Security And Privacy In A Brave New Work From Home World
from the security-from-home dept
We have moved to a radically remote posture, leaving a lot of empty real-estate in corporate offices and abandoning the final protections of the digital perimeter. For years, we?ve heard that the perimeter is dead and there are no borders in cyberspace. We have even had promises of a new and better style of working without being bound to a physical office and the tyranny and waste of the commute. However, much like the promise of less travel in a digital age or even the total paperless office these work-life aspirations never had a chance to materialize before COVID-19 forced us to disperse and connect over the Internet. This has massive implications on corporate culture and productivity. More immediately, the surge in use of remote work capabilities has consequences from a security and privacy perspective that cannot be ignored.
For some, working from home isn?t new. This is especially true for those in sales and field marketing across many industries or for knowledge workers, such as federal government employees that are familiar with their telecommuting contract. The day after the ?stay home? order is given, the rest of the company suddenly find themselves doing the math on how to stay productive, whether they are the 20% of largely general and administrative or management staff who are always in the office for a young tech startup or the 80% of all employees at a big blue chip company. Some already have a laptop that they bring with them everywhere and are used to bringing home, but for others it?s time to spark up the family computer or get a hastily issued company laptop and try to get it running without an IT technician parked at their elbow to help. Others will grab a tablet or a smartphone, once relegated to mostly personal use, and repurpose it to attend to professional needs. Any way you look at it, the enterprise footprint just grew and radically changed in a 24 hour period.
From a security perspective, the basics are critical. This is true whether a company is a mature security shop or not?risk management is the lodestar. It starts with a risk analysis and dialog. You?ll need to first create a master list of security essentials and rank them in order of sensitivity, likelihood and impact. The reality is that you can do anything, but you can?t do everything; and ultimately this is a triage game.
High on the list are concerns about misinformation, weaponized information and social engineering. While companies can?t control machines that they don?t own, they have to try to get the most secure endpoints they can and ensure identity integrity. This means emphasizing what channels are appropriate or not for employees and their families for information: news networks, websites and the like. But COVID-19 is our new common watering hole, and malicious actors are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and more. Regular, short, routine communications to remind people of the basics, to gain a pulse on the organization and to provide clear policies are essential.
Also at the highest level of concern is securing the connection to the network and back into the environment. This requires VPN connections, strong authentication and endpoint prevention and detection controls. In the back office generally and in the security operations center specifically, baselines from which anomalies are normally noted for focus will be in flux; everything will look like an anomaly for a while in the brave new remote world.
Which brings us to the most difficult of topics: privacy.
Did employees bring notes and data home before the office closure? Are they creating IP and data protected by privacy laws and regulations as they continue to do business? Who is in the immediate environment physically? These are some of the critical questions. In some cases you may never know the answers to these questions or you may not have a right to know the answers but must appreciate others? living situations and assume some worst case scenarios.
There are still more questions. Should cameras be on for conference calls when employees might be embarrassed of their personal space being seen by colleagues? Should they use headsets when a life partner might work for another company or even a competitor or perhaps a roommate might simply overhear sensitive information? Do we encourage them to care for a child when they are crying or do workers feel the need to hide their families? While many companies have previously developed ?work from home? policies now we are beginning to understand what is really needed for remote, working employees. Now is the time to take a fresh look at privacy in your work from home policy.
Finally, we must understand the adversary is moving into a new normal as well. They may not be able to immediately exploit all weaknesses or even any given weakness. They too will pursue the lowest hanging fruit while investing in some longer term R&D to develop new attacks specifically for the home environment. Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the weeks ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.
The future is very much a moving target for security and privacy professionals. Here is where the ongoing maintenance on an ongoing basis is critical: watching vulnerabilities in the new battery of enterprise applications for remote productivity, moving to the next order of vulnerabilities and so on. This might involve extending IT support and patching advice to home users on how to secure their home network, how to configure Amazon or Alexa devices or new tools and services for secure note-taking, collaboration, use of newly available standard operating environment systems and so on. In short, the game of security and privacy will be about rates of adaptation between asymmetric opponents.
