In a mad dash to enable a distributed workforce amid the COVID-19 pandemic, IT teams had to make difficult compromises to keep their businesses running. However, some of their well-intentioned actions resulted in misconfigurations and security trade-offs in a rush to enable business continuity. As the dust settles and the world adjusts to large-scale remote work, IT teams need to ensure that these vulnerabilities don't persist in their environments for longer than necessary.
To that end, let's take a look at some of the most common trade-offs that IT teams have been forced to make and share some recommendations for how to rebuild a strong security posture.
Enabling the Remote Workforce: Hardware
While some companies have experimented with remote work and were more-or-less prepared, many others were in no position to suddenly shift their workforce to the home.
A significant number of organizations still issue desktop computers instead of laptops—desktop computers are more cost effective, tend to have stronger computing power, and are inherently less mobile (thereby keeping sensitive information tethered to a secure environment). For these organizations, the move to remote work presented an immediate and monumental challenge to get employees up and running securely.
Some companies purchased laptops, while others asked employees to use their personal devices; some workers literally transported their desktops home with them. No matter which route an organization took, each came with security implications.
Route One: Buy Hardware
Purchasing new hardware is the easiest and most secure option. However, according to a survey conducted by electronics trade group IPC, the computer manufacturing and supply chain is experiencing significant delays on a global scale.
If you were lucky enough to get your hands on new hardware, it's important to remember to equip those devices with the corporate image by installing the right applications and firewalls. If you're using refurbished hardware, it's critical to first conduct an audit to make sure it's a clean and secure device.
Route Two: Use Employees' Personal Computers
Many businesses have allowed employees to use their personal devices during this transition. While this may have been critical to keep operations running, personal devices come with a slew of security challenges, including the possibility of pre-existing malware and not having the latest updates installed. When these devices connect to corporate networks—more on this next—it opens up the entire organization to unseen risks.
Sidenote: this is one reason it's so important to have visibility into network communications. By monitoring that traffic in real time, network detection and response (NDR) solutions allow you to track suspicious behavior from asset to asset so you can better mitigate the threat and understand the attack vector.
Spinning Up VPNs
Whether employees connect via corporate computers or their personal devices, many are using VPNs to gain access to critical systems and assets. While many organizations already had VPNs configured, few had enough licenses for everyone who suddenly needed them, forcing IT teams to move quickly. In the rush, misconfigurations are a legitimate cause for concern. It's critical for those teams to go back and audit those connections to ensure security.
Planning for Office Reopenings
While the time frame for coming back to the office is still yet to be determined, IT teams should consider wiping machines and reimaging them with the corporate image when employees return. This includes any desktop computers that employees have physically moved from the office to their homes.
Misuse and Misconfigurations of Protocols and Software
RDP on the Internet
IT teams and employees may be tempted to use remote desktop protocols (RDP) to access their machines in the office. In fact, many already have. According to Shodan, there has been a significant uptick in RDP activity, ZDnet reported a jump from 3 million to 4.5 million RDP ports open to the internet from January to March 2020, and here at ExtraHop, we've seen an increase in RDP usage across our customer base.
While it is acceptable to use RDP for brief, ad hoc access, misconfiguring and exposing RDP to the internet is a common and potentially catastrophic mistake. As a general rule of thumb, you shouldn't use RDP long-term.
If you must use RDP under these circumstances, we recommend following some key best practices. Above all else, it's imperative to access RDP through a secure VPN in order to ensure that your critical assets and systems do not get exposed through an open portal to the internet—and keep RDP usage brief. Bad actors are scanning for openings and ready to take advantage of any vulnerabilities they find.
To learn more, read our Security Advisory on RDP.
Similar to RDP, virtual network computing (VNC) is another way that employees may try to access their desktop computers from home. While unlikely that an IT team would recommend using this system, we have heard reports of employees going rogue and using VNC tools, like TeamViewer, on their own.
Again, VNC software is okay when used as intended: troubleshooting. Sustained use is not recommended and presents a substantial security risk. Additionally, these services use a ton of bandwidth.
Unlike RDP, which must be enabled internally, VNC is managed by third-party vendors. Giving a hosted service access to the employee's computer and critical assets is an added risk. Routing authentication through a third party is not a secure option for an enterprise. Simply put, you should never allow your security posture as an organization to be controlled by a third party.
So, are employees at your organization engaging in dangerous behavior that could compromise your business? Unfortunately, you don't know what you don't know. The good news is that NDR can monitor this behavior for you. If an employee is using a VNC tool, Reveal(x), ExtraHop's NDR solution, will alert you to the risk. ####Full Tunnel vs. Split Tunnel VPN In most cases, IT teams will want employees to access the VPN via split tunnel VPN, not full tunnel, so as not to overburden the network. Failing to do so will result in challenges for both performance and for security.
High-volume applications like Zoom and Netflix—which have seen increased use since work from home went into effect—do not need to be routed through the VPN and have the potential to affect performance if left unmonitored.
Too much traffic can tip over the VPN and could expose you to denial-of-service (DoS) attacks. Full tunnel VPN access also increases your risk of routing nefarious traffic through the datacenter.
Incidentally, Reveal(x) has a detection for this too which alerts you to who is accessing the VPN via full tunnel.
Secure Shell (SSH)
As more people need to do commands and configurations from outside of the corporate environment, organizations will likely see a rise in the use of Secure Shell protocols (SSH). SSH allows for secure connections to systems in otherwise unsecured networks. It's intended to provide additional security, however, if accessed by someone who doesn't have permission, it has the potential to cause a lot of damage.
Under normal circumstances, security teams would limit credential access, but the shift to remote work has increased the number of people who will need to access SSH. With the rush to give access and an increase in employees using SSH, bad actors have the chance to slip in undetected.
Security teams should keep an eye on which IPs are accessing SSH, or have Reveal(x) scan SSH for any open ports that have left critical assets exposed, and investigate immediately if there's any suspicious activity.
Scanning and Recon
Security teams can and should scan their environments to expose any open portals. But they should also pay attention to who is doing that scanning. Monitoring who is doing asset scanning can expose potentially unwanted intruders who are looking for access points to your environment. If you're seeing an increase in scans, that should tip you off to potentially malicious behavior since malware needs to scan before starting an attack. If you can account for an increase in scanning, that's great. But if it's suspicious, then dig deeper.
ExtraHop Can Help
Enabling a distributed workforce pressed IT teams to move quickly and make tradeoffs in order to ensure business continuity, but now it's time to go back and tidy up the mess.
Without complete visibility across your (now distributed) network, problems like those outlined above have the potential to persist for a long time without detection.
Increased dwell time leaves bad actors with even more time to burrow into your infrastructure. The average dwell time for attacks remains around three months, meaning that the security implications of this new reality won't be known for some time to come. According to the IDC, ExtraHop helps security teams to reduce dwell time by 60 percent.
With cloud-native network detection and response from ExtraHop, organizations gain the perspective they need to secure their distributed business. Our approach applies advanced machine learning to all cloud and network traffic to provide complete visibility, real-time threat detection, and intelligent response across hybrid and multi-cloud environments.
For resources to navigate the new realities of remote access, check out our resources page.