With companies across the globe implementing mandatory work from home policies at a never-before-seen rate as they seek to take refuge from COVID-19, many questions have arisen about the long-term difficulty of protecting the cybersecurity of remote workers and network infrastructure.
As workforces adjust to the new reality of working from home, employees are being subjected to spotty home-based, WiFi networks that are less secure and working on non-hardened devices. Today’s antivirus and EDR tools depend on network connectivity, which limits their overall effectiveness. It’s an undoubtedly stressful time for security professionals as endpoint security becomes a last line of defense. In fact, we’re already beginning to see the repercussions with cyberattackers pinpointing these vulnerabilities and leveraging Coronavirus-themed threats.
While COVID-19 has indisputably magnified concerns across the board, the cybersecurity risks of working from home aren’t new. The remote employee movement reached into practically every industry long before this global health pandemic befell us. What’s different now is the rapid need to change and the vast scale of remote workers that are exponentially increasing the attack surface. More employees have moved to Work From Home (WFH) environments at one time than ever before in history.
Five Critical Issues
These unprecedented times are creating all types of new weak links in cybersecurity defenses. Here are five critical cybersecurity issues teams face with Coronavirus and how to address them.
- Securing Spotty Home WiFi With Spotty Antivirus Protection
Most modern organizations, whether in the private or public sector, have extensive network monitoring and security tools in place. These include firewalls, network analysis and forensics, and email spam filters designed to catch malicious code and phishing attempts before they even access employee computers. When an employee works remotely, all that protection goes away. In a study on mobile workforce security, 81% of organizations reported they had seen WiFi-related security incidents in the last year, with 62% of these occurring in cafés and coffee shops.
Man-in-the-middle attacks, network spoofing and packet sniffing of unencrypted traffic are the most common. Furthermore, the problem with antivirus and detection tools is that they need a constant network connection to be even slightly effective at blocking attacks. This doesn't work in spotty WiFi scenarios. While many WiFi attacks are crimes of opportunity and pose more danger to employee personal data than to your business, they still can put your organization at risk. Confidential information can be compromised if sent over public or even home WiFi, access credentials stolen, and even malware introduced.
Even with a password-protected home WiFi network, you aren’t going to have the sheer scale of monitoring tools that a corporate office does. There is also no guarantee that the password protecting that home network isn’t used elsewhere, or even that it meets the standards of good governance established within the organization. With the cost of a data breach increasing from $7.1 million in 2018 to $8.64 million in 2019, according to Ponemon Institute research, it’s vital that companies utilize advanced threat protection alongside traditional antivirus in their security stacks given its spotty efficacy in work from home scenarios.
- Combining Windows 10 Built-In Antivirus with Advanced Protection
With antivirus protection struggling in remote environments, there may be a better way to allocate security stack budgets for today’s reality. The full migration to Windows 10 is nearly complete and that means more than one billion employee devices are now on the new operating system. Today, every Windows 10 workstation has free robust embedded Windows Defender Antivirus (AV) capabilities that are top-ranked by AV-Test.
Simply disabling the third-party antivirus tool automatically turns on Windows Defender Antivirus. This allows companies to immediately adopt a singular antivirus solution across their entire remote workforce.
However, like all signature-based antivirus, Windows Defender only protects users from known threats, leaving employees largely susceptible to in-memory exploits, advanced malware, fileless attacks and zero days. But with the reallocated budget from their previous legacy antivirus solution, companies can look to pair this free antivirus with protection that works to combat zero-day attacks.
Companies such as Towne Properties, who are managing a distributed workforce, have been able to leverage Defender AV alongside advanced threat protection in a lightweight stack that doesn't miss unknown threats, while also simplifying operations for a lower total cost of ownership.
- Bracing for Browser-Based Attacks
Increased use of SaaS software accessible via a web browser is a parallel trend to the work from home movement. However, as workers go about their daily routine during this pandemic, they’re browsing more than ever before; internet traffic across the globe is up anywhere from 20-50% in the last week alone!
Given how fast this pandemic has evolved, no company is fully prepared for their entire organization working from home. That means they don't have time or the resources in place to harden endpoint devices before they leave the office. With more people working from home on their personal devices, there are going to be more people accessing SaaS solutions. That opens up employees to browser-based attacks via malicious plugins and web-based exploit kits that are designed to breach passwords, IDs, and much more.
