The social distancing forced by the Covid-19 crisis has spurred increased activity in cyberspace. While digital tools and remote access solutions are enabling the workforce to stay productive and allowing organisations to keep their operations going, they have also made enterprises vulnerable to attacks by malicious actors.
In fact, the mandate for a countrywide lockdown caught several organizations off guard and prompted them to rush into remote working. Many of them resorted to renting laptops that probably ran an unpatchable OS or lacked enterprise-grade security. Connecting unprotected laptops or desktops to the enterprise network may result in a range of cyberattacks. For organizations that are regulated by data security guidelines or lack proper cybersecurity planning, the concerns are even graver.
Malware attacks through frenemies
Cybersecurity has emerged as one of the major concerns for organizations in the current scenario. Generally, cyber-attackers target an inherently trusted end user’s device, be it a laptop or a smartphone. The end user can be anyone, a freelancer, a vendor or an employee, who is often referred to as a frenemy in cybersecurity parlance.
Basically, anybody who has access to an organization’s network in any form can be an entry point for malware. Once in the network, the malware can spread across it. And with so many people currently working from home, malicious actors potentially have multiple entry points.
Why ring-fencing with a firewall isn’t enough
Firewalls can be effective, but not always. Particularly if an organization has implemented work from home for a large, geographically dispersed workforce, it needs more than a generic firewall. Even a best-in-class firewall, like Palo Alto, often falls short of expectations when it comes to securing remote endpoint devices.
Why generic VPN isn’t a good alternative
Many organizations use a VPN for secure access to enterprise resources. But a VPN brings certain additional issues with it, exposing the corporate network and internal IP addresses outside the firewall. If not mitigated, these issues may lead to a breach of network security.
By default, all traffic from a user connected through a VPN client passes through a tunnel to the VPN server, and the data travelling through the tunnel is protected by encryption and decryption at each end. However, when the client sends traffic for computers or sites outside the VPN server’s intranet directly, bypassing the tunnel, that traffic no longer has the tunnel’s protection. This is called split tunnelling. Malicious elements can exploit split tunnelling on the end device to launch an attack.
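As an added illustration, not part of the original article, here is a small posture check that decides from a client's routing table whether its VPN is full-tunnel or split-tunnel. The route lines are constructed in the format of Linux `ip route show` output, and the tunnel interface name `tun0` is an assumption; on a real endpoint a posture agent would capture the live table itself.

```python
"""Added example: detect split tunnelling from a VPN client's routing table.

The route text is constructed to look like Linux `ip route show` output and the
tunnel interface name (tun0) is an assumption; a posture agent on the endpoint
would capture the live table instead.
"""
import ipaddress
import re

# Constructed sample: only the corporate prefixes are routed through tun0 while
# the default route stays on the LAN interface, so internet traffic bypasses
# the tunnel. This is the split-tunnel case.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.0.0/16 via 10.8.0.1 dev tun0
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample: the VPN client has installed 0.0.0.0/1 and 128.0.0.0/1 via
# tun0; both are more specific than the LAN default route and together cover
# all of IPv4. This is the full-tunnel case.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

# destination prefix (or the word "default") ... dev <interface>
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def parse_routes(route_text):
    """Return a list of (IPv4Network, interface) pairs; unparseable lines are skipped."""
    routes = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            routes.append((net, m.group("dev")))
    return routes


def tunnel_mode(route_text, vpn_dev="tun0"):
    """Classify the client as 'full', 'split' or 'none' (no route via vpn_dev).

    Longest-prefix matching means a VPN route wins over the LAN default route
    for every destination it covers, so the client is full-tunnel exactly when
    the VPN routes, merged, cover the whole IPv4 address space.
    """
    vpn_nets = [net for net, dev in parse_routes(route_text) if dev == vpn_dev]
    if not vpn_nets:
        return "none"
    merged = list(ipaddress.collapse_addresses(vpn_nets))
    return "full" if merged == [ipaddress.ip_network("0.0.0.0/0")] else "split"


def posture_verdict(route_text, vpn_dev="tun0"):
    """Apply the article's rule: a device that can bypass the tunnel is not admitted."""
    mode = tunnel_mode(route_text, vpn_dev)
    if mode == "full":
        return True, "full tunnel: all traffic protected by the VPN"
    return False, f"denied: tunnel mode is '{mode}', traffic can bypass the tunnel"


if __name__ == "__main__":
    for name, text in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, posture_verdict(text))
```

Routes for the directly attached LAN subnet (here `192.168.1.0/24` via `eth0`) are expected on a full-tunnel client too; the check only asks whether everything else is forced through the VPN interface, which is what stops internet-bound traffic from leaving the device unprotected.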
Inherent problems with generic VPN solution
A VPN offers ease of use, so many users tend to access it through unmanaged and uncontrolled endpoint devices. Attackers with access to a shared machine or an unmanaged device can breach security and pilfer enterprise resources.
- Uncontrolled devices may run browsers with security settings below the optimum level, increasing their vulnerability to cyberattacks
- Users may not be aware of keyloggers present on their devices, which the organization does not manage or control. In such a scenario, although the data sent and received through the VPN is secure in transit, the keylogger records the user’s activity on the device, which can lead to loss of sensitive information
- Since the corporate network is exposed, any malware on a remote device will have access to the intranet.
How to mitigate risks facing VPN users
- Stop L4 access for remote devices: Deliver only applications (L5-L7) to remote devices rather than transport-layer (L4) network connectivity. One may consider a Zero Trust architecture
- Identify and enroll end devices: Perform deep remote device inspection. Identify and sanitize all endpoint devices based on multiple parameters to get rid of pre-existing malicious elements and content. Only clean and authorized devices should be allowed to access corporate resources
- Assess the security level of end devices: Assess the security level of end devices thoroughly, not only at the beginning but at regular intervals during a session. Devices on which split tunnelling is possible should not be allowed to enter the network
- Context-based access: Use multiple parameters, like geolocation, source IP address, log-in time etc., to monitor activities on the end device. Allow access only to white-listed resources, folders/files, applications, URLs, etc. Define rules for granting or denying access in real time. Verify the need for access based on the context and, where access is warranted, grant the least privileges required
- Multi-factor Authentication (MFA): Enable multi-factor authentication (MFA) based on (a) something the user knows: username and password; (b) something the user has: an OTP delivered through email, mobile number, push notification etc.; (c) something the user is: biometric recognition with fingerprints or iris scans
- Use a Virtual Desktop: Besides work-from-home users, third-party vendors and contractors too often access the internal enterprise network as part of normal business operations. The risk associated with such a situation can be mitigated by using a secure VDI solution
- Cache cleaning: Delete all session data, like temporary files, cookies, browser history, etc., after every session
- Detect keyloggers: Check for and detect the presence of keyloggers before each session. If any hardware-based keylogger is found on a device, restrict it from accessing the internal network.
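To show how the controls above combine into a single decision, here is an added example, not from the article, of a context-based access evaluator: it folds device posture (enrolment, inspection result, hardware keylogger, split-tunnel capability), geolocation, source IP, login time and the MFA factor categories into one allow/deny verdict, grants only the resources allow-listed for the user's role, and re-runs the evaluation whenever the posture is refreshed during the session. All policy values, user records and addresses are constructed for the example.

```python
"""Added example: context-based, least-privilege access decision for a remote session.

All policy values, users and addresses below are constructed for the example;
they are not the article's or any vendor's configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class DevicePosture:
    enrolled: bool            # device has been identified and enrolled
    clean_scan: bool          # remote inspection found no pre-existing malicious content
    hardware_keylogger: bool  # a hardware keylogger was detected
    full_tunnel: bool         # False means split tunnelling is possible on this client


@dataclass
class SessionContext:
    user: str
    role: str
    country: str              # ISO code from geolocation of the source address
    source_ip: str
    login_hour: int           # 0-23
    factors: frozenset        # factors presented, e.g. {"password", "otp"}
    posture: DevicePosture


# Constructed policy: allowed geolocations, working hours, a deny-listed source
# range (TEST-NET-3 as a placeholder) and the per-role resource allow-list.
POLICY = {
    "allowed_countries": {"IN", "SG"},
    "working_hours": range(7, 21),
    "source_ip_denylist": ["203.0.113.0/24"],
    "min_factor_categories": 2,
    "role_resources": {
        "finance": {"erp.internal", "shares/finance"},
        "vendor": {"ticketing.internal"},
    },
}

# Concrete factors mapped onto the three categories the article lists. Two
# factors from the same category (OTP plus push) do not count as multi-factor.
FACTOR_CATEGORY = {"password": "knows", "otp": "has", "push": "has",
                   "fingerprint": "is", "iris": "is"}


def evaluate(ctx, policy=POLICY):
    """Return (decision, granted_resources, reasons).

    Every failed check is collected rather than stopping at the first, so the
    denial is auditable and the user can be told what to fix.
    """
    reasons = []
    p = ctx.posture
    if not p.enrolled:
        reasons.append("device not enrolled")
    if not p.clean_scan:
        reasons.append("device inspection found malicious content")
    if p.hardware_keylogger:
        reasons.append("hardware keylogger present")
    if not p.full_tunnel:
        reasons.append("split tunnelling possible")
    if ctx.country not in policy["allowed_countries"]:
        reasons.append(f"geolocation {ctx.country} not allowed")
    src = ipaddress.ip_address(ctx.source_ip)
    if any(src in ipaddress.ip_network(n) for n in policy["source_ip_denylist"]):
        reasons.append(f"source IP {ctx.source_ip} is deny-listed")
    if ctx.login_hour not in policy["working_hours"]:
        reasons.append(f"login at {ctx.login_hour:02d}:00 is outside working hours")
    categories = {FACTOR_CATEGORY[f] for f in ctx.factors if f in FACTOR_CATEGORY}
    if len(categories) < policy["min_factor_categories"]:
        reasons.append(f"only {len(categories)} MFA factor category presented")
    if reasons:
        return "deny", set(), reasons
    # Least privilege: only what is allow-listed for the role, nothing else.
    return "allow", set(policy["role_resources"].get(ctx.role, ())), []


class Session:
    """Holds an active session and re-evaluates it on every posture refresh."""

    def __init__(self, ctx):
        self.ctx = ctx
        self.decision, self.granted, self.reasons = evaluate(ctx)

    @property
    def active(self):
        return self.decision == "allow"

    def refresh(self, posture):
        """Periodic re-assessment: a posture change mid-session revokes access."""
        self.ctx.posture = posture
        self.decision, self.granted, self.reasons = evaluate(self.ctx)
        return self.active


if __name__ == "__main__":
    clean = DevicePosture(True, True, False, True)
    s = Session(SessionContext("asha", "finance", "IN", "198.51.100.7", 10,
                               frozenset({"password", "otp"}), clean))
    print(s.decision, sorted(s.granted))
    s.refresh(DevicePosture(True, True, False, False))   # client switched to split tunnel
    print(s.decision, s.reasons)
```

The reasons list is what an operator would log and what the user would be shown; keeping every failed check, rather than returning on the first, also makes it easy to see when a single session trips several controls at once.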
Organizations must adopt best practices to ensure a proper identity and access management (IAM) solution protects their valuable resources. A strong and comprehensive IAM solution, in combination with an L5-L7 VPN, can help organizations deal with cybersecurity issues even as their employees work from home and remotely access key business applications.