With COVID-19 forcing companies to implement work-from-home policies, Jim Fitzsimmons helps us understand the cybersecurity risks posed by a remote workforce
The COVID-19 pandemic has forced organizations around the world to implement working from home. The challenges of this new working pattern include a loss of productivity, social isolation, and the complications of managing the abrupt mix of home and work life.
Companies and people are adjusting and becoming accustomed to these circumstances. But this new working model owes more to a mobile consumer culture than to conventional enterprise information technology (IT). Many companies have quickly adopted cloud-based productivity tools (such as Microsoft’s cloud-based Office 365 solution) to support a suddenly remote workforce.
In the rush to adapt, however, companies have become increasingly concerned about the overall cybersecurity of this approach to working. For many years cybersecurity was based on a perimeter security model: Protecting an organization’s information and computers was predicated on isolating them from external access. Computers could connect to the internet on the “outside”, but, in principle, no connections from the outside were let in. But when everyone is working from home, they are all on the “outside”, and this old security model is poorly suited to a mobile workforce.
Companies look at how they work today – individually at home, connected via apps, sharing data and video conferencing – and they are unsure of their cybersecurity risks. Is the cybersecurity risk higher when working from home?
To understand the risks of working from home, it is important to understand the threats, and the underlying actors.
Motivated, well-resourced attackers specifically targeting an organization are the most acute threat. Nation states have the hacking talent, software development capability and the funds to mount complex espionage campaigns. Meanwhile, sophisticated cybercriminals who steal information for sale, or on the behalf of another organization, are almost as well-resourced and capable.
These threat actors will research their targets in detail and expend considerable resources to achieve their goals. Whether or not their target has staff working from home is not relevant – it is just a factor in planning a campaign.
But not all organizations have assets of enough interest or value to justify these attackers’ investment of time and effort. There are more opportunistic attackers whose motivations are strictly financial. They are the cybercriminals, who use established tools and tactics to extort or divert money. They will identify targets opportunistically, then commit resources to gain access.
Some attackers focus on spying on communications, waiting for an opportunity to divert payments. Others will infect systems with ransomware, waiting until the ransomware has also been captured in the backups before triggering an attack to extort money.
These fraud-focused attackers see a new and improved opportunity in a dispersed and remote workforce, if only because communications, reviews, approvals and oversight all require time to adjust to a new working model.
Conversely, ransomware attackers are somewhat hampered by the physical and IT isolation of the remote worker. Without access to more computers to infect, ransomware becomes an individual helpdesk problem rather than a lucrative extortion opportunity (The opportunity remains when remote workers are using VPNs to access a data centre).
Finally, there are people and organizations that steal information to embarrass a specific target, gain attention and further their agenda. Their motivation, and occasionally their skills, are high, but they are usually not well resourced. As with other highly motivated attackers, the physical location of a target is a challenge to overcome, rather than a determinant for their attack.
THINKING ABOUT RISK
Risk can be defined as the likelihood of an incident happening, and the impact of that incident to the organization. Security is a practice to mitigate those factors. In the context of working from home, the question is not “is the home environment secure or insecure”; rather, the question is whether working from home measurably increases the risk.
The answer is different for each organization. In reviewing the attackers, threats and concomitant risks, companies should be conscious of what assets – either in information or access to money – they have, and which attackers may target them. Some firms may hold sensitive information that can be monetized, while others may be convenient targets for extortion via ransomware.
But what is clear is that working from home in and of itself doesn’t substantially increase the risk. Motivated attackers will pursue their targets regardless of their location. Opportunistic attackers may find additional avenues via a remote working environment, but they also may be limited in their ability to access other systems.
Working from home may not substantially increase a company’s cybersecurity risks, but it may change somewhat how those risks manifest themselves. The abrupt transition to working from home will probably disrupt established cybersecurity procedures and practices, especially for IT staff.
It’s not a question of whether software (for an application, an online service or an operating system) has vulnerabilities, but when those vulnerabilities are discovered. Most cyberattacks are predicated on exploiting a known or unknown vulnerability to compromise a system.
There are vulnerabilities for operating systems (for computers and phones), for the firmware that controls computer hardware, for consumer and enterprise networking equipment, for applications, for online services, etc. The cybersecurity risk around system vulnerabilities is a fact of modern life, no matter where someone is working from.
