Now that many companies, organizations and government agencies have been forced into working remotely due to COVID-19, it is imperative to give some thought to corporate security.
Using a VPN for New Stay-at-Home Workers
Millions of employees are now working from the confines of their own homes in an effort to keep businesses running smoothly. In most situations, employees are told to use their existing laptop computer or are issued one to use at home. They are also provided with a virtual private network (VPN) connection for connectivity to their respective places of employment. This makes for a valiant effort to keep critical corporate, organizational or governmental information secure. But just how secure is it?
VPN connections generally provide a secure, encrypted session to a workplace facility. (Many of these VPN tools utilize two-factor authentication, as well.) The VPN connection forces all external communication to traverse the workplace facility before being allowed out onto the “wild” open Internet.
For example, Susan is connected to her corporate email system via VPN, and she receives a legitimate company email with a link to a partner firm that is offering products or services only to employees at a vastly discounted rate. Susan clicks the link and is then taken to the partner firm (over the internet). This traffic was initiated from Susan’s work laptop over a VPN, and using her mail client, she was connected to her corporate mail server. Once the link is clicked, the request should be routed over the VPN onto the corporate network and then out onto the internet to complete Susan's request.
A Lack of Control over Remote Workers
Everything discussed above sounds like it falls within the bounds of corporate security. But what is happening on that company-owned system when it’s NOT connected via VPN? What if the teleworking employees decide to only connect to the VPN when doing corporate work? What about the rest of the time? Unfortunately, it is hard to control the work habits of all employees. Maybe this perceived bit of downtime becomes a good time to catch up on fantasy sports leagues. Maybe there are online gaming sites just egging some employees on to visit. Maybe some employees just like the idea of being able to surf the web without Big Brother monitoring their traffic flow. You get the idea.
A Call to a Proactive Security Stance
Many corporations, organizations and governmental agencies took the “proactive” approach to this and outfitted their company-owned computers or laptops with software that helps keep those systems secure. One connectivity option for deployed security tools outside a DMZ is the use of a SOCKS5 proxy server. This allows front-end web portals and the like to connect through corporate or government firewalls and communicate securely with security-based servers or consoles. This same method of connectivity can be utilized by corporations, organizations and governmental agencies to maintain security on remote endpoints (laptops) without sacrificing precious VPN bandwidth. Proactive-minded executives can deploy VPN, proxy, or both methods of communication to secure their remote users and laptops. Many now have the following security-minded resources and services running securely on their laptops/workstations:
- Compliance standards and corporate policy that remain in place while systems are deployed away from the safety of the corporate environment.
- Anti-virus software that makes sure malware does not end up on their systems.
- Cyber tools that monitor critical files, software, running services and much more in a “connectionless state” to ensure their corporate baselines remain unaltered.
- Solutions that run vulnerability scans on a schedule or on-demand basis.
- Programs that cache “deviations, change, discovered vulnerabilities and suspicious log events” while off-NET and forward this activity to the workplace facility at the next active connection or via proxy.
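The baseline monitoring and off-network caching in the last items of the list can be sketched as follows. This is an added example, not code from the article or from any Tripwire product; the function names, the JSON-lines spool file and the `send` callable (standing in for delivery over the VPN or proxy) are assumptions.

```python
import hashlib
import json
import os

def snapshot(paths):
    """Map each monitored path to its SHA-256, or None if the file is absent."""
    state = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                state[p] = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            state[p] = None
    return state

def deviations(baseline, current):
    """Return one event per path whose state differs from the baseline."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        events.append({"path": path, "change": kind, "expected": old, "observed": new})
    return events

def spool(events, spool_file):
    """Append events to an on-disk cache so they survive reboots while off-network."""
    with open(spool_file, "a", encoding="utf-8") as f:
        for e in events:
            f.write(json.dumps(e, sort_keys=True) + "\n")
        f.flush()
        os.fsync(f.fileno())

def forward(spool_file, send):
    """Deliver cached events in order via send(); keep whatever could not be sent."""
    if not os.path.exists(spool_file):
        return 0
    with open(spool_file, encoding="utf-8") as f:
        pending = [json.loads(line) for line in f if line.strip()]
    sent = 0
    for e in pending:
        try:
            send(e)  # assumed transport: raises OSError when the console is unreachable
        except OSError:
            break
        sent += 1
    tmp = spool_file + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        for e in pending[sent:]:
            f.write(json.dumps(e, sort_keys=True) + "\n")
    os.replace(tmp, spool_file)  # atomic swap: a crash never loses undelivered events
    return sent
```

Events are removed from the cache only after `send` returns, so a connection that drops mid-upload leaves the remainder queued for the next attempt.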
But many do not. That’s the problem. Is your company, organization or government agency ready? Can you be counted as one of the “proactive” businesses? Or will you be seen as “reactive”?
In our scenario above, it is conceivable that employees who use “unprotected or not appropriately protected” systems will encounter “malware and bad changes” unknowingly, or a bad actor could gain control of the system through an exploited vulnerability and adjust policy controls to allow unauthorized software to run at the next reboot. The dangers have been there for years. So, I ask again: is your corporation, organization or governmental agency ready?
Suffering VPN overload? Learn how Tripwire products can help.