By Chris Moschella, CPA, Risk Advisory Services Senior Manager | Cybersecurity Services Team Leader
Preventing and Detecting Company Data Breaches in a Remote Work Environment
In response to COVID-19, businesses in Virginia and across the country recently found themselves required to rapidly transition from a predominantly on-premise workforce to a predominantly remote workforce. Businesses that did not have work-from-home technology in place understandably rushed to stand up their remote capabilities, often overlooking security in the process.
My prediction: A major surge in corporate data breaches stemming from weaknesses in remote work is on the way. We probably won’t see the full extent of these breaches for at least a year.
Data breaches and other cyber attacks give rise to tremendous financial hardship for victim businesses. It is frequently impossible for a healthy company to survive such an attack. In today’s economic environment, businesses may be facing extreme financial hardship, making it even more difficult to survive a cyber event. Although it is understandable that many businesses moved quickly to configure themselves for remote work to get past this immediate need, it will be important in the coming months for businesses to verify the security of their remote work setups.
When employees work on-premise, their computers connect to your corporate network, and that network is protected by a firewall. That firewall was likely configured to block all inbound connections but allow outbound connections. In other words, computers from outside your network cannot initiate communications to devices on the interior of the network. Computers from outside your network can only communicate with computers inside your network if your employees initiate contact first. For example, if an employee opens a web browser and navigates to QuickBooks Online, then the QuickBooks Online website can communicate with the user’s computer. But the QuickBooks Online server cannot initiate communication with your staff’s computers.
The firewall is a critical part of your corporate cyber defense, and it is lost when employees work from home. Instead of your robust corporate firewall that was configured by professionals, your company computers are protected by a consumer-grade firewall/router. Most home routers are configured securely by default, but they can easily be configured insecurely. Imagine giving every employee access to change the rules on your corporate firewall. That is essentially what happens when an employee works from home.
What can go wrong on a home network?
Allowing all inbound connections
Take for example the screenshot below. It depicts the available options on a Verizon Fios home router.
The default selection is Medium Security, which allows you to initiate any outbound connection, but blocks connections initiated from outside your network. With a single click, however, your employee can change the security to Minimum Security for the firewall and allow direct inbound connections from the Internet to all the devices on that home network. This is bad.
Improper DMZ Configuration
Another option on most home routers is the configuration of a Demilitarized Zone, or DMZ. By default, home routers should not have this enabled. If it is enabled, computers that are in the DMZ are also directly connected to the internet with no firewall protections. This would be akin to simply removing the firewall from your corporate network and exposing all user computers directly to the Internet. The screenshot below shows how this is configured on a Verizon Fios router. Note the language towards the top which says, “Allow any single networked computer/device to be fully exposed to the Internet.” This is bad.
Port Forwarding
First, a bit of background on ports. Most traffic that passes from the Internet through your firewall/router and into your network comes through a “port.” Think of a port as a logical (rather than physical) pathway through a network. There are over 65,000 ports that can be opened and closed for inbound and outbound connections, as needed. However, opening ports for inbound connections creates a significant security risk.
Sometimes, services you may want to run on your home network need to allow inbound traffic on certain ports. For example, if someone in your home wanted to host a server for multiplayer gaming with friends, your router may need to allow inbound connections to the port on the server required to host the game. For example, it is common for home users to forward port 25565, which is required to host a Minecraft server.
By enabling Port Forwarding on the router, all inbound connections from the Internet on the opened port are forwarded to a specific network device. Although this allows the traffic you want (incoming connections from your Minecraft friends), it also allows threat actors direct access to that server. Port scanners are constantly scouring the Internet for open ports, and your open port will rapidly become known to threat actors who will try to compromise the machine. Once that machine is compromised, the threat actor can sniff network data, including data from your work computer and attempt to access the work computer directly. This is bad.
Remote Router Administration
Some of your company users may have configured their home router so that they can log in to it from outside their home network. By enabling this feature, they have also opened a new attack vector for hackers. Once a threat actor gains control of the router administration page, they will have access to all the relevant information about the home network necessary to further access other devices on the network. This is bad.
We’ve only scratched the surface of the things a home user can do to compromise the security of a home network. Some other weaknesses might include:
- Not using a Wi-Fi password or using a weak password
- Using weak Wi-Fi encryption
- Using Wi-Fi Protected Setup
- Using Wired Equivalent Privacy (WEP)
- Having malware on other machines already on the network
- Having insecure Internet-of-Things (IoT) devices on your network
- Out-of-date (insecure) router firmware
What to do?
We’ve established that your employee home networks are a minefield of potential security issues for your business. Because you cannot control their home networks, you need to ensure that the company computers from which they access the corporate network are sufficiently hardened.
Your employee computers should be equipped with a restrictively configured host-based firewall. A host-based firewall is a firewall that runs on an individual computer, and it can be configured to allow and disallow traffic much like a network firewall. Because host-based firewalls run on the computer itself, they can also allow and disallow traffic on an application-by-application basis. A host-based firewall may prevent a threat actor who has compromised the home network from accessing the company computer.
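As an added example that is not part of the original article, the following PowerShell script configures the built-in Windows Defender Firewall on a company laptop the way the paragraph above describes: inbound blocked by default on every network profile (including the Private/Public profile Windows assigns to a home Wi-Fi), outbound allowed, with per-application control and a verification step. The rule display names and the endpoint-agent path are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: harden Windows Defender Firewall on a
# company laptop so it blocks inbound connections on every network profile.
# Uses only cmdlets from the built-in NetSecurity module; rule display names
# and the agent path below are assumptions for illustration.

# 1. Default-deny inbound and allow outbound on all three profiles, mirroring
#    the corporate firewall behaviour the article describes. Blocked
#    connections are logged so the security team has something to review.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen True -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. On non-domain networks (i.e. at home), ignore any inbound "allow" rules
#    that installed software (games, media servers, etc.) may have added.
#    Inbound rules are honoured only on the Domain profile, which Windows
#    applies when the laptop can reach the corporate domain again.
Set-NetFirewallProfile -Profile Private, Public -AllowInboundRules False

# 3. Belt and braces: explicit block rules for the services a compromised
#    home device is most likely to probe. Block rules win over allow rules.
$blocked = @{ 'SMB file sharing' = 445; 'Remote Desktop' = 3389 }
foreach ($svc in $blocked.Keys) {
    New-NetFirewallRule -DisplayName "Corp: block inbound $svc on home networks" `
        -Direction Inbound -Protocol TCP -LocalPort $blocked[$svc] `
        -Profile Private, Public -Action Block | Out-Null
}

# 4. Per-application control: permit inbound traffic only for the corporate
#    endpoint agent, and only on the Domain profile (hypothetical path).
New-NetFirewallRule -DisplayName 'Corp: allow endpoint agent inbound (domain only)' `
    -Direction Inbound -Program 'C:\Program Files\ExampleCorp\Agent\agent.exe' `
    -Profile Domain -Action Allow | Out-Null

# 5. Verify: every profile should show Enabled=True and DefaultInboundAction=Block;
#    anything else means the laptop is only as protected as the home router is.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules |
    Format-Table -AutoSize
```

In a managed fleet the same settings are normally pushed by Group Policy or MDM rather than run by hand, but the verification step is useful either way as a spot check on a laptop that has been working from home.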
All computers should be equipped with an anti-virus package, and ideally one that will alert your security team if malware is identified on the computer.
Hard drive encryption
Most users will store some amount of sensitive data on their computer, and for most businesses it is not a matter of ‘if’ but a matter of ‘when’ a laptop will be lost or stolen. Depending on the jurisdiction, a lost laptop could meet the legal definition of a data breach and result in embarrassing and costly reporting to customers and authorities. Encrypting the hard drive makes its contents unreadable to anyone who finds or steals a company computer.
User computers should be configured to apply security patches. Computers with known security weaknesses can be easily compromised by an attacker who has gained access to the network.
Secure Configuration of Remote Access
There is no doubt that many companies are moving to remote access systems for the first time. Many companies will have configured a Virtual Private Network (VPN) so that employees can remotely connect to their corporate network. VPNs are popular because they create a remote work experience that is virtually identical to the on-premise work experience.
Another option is to use Remote Desktop Protocol (RDP). This is a protocol from Microsoft, which allows users to connect to a computer on the corporate network from one that is not on the corporate network.
Worse than a handful of employees with insecure home networks is an insecurely configured remote access gateway, because it is the main entry point for all of your employees. Securely configuring services like these requires skilled professionals to implement them properly.
Bring Your Own Device
What if your employee is connecting to company-owned assets from their personal computer? There is no doubt that the speed with which businesses had to move to a remote workforce, and the shortage of available hardware, forced many businesses to allow employees to connect remotely using employee-owned computers. Given the current circumstances, this is completely understandable.
Allowing employees to use employee-owned computers is generally referred to as Bring Your Own Device (BYOD). Although BYOD best practices deserve their own article, suffice it to say that any computer, company- or employee-owned, should be secure.
If you can’t control the security of the machine, you should not allow it to connect to your network over VPN. If a computer with malware, like ransomware, connects to your network, it can instantly spread that malware across your network. Properly configured RDP and similar remote access tools, like Citrix, are better equipped to insulate the business network from a potentially insecure computer, but they are not foolproof.
If you expect the current remote work requirements to make an indelible mark on your company, making remote work more common in the future, we recommend moving away from BYOD in favor of providing employees with computers you own, control, and can secure.
Multi-Factor Authentication (MFA) for remote access
If users can remotely log in to a VPN, RDP, or other remote access tool, threat actors can as well. Because of that, we recommend implementing MFA so that even a lost or stolen password will not result in a compromised network.
Security Awareness Training
When employees are working from home, there are aspects of security awareness training that should be emphasized that are not as important when an employee is on-premise:
- The computer should not be shared with others in the house. There is probably private information about your employees or clients on the computer.
- Kids should not install or play games.
- Non-work-related web-surfing should be kept to a minimum.
Many companies run corporate web filters that are integrated into the corporate firewall. These web filters can automatically perform advanced functions to help protect users from malicious websites by automatically blocking phishing websites, scanning downloads for malware before allowing the file to download to a user’s computer, geoblocking websites from foreign countries, etc.
When users are working remotely, they may not be protected by the web filter that is integrated into the firewall. As a result, a web filter tool that functions independently of the corporate firewall can be an important layer in your remote employees’ device protection.
Intrusion Detection – Dragnet
Almost all of the security mechanisms discussed here focus on prevention. However, detection is equally important. According to separate studies released by Verizon and IBM, a threat actor will be on a corporate network for over 200 days, on average, before being detected. IBM found in their latest Cost of Data Breach Study that intrusions that last over 200 days are 37% more costly than those that are ended before 200 days. As I predicted above, there will be a huge increase in corporate intrusions resulting from insecure remote work configurations and poor at-home security.
If an employee’s home network were compromised and an attacker were on your corporate network, how long do you think it would take your business to detect the intrusion? Could it detect the intrusion at all? The answer for most businesses, unfortunately, is no.
Keiter has recently released a security tool that vastly increases your capability of detecting such an intrusion, including intrusions on employee computers. It’s called Dragnet. It is simple to use and requires no software installation. Although it is available exclusively through Managed Service Providers (MSP), we are available to provide you a demo. Email us at firstname.lastname@example.org to schedule your demo.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.