The office has been deep cleaned and set up to comply with social distancing recommendations, and – against all the odds – enough of the workforce is willing to brave public transport to go back to work. It’s time to try to get back to business as normal.
Most of us won’t be there just yet, but in the next few months, as the Covid-19 coronavirus pandemic begins to subside, more and more offices up and down the UK will find themselves in this scenario.
Unfortunately, reintroducing employees to the office as lockdown regulations ease will expose security teams to a heightened level of risk that has never really been seen before, or so says Joseph Carson, chief security scientist at Thycotic.
“It’s essential to put in place measures to mitigate and manage the potential risks so that the corporate network is not overwhelmed with new threats,” he says. “Organisations will have to consider that systems which have been taken out of the office with limited security controls will need a mandatory security review in place.”
Rich Orange, UK and Ireland vice-president at Forescout, tells Computer Weekly that his customers are already asking him about the potential for problems here.
He says: “When everyone downed tools and went to work from home, the VPN became popular and sexy again, which is fine, but the not-so-obvious threat which most organisations are realising now they’ve had thousands of people out working from home is addressing, ‘How do we safely get these users and devices that have been remote and outside of our typical corporate security controls back in now?’
“Devices are not sitting behind layers of enterprise security, they’re sitting at home behind a BT router for 12 weeks, customers haven’t been able to do a vulnerability sweep on them and haven’t been able to auto-push any patches to them because they need to be connected to the network. How do they safely bring these devices in, making sure that they still meet corporate policy?”
But this isn’t just a problem that affects major corporate enterprises – any business of any size that has implemented universal remote working during the pandemic is at risk.
“One of our main concerns around this is for less cyber-savvy companies with people working remotely and just getting by how they can,” says Redscan head of threat intelligence George Glass. “Maybe they’re sharing files via email, or maybe their VPN solution can’t support the throughput of the entire company working remotely, and therefore they’ve reduced the amount of connectivity they have between their remote devices and the internal network.
“Additionally, those devices that are being used remotely may not be getting antivirus updates because certain companies may require a connection to a centralised server to push those, therefore those devices could be compromised with little knowledge to the organisation. If they’re not running an endpoint detection and response (EDR), they may not know that there’s been a compromise on a device until it returns to work and plugs directly into the network.”
Nor does the problem only affect devices that have been out in the wild. As Zeki Turedi, Europe, Middle East and Africa (EMEA) tech strategist at CrowdStrike, points out, security teams will also need to make sure that on-premise IT equipment is able to deal with people coming back to the office.
“If you’ve got desktop systems that have been shut down for the past three months and not been used, do you know if they have been updated correctly? There’s probably thousands of desktop computers in offices all across the UK that have got huge vulnerabilities that need to be mitigated and looked after before people start utilising them,” he says.
Lying in wait
Perhaps even more worrying is the fact that this problem doesn’t end with basic patching and antivirus hygiene – it has the potential to be much more sinister, as a recent alert issued by Redscan revealed. The alert warned that, having successfully inveigled their way onto employee devices through targeted phishing attacks, organised cyber criminals are now lying in wait to connect to corporate networks and wreak havoc.
Since the UK’s lockdown began on 23 March, Redscan’s security operations centre (SOC) has observed a significant rise in cyber criminals targeting remote workers, including a surge in malware spam, external scanning attempts to find weaknesses in remote access tools, and credential stuffing attempts on public cloud accounts.
The firm says that many businesses understandably rushed to introduce remote working without doing their research and implementing sufficient controls to minimise the risks that malicious actors pose to workers and devices when they’re beyond the corporate perimeter.
Glass believes that, with a wearisome inevitability, this lack of attention will lead to an uptick in incidents as employees log back onto the organisational infrastructure and dormant hackers launch their attacks, for example by moving laterally through the network seeking elevated domain admin rights, or by launching a ransomware attack.
After all, it is no skin off a determined cyber criminal’s nose to wait around for a bit. Carson at Thycotic says: “Cyber criminals will no doubt be playing the long-term game, using compromised devices at home to get one foot in the door, and when those devices return to the corporate network they will have two feet in the organisation’s network, now potentially with remote access and deciding the next malicious action.
“Remote working has provided the perfect opportunity to plant the cuckoo’s egg of attacks on edge devices, to launch later once workers go back to the physical workplace and connect to the corporate network.”
Glass adds: “Our concern revolves around exactly this. Big game hunting cyber criminal gangs are more than happy to sit around for as long as they need to, as long as they feel they can avoid detection, it could be weeks or even months. We’ve seen dwell times are certainly on the increase, and we know, specifically with things like Maze ransomware, cyber criminals will gather as much intel and data as they can and use that as leverage.”
Fortunately, the return to work need not necessarily be a disaster for security teams, as long as you plan ahead, says Glass, and one helpful tool that most businesses will already have in place is a guest wireless network.
“Connecting employee devices that are returning to the office to a guest network first limits the risk of an immediate spread to the rest of the corporate network, to network-attached storage [NAS],” he says.
“Over the past weeks and months, people have learnt to quarantine themselves and limit interactions to the people they immediately live with to contain the spread of the coronavirus,” says Orange at Forescout.
“This approach of isolating individual elements of a system to avoid cross-contamination isn’t unique to virology; it is just as effective when it comes to cyber security. Segmenting a network into different, independent parts continues to be a cyber security staple that, in case of a breach, prevents bad actors from laterally moving across an organisation’s network.
“Just like hospitals are sealing different sections off and controlling who goes in and comes out of them, organisations need to do the same with their networks.”
Besides network segmentation, whether done on a rudimentary basis or more formally, organisations should also put in place comprehensive network compliance policies ahead of a return to work, just as national governments are closing their borders to visitors from badly hit countries.
It is also recommended to ensure firewall rules are up to date with the latest threat intelligence information to try to catch some of the more well-known command and control servers.
For the endpoint devices themselves, Glass recommends first conducting a vulnerability scanning exercise to pick up missed software patches and operating system updates – something a competent security officer should be doing anyway – and then increase monitoring of endpoints going forward.
“Not all companies are going to be able to immediately roll out EDR solutions across their entire estate, I understand that, but increasing monitoring could definitely help catch actors that are trying to move laterally,” he says.
Security professionals should also take the opportunity to resurface basic security training, helping staff understand the risks that they might face when they go back to work, and remind them of standard guidelines around spotting phishing emails, and so on.
CrowdStrike’s Turedi cautions that for a while – possibly even permanently – offices are not going to be running at anything like their pre-pandemic capacity, so it is also important that chief information security officers (CISOs) maintain whatever measures they put in place to safeguard their remote workers. It is also worth their while to formalise remote-working policies that were drawn up in haste in March.
“This is a much more complex stage because the return to work is not just about turning on devices and patching updates, it’s about identifying what the core mechanisms are that are used to secure the environment, and making sure the tools and technologies in place are actually able to provide full security, no matter where employees are,” he says.
“As you come into the post-lockdown world, people maybe will not want to go and work from an office or will maybe not be able to work in the office because those offices can only be at 20% capacity, so they may start opting to work from a cafe or work from the park or from a shared space that at least enables them to be outside of the home. That will change the security environment.”
In the mid- to long-term, Orange at Forescout says that the return to work is a good opportunity to consider implementing zero-trust policies, establishing minimum security requirements that devices must meet before they connect to the network. For example, should a vulnerability in an older operating system be identified, any device running it can be denied access until it has been updated or patched.
“If such policies already exist, it is essential to review and update them now as the threat landscape is constantly changing. Cyber criminals won’t stop looking for potential exploits in common operating systems just because a global pandemic is going on,” he says.
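The admission checks Glass and Orange describe above (park returning devices on the guest network, scan for missed patches, check for an EDR agent, and refuse devices below a minimum operating system level) combined into one posture-evaluation routine. This is an added illustration, not code from any of the vendors quoted; the thresholds, build numbers and device records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Minimum posture a returning device must meet before it leaves the guest network.
# Thresholds and builds are illustrative assumptions, not figures from the article.
MIN_OS_BUILD = {"windows": 19041, "macos": 1015}
MAX_AV_AGE_DAYS = 7        # antivirus signatures older than this count as stale
MAX_OFFLINE_DAYS = 30      # longer without a corporate check-in means patches were never pushed

@dataclass
class Device:
    hostname: str
    os: str
    os_build: int
    av_signature_date: date
    last_corp_checkin: date
    edr_installed: bool
    open_vulns: List[str] = field(default_factory=list)  # findings from the vuln scan

def evaluate_posture(dev: Device, today: date) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine", reasons); any failure keeps the device on the guest VLAN."""
    reasons = []
    minimum = MIN_OS_BUILD.get(dev.os)
    if minimum is None:
        reasons.append(f"unsupported os {dev.os!r}")
    elif dev.os_build < minimum:
        reasons.append(f"os build {dev.os_build} below minimum {minimum}")
    if (today - dev.av_signature_date).days > MAX_AV_AGE_DAYS:
        reasons.append("antivirus signatures stale")
    if (today - dev.last_corp_checkin).days > MAX_OFFLINE_DAYS:
        reasons.append("no corporate check-in during lockdown; patches not pushed")
    if not dev.edr_installed:
        reasons.append("no EDR agent; lateral movement would go unseen")
    if dev.open_vulns:
        reasons.append("open scan findings: " + ", ".join(dev.open_vulns))
    return ("quarantine" if reasons else "allow"), reasons

# Constructed inventory: one laptop sat behind a home router for 12 weeks, one kept checking in over VPN.
TODAY = date(2020, 6, 15)
FLEET = [
    Device("LAPTOP-01", "windows", 18362, date(2020, 3, 20), date(2020, 3, 20), False,
           ["PLACEHOLDER-FINDING-1"]),
    Device("LAPTOP-02", "windows", 19041, date(2020, 6, 14), date(2020, 6, 14), True),
]

def triage(fleet: List[Device], today: date) -> Dict[str, str]:
    """Map hostname -> decision so the access-control layer can assign the VLAN."""
    return {d.hostname: evaluate_posture(d, today)[0] for d in fleet}
```

A device that fails stays on the guest network, is patched and rescanned, and is only re-evaluated once every reason list is empty.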