Most contemporary cyberattacks bypass the perimeter and the firewall, and focus on users and their computers or electronic devices. In that sense, physical location is immaterial. The most common means are phishing emails, where opening an email or clicking on a link may compromise the computer (targeting a known or unknown vulnerability).
Most enterprises have issued computers to their employees configured in such a way as to mitigate this risk (at least to some degree), and have complementary security on their email systems.
Mobile phones have similar vulnerabilities to a work computer. Given the rich personal and organizational information they hold, they may even be a more valuable target than a conventional computer.
Phishing of a phone may come via a messaging platform, bypassing any email security filters. Phishing is very effective. Crude mass emails from opportunistic phishing attacks are easily identified. But sophisticated attackers who have researched and targeted specific people with personalized messages still succeed in engaging their targets and gaining access to the computer or device.
Those controls remain in place for work-issued computers and devices, whether in the office or at home, and people are just as likely to fall victim to a phishing attack at home as at the office.
HOME WI-FI SECURITY
Home Wi-Fi networks are usually poorly secured, yet for most potential targets this is not actually a serious issue. The effort required to follow a target home, identify their network amongst their neighbours’ (no small feat), hack it, find the target computer, and then try to compromise it, is an enormous (and potentially risky) effort. Opportunistic attackers may find devices they can connect to and compromise, but that threat is always present.
The rapid shift to home working and the need for efficient communications has led to the widespread adoption of video conferencing technology. The consumer video-conferencing experience has driven rapid change in how the enterprise supports communications. Enterprises are focused on ease of use and supporting shared sessions with large user groups.
The quick rollout of these consumer-focused tools has been accompanied by the internet troll culture. The Zoom platform was targeted for “zoom-bombing” attacks, where insecure meetings were disrupted by uninvited guests. The spike in these incidents has driven up cybersecurity awareness for the service provider and participants. Users are now focused on controlling who can join meetings and what they can do in the meetings.
Managing the zoom-bombing risk is relatively straightforward, but it has left lingering concerns on the privacy of data, video and audio communications going over the internet. However, the scenarios that involve intercepting and decrypting video conference communications in transit require skills and resources that are typically found only in highly motivated and capable hackers.
Aside from capturing those sessions in transit, there are further concerns about the security of the overall service. The architecture of tools such as Zoom and Microsoft Teams is such that individual client connections are made to central servers, which then manage the sessions with multiple users.
The connections are only secured between the user’s device and the central server. This means it is possible, if the service provider is compromised, for those shared sessions to be eavesdropped upon. This is already happening – nation state actors and sophisticated cybercriminals are increasingly targeting online service providers.
This is not a change in risk from working at home. It’s a change in risk that reflects a change in technology. As information and business processes shift to the cloud, the attackers have adapted their tactics accordingly. By using those services, companies have accepted those risks, consciously or not.
In most cases, particularly with top-tier service providers, their cybersecurity practices are better than most individual companies. The risk, along with the information, has moved from the data centre to the cloud.
THE OFFICE AND/OR DATA CENTRE
While staff may be working remotely, the office network and data centres are still there. Attackers will look for the people who can give them broad, unfettered access to data centre systems. Their targets are the system administrators with privileged access to systems and information.
Attackers target system administrators to piggyback on their remote access to systems and information, or to steal the credentials that permit that access.
Depending on how the accounts and activities of system administrators are secured, this can be a trivial or complex attack. The key factors are the motivation and capability of the attacker, but the key for all attackers – whether opportunistic fraudsters or a highly capable nation state – is to gain privileged system access.
The old concept of perimeter security and varying risk “inside” and “outside” the firewall is coming to an end. The COVID-19 pandemic has driven a rapid move to working from home, but that change was underway already as part of a more general paradigm shift in enterprise IT to the cloud.
“Working from home” represents substantial changes in technology and enterprise IT operations. With the end of the perimeter security model and the rise of the cloud, companies need to adjust their risk management approach accordingly.
The attackers remain focused on users and information and have adjusted their tactics as necessary, and companies must be equally nimble. The new security model is focused on users and information to facilitate not just working from home, but working from anywhere.
Jim Fitzsimmons is the director of cyber consulting at Control Risks, a global risk and strategic consulting firm specializing in political, security and integrity risk.