The modern workforce is more flexible and dynamic than ever before, with technology enabling employees to work from anywhere, at any time, on any device. But these new remote workforces are not without their security risks. We spoke to industry experts about some of the biggest cyberthreats and how companies can best address these.
What are the main cybersecurity challenges that remote workforces need to overcome and how can CISOs ensure they are secured?
Nicolai Solling, CTO, Help AG
Securing the remote workforce has always been a challenge and there are a number of reasons for that. First of all, historically there has been more focus on protecting the organisation instead of the remote user. As an example, organisations have deployed more and more sophisticated network security components such as next-gen firewalls and anti-malware solutions, which typically inspect network traffic within the organisation.
However, when users take their laptops home, they are vulnerable as they are outside of this protection. From a technical standpoint, we have been able to address this for a number of years by backhauling remote users’ traffic to the headquarters via VPN but organisations today are still worried about user experience and bandwidth consumption.
Another element is the actual user behaviour, arising because users may have more versatile use of their devices when they are outside the organisation as compared to internally.
An example here could be the ‘road warrior’ who is on a business trip and needs to take care of personal tasks on his corporate device – potentially introducing risk.
After all, you may know how the mail security is for the company, but do you know the security level of every consumer-based e-mail solution? Or for that matter, recreational browsing which may introduce risk to your organisation. As a result, it is very challenging for organisations to maintain the same security level for the user off their internal networks as on the network.
The third and perhaps most important challenge is consumerisation of the devices that remote workers are utilising. We sometimes call it Bring Your Own Device (BYOD) but the fact is that it is extremely challenging to enforce security settings on a device which you do not own and control. I still believe that many organisations are not giving enough thought to the impact of enabling users to access corporate data from privately owned devices. How do you secure the usage of the data on a device which could be inherently insecure? And how do you offboard that data again if you have no governance over the device?
Statistics also talk their own clear language and unfortunately research by T-Systems found that when working away from the office, 31% of employees use Wi-Fi hotspots, 28% emailed work documents from their personal accounts, 10% used free USB charging stations and 15% connected shared USB sticks and memory cards to their work computers. Each of these activities presents known opportunities and risks for exploitation by cyberattackers.
All this said, the ability to work from anywhere and at any time positively impacts both employee productivity as well as job satisfaction. In today’s business environment therefore, it is imperative for IT to support and secure the remote workforce.
So, what can organisations do to secure their remote workforce?
Employee awareness and training
Last year, social engineering was the initial attack vector used in 65% of the threat advisories that our Managed Security Services (MSS) team published. Recognising that humans still present the weakest link in the cybersecurity chain, the first task should be to raise cybersecurity awareness within the workforce. This should include making employees understand the implications of their actions, company security policies and best security practices such as the use of strong passwords.
Furthermore, training should be an ongoing activity rather than a one-time exercise.
Use of VPNs
As employees will often use their personal devices when connecting to company networks, it is best to provide them with a secure means of access. VPNs are designed specifically for this as they encrypt data and hide the IP address of the user. So even if the employee is accessing sensitive company data via an insecure connection, potential attackers wouldn’t be able to extract any useful information.
I still believe that organisations can do much more by enforcing policies that ensure users are still behind corporate services even when on the road. Always-on VPN has been around for a very long time and can be enforced without any user impact.
Identity access management
In the world of cloud and the distributed workforce, there is no more important security task than being able to identify users in a strong way. We unfortunately still see too many successful attacks that rely on stealing user credentials. Not a day goes by in the world of cybersecurity where we cannot add another data breach. One of the services on the internet that monitors these data breaches has a total of 6.5 unique online identities in its database, yours truly included.
I cannot emphasise how important identity hygiene is in our current threat landscape. Passwords should always be unique but your most sensitive identities, including your corporate services, should also be backed up by a second factor.
Endpoint robustness and limiting user rights
It’s clear that deploying the same security on endpoints and remote users is very challenging. Therefore, it is important to understand the various endpoint vulnerabilities. I find that too many organisations deploy new endpoint solutions without validating whether they achieved the goal of securing the end devices.
As a CISO, you also need to understand that attacks are constantly changing, so validating how your systems hold up against new attacks is important. In the last two years, Help AG discovered more than 80 zero-day vulnerabilities, many of them covering kernel and application vulnerabilities that, if exploited, could impact endpoints and therefore remote users as well.
What is important to know is that while you may not always be able to uncover vulnerabilities, the correct configuration and security applications can make it exponentially more difficult to exploit those that do exist. Also, why not get your endpoint tested by the experts with a service such as penetration testing?
Constant security validation
A final thing that I also recommend CISOs look at is how they validate the security of their remote users. Since we know that this user group is more exposed, it is important that you validate the integrity of the endpoint constantly. This could for instance be done at any connection to your networks and applications – this is why we have NAC, VPN and identity access management solutions which validate not just the user but also the security of the device before granting connection.
Taking it one step further moves you towards endpoint detection and response – it is not a coincidence that our Managed Security Services monitors endpoints both on and off the network allowing us to take remediation actions 24x7x365 no matter where the user is sitting.
Morey Haber, Chief Technology Officer, BeyondTrust
There are a few cybersecurity challenges that face all remote workforces. The top three are listed below:
Remote employees traditionally connect to corporate resources using a VPN or cloud resources directly. They are often behind their own home routers that use technology like Network Address Translator (NAT) to isolate the network. This creates a network routing problem.
Corporate cybersecurity solutions cannot resolve and route to remote employees to push updates or query systems directly. All remote devices must therefore poll into cybersecurity resources for updates or to submit data and often require a persistent outbound connection to determine state, regardless of whether they use a VPN or cloud resources.
Discovery technology, pushing policy updates, etc. all become batch driven in lieu of near real time. Even remote support technologies require an agent with a persistent connection in order to facilitate screen sharing since a routable connection inbound to SSH, VNC, RDP, etc. is not normally possible for remote employees.
Therefore, the number one cybersecurity challenge for remote employees is based on devices that are no longer routable, reachable, or resolvable from a traditional corporate network for analysis and support.
Remote employees’ technology can come in two forms – corporate supplied IT resources and Bring Your Own Device (BYOD). While corporate deployed resources can be hardened and controlled in extreme ways, personal devices are often shared and not subjected to the same security scrutiny.
The largest cybersecurity challenge occurs in the latter. Organisations struggle to manage end user devices with Mobile Device Management (MDM) solutions and technology that can only isolate applications and user data on a device. They cannot harden it and govern its operations as tightly as a corporate deployed system.
Therefore, this is the second most important cybersecurity threat for remote employees: how to allow BYOD without introducing unnecessary risk. This includes having administrative access to the device since you are the owner.
The third challenge for remote employees involves traditional cybersecurity controls like vulnerability assessments, patch management and anti-virus. Traditionally, all of these were performed using network scanners, agents and services to perform various functions. But these require connectivity to on-premises servers. With the cloud, these disciplines have become easier to manage but many organisations have not matured enough to embrace these technologies for remote employees.
Therefore, organisations empowering remote employees should consider the cloud for managing basic cybersecurity disciplines since the problems with connectivity are only getting worse with cellular and other mobile technologies.
Advice for CISOs
The best advice for CISOs that need to secure the remote workforce involves an open mind and acceptance of new technologies, methodologies and workflows to accomplish cybersecurity best practices. This includes using MDM solutions, leveraging the cloud and monitoring data and workflows to prevent a breach.
CISOs need to think out of the box regarding connectivity. We live in the age of cellular, broadband and will see a bandwidth evolution with 5G. The theft of large quantities of data can occur within minutes using wireless technology and new techniques are needed to defend against these threats.
This is not only from a remote employee copying the data from corporate resources but also threat actors breaching a remote employee and leveraging them as a beachhead.
Therefore, CISOs need to understand their business models, the roles remote employees play, and the data and system risks they represent. Then, a defensive strategy can be built using modern security technology and practices.
Rabih Itani, Regional Business Development Manager – Security, Middle East and Turkey at Aruba, a Hewlett Packard Enterprise company
Today’s collaborative digital workplaces have resulted in a vanishing perimeter.
First, Wi-Fi networks have moved the network perimeter beyond the building perimeter. In the past, employees and visitors had to pass through security to enter a building and use its network. But Wi-Fi extends the network perimeter into parking lots, across streets and even into other buildings.
In addition, many of today’s mobile workers are using their own personal devices. BYOD is well established in many organisations but the security challenges never get old. BYOD moves, or even eliminates, the security perimeter. It used to be that you could not do work unless you were in the building at your desk. The desktop environment could be locked down. But with BYOD, malware can walk in through the front door on a personal device and then gain access to the corporate network. And what’s more, business data and personal information are both being sent across the same networks.
Second, many enterprise applications are consumed directly from the cloud. These direct-to-the-Internet pathways don’t pass through the traditional enterprise network protections and create new risks that old tools can’t address. Most security technologies deployed today are perimeter-based and not designed for cloud-oriented threats.
Third, the advent of the Internet of Things (IoT) is bringing thousands of often inherently insecure sensors and other devices into corporate networks. These devices may be on movable equipment, attached to a company’s building, or given to employees.
‘Things’ can be rogue devices connected to open ports on the network and oftentimes go undetected by IT. These ‘things’ also don’t have the compute power to protect themselves with endpoint security software such as anti-malware.
When the physical perimeter is no longer the network perimeter and threats can enter from the inside, the old ideas of trust don’t apply. Today, siloed protection is no longer enough. Security must be built into the network infrastructure and act as a fabric that integrates network, access, device and user security.
Driven by the demands of enterprise mobility, BYOD, cloud and IoT, Aruba saw the need for a different design approach to connecting and securing networks. Aruba is now changing the paradigm with the Aruba 360 Secure Fabric, an enterprise security framework that gives security and IT teams an integrated way to gain back visibility and control.
It allows you to detect gestating attacks with machine-learned intelligence and proactively respond to these advanced cyberattacks across any infrastructure – with the enterprise scale to protect millions of users and devices and secure vast amounts of distributed data.
There are three elements to this fabric:
- Aruba security software: Proactive network access control and policy management and industry-leading UEBA for any network
- Aruba Secure Core: Analytics-ready network infrastructure with embedded security
- A best-in-class security ecosystem
Starting with core security capabilities embedded in the foundation of all of Aruba’s Wi-Fi access points (APs), switches, routers and controllers, Aruba builds on this foundation by integrating IntroSpect Machine Learning-based attack detection with access control systems like Aruba ClearPass in an open, multi-vendor platform. With the Aruba 360 Secure Fabric, security teams can now develop a seamless path from user and device discovery and access, to analytics-driven attack detection and response – based on policies set by the organisation.
IT disaggregation means organisations not only need a secure network foundation but also visibility and control of the users and devices connected to the network.
ClearPass allows the enterprise to cover the entire set of access control use cases from wired to wireless, guest, BYOD onboarding and policy-based remediation and attack response.
Going a step further, in February 2017 Aruba added Machine Learning-based attack detection capabilities by acquiring Niara. This addition leverages ClearPass’ visibility into network access as well as the ability to take a range of either manual or automated actions in response to an attack.
Aruba IntroSpect’s User and Entity Behaviour Analytics (UEBA) detects attacks by spotting small changes in behaviour that often are indicative of exploits that have evaded traditional security monitoring and analytics.
Today’s attacks can be comprised of many smaller actions that occur over long periods of time. These types of attacks are also notoriously difficult to detect because they can involve compromised users and hosts where cybercriminals have evaded perimeter defences using legitimate credentials to access corporate resources.
Phishing scams, social engineering and malware are just a few of the popular techniques by which these criminals acquire employee corporate credentials.
IntroSpect uses machine-learned intelligence and automates the detection of these attacks by giving security and network operations early visibility. Supervised and unsupervised machine learning models process large amounts of data in order to establish a baseline of typical IT activity for a user, device or system. Deviations from these baselines are often the first indication that an attack is underway.
Both ClearPass and IntroSpect serve as Aruba’s security software solution and can be applied individually or in tandem to any network across campus, distributed enterprise, cloud, and IoT edge environments.
While overlaying Aruba’s Secure Core, ClearPass and IntroSpect provide unmatched analytics-driven protection against today’s changing threat landscape.
A critical advantage of the Aruba 360 Secure Fabric is an open, multi-vendor integration of the Aruba security solutions with more than 100 partners in the 360 Security Exchange Program.
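As an added illustration of the baseline-and-deviation idea described in the IntroSpect section (this is example code, not Aruba's or IntroSpect's, and far simpler than a production UEBA model), the Python below learns how many distinct internal hosts each user normally reaches per day from constructed log lines and flags the day on which valid credentials suddenly reach many more. The log format, the z-score threshold and the floor on the spread are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed access log (not real data): one line per internal host a user
# reached. "alice" normally touches two or three hosts a day; on the last
# day the same valid credentials quietly reach six, including sensitive ones.
SAMPLE_LOG = """\
2024-03-04 user=alice host=mail01
2024-03-04 user=alice host=files01
2024-03-05 user=alice host=mail01
2024-03-05 user=alice host=files01
2024-03-05 user=alice host=wiki01
2024-03-06 user=alice host=mail01
2024-03-06 user=alice host=files01
2024-03-07 user=alice host=mail01
2024-03-07 user=alice host=files01
2024-03-07 user=alice host=hr-db01
2024-03-07 user=alice host=finance01
2024-03-07 user=alice host=backup01
2024-03-07 user=alice host=dc01
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+)$")  # assumed log layout

def hosts_per_user_day(log):
    """Return {user: {day: set(hosts)}} parsed from the log text."""
    table = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            day, user, host = m.groups()
            table[user][day].add(host)
    return table

def flag_deviations(log, z_threshold=3.0):
    """Baseline each user's daily distinct-host count on all days but the
    last, then flag the last day if it exceeds the baseline by more than
    z_threshold deviations. Returns {user: (day, count, z)} for hits."""
    hits = {}
    for user, days in hosts_per_user_day(log).items():
        ordered = sorted(days)
        if len(ordered) < 3:
            continue  # too little history to learn a baseline
        history = [len(days[d]) for d in ordered[:-1]]
        mean = statistics.mean(history)
        # floor the spread so a near-constant baseline does not flag noise
        spread = max(statistics.pstdev(history), 1.0)
        latest = ordered[-1]
        z = (len(days[latest]) - mean) / spread
        if z > z_threshold:
            hits[user] = (latest, len(days[latest]), round(z, 2))
    return hits
```

A real UEBA system would baseline many such features per user and device and weight them together; the point here is only that the deviation, not any single event, is what surfaces the misuse of legitimate credentials.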