The COVID-19 pandemic that emerged in early 2020 led to a large-scale, rapid shift to working from home at many companies, both to protect workers and to comply with government mandates. Companies without an existing remote work solution had to scramble to procure and deploy one, while those with existing solutions had to scale them rapidly to handle the increased load and absorb any increased licensing costs.
The pressure to deploy or expand remote work technology quickly can easily lead decision makers to take shortcuts in cybersecurity. Business leaders may not be aware of the risks involved unless cybersecurity professionals are prepared to make specific recommendations and explain why they matter. A critical aspect is the ability to detect and prevent threats automatically, and to respond quickly when they occur.
Secure Remote Work Strategies
The two secure approaches for remote work are as follows.
- Company managed laptops with VPN
- Personally owned computers with virtualization software
Companies can support one method or both, after weighing the pros and cons of each from operational, cost and security perspectives. The laptop approach is straightforward and lets the worker use the same computer at work and at home, although workers may still need a full-size monitor, keyboard and mouse at home. A personally owned computer avoids laptop procurement and the greater risk of theft and loss, but it requires back-end virtualization infrastructure to reach a comparable level of security.
Securing Laptops with VPN
The best way to ensure a high level of security and to detect Indicators of Compromise (IOCs) is a Virtual Private Network (VPN) client that connects to the company's IT infrastructure automatically whenever the laptop is online (an always-on VPN). Configured as a full tunnel, the VPN routes all network traffic back to the company, where it is subject to enterprise security controls. Critical security controls include intrusion prevention, URL filtering, vulnerability scanning, patching, anti-malware and Security Information and Event Management (SIEM) monitoring.
Simple split tunneling, in which only corporate subnets go through the VPN and everything else leaves directly through the home network, is not recommended, because the direct traffic bypasses all of the controls above. A more selective approach, sometimes called optimized split tunneling, keeps the VPN as the default route and excludes only specific, well-defined destinations such as a video conferencing provider's published address ranges. Selective exclusion can improve the worker experience with bandwidth-intensive applications and reduce load on the VPN connection without exposing general web browsing.
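To make the difference between the two split-tunnel styles concrete, here is an added example in Python (not code from the original article) that classifies a client routing policy as full tunnel, selective exclusion or simple split, flags exclusions that are broader than a specific provider block, and resolves where traffic to a given destination actually goes. The policy format, the width threshold and the sample policies are assumptions made for the example; 203.0.113.0/24 is a documentation range standing in for a conferencing provider's published block.

```python
import ipaddress

# Hypothetical policy format (an assumption for this example): a list of
# (CIDR, next hop) pairs, where the next hop is "vpn" (tunneled back to the
# company and inspected there) or "direct" (leaves through the home network).
# Constructed sample policies; 203.0.113.0/24 is a documentation range standing
# in for a conferencing provider's published block.
FULL_TUNNEL = [("0.0.0.0/0", "vpn")]
SELECTIVE_EXCLUDE = [("0.0.0.0/0", "vpn"), ("203.0.113.0/24", "direct")]
SIMPLE_SPLIT = [("10.0.0.0/8", "vpn"), ("192.168.0.0/16", "vpn"), ("0.0.0.0/0", "direct")]
OVERBROAD_EXCLUDE = [("0.0.0.0/0", "vpn"), ("198.0.0.0/8", "direct")]

# An exclusion wider than this is treated as "most of the internet" rather than
# a specific service. The threshold is an assumption; tune it to the provider
# address lists you actually approve.
NARROWEST_ACCEPTABLE_EXCLUSION = 16


def parse_policy(policy):
    """Turn CIDR strings into network objects, rejecting malformed entries early."""
    routes = []
    for cidr, hop in policy:
        if hop not in ("vpn", "direct"):
            raise ValueError(f"unknown next hop {hop!r} for {cidr}")
        routes.append((ipaddress.ip_network(cidr, strict=False), hop))
    return routes


def next_hop(policy, destination):
    """Longest-prefix match: where does traffic to this destination really go?

    Returns None when nothing matches. Note that an IPv4-only policy gives None
    for an IPv6 destination: a real policy needs ::/0 handled the same way as
    0.0.0.0/0, or the VPN is silently bypassed over IPv6.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for net, hop in parse_policy(policy):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def classify(policy):
    """Return (label, findings) for a client routing policy.

    full-tunnel        everything goes through the VPN
    selective-exclude  default is the VPN, with specific direct exceptions
    simple-split       default is direct; only listed corporate subnets use the VPN
    """
    routes = parse_policy(policy)
    default_hops = {hop for net, hop in routes if net.prefixlen == 0}
    if "vpn" not in default_hops:
        return "simple-split", [
            "default route bypasses the VPN: traffic to the internet is not inspected"
        ]
    exclusions = [net for net, hop in routes if hop == "direct"]
    if not exclusions:
        return "full-tunnel", []
    findings = [
        f"exclusion {net} is broader than /{NARROWEST_ACCEPTABLE_EXCLUSION}"
        for net in exclusions
        if net.prefixlen < NARROWEST_ACCEPTABLE_EXCLUSION
    ]
    return "selective-exclude", findings


if __name__ == "__main__":
    samples = [("full", FULL_TUNNEL), ("selective", SELECTIVE_EXCLUDE),
               ("simple", SIMPLE_SPLIT), ("overbroad", OVERBROAD_EXCLUDE)]
    for name, policy in samples:
        label, findings = classify(policy)
        print(f"{name:10s} {label:18s} {'; '.join(findings) or 'ok'}")
    print("conference traffic goes", next_hop(SELECTIVE_EXCLUDE, "203.0.113.10"))
    print("other web traffic goes", next_hop(SELECTIVE_EXCLUDE, "198.51.100.7"))
```

Run against the four constructed policies, the checker accepts the full tunnel and the narrow exclusion, reports the simple split as uninspected internet traffic, and flags the /8 exclusion as too broad to be a single service.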
It is critical to ensure that VPN access is restricted to authorized company laptops. The recommended approach is to deploy machine certificates to the laptops automatically, for example through Active Directory certificate auto-enrollment, and to configure the VPN to require and validate that certificate in addition to the user's own credentials. A stolen password alone is then not enough to connect from an unmanaged computer.
Cloud Based Security
Consider a cloud-based anti-malware solution. If the VPN connection is disabled, intentionally or not, an anti-malware client that depends on company servers may no longer receive updates or report threat detections back to the company, whereas a cloud-managed client keeps working from any internet connection. Most major anti-malware vendors now offer cloud-based versions. Some solutions, such as Cybereason, were designed and built as a cloud platform with the latest capabilities, including threat hunting.
The VPN can also be hosted in the cloud for higher availability. Otherwise, an outage of the back-end VPN device can leave all remote workers without access to critical data and applications.
Remote Access to Laptops
Ensure that both IT and cybersecurity staff can reach the laptops across the VPN for support, threat hunting and incident response. This may require specific VPN configuration, firewall rules and access rights. If unusual activity is reported, staff need to be able to access the device remotely or run a remote-control session with the user. Options include software built into the operating system, such as Microsoft Remote Desktop (RDP), which should be reachable only across the VPN and never exposed directly to the internet, or third-party solutions such as LogMeIn and Splashtop.
Virtual Desktop Infrastructure (VDI)
For remote work from a personally owned computer, the recommended approach is to run VDI software, hosted either on site or in the cloud. These solutions keep applications and data inside the company environment, so threats and personal data from the home environment cannot leak into it, nor can sensitive company information leak onto the home computer. They are easy to access from a web browser on the home computer. Note that the home computer still supplies the keyboard and screen, so malware on it can capture what the worker types into the session; require multi-factor authentication on the VDI login so that a captured password alone is not enough.
Examples include Citrix, which can be built on premises, and Amazon WorkSpaces, which is cloud based. For highest security, disable client drive mapping, clipboard redirection and any other feature that moves files between the session and the personally owned computer. Carefully consider whether to allow printing to the home environment.
Data Loss Prevention (DLP)
DLP software is an additional cybersecurity tool to deploy where appropriate, to avoid data leakage during remote work. This covers insider threats, whether a worker leaks data intentionally or by accident. DLP solutions may focus on different areas, such as the endpoint, e-mail and the network perimeter.
The need for DLP depends on the type of data the company is responsible for protecting. Health organizations, for example, may want to detect movement of HIPAA Protected Health Information (PHI), and financial companies can watch for payment card numbers. Pattern matching alone produces many false positives (order numbers and tracking numbers look much like card numbers), so DLP rules normally validate each candidate match, for example by checking a card number's Luhn checksum, before blocking or alerting.
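As an added example (not code from the original article or from any DLP vendor), here is a small Python content scanner of the kind an endpoint or e-mail DLP rule runs over outbound text: it finds payment card numbers, discards candidates that fail the Luhn checksum, flags US Social Security Numbers as a PHI identifier, and masks the findings so the content can still be forwarded to a reviewer. The sample text, the regular expressions and the decision to block on any finding are assumptions for the example; the card number is the widely used 4111 test PAN, not a real account.

```python
import re

# Constructed sample of outbound content (e.g. an e-mail body) for the scanner
# to run over. The card number is a well-known test PAN, not a real account;
# the order number looks like a card number but fails the Luhn check.
SAMPLE_TEXT = """Hi Sam, please ship order 1234 5678 9012 3456 today.
Patient SSN 123-45-6789, MRN 00042, DOB 03/14/1960.
Card on file: 4111 1111 1111 1111, expires 12/26.
Call me on 555-0100 if anything changes."""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number, one of the HIPAA identifiers that makes a record PHI.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _normalize(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text):
    """Return normalized PANs that both look like a card number and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text):
    return SSN_RE.findall(text)


def scan(text):
    """Classify a piece of content the way an endpoint or e-mail DLP rule would."""
    cards = find_card_numbers(text)
    ssns = find_ssns(text)
    # Policy assumption for the example: any validated finding blocks the transfer.
    return {"cards": cards, "ssns": ssns, "block": bool(cards or ssns)}


def redact(text):
    """Mask findings (keeping the last four card digits) for a reviewer's copy."""
    def mask_card(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # not a card: leave e.g. order numbers untouched
    return SSN_RE.sub("***-**-****", CARD_RE.sub(mask_card, text))


if __name__ == "__main__":
    result = scan(SAMPLE_TEXT)
    print("findings:", result)
    print(redact(SAMPLE_TEXT))
```

On the sample, the 16-digit order number is matched by the pattern but dropped by the Luhn check, so only the test card and the SSN are reported and masked; the phone number and the medical record number never match at all.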
If remote workers are using company laptops, disable USB mass storage devices unless there is a business need for them. A personal flash drive plugged into a laptop can easily introduce malware and can just as easily be used to exfiltrate company information. If USB storage is allowed, ensure that USB access logs are monitored, or use DLP software to monitor what is copied to the drives.
IT Asset Management
IT asset management and reliable contact information for remote workers are vital. If security systems detect a threat such as malware, cybersecurity professionals need to identify the worker quickly and obtain a phone number at which to reach them. For someone working at home, this may be a personal mobile number known only to their manager. Relying on e-mail is not recommended: if the computer has been compromised, the attacker may have access to the mailbox and pose as the worker.
Security Awareness
Finally, implement a strong security awareness program that covers remote work. Send out regular security education notices by e-mail on best practices for working at home, including tips on securing the home environment. Consider using a security awareness service such as Proofpoint. Gamification features can increase worker participation.