Social distancing forced by the Covid-19 crisis has sharply increased activity in cyberspace. Digital tools and remote access solutions enable the workforce to stay productive and allow organizations to keep their operations going, but they have also made enterprises more vulnerable to malicious attacks.
Many city and state lockdown mandates caught organizations off guard and forced them to rush into remote working. Many resorted to purchasing or renting laptops, or allowed access from personal devices that probably ran an OS that could no longer be patched or lacked enterprise-grade security. Connecting unprotected laptops or desktops to the enterprise network may result in a range of cyberattacks. The concerns are more pressing for organizations that are regulated by data security guidelines or lack proper cybersecurity planning.
Malware attacks from within
Cybersecurity has emerged as one of the major concerns for organizations moving to a more mobile workforce. Attackers generally target an inherently trusted end user’s device, be it a laptop or a smartphone. The end user can be anyone, a freelancer, a vendor or an employee, and is often referred to as a “frenemy” in the cybersecurity community.
Anyone who has access to an organization’s network in any form can be an entry point for malware. Once inside, malware can spread throughout the network. With so many people currently working from home, malicious actors potentially have multiple entry points.
Why ring-fencing with a firewall isn’t enough
Firewalls can be effective, but not always. An organization that has implemented work from home for a large, geographically dispersed workforce in particular needs more than a generic firewall. Even a best-in-class firewall frequently falls short when it comes to securing remote endpoint devices.
Why a generic VPN isn’t a good alternative
Most organizations use a traditional VPN for secure access to enterprise resources. However, traditional VPNs bring additional issues with them, exposing the corporate network and internal IP addresses outside the firewall. Left uncontrolled, these issues may lead to a breach of network security.
By default, all traffic from a user connected through a VPN client passes through a tunnel to the VPN server, and the data travelling through the tunnel is protected by encryption. However, when traffic to computers or sites that are not part of the VPN server’s intranet is sent outside the tunnel, that traffic loses the tunnel’s protection. This is called split tunneling. Malicious actors can exploit split tunneling on the end device to launch an attack.
Inherent problems with traditional VPN solutions
A VPN offers ease of use, so many users tend to access it from unmanaged and uncontrolled endpoint devices. Attackers with access to a shared machine or an unmanaged device can breach that security and put critical corporate resources at risk.
-Uncontrolled devices may run browsers with less than optimal security settings, increasing their vulnerability to cyberattacks.
-Users may not be aware of the presence of keyloggers on their devices, which are not managed or controlled by the organization. In such a case, although the data sent and received through the VPN is secure, keyloggers capture the user’s activities on the device, which can lead to loss of sensitive information.
-Since the corporate network is exposed, any malware on a remote device will have access to corporate resources.
How to mitigate risks facing VPN users
–Eliminate L4 (transport-layer) access for remote devices: Deliver only applications (L5-L7) to remote devices. One may also consider a Zero Trust architecture.
–Identify and enroll end devices: Perform deep remote device inspection. Identify and sanitize all endpoint devices based on multiple parameters to remove pre-existing malicious elements and content. Only clean and authorized devices should be granted access to corporate resources.
–Assess the security level of end devices: Assess the security level of end devices thoroughly, at the beginning of and at regular intervals during a user session. Devices on which split tunneling is possible should not be allowed access to the corporate network.
–Context-based access: Use multiple parameters, like geolocation, source IP address, log-in time, etc., to monitor activities on the end device. Allow access only to white-listed resources, folders/files, applications, URLs, etc. Define rules for granting or denying access in real time. Verify the need for access based on the context and, where access is warranted, grant only the least privileges required.
–Multi-factor authentication (MFA): Enable MFA based on (a) something the user knows, such as a username and password; (b) something the user has, such as an OTP delivered through email, to a mobile number or by push notification; and (c) something the user is, such as biometric recognition with fingerprints or iris scans.
–Use a virtual desktop: Besides work-from-home users, third-party vendors and contractors also often access the internal enterprise network as part of normal business operations. The associated risk can be mitigated by using a secure VDI solution.
–Cache cleaning: Delete all session data, like temporary files, cookies, browser history, etc., after every session.
–Detect keyloggers: Check for and detect the presence of keyloggers before each session. If a hardware-based keylogger is found on a device, restrict it from accessing the internal network.
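As an added illustration (not the article’s own tooling) of the split-tunneling check and the context-based access rules described above, the Python below parses constructed `ip route` output to decide whether a device is split tunneling, then applies rules on device enrollment, MFA factor count, geolocation, log-in time and source IP to grant a least-privilege application allow-list. The tunnel interface name tun0, the allowed countries, working hours, office prefix and application names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed `ip route` output, not captured from a real host. FULL_TUNNEL is the
# OpenVPN-style full tunnel: two /1 routes via tun0 take precedence over the LAN default.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
"""
# SPLIT_TUNNEL sends only the corporate range via tun0; internet traffic bypasses the VPN.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
172.16.0.0/12 via 10.8.0.1 dev tun0
"""

def is_split_tunnel(ip_route_output: str, tunnel_if: str = "tun0") -> bool:
    """True unless the IPv4 routes via the tunnel interface collapse to all of 0.0.0.0/0."""
    tunnel_nets = []
    for line in ip_route_output.splitlines():
        f = line.split()
        if "dev" in f and f[f.index("dev") + 1] == tunnel_if and ":" not in f[0]:  # IPv4 only
            dst = "0.0.0.0/0" if f[0] == "default" else f[0]
            tunnel_nets.append(ipaddress.ip_network(dst, strict=False))
    return list(ipaddress.collapse_addresses(tunnel_nets)) != [ipaddress.ip_network("0.0.0.0/0")]
@dataclass
class Session:
    source_ip: str          # public IP the connection arrives from
    country: str            # geolocation of source_ip
    login_hour: int         # local hour, 0-23
    device_enrolled: bool   # passed device inspection and is in the inventory
    mfa_factors: frozenset  # factor types presented, e.g. {"password", "otp"}
    ip_route_output: str    # routing table reported by the endpoint agent

OFFICE_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed office egress range
REMOTE_APPS = frozenset({"mail", "chat"})             # least privilege outside the office
OFFICE_APPS = REMOTE_APPS | {"hr-portal", "finance"}
def access_decision(s: Session):
    """Apply the context rules in real time; return (allowed, denial_reasons, granted_apps)."""
    checks = [
        (not s.device_enrolled, "device not enrolled"),
        (is_split_tunnel(s.ip_route_output), "split tunneling detected"),
        (len(s.mfa_factors) < 2, "fewer than two authentication factors"),
        (s.country not in {"IN", "US"}, "login from disallowed country"),
        (not 6 <= s.login_hour < 22, "login outside working hours"),
    ]
    reasons = [why for failed, why in checks if failed]
    if reasons:
        return False, reasons, frozenset()
    apps = OFFICE_APPS if ipaddress.ip_address(s.source_ip) in OFFICE_NET else REMOTE_APPS
    return True, reasons, apps
```

In production the routing table would come from the endpoint agent rather than a string constant, and the rule list would be loaded from policy rather than hard-coded.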
Organizations must adopt best practices and a proper identity and access management (IAM) solution to protect their valuable resources. A strong and comprehensive IAM solution in combination with an L5-L7 VPN can help organizations deal with cybersecurity issues, even as their employees work from home and remotely access key business applications.