Congrats, you got everyone remote. But did you do it securely?

The lockdown has meant entire companies of typically office based staff being forced to work from home. The change to our way of life is like nothing anyone has in living memory ever seen. However, alongside that, IT teams have had to rush to deliver solutions that were simply not designed for the entire workforce to access it at the same time.

Remote access VPNs are typically designed for a few hundred people to access at the same time, even in organisations of thousands. Many staff predominantly use a desktop computer to access their day to day work when in the office, these are built to exist on an internal corporate network. Remote access gateways are largely only used in a limited capacity and services available on tablets are for the handful of board members.

Taking risks

So what are IT doing? How are they managing this totally new world? They are taking risk.

In the last few weeks and months we have seen an influx in clients wanting their remote access systems tested urgently, why? Because they know they have pushed out a service that may be questionable. Whilst for the majority of our clients who have tested their remote access solutions on the whole they have deployed them in a security sound manner, we know of many organisations who are taking considerable risk.

Examples include:

• Not enough VPN licences so are just sharing the licences they have among their entire workforce – this loses all user accountability and will not be seen positively by their auditors.
• Due to a lack of laptops allowing staff to use their home PC for work – this may be fine with a remote access gateway, but it needs to be controlled.
• Remote access gateways using ONLY domain credentials no two factor – phish your staff and now access the remote gateway and are on the network.
• Allowing staff to connect their home computer through a VPN to the corporate network – yes… really! This then bridges the home network directly to the corporate, what about the data now stored on these devices?

The worry is these risks which at the time were seen as a temporary solution are now being extended, staff will start expecting to work remotely and work in the way they have become accustomed to. These are IT’s dirty little lockdown secrets and believe me, they WILL come back to bite you when you are next audited or worst still when you are breached.

It will not be comfortable trying to explain how your customers PII is stored on an untrusted home PC on a 3rd party network with totally unknown devices attached to it and unknown security controls applied.

Fixing this mess

It is critical that you take a step back and look at what has been provisioned in the rush. Risk assess what you have implemented and make any necessary changes.

Implementing 2 factor authentication on all remote access solutions is critical, this will make it significantly harder for attackers to utilise any phished credentials. Make sure you do this on your Office 365 if you are using that.

It should be obvious that its not sustainable to allow staff direct access to the network from home PC’s. look at using a remote solution, there are many available, you may be able to quickly stand up a Windows Remote Desktop Services server or similar that will allow you to segregate your office from your users home PCs.

Make sure you check what you have implemented though, we have also done a lot of Citrix breakout tests lately and found many are not turning on basic controls like restricting mapped local drives.

Finally take this time to up your password requirements, all those remotely accessible services are much easier to attack now they are on the internet.