The brave new work from home world would be best if it was short lived, but the genie won?t go back in the bottle. While the economy will adapt and move on at some point, it?s too early to tell what percentage of current remote workers will continue to work from home permanently in a post COVID-19 world or if we will return to the tyranny of the commute. Regardless, the lasting effect of innovation on both attack and defense will persist. As has been said, never waste a good crisis: let?s hope that IT, corporate culture, security and privacy all benefit from the current situation to make a more productive and humane cyber world when we return to a more normal epidemiological world.
Sam Curry is Chief Product and Security Officer at Cybereason.
Ari Schwartz was Special Assistant to President Obama for Cybersecurity and Is Managing
Director for Cybersecurity Services at Venable.
Filed Under: cybersecurity, privacy, security, work from home
Comments on “Security And Privacy In A Brave New Work From Home World”
Working from Home
I’m one of the few who were working from home already when the pandemic started. Pretty much all of my work has been over the company’s VPN. And the company, too, had everything already lined up for working from home prior to the pandemic. For most of the staff, the work-from-home questions have been answered, the problems solved.
But even with all of that, we have problems: some of our staff were on vacation in foreign lands when the plastic curtains of national isolationism came down. They can’t fly home – the airlines are offlined. Even if they could, government customs offices are offlined. While there is some work being done through the respective embassies, that’s a narrow channel of function with a wide reservoir of need. And alas, being on vacation, they don’t have the tools they would have at home.
So while this is indeed a "brave new work-from-home world", that is only a (large) portion of the world situation. And it doesn’t matter how well you prepared for people working from home, you (almost certainly) didn’t plan for this.
Re: Working from Home
"some of our staff were on vacation in foreign lands when the plastic curtains of national isolationism came down"
I can’t help but wonder – where were they when this happened? Most countries in my experience had warnings before the lockdowns and they made some concessions for tourists with existing flight bookings out of the country, unless the destination country would not accept them.
For example, we’ve been locked down in Spain for nearly 3 weeks and we had warning for a few days before that was enforced. Flights from most airlines were running for a few days after that, and even after airlines were forced to drastically reduce routes it was still possible to fly to some degree until this weekend just gone. There have been stories of flights cancelled last minute and price gouging by airlines, but those have tended to the exception from what I’ve heard.
I’m not saying you’re wrong, I’m just interested in where this was happening.
This comment has been flagged by the community. Click here to show it.
NICE
Woah! Hey Roy Sabag of law-sabag … do you know Ayelet Sabag at sabag-law? You guys should get together and … not spam blogs with off-topic links for your web site.
What about the standard boilerplate statement that employees should expect no privacy whatsover when using corporate systems, that anything may be monitored? Do you really want to bring something into your home that lets the boss literally watch you at any time? Tape over that camera, and if you’re paranoid, open it up and cut the wires/traces from the microphone. And of course, if you have no internal security on your home network (e.g., NAS devices with open shares or that transfer unencrypted data), don’t put it on that network.
On the flip side, if this lasts another month or two, maybe I can warn my employer of the dangers of teleconference eavesdropping via open windows, and get them to pay to install air conditioning…
Re: Re:
"What about the standard boilerplate statement that employees should expect no privacy whatsover when using corporate systems, that anything may be monitored?"
That’s possible to enforce without a video feed. If your employer believes they have to be looking at your face the entire time you’re working, that’s an employer problem.
Re: Re: Re:
You’re missing the point. The point is that they assert full control over the computer and say that users have no privacy whatsoever. They probably don’t use the camera or microphone like that, but by using the hardware you’ve given them permission to do so. At least until a court strikes it down.
Re: Re: Re: A Different Point of View?
"by using the hardware you’ve given them permission to do so"
Not when you’re using your own hardware at home it doesn’t, although the agreement would still apply to company email, documents, VPNs, etc.
Re: Re:
Google and every other online advertiser: "Users should be able to use a computer that they don’t own to communicate securely."
What they really meant was that users should be stupid and fork over the data without a second thought. Which is exactly the way they’ve been trained over the last few years. Nowadays if you as a network admin even attempt to block something or gasp use a proxy server on the company’s own hardware with a corporate policy that says such use will be monitored, you’re viewed as illegitimate by the end users. Google and friends are exempt from this suspicion in their eyes, of course. No amount of explanation will help either. You’re forced to argue innocence from the position of assumed guilt.
