New Normal, New Risk: Addressing the Security Challenge of Remote Workers
The ‘New Normal’ is a COVID-19 catchphrase used (and for many, overused) to describe the host of new personal and business policies forced upon us by the global pandemic. A prime example is remote work. While by no means a new concept, the adoption and acceptance of remote work have varied widely by industry, company culture and geography. The arrival of COVID-19 changed all that.
As a matter of survival, or simply because there was no other way to carry on safely, organizations have been forced to quickly acquire and deploy new devices, subscribe to new services, and install new apps to adapt to their New Normal and keep workers productive from home. But this quick pivot, as well as the escalating infection rates in many regions that are keeping workers out of their offices, has also set the stage for unacceptable risk exposure.
Many employees are now working remotely for the first time in their careers. New remote workers using new applications on new devices on their personal networks create a new opportunity for attackers. A growing number of phishing campaigns are being executed to exploit this opportunity. An alert (AA20-009A) from the Cybersecurity and Infrastructure Security Agency further highlighted the dangers when it revealed the growing number of attacks attempting to take advantage of the COVID-19 pandemic. In addition to phishing campaigns, there were intrusions through applications used for virtual meetings and VPN connections. Malware families designed to steal confidential information, exploit vulnerabilities, and spread laterally through networks are now likely entrenched on many systems and devices used by remote employees. The alert directly recommends that companies prepare a risk management strategy that assumes these dangers will threaten corporate assets.
Meeting the Challenge
Whether your fleet of remote devices is company-issued or personal, managed or unmanaged, it is exposed to home networks and therefore to every device and piece of information connected to them. In a “smart home,” that list can be expansive.
Company security personnel should assume that devices used for remote work will be infected and ready to exploit your corporate network.
Unfortunately, as with many other initiatives, once your facilities reopen there will be an understandable sense of urgency to return to normal operations. The pressure will be on your security team to make that happen quickly and with minimal risk.
As you prepare for post-COVID-19 re-entry, some key questions must be considered:
- How much remote worker risk can you address with your current security technology?
- Will your security process delay your employees’ ramp to full productivity?
- How much will your alert volume increase when employees are introduced back into your corporate network?
- Do you have the staff and processes ready to handle the increased volume?
- Is there a more effective and efficient way to mitigate risk?
Do Isolation VLANs Work?
A common practice for re-entry is the use of isolation VLANs that act as quarantine zones for returning devices. The quarantine zone would have a network intrusion detection system (IDS) and endpoint monitoring solutions designed to detect any actions taken by malware. However, this approach has flaws that could leave corporate assets vulnerable. One major problem is alert volume.
Newly infected devices, combined with new applications that have not yet been whitelisted, will cause a substantial spike in already high alert volumes that your response teams must triage and neutralize. This raises the further challenge of determining how much observation is enough to consider a device “safe.”
Malware has become increasingly sophisticated at defense evasion, for example scanning the environment it is running in and then executing only the relevant pieces of code. It is entirely possible that some malware will remain dormant for extended periods, increasing the odds that it goes completely unnoticed. The combination of increased alerts and their ambiguity can result in employees not being returned to full productivity at a reasonable rate.
Virtual Quarantine via Deception
While the legacy approach to re-entry requires that security teams reduce risk by hardening assets and anticipating threats, an alternative and highly effective method of stopping the threat from returning devices is deception. Deception immerses real assets among replicas that are invisible to legitimate users but completely authentic to the attacker. It then channels the attack toward the trap with “bait” such as browser histories, cached credentials and links that make the trap appear more valuable and vulnerable. The attacker and their techniques are exposed the moment they interact with a trap, as high-fidelity alerts are sent to the SOC.
A successful deception strategy is contingent on three key factors:
- Immersive deployment: The primary objective is to divert and quickly detect an attack. Blind spots create risk. The ability to cover the complete attack surface, including endpoints, IoT and OT devices, is paramount.
- Speed: Honeypots are valuable but are known to be complex to deploy and manage. An effective deception solution must enable rapid and scalable deployment.
- Non-intrusive and easy to use: The addition of deception resources does not require any changes to existing assets. There are no agents to install on endpoints that could cause problems with previously installed applications.
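The contrast between the quarantine IDS alert volume described above and the high-fidelity alert a trap interaction produces, as an added example that is not TrapX code: two rules run over the same constructed key=value log lines, one signature-style (fires on any SMB connection or failed login) and one deception-style (fires only when a host contacts a decoy server or uses a bait credential). The decoy addresses, account names and log format are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed decoy inventory (hypothetical addresses and account names).
# Legitimate users never see these, so any contact with them is suspect.
DECOY_HOSTS = {"10.10.5.77", "10.10.5.78"}           # trap servers
DECOY_ACCOUNTS = {"svc_backup_legacy", "fileadmin"}  # bait credentials
KV_RE = re.compile(r"(\w+)=(\S+)")
Alert = namedtuple("Alert", "severity src reason")

def parse(line):
    """Turn a key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def decoy_alert(event):
    """Deception rule: alert only when the event touches a decoy."""
    src = event.get("src", "?")
    if event.get("dst") in DECOY_HOSTS:
        return Alert("high", src, "connection to decoy host " + event["dst"])
    if event.get("user") in DECOY_ACCOUNTS:
        return Alert("high", src, "use of bait credential " + event["user"])
    return None

def generic_alert(event):
    """Signature-style quarantine rule (any SMB connection or failed login);
    it also fires on ordinary activity, which is the alert-volume problem."""
    if event.get("dport") == "445":
        return Alert("low", event.get("src", "?"), "SMB connection")
    if event.get("result") == "fail":
        return Alert("low", event.get("src", "?"), "failed login")
    return None

def triage(lines, rule):
    """Apply one rule to every log line and return the alerts it raises."""
    return [a for a in (rule(parse(line)) for line in lines) if a]

def suspect_hosts(lines):
    """Sources that interacted with a decoy: the devices to keep isolated."""
    return {a.src for a in triage(lines, decoy_alert)}

# Constructed sample logs: 10.20.1.15 is a returning laptop that reaches a
# trap server and tries a bait credential; the other hosts are benign.
SAMPLE_LOGS = [
    "ts=1 type=conn src=10.20.1.15 dst=10.10.1.5 dport=443",
    "ts=2 type=auth src=10.20.1.15 user=jsmith result=ok",
    "ts=3 type=conn src=10.20.1.15 dst=10.10.5.77 dport=445",
    "ts=4 type=auth src=10.20.1.15 user=svc_backup_legacy result=fail",
    "ts=5 type=auth src=10.20.1.22 user=amartin result=fail",
    "ts=6 type=conn src=10.20.1.30 dst=10.10.1.9 dport=445",
]
```

On this sample the generic rule raises four low-confidence alerts across three hosts, while the decoy rule raises two high-confidence alerts that both point at the same returning laptop, which is the one device worth holding in quarantine.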
We may look back and find that our remote work response to COVID-19 bears a striking resemblance to the digital transformation initiatives that preceded it. In fact, it may have amplified a security problem that already existed. Security teams often struggle to balance speed against acceptable risk, and traditional security controls still leave vulnerabilities and blind spots.
Deception offers a new opportunity to mitigate risk and reduce alert fatigue ahead of traditional security practices by diverting attacks away from real assets and making the attacker's path from initial access to lateral movement frustrating, time-consuming and risky.
About TrapX Security
TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our proven solution immerses real IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting enterprises to any malicious activity with actionable intelligence immediately. Our solutions enable our customers to rapidly isolate, fingerprint and disable new Zero-day attacks and APTs in real-time. TrapX Security has thousands of government and Global 2000 users around the world, servicing customers in defense, health care, finance, energy, consumer products and other key industries.
TrapX Security, Inc.
303 Wyman Street, Suite 300 Waltham, MA 02451
TrapX, TrapX Security, DeceptionGrid and CryptoTrap are trademarks or registered trademarks of TrapX Security in the United States and other countries. Other trademarks used in this document are the property of their respective owners.