- Forcing a change of all passwords
Only when the equipment meets corporate configuration standards should the machine be allowed to connect to the protected corporate network. Then the employee can resume normal activities in the office with a much lower risk of infecting others.
The worldwide pandemic has changed the landscape for millions of businesses and this shift to work-from-home environments has created a cybersecurity concern for the work-at-home environment and the return-to-work environment.
Techgardens is equipped to handle any outsourced cybersecurity review your network may require. For more information or to speak with one of our cybersecurity experts, please contact us at 646-783-4550 or firstname.lastname@example.org.