News

Top 3 Cyber Security Risks Introduced by Remote Working

When an organisation introduces remote working, this inevitably introduces new and additional cyber security risks, including an increase in the organisation's overall attack surface. In this article we look at some of the top risks and how you can address them.

  1. Lost or stolen devices.
    Lost and stolen devices are one of the most common reasons that organisations report data breaches to the UK Information Commissioner's Office (ICO). While it is no surprise that devices get lost, what is surprising is the number of organisations that fail to implement any form of control to mitigate this risk.

    What is the impact of this risk?
    Lost or stolen devices could potentially result in data loss, sensitive data ending up in the wrong hands, regulatory fines and contractual breaches.

    How can we mitigate this risk?
    1. Firstly, ensure that all of your devices are encrypted. For Windows devices you will need to enable BitLocker and implement strong authentication so that only authorised individuals can access a device. For Apple devices you will need to enable FileVault. Mobile phones are slightly more complicated, which brings us onto the next point.
    2. All mobile devices, including laptops, phones and tablets etc., should be enrolled onto a Mobile Device Management solution. This will enable you to quickly configure encryption policies across your devices, apply other components of secure configuration and also remotely wipe devices should they be lost or stolen.
    3. Increase the security awareness of your staff by communicating remote working procedures and ensuring that they are securely storing business assets when they’re off site.

  2. Office-centric Network Security
    When working in the office, devices are often subject to a number of different security controls, including network firewalls, Intrusion Prevention Systems and web filtering etc. If users are working remotely, unless they're connecting back to the office network via a VPN or utilising a Secure Access Service Edge (SASE) solution, they're suddenly far more exposed than they were before. It is very important that organisations begin to adopt an approach that sees security controls deployed to end user devices, or as close to them as possible.

    What is the impact of this risk?
    The reduced coverage of security controls means your users and their devices are more susceptible to malware and phishing attacks. Additionally, users may inadvertently connect to unsecured wireless networks. The impact of these attacks could include operational downtime, reputational damage, fraud and theft, regulatory fines and contractual breaches.

    How can we mitigate this risk?
    1. Review your security controls and ensure that you have deployed centrally managed security that is deployed to the device. Further guidance can be found on our article Effective Security Controls to Protect Remote Workers.
    2. Deploy a Secure Access Service Edge (SASE) agent to end user devices. SASE solutions route network traffic via cloud based network security stacks.
    3. Deploy VPN agents to your end user devices and route traffic via the security controls on your office network or datacentre. Ensure you understand the potential capacity impact that this could have before implementing such measures.

  3. Weak Configuration
    Weak configuration can expose your devices to increased levels of risk, e.g. default firewall rule sets exposing non-essential network services, inadequate device lockout policies etc. Devices should always have a secure configuration applied and this will differ for mobile devices that are taken out of the office. When a device is taken outside of an office, your security perimeter changes from the network boundary of the office to the device itself, so it is important that this is taken into consideration when applying device configuration.

    What is the impact of this risk?
    Weak configuration could expose devices to significant risks, e.g. exposing SMB port 445. This increases the risk of devices being exploited on unsecured networks and could also potentially allow users to browse the web while bypassing VPNs and the agent-based network security controls installed on a device. The impact of this could include operational downtime, reputational damage, fraud and theft, regulatory fines and contractual breaches.

    How can we mitigate this risk?
    1. Develop a Baseline document for the secure configuration of your devices, taking into account the risks of mobile working.
    2. Review best practice configuration for each device type. For Windows based devices, Microsoft offer Security Baselines which you can download to review, tweak and roll out via Group Policy or a Mobile Device Management solution.
    3. Test configurations and roll them out gradually across your user base.

Effective Cyber Security Controls to Protect Remote Workers

This article looks at some key Cyber Security Controls that will help to reduce risk, particularly when you’re protecting a remote workforce from internet based threats. While this is not a comprehensive list of controls, we feel that all of these items are quick to deploy and will offer an immediate increase of security in an organisation.

  1. Secure Access Service Edge (SASE)
    SASE solutions reinvent the network perimeter and enable you to protect your devices with multiple layers of cloud delivered network security, regardless of their location. Often businesses will have security controls installed in the office, and while this works to protect devices that are connected to the office network, devices that are used remotely will not benefit from this security unless they connect back to the office via a VPN. This in itself introduces other challenges, such as capacity: can your office network facilitate the inbound and outbound traffic of your entire user base all at once?

    SASE solutions can be deployed by installing a simple piece of software to a device and also connecting on premise networks back to the cloud service in order to inspect all inbound and outbound traffic.

    Another benefit of SASE is that it can be used to protect and securely access private workloads such as databases, web applications and more, all of this delivered without having to open up any firewalls and expose your servers and infrastructure.

  2. DNS Filtering
    If it is not possible to deploy SASE, consider looking at DNS filtering and web based proxy solutions. While these won’t give you the same coverage as a SASE service, they’re still very effective at reducing the risk faced by organisations, particularly when it comes to blocking Phishing attacks. Again DNS filtering is deployed by installing a small piece of software, so your remote workforce will also benefit from this protection.
  3. Endpoint Protection & Endpoint Detection & Response (EDR).
    Centrally managed Endpoint Protection is key as it allows you to view the status of security and threats detected across your devices, while also giving you the ability to remotely respond to threats. Endpoint Detection & Response will also enable you to search for suspicious signs of activity and for Indicators of Compromise.

    EDR should be high up on the list of any IT manager or security professional, as it gives visibility across entire environments and starts to shift the focus away from signature based protection towards the Tactics, Techniques and Procedures (TTPs) deployed by attackers, so you can detect and stop new and never-before-seen attacks. Most organisations rely on preventative security technology, but when that prevention is bypassed, e.g. by a new attack, they lack the detection and response tooling and capabilities to quickly detect, respond to and mitigate attacks.

    EDR is particularly effective in remote working scenarios as it often includes Incident Response tools and gives you the forensic ability to respond to incidents remotely. We often see organisations that will rebuild computers if they become infected with malware; this can be very difficult if a user is remote. EDR allows you to reverse the effects of a malware-based or non-malware-based attack without having to rebuild a full device. More importantly though, it gives you full visibility across your whole environment and allows you to query your endpoints and servers, e.g. which devices have made a network connection to Russia in the last 24 hours, or what programs have been executed from the Downloads folder in the past 30 days.
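    The two example questions above, worked as queries over constructed telemetry. This is an added PowerShell example, not code from the original article or from any EDR product: the host names, timestamps, paths and the DestCountry GeoIP field are constructed sample values standing in for what an EDR would return.

```powershell
# Constructed EDR-style telemetry (sample data, not real events). A real EDR
# exposes the same fields through its own query language; here they are objects.
$now = Get-Date
$telemetry = @(
    [pscustomobject]@{ Host='LAPTOP-01'; Type='ProcessCreate';  Time=$now.AddDays(-2);   Image='C:\Users\alice\Downloads\invoice.exe';   DestCountry=$null },
    [pscustomobject]@{ Host='LAPTOP-01'; Type='NetworkConnect'; Time=$now.AddHours(-3);  Image='C:\Users\alice\Downloads\invoice.exe';   DestCountry='RU'  },
    [pscustomobject]@{ Host='LAPTOP-02'; Type='ProcessCreate';  Time=$now.AddDays(-45);  Image='C:\Users\bob\Downloads\setup.exe';       DestCountry=$null },
    [pscustomobject]@{ Host='LAPTOP-03'; Type='NetworkConnect'; Time=$now.AddHours(-30); Image='C:\Program Files\App\app.exe';           DestCountry='RU'  },
    [pscustomobject]@{ Host='LAPTOP-04'; Type='NetworkConnect'; Time=$now.AddHours(-1);  Image='C:\Program Files\Mail\mail.exe';         DestCountry='DE'  },
    [pscustomobject]@{ Host='LAPTOP-05'; Type='ProcessCreate';  Time=$now.AddDays(-1);   Image='C:\Windows\System32\notepad.exe';        DestCountry=$null }
)

# Which devices made a network connection to a given country in the last N hours?
function Find-ConnectionsToCountry {
    param([object[]]$Events, [string]$Country, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $Events |
        Where-Object { $_.Type -eq 'NetworkConnect' -and $_.DestCountry -eq $Country -and $_.Time -ge $since } |
        Group-Object Host |
        ForEach-Object {
            [pscustomobject]@{
                Host        = $_.Name
                Connections = $_.Count
                Images      = ($_.Group.Image | Sort-Object -Unique) -join ', '
            }
        }
}

# What has been executed from any user's Downloads folder in the last N days?
# -match is case-insensitive, so DOWNLOADS and Downloads both hit.
function Find-DownloadsExecutions {
    param([object[]]$Events, [int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $Events |
        Where-Object { $_.Type -eq 'ProcessCreate' -and $_.Time -ge $since -and
                       $_.Image -match '^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\' } |
        Select-Object Host, Time, Image
}

$abroad    = Find-ConnectionsToCountry -Events $telemetry -Country 'RU' -Hours 24
$downloads = Find-DownloadsExecutions  -Events $telemetry -Days 30

"Connections to RU in the last 24h:";  $abroad    | Format-Table -AutoSize
"Executions from Downloads in 30d:";   $downloads | Format-Table -AutoSize

# Hosts that appear in both answers are the ones to triage first.
$priority = $abroad.Host | Where-Object { $downloads.Host -contains $_ } | Sort-Object -Unique
"Triage first: $($priority -join ', ')"
```

    With the sample data only LAPTOP-01 is returned by both hunts; LAPTOP-02 and LAPTOP-03 fall outside the time windows and LAPTOP-04 connected to a different country.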

Summary

As we said at the beginning, we have listed these controls because we feel that they provide organisations with remote workers a rapid increase in their overall security maturity and are quick to deploy. Do not forget about other technical controls and measures such as patch and vulnerability management etc.

Our Managed Detection & Response services incorporate a number of these technologies so please get in touch if you’re interested to find out more or have any questions about this article.

Legal, Regulatory and Contractual Considerations for Remote Working

This article is intended to help organisations which are implementing remote working into their business operations by providing an overview of its legal, regulatory and contractual implications.

Legal and Regulatory Considerations

Depending on the type of business you operate, there are certain legal requirements that you must adhere to when processing customer data. Laws such as the GDPR and the Data Protection Act 2018 require that personal data is processed in a way that ensures its security. This entails using appropriate technological and organisational measures to avoid unauthorised or unlawful processing and accidental loss, destruction or damage of personal data. Businesses are accountable for demonstrating compliance with these rules. Certain sectors, such as the legal sector, have additional regulatory requirements in terms of data security (see this article for guidance aimed at law firms).

The Government has recently decided to enter the 'Delay' phase in its fight against COVID-19, and the latest guidelines from PHE are now encouraging businesses to work from home. As such, the security and privacy of personal data and business sensitive data has become a main priority for businesses. Remote working means all communications take place in a decentralised environment, thus increasing the risks to sensitive data – some examples include employees using unprotected internet connections and business hardware such as laptops getting damaged or lost outside the office. To avoid becoming victims of security breaches, businesses must ensure they have in place strong privacy and security policies, adequately supported by strong cybersecurity infrastructure and staff training.

To better support businesses during this time, the ICO has issued new guidance on data protection. Businesses are being advised that staff can work from home, however the same security measures apply to remote working as they do to office working. This is a clear indication businesses must implement the necessary changes to ensure that adequate cybersecurity infrastructure is put in place and that remote workers adhere to privacy and security policies.

Contractual Considerations

Organisations should review their cybersecurity infrastructure to ensure their response to attacks is appropriate. Contracts with vendors and service providers should address liability for attacks resulting from remote working practices. In particular, businesses should ensure that such contracts include provision of security measures for the following:

  • Handling mobile devices or media that may contain personal or sensitive data;
  • Encryption and truncation requirements;
  • Transportation or transmission of personal or sensitive data, including over public or wireless networks;
  • Risk allocation, including indemnification obligations, for security breaches.

Contracts with vendors and security providers might also contain obligations for businesses to notify third parties of security breaches. Organisations should ensure they are adhering to contractual obligations, whilst also making sure service providers are offering them adequate protection for remote working practices.

Secure Configuration for Remote Devices

Secure configuration is an important element of any good Information Security Programme. There are specific elements of secure configuration that are more pertinent when protecting devices that are to be used remotely and off the corporate network, primarily due to the change in attack surface and increased levels of risk.

In this post we will summarise at a high level, what we feel are the most important elements of Secure Configuration that should be implemented when introducing remote working. These pieces of configuration should be implemented as part of a comprehensive Information Security system.

  1. Device Encryption.
    As mentioned in our article about the Top Risks Introduced by Remote Working, lost and stolen devices are one of the main reasons organisations report data breaches to the UK Information Commissioner's Office (ICO). Ensuring your mobile devices, including laptops, USB storage, mobile phones etc., are encrypted is critical to protecting your organisation's data. If a laptop is subsequently lost or stolen and it has strong encryption configured, there is a significant reduction in the chance that a third party could access your data. Specific encryption instructions can usually be obtained from your device manufacturer or from the links below.

    Windows based devices – https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
    Apple based devices – https://support.apple.com/en-us/HT204837

  2. Firewall Configuration
    When users work remotely, the perimeter of your security and control suddenly shifts from your office network to the device itself. For example, when a user connects to their home network, you have no control over the configuration of that network or the devices connected to it, so the focus of your security needs to shift to the device itself.

    Ensuring the firewall is configured correctly on both Windows and Mac devices is very important. As a minimum we would recommend changing away from the default firewall settings and ensuring that all inbound traffic to a device is blocked. To take this a step further, you could also enforce strict outbound firewall controls that allow only authorised services. Device firewall settings should be configured as standard, but from experience we know this is an area that is often overlooked.

    Having inbound services exposed due to a poorly configured firewall can have a number of implications, including exposed Remote Desktop sessions (just like the ones in the top image) and SMB services, both of which are frequently targeted by cyber criminals.

  3. Enforce Strong Passwords
    Strong passwords should be enforced by policy across all of your devices at all times. We would recommend that all default passwords are changed as a minimum and that strong password policies are enforced across all devices, including laptops, mobile phones and tablets. If possible, we would also recommend using a Password Manager.

    User education when setting passwords is key, and the NCSC has published some great advice on choosing strong passwords. This is particularly key if you're not in a position to enforce password policies.
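    The three elements above (and the BitLocker and device encryption point from the Top 3 Risks article) as one device-side check. This is an added PowerShell script, not from the original article or from Microsoft's baselines; it assumes a Windows device with the BitLocker and NetSecurity modules, English-locale `net accounts` output, and a minimum password length of 14, which is an assumed baseline value rather than one the article gives.

```powershell
#Requires -RunAsAdministrator
<#
  Checks a Windows device against three controls: BitLocker on the OS drive,
  the host firewall enabled and blocking inbound traffic on every profile, and
  a local minimum password length (14 is an assumed value, not from the article).
  Read-only unless -Remediate is given; even then BitLocker is only reported,
  because recovery-key escrow (AD/MDM) must be in place before it is turned on.
#>
param(
    [switch]$Remediate,
    [int]$MinPasswordLength = 14
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Device encryption: OS volume fully encrypted, protection on, XTS-AES-256.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os) {
    $findings.Add('BitLocker: cmdlets unavailable on this edition; enforce encryption via MDM')
} elseif ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker: $env:SystemDrive is $($os.VolumeStatus), protection $($os.ProtectionStatus)")
} elseif ($os.EncryptionMethod -ne 'XtsAes256') {
    $findings.Add("BitLocker: method is $($os.EncryptionMethod); baseline expects XtsAes256")
}

# 2. Firewall: Domain, Private and Public profiles all on and dropping unsolicited inbound.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall: profile $($p.Name) Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)")
        if ($Remediate) {
            # Outbound is left at Allow; tightening it needs per-application rules first.
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        }
    }
}

# 3. Password policy: local minimum length (domain or MDM policy overrides this on managed devices).
$line = (net accounts) -match '^Minimum password length' | Select-Object -First 1
if (-not $line) {
    $findings.Add("Password policy: could not read 'net accounts' output")
} else {
    $current = [int]($line -replace '[^\d]', '')
    if ($current -lt $MinPasswordLength) {
        $findings.Add("Password policy: minimum length is $current, baseline expects $MinPasswordLength")
        if ($Remediate) { net accounts /minpwlen:$MinPasswordLength | Out-Null }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1   # non-zero exit lets an MDM compliance or detection script report the failure
```

    Run it as a scheduled or MDM-delivered script to audit, and with `-Remediate` to correct the firewall and local password settings; BitLocker findings are left for the encryption rollout described above.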

For organisations that are looking for a more comprehensive approach to Secure Configuration, Microsoft offer a set of Windows Security Baselines and the Center for Internet Security offer a range of baselines for other operating systems, including Windows.

Summary

These three elements are critical components of a well rounded information security strategy and they should be a prime focus when introducing remote working. We hope you found this article useful and if you would like any assistance or have any questions then please feel free to get in touch with us.

Network Security for Remote Workers

Network security has traditionally been anchored to office and datacentre locations. More recently, the growth of remote working has added new security challenges: it increases the overall attack surface faced by organisations and can also take remote workers away from the protection provided by corporate networks.

In this article we will look at the different options available for addressing network security for remote workers and also the challenges it can introduce.

Virtual Private Networks (VPNs)

Many businesses operate with a network VPN, enabling remote users to connect back to the office network over a secure tunnel. This means that all of the user's network traffic goes over the internet, into the office network and back out of it. The benefit of this is that the user will still be protected by the network security appliances installed in the office or data centre. There are a few downsides though. Firstly, if you don't configure the end device correctly, the user could access the internet without connecting to the corporate VPN, exposing them to security threats. Secondly, this requires a large amount of bandwidth at the office internet connection: the more users, the faster the connection you will need.

While this scenario works for large organisations such as banks and financial institutions that implement adequate controls and capacity management, implementing a VPN for a large number of staff requires a lengthy period of planning and implementation.


Secure Access Service Edge (SASE)

SASE solutions reinvent the network perimeter and enable you to protect your devices with multiple layers of cloud delivered network security, regardless of their location. SASE solutions can be deployed by installing a simple piece of software to a device and also connecting on premise networks back to the cloud service in order to inspect all inbound and outbound traffic.

Unlike traditional VPN solutions, SASE doesn't require expensive hardware, nor does it consume large amounts of bandwidth, forcing you to upgrade your internet connections.

Once an agent is installed on a device, inbound and outbound network traffic is sent via the SASE service for security inspection. SASE offers a significant increase in security too, with multiple layers of security being deployed including Intrusion Prevention Systems, Application Firewalls, Web Filtering, Malware Scanning, SSL Decryption, Sandboxing and more.

SASE is quick to deploy and can rapidly protect a remote user base from a single piece of software. If your end users do need to connect back to on-premise or private applications and resources, SASE services can also be configured to broker secure remote access, without the need for a VPN.

DNS Filtering & Cloud Web Proxies

Another option would be to deploy DNS filtering and a Cloud Web Proxy service. Like SASE this solution can be installed with a simple piece of software, but it does not give you the same level of features or security coverage.

DNS filtering works by intercepting your web requests and checking the website against a known database of malicious websites. Cloud proxying takes this one step further by inspecting websites and content as you browse for malicious content such as malware.

Summary

While there are a number of ways to secure remote devices that are off the corporate network, our recommendation is to deploy a SASE solution as it provides a large feature set, enterprise class security and can be quickly deployed. If you have any questions about the topics covered in this article then please get in touch.


Secure Remote Working

These articles are intended to help guide organisations who have introduced remote working or increased the number of remote workers due to Covid-19. This guidance is broken down into several bitesize articles and guides that are aimed at both board members and IT teams.

The following guidance should be reviewed and integrated into a good information security strategy in order for it to be completely effective. Not all of the information may be applicable to your organisation, but we hope that you find this useful and that it helps you to enable the continued operations of your business in a secure manner.

We will continue to update and add new articles as the weeks go by. We would appreciate any feedback you may have.

Contents

  1. The Top 3 Risks Introduced by Remote Working.
  2. Legal, Regulatory and Contractual Considerations for Remote Working.
  3. Secure Configuration for Remote Devices.
  4. Effective Cyber Security Controls to Protect Remote Workers.
  5. Network Security for Remote Workers.

Anti-Virus Exploited During Mitsubishi Cyberattack

Hackers have utilised a zero-day vulnerability in a popular anti-virus product during an attack on Mitsubishi Electric.

According to ZDNet, sources close to the ongoing investigation of the Mitsubishi Electric cyberattack have indicated that attackers exploited a zero-day vulnerability in the popular anti-virus product Trend Micro OfficeScan.

In a press release published on its website, Mitsubishi said it detected an intrusion on its network last year, on June 28th 2019. Reports suggest that the initial discovery was triggered by staff who found suspicious files on a server.

What is a Zero-Day?

A zero-day vulnerability is a software vulnerability that is either unknown to or unaddressed by the vendor. In this particular instance, Trend Micro released a software patch for the vulnerability (CVE-2019-18187) in October 2019, but for Mitsubishi this was already too late. Alongside the patch, Trend Micro also published a warning to customers stating that the vulnerability was being actively exploited by hackers in the wild.

Trend Micro Advisory

Who Was Responsible?

Initial reports suggest a Chinese hacking group was responsible, with Japanese media stating that the attack was the work of a Chinese state-backed hacking group called Tick. Tick, also tracked as Bronze Butler, is an Advanced Persistent Threat group primarily targeting organisations in Japan and South Korea.

Prevention is not the Cure

While organisations often rely primarily on preventative security controls, this attack further highlights the need for comprehensive detective measures. Adversaries craft and design attacks to bypass preventative controls such as anti-virus, email filtering and firewalls, and without solid detection capabilities such as EDR and network monitoring it is often impossible to identify attacks until it's too late.