The COVID-19 pandemic has caused a forced work-from-home situation that many organizations and businesses were likely not prepared for. Dealing with undersized VPN infrastructure, insufficient bandwidth and too few managed devices for employees to take home, IT departments are scrambling to limit the impact on productivity and enable access to the corporate resources and applications their colleagues need to perform their job duties.
Unfortunately, mounting pressure from management to set up remote working capabilities as quickly as possible could result in IT teams cutting corners and ignoring existing security policies and practices. This could have major implications for business continuity in the long run.
Imagine the disruption an attacker could cause by gaining access to the company’s private network through an exposed service or a remote employee’s personal device, then moving laterally and infecting internal servers with ransomware at a time when the IT and security teams are also working remotely and can’t take a hands-on approach to remediate the problem.
It would be extremely difficult to recover from such a situation, Chase Cunningham, principal analyst serving security and risk professionals at Forrester, tells CSO. “This is the type of scenario where one person’s access could literally wreck an entire infrastructure in no time.”
Attacking remote workers
In the past there have been many cases of companies exposing Remote Desktop Protocol (RDP) services directly to the internet and those services being hacked and used as entry points for cybercriminals. Unfortunately, during the COVID-19 crisis, incidents involving insecure configurations of services and firewalls are likely to increase as people take shortcuts to enable remote access.
Last week, researchers from Bitdefender warned that TrickBot, a credential-stealing Trojan, added a new module to its arsenal that uses infected computers to launch RDP brute-force attacks. Companies from the telecom, education and financial services sectors in the United States and Hong Kong were on the target list seen by the researchers. TrickBot also has modules for stealing OpenSSH and OpenVPN credentials, which are typically used for remote access, and is a known delivery platform for the sophisticated Ryuk ransomware.
Experts agree that these kinds of attacks will continue and intensify as attackers jump at the opportunity to target the large number of workers who are now accessing corporate resources from outside their protected corporate network perimeters and potentially from their own, less secure, devices.
Criminals will always respond to circumstances and develop techniques that work and continue to get better, Kevin Curran, an IEEE senior member and professor of cybersecurity at Ulster University, tells CSO. We now have many situations where people have moved out from environments where they were protected by the simple fact that there were firewalls in place and warnings and procedures and they had to have certain versions of operating systems or their software updated. They are now using their personal laptops which, for all we know, could be running Windows XP, he says.
Enter zero trust
One potential method of avoiding some of these security issues and limiting the risk is to adopt a zero trust security model, where access to business applications, including legacy applications, is done through a secure web-based gateway following least-privilege principles with support for multi-factor authentication (MFA) and device security checks. Such systems are more scalable than VPNs without added infrastructure costs, can easily integrate with existing single sign-on (SSO) platforms, and allow for granular access control policies that define who may access what from which device.
The good news is that, in response to the COVID-19 crisis, some vendors in this space are now offering extended free trials for their products. Content delivery company Akamai is offering complimentary 60-day usage of its Enterprise Application Access (EAA) solution as part of its Business Continuity Assistance Program. Cloudflare is offering companies of all sizes free use of its Cloudflare for Teams product through September 1, which includes Cloudflare Access for zero-trust access to internal apps and Cloudflare Gateway for DNS filtering and network monitoring. Cisco’s Duo Security also offers new customers free licenses to its zero-trust and MFA platform. CSO is maintaining a list of free work-from-home technology offerings from security vendors during the crisis.
“All those [business] leaders that have been trying to justify the reasons for remote work now have a reason to do it,” Cunningham says. “But the reality of it is VPNs are not going to work at this scale, so they should be taking advantage of these [zero-trust access] offerings and, if nothing else, use them for pilot purposes to try and figure out where they’re going to be. This is not just going to be something that is done for the next couple of months. This is the future of the workspace and now they have an opportunity to test that stuff out for free in lots of instances and continue to grow from there. If it was me, I would be jumping on this as fast as I could.”
Zero-trust models gaining popularity
Many companies were considering switching to the zero-trust network security model even before this crisis hit. A newly published survey of IT managers across 100 small- and medium-size enterprises and Fortune 500 companies found that 31% are considering it, 19% are in the adoption phase, and 8% have already implemented it in their organizations.
Fully deploying zero-trust security across the entire corporate network is not an easy task. It requires a phased approach that involves pilot programs, gathering metrics, tweaking access policies, making sure various products integrate seamlessly, making changes to internal data flows and training employees. However, companies could start now on the remote access side and then build from there.
“If you asked me a year ago ‘Could you roll out a zero-trust network if a pandemic hit and the company had to switch within a few weeks?’ I would have said: ‘No, that’s impossible’,” Curran says. “To be honest, these cloud-based systems seem to be the most seamless way to get to a semi zero trust network in a rapid time. I wouldn’t say these are true zero-trust networks, but they do a damn good job.”
“I would encourage companies to go down this route actually because, in some ways, this is really privileged access management, which is the starting point for building a zero-trust network,” Curran says. “You can build out the other things later. There are some policy changes needed and a bit of training, but it’s a good system […] and it is stronger than any VPN.”
Advice for moving to zero trust
When developing their access policies, companies should make a clear distinction between managed devices they give to their employees and the unmanaged personal devices that some employees might use to access the company’s applications. Ideally, if they’re faced with a BYOD scenario, companies should ask their employees to install a mobile device management (MDM) solution on their personal devices.
Cloud-based zero-trust access gateways generally perform some security checks for connecting devices through the browser, like verifying the patching state of their OS and other software, but that might not be enough, especially if this forced work-at-home situation lasts for months. The longer a device remains unmonitored, the higher the chances of a compromise.
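The policy logic a zero-trust gateway applies, as described in the "Enter zero trust" section and the advice above (identity plus MFA, a managed/unmanaged device distinction, a patch-state posture check, and a least-privilege map of who may reach which app from which device), sketched as an added example. This is illustrative code written for this article, not any vendor's product; the application names, group names and the policy table are constructed sample data.

```python
"""Minimal default-deny access policy evaluator (illustrative, constructed)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the company's MDM, or personal BYOD
    os_patched: bool         # result of the gateway's patch-state posture check
    os_name: str = "Windows 10"


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # groups from the SSO/identity provider
    mfa_passed: bool
    device: Device
    app: str


# Constructed sample policy: which groups may reach which app, and whether
# the app is restricted to managed devices. Sensitive and legacy apps are
# locked to managed devices; webmail is allowed from personal devices.
APP_POLICY = {
    "webmail":    {"groups": {"staff"},   "managed_only": False},
    "hr-portal":  {"groups": {"hr"},      "managed_only": True},
    "legacy-erp": {"groups": {"finance"}, "managed_only": True},
}

# Operating systems the gateway refuses outright (the "Windows XP" case above).
UNSUPPORTED_OS = {"Windows XP", "Windows 7"}


def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, reason). Network location never grants access."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return ("deny", "unknown application")
    if not req.mfa_passed:
        return ("deny", "MFA required")
    if req.device.os_name in UNSUPPORTED_OS:
        return ("deny", "unsupported operating system")
    if not req.device.os_patched:
        return ("deny", "device failed patch-state posture check")
    if policy["managed_only"] and not req.device.managed:
        return ("deny", "application restricted to managed devices")
    if not (req.groups & policy["groups"]):
        return ("deny", "user not in an authorised group for this app")
    return ("allow", f"{req.user} -> {req.app}")
```

Every check that fails returns a distinct reason so the gateway's decision log can tell an MFA failure from a posture failure, which is what the security team needs when working remotely themselves.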
“Obviously, in a perfect world they would eventually get to an end state where they have agents on the machine so they can actually do something, but right now this is about putting the fire out or controlling the fire rather than having the optimal state,” Cunningham says. “We’re not ready for optimal. We’re ready for ‘keep people working and keep the economy moving’.”
It’s likely though that companies that had at least some remote workers before this forced work-from-home situation already use some MDM solution. In that case, they would only have to talk to their MDM vendor and buy additional licenses.
Legacy apps should be run in virtualized environments or containers and should be segmented from the rest of the network so that if they’re compromised, attackers can’t pivot and move laterally to compromise the rest of the infrastructure.
“Back to the whole viral deal, it’s a guarantee that there’s going to be some infection, but we don’t want to have massive infrastructure-wide infection because of something simple like an old app that got hit,” Cunningham says.
Copyright © 2020 IDG Communications, Inc.