Security And Privacy In A Brave New Work From Home World
from the security-from-home dept
We have moved to a radically remote posture, leaving a lot of empty real-estate in corporate offices and abandoning the final protections of the digital perimeter. For years, we?ve heard that the perimeter is dead and there are no borders in cyberspace. We have even had promises of a new and better style of working without being bound to a physical office and the tyranny and waste of the commute. However, much like the promise of less travel in a digital age or even the total paperless office these work-life aspirations never had a chance to materialize before COVID-19 forced us to disperse and connect over the Internet. This has massive implications on corporate culture and productivity. More immediately, the surge in use of remote work capabilities has consequences from a security and privacy perspective that cannot be ignored.
For some, working from home isn?t new. This is especially true for those in sales and field marketing across many industries or for knowledge workers, such as federal government employees that are familiar with their telecommuting contract. The day after the ?stay home? order is given, the rest of the company suddenly find themselves doing the math on how to stay productive, whether they are the 20% of largely general and administrative or management staff who are always in the office for a young tech startup or the 80% of all employees at a big blue chip company. Some already have a laptop that they bring with them everywhere and are used to bringing home, but for others it?s time to spark up the family computer or get a hastily issued company laptop and try to get it running without an IT technician parked at their elbow to help. Others will grab a tablet or a smartphone, once relegated to mostly personal use, and repurpose it to attend to professional needs. Any way you look at it, the enterprise footprint just grew and radically changed in a 24 hour period.
From a security perspective, the basics are critical. This is true whether a company is a mature security shop or not?risk management is the lodestar. It starts with a risk analysis and dialog. You?ll need to first create a master list of security essentials and rank them in order of sensitivity, likelihood and impact. The reality is that you can do anything, but you can?t do everything; and ultimately this is a triage game.
High on the list are concerns about misinformation, weaponized information and social engineering. While companies can?t control machines that they don?t own, they have to try to get the most secure endpoints they can and ensure identity integrity. This means emphasizing what channels are appropriate or not for employees and their families for information: news networks, websites and the like. But COVID-19 is our new common watering hole, and malicious actors are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and more. Regular, short, routine communications to remind people of the basics, to gain a pulse on the organization and to provide clear policies are essential.
Also at the highest level of concern is securing the connection to the network and back into the environment. This requires VPN connections, strong authentication and endpoint prevention and detection controls. In the back office generally and in the security operations center specifically, baselines from which anomalies are normally noted for focus will be in flux; everything will look like an anomaly for a while in the brave new remote world.
Which brings us to the most difficult of topics: privacy.
Did employees bring notes and data home before the office closure? Are they creating IP and data protected by privacy laws and regulations as they continue to do business? Who is in the immediate environment physically? These are some of the critical questions. In some cases you may never know the answers to these questions or you may not have a right to know the answers but must appreciate others? living situations and assume some worst case scenarios.
There are still more questions. Should cameras be on for conference calls when employees might be embarrassed of their personal space being seen by colleagues? Should they use headsets when a life partner might work for another company or even a competitor or perhaps a roommate might simply overhear sensitive information? Do we encourage them to care for a child when they are crying or do workers feel the need to hide their families? While many companies have previously developed ?work from home? policies now we are beginning to understand what is really needed for remote, working employees. Now is the time to take a fresh look at privacy in your work from home policy.
Finally, we must understand the adversary is moving into a new normal as well. They may not be able to immediately exploit all weaknesses or even any given weakness. They too will pursue the lowest hanging fruit while investing in some longer term R&D to develop new attacks specifically for the home environment. Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the weeks ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.
The future is very much a moving target for security and privacy professionals. Here is where the ongoing maintenance on an ongoing basis is critical: watching vulnerabilities in the new battery of enterprise applications for remote productivity, moving to the next order of vulnerabilities and so on. This might involve extending IT support and patching advice to home users on how to secure their home network, how to configure Amazon or Alexa devices or new tools and services for secure note-taking, collaboration, use of newly available standard operating environment systems and so on. In short, the game of security and privacy will be about rates of adaptation between asymmetric opponents.
The brave new work from home world would be best if it was short lived, but the genie won?t go back in the bottle. While the economy will adapt and move on at some point, it?s too early to tell what percentage of current remote workers will continue to work from home permanently in a post COVID-19 world or if we will return to the tyranny of the commute. Regardless, the lasting effect of innovation on both attack and defense will persist. As has been said, never waste a good crisis: let?s hope that IT, corporate culture, security and privacy all benefit from the current situation to make a more productive and humane cyber world when we return to a more normal epidemiological world.
Sam Curry is Chief Product and Security Officer at Cybereason.
Ari Schwartz was Special Assistant to President Obama for Cybersecurity and Is Managing Director for Cybersecurity Services at Venable.