Fighting Unobvious Security Threats of Remote Work
In the spring of 2020, most governments and businesses around the world were forced to move many employees to remote work quickly. Because of this, the design of a new information security system was postponed. Instead, organizations deployed the most relevant protection measures available at that time, such as firewalls, VPNs, and multi-factor authentication.
Because remote work was set up in a hurry and on limited budgets, many urgent security threats were ignored. Over time, the information protection system and the policies behind it have been refined to account for a larger number of real threats. However, attackers continue to find and exploit loopholes to inflict damage.
Threats to user accounts
· Intercepting entered credentials
One measure for protecting information when remote employees use personal devices is to virtualize workplaces and move applications to a terminal server, and then isolate that environment completely.
The idea is that malware installed on an employee’s computer will not affect the work environment or business applications.
However, even if an alternative authentication method is used for the remote connection, a corporate application launched inside the virtualized workstation (VDI) or on the terminal server (for example, via RemoteApp) will very likely still ask for a username and password. Malware on the personal device can then intercept the keystrokes, pick out the correct login-password combination, and ultimately give the attacker access to confidential data.
To mitigate this threat, it is recommended to use a Single Sign-On (SSO) solution in conjunction with an alternative authentication solution. The SSO solution should be installed on the office workstations to which the employee connects via VDI, or on the terminal server. To confirm authentication in corporate applications, the system then requires the alternative authentication factor, after which SSO supplies the necessary credentials on its own. Thus, even if there is a keylogger on the employee’s personal workstation, no logins or passwords are typed, so none can be intercepted.
· Cloning the one-time password generator
It goes without saying that strong (multi-factor) authentication methods significantly increase resistance to threats while working remotely. However, authentication technologies differ significantly in both applicability and security.
Today’s popular multi-factor authentication methods that use one-time codes generated on the device or delivered through messengers have significant weaknesses. If an attacker gains prolonged access to a smartphone, he can try to obtain elevated privileges on it (jailbreaking on iOS, rooting on Android). If he succeeds, he can clone the keys of the one-time password generator and set up a copy of the generator that produces valid codes on his own device.
To mitigate this risk, it is recommended to abandon one-time passwords and use push authentication, which is explicitly tied to the device and will not work on the attacker’s device.
Threats to corporate resources availability
· Remote lockout of user accounts
Corporate web services are often exposed to the Internet; webmail, for example, can be used to access corporate resources.
Sometimes, the mailbox name is the same as the domain account name. Attackers can try to guess the password with a brute-force attack. To neutralize this threat, account lockout should be enabled after several unsuccessful password attempts.
However, an attacker can also submit wrong passwords deliberately in order to lock a domain account. Such an attack can paralyze some business processes.
In order to partially neutralize this threat, you can use a specialized solution for two-factor authentication (2FA), for example, one-time passwords. In this case, even if a brute-force attempt is made, the second authenticator, and not the account, will be blocked. Thus, the employee will retain the ability to gain access to corporate resources, albeit only through an alternative connection or when working locally.
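The following is an added illustration, not code from the article: a small model of the webmail login under a password-guessing burst. With a plain account-lockout policy the attacker locks the domain account itself, so the legitimate user also loses local access; with the article's 2FA policy the failures lock only the one-time-password authenticator, so the user can still log in locally or over an alternative connection. The account name, password, threshold and the number of guesses are constructed values.

```python
from dataclasses import dataclass

MAX_FAILURES = 5  # lockout threshold (constructed value)

@dataclass
class Account:
    name: str
    password: str
    failures: int = 0
    account_locked: bool = False  # domain account lockout: blocks every login path
    otp_locked: bool = False      # lockout of the second factor only

def webmail_login(acct, password, otp_valid, policy):
    """policy="account": password-only login, failures lock the domain account.
    policy="otp": password + one-time password, failures lock only the OTP authenticator."""
    if acct.account_locked:
        return "account_locked"
    if policy == "otp" and acct.otp_locked:
        return "otp_locked"
    if password != acct.password or (policy == "otp" and not otp_valid):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            if policy == "account":
                acct.account_locked = True
            else:
                acct.otp_locked = True
        return "denied"
    acct.failures = 0
    return "ok"

def local_login(acct, password):
    """Login in the office or over an alternative connection: checks only the domain account."""
    if acct.account_locked:
        return "account_locked"
    return "ok" if password == acct.password else "denied"

def simulate(policy, guesses=20):
    """Run a password-guessing burst against webmail, then the legitimate user's logins.
    Returns (webmail result for the real user, local login result for the real user)."""
    acct = Account("j.doe", "correct-horse")  # constructed credentials
    for i in range(guesses):
        webmail_login(acct, f"guess{i}", otp_valid=False, policy=policy)
    remote = webmail_login(acct, acct.password, otp_valid=True, policy=policy)
    return remote, local_login(acct, acct.password)

if __name__ == "__main__":
    print("account lockout:", simulate("account"))  # ('account_locked', 'account_locked')
    print("otp lockout:    ", simulate("otp"))      # ('otp_locked', 'ok')
```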
· Loss or breakdown of a medium that stores security keys
Remote workers may use digital certificates to sign documents, connect to third-party web services, or perform other tasks. If the device that stores the keys (for example, a flash drive) is lost or breaks, it has to be replaced promptly, which often cannot be done within a reasonable time, especially when the employee is far from the office.
To neutralize the threat, you can use specialized solutions that implement a virtual smart card that does not keep key information on a removable device.
In this case, the keys are stored in one of the following ways:
1) On the server side: all operations with the keys are performed on the server.
2) In a dedicated module inside the device: the Trusted Platform Module (TPM).
Such solutions are considered less secure than protected removable media, but they are the most flexible and well suited to the emergency described above.
Once the physical key carrier has been replaced, the virtual smart card can be disabled. Thus, even if the key carrier is lost or broken, the company’s business processes suffer no downtime.
Threats of failing to attribute the actions that led to an incident
· Disputes in the event of a critical resource failure
Whenever privileged users work with IT resources, there is a risk of human error: their own actions can cause a critical resource to fail.
Even when working directly on the premises of an organization, it can be difficult to figure out what happened and who is responsible for the failure. In the case of remote access, the situation becomes more complicated. Investigating such incidents not only harms the work environment when innocent parties are blamed, but also wastes a lot of time on unproductive work.
A SIEM solution will probably tell you who connected to the resource, but it is unlikely to pinpoint who is responsible when there were several simultaneous connections, and the sequence of actions that led to the failure is also hard to reconstruct.
However, with a Privileged Access Management (PAM) solution, every privileged session can be recorded in various formats (video, text, screenshots, keystrokes, transferred files, etc.). Later, using these recordings, you can quickly determine which sequence of actions led to the failure and identify the person responsible for the incident.
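As an added example (not from the article or any PAM product), the contrast above run over constructed records: a SIEM-style connection log can only list everyone who was connected when the alert fired, while a PAM command transcript tied to session identifiers yields the last action before the failure and the full sequence in that session. Host name, user names, commands and timestamps are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Command:
    session_id: str
    user: str
    ts: int        # seconds since an arbitrary epoch (constructed)
    text: str

# SIEM-style connection events for host db-01: (user, connect_ts, disconnect_ts). Constructed.
CONNECTIONS = [("alice", 100, 400), ("bob", 120, 380), ("carol", 150, 390)]

# PAM command/keystroke transcript for the same host. Constructed.
TRANSCRIPT = [
    Command("s1", "alice", 130, "systemctl status postgresql"),
    Command("s2", "bob", 160, "tail -f /var/log/postgresql/postgresql.log"),
    Command("s3", "carol", 200, "vim /etc/postgresql/postgresql.conf"),
    Command("s3", "carol", 240, "systemctl restart postgresql"),
    Command("s1", "alice", 260, "psql -c 'select 1'"),
]

FAILURE_TS = 245  # monitoring alert: database unreachable (constructed)

def siem_candidates(connections, failure_ts):
    """Connection log only: everyone who was connected at the time of the failure."""
    return sorted(user for user, start, end in connections if start <= failure_ts <= end)

def pam_attribute(transcript, failure_ts, window=60):
    """Session recording: the last command run within `window` seconds before the failure."""
    prior = [c for c in transcript if failure_ts - window <= c.ts <= failure_ts]
    return max(prior, key=lambda c: c.ts) if prior else None

def pam_sequence(transcript, session_id):
    """Full ordered sequence of actions in one recorded session."""
    return [c.text for c in sorted(transcript, key=lambda c: c.ts) if c.session_id == session_id]

if __name__ == "__main__":
    print("SIEM candidates:", siem_candidates(CONNECTIONS, FAILURE_TS))  # ['alice', 'bob', 'carol']
    hit = pam_attribute(TRANSCRIPT, FAILURE_TS)
    print("PAM:", hit.user, hit.session_id, repr(hit.text))             # carol s3 'systemctl restart postgresql'
    print("sequence:", pam_sequence(TRANSCRIPT, hit.session_id))
```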
· An attempt to evade responsibility
A company may also have a malicious insider who deliberately performs actions that cause a critical resource to fail or be disrupted. Identifying the responsible party is not easy in itself; however, with a PAM solution you can quickly find the culprit.
When caught, the employee may claim that his password was stolen. It is no secret that password authentication is vulnerable to many threats, and the fact that a password was compromised is often discovered only after an incident.
In such a situation, security officers may well conclude that the employee is innocent and that what happened was just an unfortunate coincidence.
To neutralize this threat, it is recommended to use 2FA in conjunction with the PAM solution. If the employee is indeed a malicious insider, it will be difficult for him to evade responsibility. If the employee nevertheless claims that not only his password but also the phone on which his one-time password generator is installed was stolen, he will be asked a logical question: “Why did you not promptly notify the security service about this?”
Having considered these additional threats of remote work, keep in mind that information security threats evolve along with IT. Attackers adapt and are always looking for new ways to make money. Until defense systems are fully rebuilt for the new realities, cybercriminals can exploit your old and new weaknesses for their own purposes.
Today, remote work has become a permanent part of our lives and is even regulated at the state level in some countries. Consequently, information security specialists must assess carefully, and without haste, how well their existing protection systems can withstand modern cyber challenges.