Secure Remote Working: Critical Areas, Tips and Best Practices

Marta Skotnicka
CDeX
Apr 7, 2021

Remote work will stay with us for a long time and there is no indication that this will change any time soon. As many as 82% of companies plan to continue home office practices after the pandemic ends. Still, many organizations, for various reasons, have not yet managed to implement an effective and safe working model in the mode forced by the coronavirus. In every fifth security breach, the root cause was inadequate security of this way of working.

So how do you secure remote work? We present seven critical areas along with guidelines and best practices that should be the starting point for any organization that wants to be confident in the safety of working from home for its employees. They are worth taking into account especially if we have not been targeted by attacks so far; negligence in this area may in time bring considerable problems for us and our company.


The coronavirus verifies the technical maturity of companies and the security of remote work

2020 will be remembered for a long time. The regularity of various crises is generally known, but few expected that the next significant event of this type, after the memorable economic crisis of 2007–2009, would be the outbreak of the COVID-19 pandemic. The economic, social and technological consequences of these events will certainly be the source of many analyses and studies in the coming years. It is safe to say that the world will be different in many ways from what we have known until recently. Experts signalled that such a scenario could eventually occur, but few took their predictions seriously.

Of course, the pandemic itself did not have a direct impact on the IT industry. It was the lockdown, introduced at breakneck pace in one country after another, that forced a large part of society to adapt to this entirely new situation overnight. The restrictions affected not only personal life but also the professional sphere. Companies from all industries that avoided complete closure began to reduce office work, either on their own initiative or because of restrictions introduced in a given country. It was a genuine test thrown by fate at management teams and at those responsible for the companies’ business continuity.


Changing the work model overnight made March and April 2020 an extremely busy period for IT departments. The enormous pressure exerted during this period to enable remote work may in many cases have negative consequences for the security of individual organizations for many months, or even years, to come. Everyone responsible for technology decisions knows well that it is very hard to reverse a poor choice.

Security of remote work starts with KPI, BCP and BRP

When analysing reports from many companies of various sizes and business profiles, it can be noticed that two factors were of key importance. The first was the style of work of senior management, while the second was the approach to Business Continuity Plan (BCP) and Business Recovery Plan (BRP).


Companies that measure the effectiveness of their activities at all levels through Key Performance Indicators (KPI) had far fewer mental obstacles to allowing remote work. However, there are still organizations where employee engagement is measured by how crowded and noisy the office is and how tired employees look. Establishing specific measures of work efficiency for individual employees and entire departments is definitely conducive to building two-way trust. Such a common denominator lets you be sure that the company works efficiently regardless of where employees perform their duties from.

Nowadays it is hard to find a company with more than several dozen employees that does not have a Business Continuity Plan (BCP) and a Business Recovery Plan (BRP). Formal preparation in these two areas is required in too many “compliance with …” audits for the relevant documents not to be prepared, printed, hidden in an appropriate folder and left to eternal oblivion. Practical preparation for a crisis, and maintaining that constant readiness, is often so expensive that many companies consciously accept deficiencies in this area because they estimate the probability of such a situation to be low. This approach seemed to be the source of problems in many companies after the lockdown was announced.

Haste is a bad advisor: a list of sins when implementing remote work

The combination of deep unpreparedness for the new situation and strong pressure to maintain business continuity is a truly explosive mixture. The more difficult a company’s situation, the greater the temptation to ignore IT security rules and the harder it is to resist. This path led straight to dire decisions such as:

  • using private mail addresses to communicate with colleagues and clients,
  • using private devices to access corporate networks and process sensitive business data,
  • using free or public services (e.g. videoconferencing, instant messaging, file sharing) that the company did not have and that turned out to be necessary to function in the new situation,
  • hastily opening up access to corporate services and data that for years had been available only from the company’s internal network.

Obviously, the list of committed sins is much longer.

Working remotely — new times, proven attackers’ tricks


The development of this situation was closely watched by cybercriminals who, as always, adapted quite flexibly to the new, favourable conditions. Greater use of digital communication channels is a great opportunity for successful phishing and spear-phishing campaigns. Google blocked as many as 18 million COVID-19-related scam emails a day before they could reach Gmail mailboxes. A sudden change of internal processes from ones requiring direct interpersonal contact to a remote variant is an opportunity for fruitful social engineering attacks.

It is worth examining regularly the resistance of employees to attempts of manipulation as part of social engineering attacks, about which you can learn more from the description of social engineering tests.

Only a few months after the outbreak began, more than 3,300 malicious domains containing the word “zoom” were registered, and attacks on this videoconferencing system were regularly reported on news sites. The careless use of free file sharing services is a chance for cybercriminals to find confidential company documents in such places. Using private devices for business purposes is an opportunity to find on the seized machines not only confidential data concerning the private sphere, but also the victim’s business sphere. Sharing corporate services in a rush, which until now were only available in the “secure” internal network, is a great opportunity for cybercriminals to take control over them.

A trained eye will notice that it is hard to find completely new concepts among the above cybercriminal activities. This is not surprising, since the well-known tricks turn out to be so effective. 2020 saw an increase in the number of companies that, after a ransomware attack, were willing to pay the ransom demanded: as many as 58% of victims chose this option, compared with only 39% two years earlier. A similar trend could be observed in the average ransom, which in 2020 increased by 33% to $111,605. Financial loss is not the only consequence of a ransomware infection. Because of such an attack, a patient of the Düsseldorf University Hospital did not receive life-saving treatment on time. This clearly illustrates that attackers have no qualms about choosing their targets and exploit the situation without scruples.

7 key areas for secure remote working

It is ironic that all the necessary technologies that allow for safe and effective remote work have been known for years, and sometimes even for decades. It is difficult to talk about a technological breakthrough here. The breakthrough is the scale of using these solutions in companies for which working from home is something completely new.

Regardless of whether you are looking for confirmation that you have taken care of everything in this area or are just looking for ideas on where to start such an undertaking, below you will find valuable tips that will certainly make it easier for you.

1. Encryption of data carriers on workstations


This is one of the most urgent steps you should take to secure your workstations. Before the lockdown, especially in companies where working from home was something strange, cryptographic protection of data carriers on workstations might not seem particularly important. However, when workstations had to leave safe office spaces with relatively tight physical protection and move into employees’ private homes, priorities changed.

Potential attackers gaining access to an unsecured laptop disk have enormous opportunities to act. They can, for example, copy all confidential documents and all electronic messages stored locally on the workstation and gain access to the user’s corporate accounts. These accounts can give the attacker access to confidential documents stored on corporate servers that the victim could reach. It is also possible to leave a backdoor in the operating system, through which the attacker can retain access to the employee’s laptop long after the initial compromise. The most frightening thing is, of course, that a patient attacker with the appropriate skills can do all of this without arousing suspicion, not only from the victim but also from the company’s security department.

There are a number of solutions, both commercial and free, that allow appropriate cryptographic protection to be implemented with relatively little work. If your infrastructure is based mostly on Microsoft systems, note that BitLocker has for many years been an integral part of Windows, enabling full encryption of the disks used by the system. If you prefer open source solutions, it is worth taking an interest in the VeraCrypt project.

2. VPN and home networks


Data carrier encryption is only half the battle in cryptographic data protection. During normal work from a company office, protecting transmitted data was far down the priority list; with remote work, this issue becomes one of the most crucial. The office network is not only physically separated from the Internet but is often equipped with security solutions that limit the access of unauthorized devices to specific network segments (NAC), block illegitimate network traffic (firewalls), and even detect or block known attacks (IDS/IPS).

Office network infrastructure is often very refined in terms of security and, while it is not always fully free from vulnerabilities, it is on a completely different level than home networks operating in employees’ apartments. Problems that may come to mind include the following:

  • poorly secured Wi-Fi networks using the WEP protocol, or WPA/WPA2 with a default or easy-to-crack password,
  • routers with outdated firmware and known security holes: after the outbreak of the pandemic, attackers replaced the DNS settings on such devices to redirect victims to modified versions of well-known websites featuring scare stories about the coronavirus,
  • no isolation at the IP layer from other customers of the same Internet provider, an opportunity for man-in-the-middle attacks.

In order to guarantee the security of remote work, we must assume that some employees may be in a situation where the attacker has control over the network link between the employee’s workstation and the company’s infrastructure.

Fortunately, we can take many actions to limit the attacker’s capabilities. First, we can implement individual VPN connections to our network infrastructure. If we are lucky, it can be done without incurring significant costs — many network devices used as edge devices in corporate networks have the functionality of VPN servers. It is a good idea to take further steps to secure your VPN connections. It is worth adding adequate isolation of network traffic so that individual VPN users do not have access to the entire infrastructure, but only to the elements necessary to perform their duties.

If for some reason VPN connections are not available or cannot be used by all employees, it is worth verifying that publicly exposed services are reachable only over secure data transmission protocols with adequate cryptographic protection (e.g. HTTPS, SFTP).

It is also a good idea to prepare guides for employees, which will present a few relatively simple actions that they can take to increase the security of the home network they use when working remotely. Updating the firmware of most routers or changing the Wi-Fi password and wireless transmission protocol are activities that do not require much experience, especially in the case of network devices found at homes.

If the possibility of network attacks on specific remote workers’ workstations is of particular concern to us, we may consider an additional remedy in the form of purchasing a certain number of SIM cards and LTE wireless modems, which we will verify for potential security issues.

3. No local administrator rights for regular users


The issue that drives most corporate administrators and security officers crazy is regular employees having access to the Administrator account on their local workstations. It is the usual race between security and so-called “convenience of use”. It may seem a trivial matter that weakens the security of individual workstations without affecting the security of the whole organization. Looking at the issue from the attacker’s perspective quickly changes that view. Access to an account with local administrator privileges is one of the key stages of an attack on an organization. It is even said that, in attacks on companies with a certain security maturity, attackers abandon a hijacked workstation on which they could not gain access to the privileged local administrator account. Why? Because without these rights it is believed to be impossible to perform most of the actions that guarantee remaining undetected by security systems. In short, an attacker who gains access to a workstation and discovers that the victim also has local administrator rights may feel it is their extremely lucky day.

It is naturally an organizational challenge to take away local administrator rights from all users who should not have such rights. There are many solutions to relieve administrators in terms of software installation and changes to workstations, which you can read about in this article.

Good knowledge of the specifics of work of individual departments may allow for the efficient selection of software and authorizations that can be automatically installed and granted to individual users belonging to relevant departments through an automated Help Desk type mechanism. Higher criticality software and rights may also be delivered to end users automatically, but may require approval from a given supervisor. Only in the case of occasional use of software and very specific permissions may actual attention from administrators be required. A properly conducted process of examining the needs of individual departments of the company will effectively reduce the number of the latter cases.

Learn more about protecting workstations in a Windows environment, including how to use LAPS, in our course on Udemy.

4. Bring Your Own Device and Mobile Device Management


The popularization of mobile devices such as tablets and smartphones many years ago motivated many companies to allow employees to use private devices for business purposes. Even before the outbreak of the pandemic, as many as 59% of companies accepted the BYOD approach. It is worth noting that this very popular abbreviation BYOD (Bring Your Own Device) applies not only to the aforementioned types of devices, but also to private computers. This approach offers high flexibility and convenience to the workers themselves, but can present a significant security risk. If we have not formally sorted out this issue so far, or if we have clung to the model in which employees performed their tasks only from the office, we have good reason to analyse and seriously consider what approach will be the most appropriate for our organization. Due to the different risks to private computers without proper care from administrators, allowing them to be used for business purposes may not be a good choice. The use of private mobile devices to view work e-mails, participate in meetings through solutions such as MS Teams or GoToMeeting, seems to involve a much lower risk.

If we want to have a solution offering a much higher level of security, it is worth considering the implementation of an MDM (Mobile Device Management) class solution. It is advisable to have them, regardless of whether we plan for our employees to use only business smartphones or use private devices — or even if we allow both options. What you need to pay attention to is the multitude of variants of mobile device configurations available on the market, especially in the case of Android. The more such variants are present, the more work is ahead of us.

5. Security in Depth, Assume Breach and Zero Trust

A shift towards extensive use of remote work is the last call for all those who still think about security in terms of a monolithic perimeter and see the boundary between the safe, trusted part of the network (the internal company network) and the dangerous Internet as running through the edge devices. Relying on a single line of defence is asking for trouble, and although the “Security in depth” paradigm became popular in cybersecurity well over two decades ago, there are still people who divide the world into safe and dangerous along that single boundary. “Security in depth” says that appropriate separation of the infrastructure and the placement of multiple layers of protection between these areas makes it difficult for potential attackers to act. They must breach several layers of security, and each layer provides another chance to spot an attack or deter attackers from continuing.

Assume Breach goes one step further. In this approach we not only try to counteract potential attacks, but also analyse (theoretically, or better still in practice) scenarios in which the attacker has already defeated some of our security solutions and gained access to a few selected resources (e.g. the workstations of several employees). A thorough analysis of enough such scenarios can yield many valuable ideas for additional security measures that make the attacker’s work harder or easier to detect. If you have never done this, start with a simple scheme: a potential attacker gains access to a middle-level manager’s workstation in your organization. What opportunities does that access give them, and what protection mechanisms must they overcome to reach valuable resources?

Zero Trust is the next stage in how the security model is perceived, even more restrictive in its assumptions than Assume Breach. Zero Trust is an attempt to hinder attackers who have already found their way into our infrastructure (Assume Breach!) in what is called lateral movement, i.e., in short, taking over further fragments of the company’s infrastructure using the accounts collected so far and the trust assigned to them. If you are not convinced by this model, be aware that as many as 34% of IT security teams across the globe report that they are in the process of implementing zero trust.
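As an added illustration of the Assume Breach exercise above (example code written for this edit, not part of the original post or of the CDeX platform), the following Python script runs two simple lateral-movement checks over constructed Windows logon events: an account reaching unusually many hosts in a short window, and workstation-to-workstation network logons, which a properly segmented network should never show. The event fields, host names and thresholds are assumptions.

```python
"""Detect lateral-movement-like logon patterns in Windows Security log events.

Added example for the Assume Breach / Zero Trust discussion; it is not code
from the article or from CDeX. Assumes events already exported as dicts with
the fields shown. All hosts, accounts and times are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: event 4624 = successful logon, 4625 = failed logon,
# logon_type 3 = network logon (SMB, WMI, remote administration tools).
SAMPLE_EVENTS = [
    # alice: ordinary working day, one interactive logon and two servers
    {"time": "2021-04-07T08:55:00", "event_id": 4624, "logon_type": 2,
     "account": "alice", "src_host": "WS-ALICE", "dst_host": "WS-ALICE"},
    {"time": "2021-04-07T09:00:00", "event_id": 4624, "logon_type": 3,
     "account": "alice", "src_host": "WS-ALICE", "dst_host": "FILESRV01"},
    {"time": "2021-04-07T13:10:00", "event_id": 4624, "logon_type": 3,
     "account": "alice", "src_host": "WS-ALICE", "dst_host": "MAIL01"},
    # bob: his account fans out to four hosts in under ten minutes
    {"time": "2021-04-07T10:00:00", "event_id": 4625, "logon_type": 3,
     "account": "bob", "src_host": "WS-BOB", "dst_host": "DC01"},
    {"time": "2021-04-07T10:01:00", "event_id": 4624, "logon_type": 3,
     "account": "bob", "src_host": "WS-BOB", "dst_host": "WS-CAROL"},
    {"time": "2021-04-07T10:03:00", "event_id": 4624, "logon_type": 3,
     "account": "bob", "src_host": "WS-BOB", "dst_host": "WS-DAVE"},
    {"time": "2021-04-07T10:04:00", "event_id": 4624, "logon_type": 3,
     "account": "bob", "src_host": "WS-BOB", "dst_host": "FILESRV01"},
    {"time": "2021-04-07T10:09:00", "event_id": 4624, "logon_type": 3,
     "account": "bob", "src_host": "WS-BOB", "dst_host": "DC01"},
]


def network_logons(events):
    """Yield only successful network logons; other logon types are noise here."""
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            yield e


def find_fan_out(events, window=timedelta(minutes=30), max_hosts=3):
    """Accounts that reached more than `max_hosts` distinct hosts over network
    logons inside any `window`. Returns {account: sorted list of hosts}."""
    by_account = defaultdict(list)
    for e in network_logons(events):
        by_account[e["account"]].append(
            (datetime.fromisoformat(e["time"]), e["dst_host"]))
    findings = defaultdict(set)
    for account, hits in by_account.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):            # sliding time window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) > max_hosts:
                findings[account] |= hosts
    return {acct: sorted(hosts) for acct, hosts in findings.items()}


def workstation_to_workstation(events, ws_prefix="WS-"):
    """Network logons between two workstations. With proper segmentation
    (VPN users see only what they need) these should not happen at all."""
    hits = {
        (e["account"], e["src_host"], e["dst_host"])
        for e in network_logons(events)
        if e["src_host"].startswith(ws_prefix)
        and e["dst_host"].startswith(ws_prefix)
        and e["src_host"] != e["dst_host"]
    }
    return sorted(hits)


if __name__ == "__main__":
    for account, hosts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"fan-out: {account} -> {', '.join(hosts)}")
    for account, src, dst in workstation_to_workstation(SAMPLE_EVENTS):
        print(f"workstation-to-workstation: {account} {src} -> {dst}")
```

Real deployments would tune the window and threshold per role (help desk accounts legitimately touch many hosts) and feed the findings into the SOC rather than print them.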

6. Cyber Security Awareness and Cyber Range training scenarios


It is impossible to overestimate the benefits of regular security awareness training for a company’s employees. People working in SOC (Security Operations Center) teams often say that, alongside all the technical solutions, their colleagues are another valuable source of information about threats. The statement that a human being is often the weakest link in the security chain is a cliché, but it cannot be denied that it is true. It is worth noting, however, that the blame does not always lie with the “regular” employees who simply try to carry out their daily duties and are not cybersecurity experts. It is completely wrong to equate reading the security policy or information security policy on the first day of work with being an educated employee whose security awareness is regularly refreshed with new threats and attack techniques.

It is not easy to create a good cybersecurity education program in a company. One should avoid creating boring presentations based on a large amount of text and verifying participants’ knowledge with tests based on questions without practical aspects. The best solution is to organize relatively short (60 minutes), cyclical (quarterly or twice a year) presentations filled with as many practical examples of attacks as possible. Remember that Security Awareness training is not training in the basics of cyber security. Many technical aspects are completely unnecessary and including them in the training program can be downright counter-productive. Our colleagues do not need to remember what exactly DDoS stands for, nor do they need to know about the existence of the TCP/IP stack and its layers. Instead, they should be great at determining whether an email looks suspicious (and why) and what to do with a flash drive found in the atrium. Properly conducted Security Awareness training may mean that, in our organization, a human being is not the weakest link in the security chain but one of the strongest. Attackers will certainly not like that.
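To make “does this email look suspicious, and why” concrete (and tying back to the lookalike “zoom” domains mentioned earlier), here is an added Python example, not code from the article or from CDeX, that applies the usual awareness-training checks to a constructed phishing message and a constructed legitimate one. The brand list, company domain and sample messages are assumptions.

```python
"""Heuristic checks for "does this e-mail look suspicious, and why?".

Added example, not code from the article or CDeX. Domains, addresses and
messages are constructed placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"   # constructed: "our" company's domain
KNOWN_BRANDS = {"zoom": {"zoom.us"}, "example-corp": {INTERNAL_DOMAIN}}  # brand -> real domains
URGENCY = ("urgent", "immediately", "suspended", "verify your", "password")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([^/\s:]+)", re.I)

def domain_of(header_value):
    """Domain of the mailbox in an address header ('' when there is none)."""
    _, mailbox = parseaddr(header_value or "")
    return mailbox.rsplit("@", 1)[1].lower() if "@" in mailbox else ""

def belongs_to(domain, real_domains):
    return any(domain == d or domain.endswith("." + d) for d in real_domains)

def lookalike_brand(domain):
    """Brand whose name is embedded in a domain that is not really its own."""
    for brand, real in KNOWN_BRANDS.items():
        if brand in domain and not belongs_to(domain, real):
            return brand
    return None

def host_of(url):
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""

def message_body(msg):
    """Concatenate text parts (a single-part message is its own only part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in parts if p.get_content_type().startswith("text/"))

def suspicious_signs(raw_message):
    """Return human-readable reasons a message looks like phishing ([] if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    brand = lookalike_brand(from_dom)
    if brand:
        reasons.append(f"sender domain '{from_dom}' imitates {brand}")
    for brand, real in KNOWN_BRANDS.items():   # display name vs. real sender
        if brand in display.lower() and not belongs_to(from_dom, real):
            reasons.append(f"display name mentions {brand} but sender is '{from_dom}'")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    pressure = [w for w in URGENCY if w in msg.get("Subject", "").lower()]
    if pressure:
        reasons.append("subject pressures the reader: " + ", ".join(pressure))
    for href, text in LINK_RE.findall(message_body(msg)):  # visible vs. real link
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != host_of(href):
            reasons.append(f"link text shows '{shown}' but points to '{host_of(href)}'")
    return reasons

# Constructed sample messages (no real senders, domains or links).
PHISH = """\
From: Zoom Video <alerts@zoom-meeting-update.example>
Reply-To: support@mailbox-host.example
To: alice@example-corp.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Sign in now: <a href="http://zoom-meeting-update.example/login">https://zoom.us/signin</a></p>
"""

LEGIT = """\
From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Quarterly security awareness session

Slides: https://intranet.example-corp.com/awareness
"""
```

Running `suspicious_signs(PHISH)` yields five reasons (lookalike domain, brand in display name, Reply-To mismatch, pressure words, mismatched link), while `suspicious_signs(LEGIT)` yields none; these are exactly the points a trainee should be able to name.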

Taking care of the appropriate level of knowledge about cybersecurity of the company’s regular employees is only one of the two areas of maintaining competencies at a sufficiently high level. Due to the dynamic changes in the IT area — both in terms of the technologies used and attack techniques — we should ensure a harmonious development of skills among IT specialists (programmers and administrators), as well as among cyber security experts.

While the creation and development of a Security Awareness program may be successfully carried out by experts employed by the company, for advanced cybersecurity training it is much more effective to rely on entities specializing in this area. When analysing offers for this type of training, pay attention above all to the practical aspect. Access to theoretical knowledge is not a challenge these days, but many of the courses currently offered, described by their authors as “advanced”, are unfortunately limited to theory. Many providers make their training more attractive with interesting laboratories, but real practical cyber security training is offered primarily by platforms called Cyber Range.

These solutions not only let you gain practical skills. They also ensure that competency development takes place in an exceptionally realistic environment, allowing trainees to explore areas and cases that do not occur in theoretical training or ordinary laboratories. An example of a Cyber Range solution is the CDeX cyber range platform we are developing. With it you can implement any training scenario, and in the context of secure remote work discussed in this article two are worth mentioning. The first is about detecting and preventing attacks on mail services: it covers protecting Exchange servers against direct attacks on their services and protecting the e-mail users themselves. The second deals with the security of Active Directory, which is the main focus of every attacker, especially in the era of remote work. This scenario covers all currently encountered attacks on Active Directory, and the trainee learns in practice to detect and block them.

7. Pen tests, configuration audits, and social engineering tests


If we have implemented most of the aforementioned solutions and we feel that our cybersecurity situation is quite good, then it is worth verifying it. False self-confidence can become a significant problem for us. When organizing cyclical activities to verify the effectiveness of the implemented solutions, it is worth bearing in mind that the verification should not be carried out by the same people who implemented these solutions or who take care of them on a daily basis. It is worth focusing on a fresh point of view, and in the absence of a dedicated team in our company to carry out security tests, commissioning this work to companies that specialize in this.

While focusing on what is inside our infrastructure, we must not lose sight of how it looks from the outside. Before removing risky entry points, we must know what domains we advertise on the Internet, what IP addresses we have purchased and from which operators, what ports are open on those addresses and what services run on those ports. This extensive topic is beyond the scope of this article; we have described it in one of our other materials.

Summary

Guaranteeing secure remote work nowadays is an area of cybersecurity that seems to be very well known. Unfortunately, last year’s events showed that many companies neglected important areas. Cybercriminals busily seized the opportunities, and many organizations suffered doubly. The seven areas presented in the article should be a priority for any organization that wants to be sure about the safety of working from home for its employees.
