
Organizations need to create a long term WFH security strategy (Includes interview)

Phase 1 of working from home, often rolled out without input from the security team, is slowly fading as organizations ramp up for phase 2: building a long-term cybersecurity strategy. Mike Hamilton, former CISO of Seattle and co-founder of the cybersecurity firm CI Security, is working directly with municipalities, hospitals, financial services and other organizations to create a phase 2 long-term security strategy that protects both the employees and the organization itself.

Hamilton explains more to Digital Journal.

Digital Journal: How have businesses had to change their work relationships in recent weeks?

Mike Hamilton: They have had to very quickly engineer remote access methods, potentially procure, configure, and deploy systems to send home, and relax security controls through policy exceptions.

DJ: What are the main cybersecurity risks from home working?

Hamilton: First, the fact that home employees are being targeted – see recent statement from the CEO of Akamai (which has pretty good telemetry here) talking about the uptick. Actors are relying on the chaos to take business email compromise and other fraud to a new level. Note that a major objective is to gain authentication credentials – the easiest way to “break in” is to just walk in with someone’s password.

Second, the methods used for remote access may be insecure. As an example, consider the use of remote desktop protocol. It is known to be vulnerable if not current, and known to be the target of brute-force attacks. Similarly, VPN appliances by Fortinet, Cisco, and others are vulnerable to a number of exploits.

Third, the tools used for remote work are being attacked. Zoom is the poster child, but as soon as the shift to Teams got serious, threats shifted to Teams.

DJ: To address this, businesses have adopted phase 1 measures. What did these involve?

Hamilton: One size doesn’t fit all, but the variety of security initiatives that we’ve seen include:

Embrace Office 365 and other cloud systems for office tools.
Leverage/improve existing policy on remote systems – ensure they’re under some type of management.
Address endpoint security. Because the distributed workforce is no longer in a physically secure facility, endpoint security becomes more important.
Do what’s possible to monitor those endpoints.

DJ: What lessons have been learned from the phase 1 WFH experiment many organizations were forced into?

Hamilton: It’s really hard to perform security monitoring when you don’t own the network. Split-tunnel VPNs are good for performance, bad for security monitoring. Policies need work – for example, separation of personal and corporate/government work is key to keeping secure: personal use on personal devices. We have to patch those remote systems, and to do that we have to give admin rights to the users. We need a better method or way around that.

DJ: What risks have emerged that need to be mitigated?

Hamilton: Nation-state activity is way up. Nigerian fraud has ramped up, China and Russia are looking to steal Covid research, North Korea is stealing money from banks. Collateral damage from this uptick is a risk for everyone (ask Maersk).

Failure to use multifactor authentication is now a larger risk, given the criminal focus on credential theft, password-spray and brute-force attacks, etc. Disinformation is everywhere, and people need information – the possibility of tripping over fake or booby-trapped information is being sought. We can mitigate the “bait” coming in through e-mail and channels that we can secure, but if employees use Facebook, Gmail, Instagram, etc. on a work computer, that’s harder to stop with a distributed workforce.

Home network security is in question: the strength of the home Wi-Fi password, and how widely it’s known by the neighborhood; what type of router is in use, and whether it’s patched to current and has a strong password of its own.

DJ: What do phase 2 measures involve in practice?

Hamilton: Deciding whether this is permanent to a degree or not. That decision will drive how much investment goes into zero-trust networking, remote access security, and distributed workforce monitoring for security events. Preparation for whatever fraction of systems come back into the network, and how that intake process will be handled in terms of examination, cleanup, and evidence preservation.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
