Alternatively, how did Barbara in Finance just download malware on the network?
As the leaves are turning brown and we are being asked, once again, to work from home where we can, we, as IT and cyber security professionals, are thinking about how we help our organisation and our customers to work securely wherever we are located.
A lot of time and thought typically goes into what employees can and cannot access while they are at work. Perhaps your organisation bans access to social networks or frowns on accessing YouTube on company time. To do this, many organisations make use of internet filtering and web proxies, which are also used in the fight against online threats such as malware and remote access trojans. These solutions are often tied to the office network, only protecting users who are physically present at a company site or whose traffic is backhauled to your corporate HQ through a VPN or similar solution.
With increased home working and a growing expectation to continue having flexibility in how and where we work, whether that is organisations only asking employees to attend for meetings and workshops or a wholesale move to countries that are actively courting remote workers, corporate VPNs are coming under strain. If your company has embraced the cloud and the services that your users need to perform their roles are not located within your corporate network, does it still make sense to divert all user traffic via your corporate HQ? Your security controls are slowing users’ access to the tools they need to do their jobs, frustrating users, encouraging them to find alternative ways to the same end result.
The Cyber Essentials approach is to require either an always-on VPN, which starts at boot and connects to corporate headquarters, or for organisations to enable software firewalls and require all home workers to change the default passwords on their routers and to confirm that the home workers have done this. This might have been a reasonable thing to ask when the numbers of home workers (defined within the standard as workers who spend more than 50% of their time working from home) was small and therefore manageable. Our current situation can make that a mammoth task even for larger SMEs, not counting large corporates. As it stands, if your organisation wants to achieve Cyber Essentials, these are your options.
Surely there must be a better way?
Firstly, you must get the basics right. Sending users out into the world with insecure devices is a recipe for disaster.
- Install anti-malware software. Make sure it is receiving automatic updates and scanning files and webpages on access. You cannot stop malware if you cannot detect it.
- Enable host-based firewalls on all devices and ensure that the firewall is configured to block unwanted connections. It is also important that there are business justifications for open ports on your software firewalls, as you would do with hardware firewalls.
- Ensure that devices are receiving patches regularly. When devices are off-network, they cannot always connect to update servers on your network to receive patches and if they can connect, consider whether you have the bandwidth to deliver potentially large updates to every client via your corporate VPN.
- Provide a secure connection to resources. This means securing data in transit, using at least TLS 1.2, and requiring robust user authentication and authorisation. Strong passwords, such as NCSC’s Three Random Words, and multi-factor authentication help.
Secondly, there is a time and a place for a VPN. If your organisation hosts the applications and resources that your staff need to do their jobs, then they need to be able to access those resources and a VPN is a simple way to connect a remote user to your corporate network. Split tunnelling should not be enabled, to ensure that your existing proxy and filtering continues to be enforced.
If you have actively embraced cloud solutions, such as Microsoft 365, Google G Suite, Salesforce and similar Software as a Service applications, you likely have very little that users will need to connect to hosted within your office environment. In these situations, backhauling traffic to your corporate network over a VPN makes less sense. Instead, you could consider using a secure DNS provider or an agent-based solution to secure your users’ internet traffic.
There are many secure DNS providers, at different price points and offering different features. Quad9, for example, offers no customisation, but provides fast DNS lookups and blocks known malware-serving and command and control domains. Other solutions, such as Comodo’s Secure Internet Gateway allow for full customisation, including custom blocklists, in addition to blocking malicious domain requests and responses, but this comes at a price.
Agent-based secure web gateway solutions require an application to be installed on the device, which tunnels traffic to your provider’s infrastructure, where it can be, for instance, filtered, scanned for malware and logged. Gartner’s leaders in this space are Zscaler Internet Access from Zscaler and Symantec Secure Web Gateway by Broadcom. Gartner notes iBoss as a leading visionary in secure web gateways.
Protecting your users against the sorts of malware and other internet-based threats they could come across on a day-to-day basis doesn’t have to be difficult, costly or frustrating for your users or your IT team. This article was written in collaboration with my colleague Jacques du Toit. For a personalised view of how your organisation can better protect your users once they leave the networks you control, feel free to reach out to either of us via LinkedIn for an impartial, informal conversation.