One way to defend against browser-based attacks is through browser isolation, which uses a browser in the cloud to access a website so any malicious threats are kept away from key local resources. Cybersecurity teams also need to be on top of their remote workers to ensure they are only using business-related plugins and extensions with internet and email usage.
- Addressing Distributed SecOps With Remote Support and Moving Target Defense
A major difference in enterprise security during this pandemic is security operations teams — whose roles typically require in-person teamwork and a significant human element that’s centralized on deciding which alerts are good, which are bad, and how to perform remediation — are working from home too.
This increases the need for both better remote support tools and set-and-forget protection that is working before an attack happens and without needing any onsite team members. Remote support tools enable IT to solve the problems their work from home employees have without needing a physical presence. For organizations with a wide footprint, these solutions have fast become a critical necessity.
However, remote desktop tools also offer a new attack surface for threat actors. A few short months ago, it was discovered that ConnectWise Control was being abused to deliver the Zeppelin ransomware. Attackers can use phishing tactics on remote employees to have them install a similar remote desktop tool, which can then be leveraged to deliver a payload.
Better yet is looking to set-and-forget types of advanced endpoint protection such as Moving Target Defense (MTD) that can hide key memory from attacks without the need to recognize the threats it's facing. As endpoints serve as the last line of defense, MTD creates confusion for attackers by scrambling the locations of .dlls, memory structures and commonly used resources. Authorized enterprise programs such as browsers used by remote workers are given secret locations so they can function normally. And those locations are kept in flux, with new locations being generated each time an authorized program activates.
MTD technology is designed to secure web-based user sessions from cyberattack; regardless of the way remote employees access their critical applications, the underlying processes within moving target defense protection enables them to do so securely. Web-based exploit kits are designed as evasive malware and the process-morphing capability of moving target defense blocks these techniques without the need for updates.
- Virtually Patching Problem Areas
Industry best practices demand patching software vulnerabilities as soon as a patch is released, in order to shorten the time period in which the organization is at risk. But what happens when an employee needs a big patch update while using home WiFi? With research finding 60% of data breaches are caused by exploiting a software vulnerability that was known but which the victim had not yet patched, protection coverage that includes exploit prevention becomes even more valuable.
Typically, you can only patch systems that are inside the VPN, and not busily working at the time of the patching process. This means that your most vulnerable machines, ones belonging to employees that travel frequently, and that use dubious WiFi connections in coffee shops, will not be patched often, in the best of cases.
This brings the need for virtual patching, a term originally coined by Intrusion Prevention System (IPS) vendors. It is the process of addressing a security vulnerability by blocking attack vectors that could exploit it. Various technologies can be used to shield vulnerabilities before they can be exploited. An organization can, therefore, be protected without incurring the cost and the operational pain of downtime for emergency patching, patching cycles, and of course, the added cost of breaches in an unpatched system.
Cloud-native patching solutions are a similar option. With cloud-native patching, employees can be updated regardless of their connection to the network. They don’t have to worry about firewalls or VPN limitations. If their device is online in this scenario, a remote worker’s device can be updated.
In the Face of COVID-19, Optimized Functionality is Key
Organizations facing this unprecedented increase in work from home employees need to be aware of the risks their remote personnel present. There’s no doubting the long-term impact COVID-19 will have on business operations and the bottom line, but taking some of the above steps can ensure that critical data and systems are safe while remote workers are still served.
As the world battles to overcome this crisis, the need to work remotely isn’t going to disappear any time soon. It’s a new reality that comes with multiple rewards, alongside an increased risk of cyberattack. But as businesses seek ways to increase cash flow and streamline performance in these trying times, it’s those who implement protective measures for their employees that will have the highest likelihood of coming out the other side. Only then will their business be able to continue functioning securely over the long term as we work through this crisis.
About the Author: Andrew Homer is VP of Business Development at cybersecurity startup Morphisec and has numerous years of hands-on experience creating strategic technology partnerships and leading teams through growth phases. Prior to Morphisec, Andrew was Director of Business Development and Technology Alliances at RSA, where he led the company’s technology ecosystem, strategic alliances and embedded OEM partnerships. Over the past two decades, he has gained a wealth of both corporate and high-growth experience, having held business development positions at Dell, EMC and VMware. Andrew attended the University of Massachusetts, Amherst for his undergraduate degree and obtained his MBA from Babson College.