Remote working is not a new topic for IT and cyber security colleagues, but with the pandemic it has scaled up to a new, unexpected level with, in the best or worst case, 100% of an organisation’s employees working remotely. Were supporting infrastructures often in place? No. Were we, cyber security colleagues, fully prepared for this new challenge? No.
What we have discovered is that we were mainly ready on the technical side, but we needed to work on the human side. Another point was thus raised: how do we handle so many different unsecured ways of connecting to our facilities? Public hotspots, Bring-Your-Own-Device (BYOD), home local area networks (LANs), and so on extended the attack surface to a never-before-seen scale.
From the technical perspective, three main scenarios have emerged:
The ‘No Trust’: Assets that can only be used with a Virtual Private Network (VPN) on, with no side communication allowed, just like an internal asset, as controlled and hardened as it should be.
The ‘Partial Trust’: Assets that allow the user to have a side activity (controlled by a Cloud Access Security Broker (CASB), Endpoint Detection and Response (EDR), etc.), but ask for a connection when the activity involves office work and company data.
The ‘Whatever’: BYOD or uncontrolled assets, but with access only to ‘public’ apps or through Virtual Desktop Infrastructures to gain access to internal apps.
Now, if we move to the user side, we must note that not everybody was at the same level of security awareness, particularly when thinking about working in public spaces. It seems obvious not to speak loudly about data or sensitive projects in public spaces, to lock sessions, to be sure that nobody can see your screen, and so on, but it’s not. For that, we need to teach more and emphasise the consequences of those behaviours. At the same time, we need to be sure that our detection systems can handle user behaviour and take that into account. We further need to consider the specificity of critical functions and be sure that security is at the right level.
It’s always hard to determine what the future will look like, but we know for a fact that remote working will remain. We have to focus on being sure that employees are aware of and understand the increased threat level we’re facing. Cyber security operators should quickly support employees in case of suspected security incidents. We should reinforce the messages about threats, risks, and behaviour, give better guidance, and help users with assets that fit their needs properly without weakening security.
At the other end, we should provide robust controls over configurations and functions, be prepared to enhance identity and authorisation checking, harden filtering and systems, and be sure that no bypass to the crown jewels actually exists. Remote working doesn’t mean that everything is wide open to the world; access should, au contraire, be tighter than ever.
Lionel Garacotche is technical office leader for IT cyber security architecture at Airbus Protect