We’ve always been told that security is best within the confines of the enterprise firewall, mostly because companies spend significantly more on protecting the network than most individuals do. The problem with this idea is that in the last decade we’ve seen a greater propensity for workers to be mobile. For instance, traveling executives tend to be more productive on the road than in the office, often working for longer periods – on the plane, in the hotel room, wherever a quiet opportunity presents itself.
Then COVID-19 came and business leaders were told that operations must learn to work from home or work remotely for extended periods of time. In some cases, there is no clear guideline on how long this extended period will be.
At the onset of the circuit breaker, companies scrambled to extend data protection practices to nearly everyone in the organisation who needed to access the company network on a regular basis. This meant equipping portable computing devices with the necessary data protection tools like anti-malware and virtual private networks (VPNs).
“The rapid shift of a large portion of employees to a remote setting has forced companies to take shortcuts to enable their workers for extended remote access to keep up productivity. This includes reduced security controls, allowing direct access to systems previously only available through a Virtual Private Network (VPN) or simply allowing temporary remote access to partners or customers,” said Tommi Makila, a senior solutions architect with Synopsys Software Integrity Group.
For a while things seemed good.
On June 2, 2020, Singapore exited the government-enforced circuit breaker with what it called “Phase One: Safe Re-opening”. While it is not a return to mostly normal – a condition that can be found in Hong Kong and Taiwan – some employees are being allowed to get back to work if employers follow certain guidelines.
As offices begin to power up their infrastructure, Chua Bo Si, technical program manager at HackerOne, suggests that IT and security teams conduct version checks across all IT assets and perform security patching across all of those assets. Many of these office appliances, including printers, wireless access points and servers, have been left unused and unmanaged for weeks.
“It will also be important to make sure that IT teams disable any remote working capabilities or applications if they are not needed any longer (e.g. remote desktop), as those applications only add to the attack surface unnecessarily,” he added.
Synopsys’ Makila concurred and added that once people return to the office, such changes should be thoroughly assessed and reversed if no longer required. This may prove problematic given that the changes may have been hastily implemented on only parts of the system and not properly documented.
“Employees may have found alternate ways of working and use new technologies to overcome shortcomings in their remote work environment. This might include consumer grade video conferencing, chat and file sharing applications that may have not been previously sanctioned for business within the company. While such technologies certainly pose a security risk due to inherent vulnerabilities during the WFH period, they are also more likely bringing them back to the office upon their return for continued use,” he cautioned.
While Makila wasn’t pointing a finger specifically at anyone, he opined that the problem is not only about people using their own devices and risky applications to handle potentially confidential data, but also about businesses themselves placing too much trust in traditional security mechanisms like anti-virus software, firewalls and VPN solutions, while not having proper vulnerability management and application security practices in place.
Application security and vulnerability management practices sadly often focus on patch management only. Those patching processes may also have been built on the general premise that equipment is physically present at the office and connected to the office network, potentially leaving equipment taken home without important security updates.
This leads to a situation where company equipment may have any number of vulnerabilities left undetected and unpatched. Such equipment may already have been silently compromised, running malware or carrying backdoors, and ultimately poses a serious risk once it is returned and connected to the office environment, even if the patches are eventually applied.
HackerOne’s Chua also suggested running an anti-malware scan on all machines before introducing them back to the corporate network. “But all in all, I think going back to the office does not directly introduce more vulnerabilities (as opposed to the reverse),” he said optimistically.
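One way to operationalise the return-to-office checks described above (version baseline per asset type, patch age, leftover remote-access services such as remote desktop, and a recent anti-malware scan on machines that can run one) is a small audit run over the asset inventory before devices are allowed back onto the office network. The following Python is an added example and is not code from the article, HackerOne or Synopsys; the inventory, version baselines, service names and thresholds are constructed for illustration and would be replaced by an organisation’s own CMDB/MDM export and policy values.

```python
"""
Return-to-office endpoint readiness audit (added example, not from the article).

Assumes a constructed asset inventory (as might be exported from an MDM or CMDB)
with, per asset: hostname, asset type, reported version, last patch date,
enabled remote-access services and the date of the last anti-malware scan.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed baseline of minimum approved versions per asset type (hypothetical values).
VERSION_BASELINE = {
    "printer": (2, 14, 0),
    "wireless-ap": (8, 3, 1),
    "server": (20, 4, 0),
    "laptop": (10, 0, 19041),
}

# Remote-working services sanctioned only for the WFH period; any of these still
# enabled on a returning asset is flagged for removal (constructed list).
WFH_ONLY_SERVICES = {"rdp", "teamviewer", "anydesk"}

# Only these asset types are expected to run an endpoint anti-malware scan;
# printers and access points are covered by the version/patch checks instead.
SCANNABLE_KINDS = {"laptop", "server"}

MAX_PATCH_AGE = timedelta(days=30)  # unpatched longer than this is not "current"
MAX_SCAN_AGE = timedelta(days=1)    # require a scan within the last day


@dataclass
class Asset:
    hostname: str
    kind: str
    version: str                         # dotted version string as reported by the device
    last_patched: date
    remote_services: set = field(default_factory=set)
    last_av_scan: Optional[date] = None  # None means no scan recorded


def parse_version(text):
    """Turn '2.13.7' into (2, 13, 7) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def audit_asset(asset, today):
    """Return the findings that block an asset from rejoining the office network."""
    findings = []
    baseline = VERSION_BASELINE.get(asset.kind)
    if baseline is None:
        findings.append("unknown asset type: no version baseline defined")
    elif parse_version(asset.version) < baseline:
        wanted = ".".join(str(n) for n in baseline)
        findings.append(f"version {asset.version} below baseline {wanted}")
    patch_age = today - asset.last_patched
    if patch_age > MAX_PATCH_AGE:
        findings.append(f"last patched {patch_age.days} days ago")
    leftover = sorted(s for s in asset.remote_services if s in WFH_ONLY_SERVICES)
    if leftover:
        findings.append("WFH-only remote access still enabled: " + ", ".join(leftover))
    if asset.kind in SCANNABLE_KINDS:
        if asset.last_av_scan is None or today - asset.last_av_scan > MAX_SCAN_AGE:
            findings.append("no recent anti-malware scan")
    return findings


def audit_inventory(assets, today):
    """Map hostname -> findings; an empty list means the asset is cleared to reconnect."""
    return {a.hostname: audit_asset(a, today) for a in assets}


# Constructed sample inventory for a small office, audited on the Phase One date.
TODAY = date(2020, 6, 2)
SAMPLE_ASSETS = [
    Asset("prn-lobby", "printer", "2.13.7", date(2020, 3, 20)),
    Asset("ap-floor3", "wireless-ap", "8.3.1", date(2020, 5, 28)),
    Asset("lt-exec01", "laptop", "10.0.19041", date(2020, 5, 10), {"rdp", "vpn"}, date(2020, 5, 31)),
    Asset("srv-files", "server", "20.4.0", date(2020, 5, 30), set(), TODAY),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_ASSETS, TODAY).items():
        print(f"{host:12} {'CLEARED' if not findings else 'HOLD'}")
        for finding in findings:
            print(f"    - {finding}")
```

Run as-is, the constructed inventory holds the printer (old firmware, 74 days unpatched) and the executive laptop (remote desktop still enabled, scan older than a day) while clearing the access point and the file server. The numeric version comparison matters: comparing the strings "10.0.19041" and "9.9.9" lexically would wrongly rank the newer version as older.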
Makila acknowledged that there is no standardised model that organisations could follow to transition back to work-from-office. Different circumstances like government regulations, industry requirements, and people’s opinions can considerably impact the timeframe when certain offices are reopened.
He believed that businesses will ultimately face a hybrid situation where a part of the workforce will remain in a work-from-home setting for an extended period, while others return to the previously normal office environment.
“Such a situation will require reconsideration towards security practices like endpoint security, data protection, logging and monitoring, vulnerability management practices (application testing and patching) and authentication mechanisms which will support both the people working from home as well as people at the office with an equal level of usability and security, not forgetting cyber hygiene awareness and communication to employees to understand best practices and potential risks, now more than ever,” concluded Makila.
Hopefully the return to the office will not be as traumatic as the experience employees had following the announcement of an impending lockdown.