Most end users are apathetic. "Privacy is dead." They say. "The government already knows about everything I do." They say. "The internet will record it forever anyway." They say. "It’s inconvenient for me." They say. There’s virtually no convincing them that privacy shouldn’t be discarded out of hand, or that they should seek permission to post about someone else. I work in a school district and since the pandemic started the staff has started using Zoom’s consumer freebies to do online classes. When I suggested that they use the services we have prior agreements with to provide these classes, as Zoom isn’t exactly safe for these purposes and using it with underage students is legally suspect even from the state’s perspective, they shot it down instantly. Why? "The other services are not convenient enough, and privacy is dead anyway." You can’t protect a user from themselves. Especially when they just don’t care.
Contrarian positon
The genie will go back in the bottle, because the workers are the lease influential voice in the crowd.
At the moment one of the least heard but more powerful groups in the work environment is the lower and middle management. These people are directly seeing their power and position threatened by the work from home stuff.
Many lower/middle managers (most in my experience) base their own career’s on the ability to compel workers to spend long hours at work. These managers gauge carefully how much then can get out of each worker then add something to ensure that a worker never lives up to the standard management sets. That way they always have something to hold over the workers. Without the ability to directly see how many hours a worker takes to perform their tasks, these managers can’t set goals for workers which advance management’s interests. This means that lower and middle management can’t exploit the workers to the maximum, and advancing their own career in the mean time.
The lower and middle managers have a big voice in how corporations (medium and large) function. Senior management/CXO are exclusively concerned with their own interests. Thus senior management/CXO type hear almost exclusively middle management, who hears almost exclusively lower management (coming up from the bottom).
In the end, the voice of the workers is hardly heard, and the middle men (lower/middle management) will shape the corporate environment of the future. That future will look like the recent corporate past.
Re: Contrarian positon
Management’s voice may lean toward a more work-from-home friendly attitude following this exercise. People tend to work longer hours from home, are generally more available, and office space costs are non-trivial. Reducing the number of people actually working in the office can save huge amounts of money.
My employer has had a friendly attitude toward working from home for a lot of years. I myself worked from home at least 80% of the time despite being only 15 minutes from the office. Many of my coworkers have done the same. As a result, we have delayed plans to lease a larger office space a few times simply because we don’t actually need it.
Our current office only has desks for about 75% of the employees assigned to that office. If everyone showed up at the same time we would have people working in the break room and meeting rooms and probably still have people standing. But with so many working from home so often none of that is a problem.
For reference, my employer is a global company with 7 offices located around the world. All of our offices operate the same as my local office and we don’t have problems with security (we’re a security company) nor are there problems with work not getting done. Quite the opposite. And we save a lot of money by not leasing larger offices that would have a lot of empty desks at any given time.
Remote work is the future.
Re: Re: Contrarian positon
"Reducing the number of people actually working in the office can save huge amounts of money"
This is the kicker, really. The resistance on letting people work from home en masse has been fears of lost productivity and micro managers losing out on their fix. However, if this is proven to work then those fears go away and management starts looking toward the costs of the premises they run.
"I myself worked from home at least 80% of the time despite being only 15 minutes from the office."
That’s fortunate. I’ve experienced the opposite – 3 hours total commute each way to do a job that I could do 95% from home. This will hopefully get the more intelligent managers to realise that’s wasted time and leads to less productive employees, as does using time worked vs. other productivity measures.
I understand skepticism, but if productivity remains solid during this period then a general change is inevitable, at least as long as middle and micro managers don’t find a way to pretend productivity was hit.
Re: Re: Re: Contrarian positon
Yep, straight to the cost of running a sweat shop in India.
That’s the problem with Remote Work. If it can be remoted, it can be outsourced. The other problem? Figuring out how to keep financially exploiting a society that has all of it’s jobs being taken by cheap foreign labor. Eventually, society’s productivity becomes too expensive to pay them for and a crash results. Capitalism in it’s purest form. The real big question is what happens to all of the poor suckers who’s jobs have been clearly marked as "outsource ready" by the global pandemic? Although if the government response so far is any indication, you already know the answer.
Security systems have changed dramatically over the past few decades. Recently I read this article about facial recognition systems and got the feeling of coming dystopia. I think that privacy should become one of the main themes of discussion in the mass media. And I know that surveillance could help to find criminals but there should be a balance between security and privacy.