
COVID-19: Threat Model of a Remote Worker


Threat model of remote working

First and foremost I give full credit here to Digital Shadows for the core content for this article and credit to the ISSA for featuring Digital Shadows in their latest membership update.


Article Objective

My objective is to help you to ensure your remote workforce has the tools and support needed to work safely and securely away from your traditional office space, giving you quick links in this article to trusted sources of information and knowledge, and relevant checklists to make your life easier.


Here are three trusted sources to start with, each featuring simple checklists or ready-to-deploy training you can make available to your workforce straight away; just hover and click on the description below:


Remote Working

Remote working is nothing new, but the global lockdown driven by COVID-19 has forced most of you to significantly accelerate your plans to deliver secure remote working; you may have had to force through previously untested controls, or become over-reliant on policy and user awareness training, leaving your remote workforce vulnerable.


Statistics and Quotes

  • When COVID-19 lockdown descended we went from ~10% remote workforce to ~90% almost overnight

  • ‘We’ve seen two years of digital transformation in two months’ – Satya Nadella – CEO Microsoft

  • Only 27% of staff forced to work remotely received additional training to use platforms like Zoom and Teams securely

  • 60% of remote workers are using personal devices for work, and almost all of them believe their devices are totally secure

  • UK National Cyber Security Centre noted malicious actors are targeting organisations with vulnerable O365 setups

  • As a rule, across all industries IT was generally more agile than security.

‘Threat Actors’

Digital Shadows highlight the following top five ‘threat actor’ categories that have the motive to abuse and take advantage of your remote workers (please visit our website here for expanded detail within the full article):

  1. Cyber/organized crime: Cybercrime groups have the capacity and the skill set to perform targeted attacks on end users with increased volume due to work-from-home conditions. Use of personal devices with fewer security measures/controls makes users more attractive for such operations. Access to corporate services and resources, even from the end user’s own devices, makes the target more attractive as the probability of gaining unauthorized access is significantly increased.

  2. Fraudsters: Fraud attempts are expected to increase, exploiting the COVID-19 outbreak. These will likely be especially effective against workers not used to working on personal and/or mobile devices.

  3. Accidental/Malicious Insider: Non-hostile threat actors who need special consideration are the users themselves. Those not used to remote working might experience issues with accidental sensitive data exposure, mistakes in file sharing, etc.

  4. Hacktivists: Regular phishing attacks will continue to evolve, especially now with the end user being more exposed to the Internet, where they can be targeted more easily.

  5. State actors: Remote working extends to governmental and other critical infrastructure entities, which are top targets for state actors. Such operations are expected to increase since users will continue to have access to restricted resources from home.

Complacency

I’ve said it before, and I say it again: do not be complacent! I have participated in numerous webinars in lockdown detailing the increases in cyber-crime, phishing attacks, and fraud. Our adversaries have been anything but complacent since the advent of COVID-19.


If you are comfortable that you have everything under control and cannot improve secure working for your remote workforce, please feel free to stop reading now.


But if you have any doubts about the tools, controls and training you have provided to your remote workforce in the last three months I encourage you to take the time to read this complete article, and to book a conversation with us here if you’d like to talk to us about any topic raised in this article.


Cyber Threats

Digital Shadows highlight these top six cyber threats your remote workers may have already been targeted by:

  1. Attacks on availability: Increased dependency on remote-access solutions, such as VPNs, may increase the impact of these attacks. Internet traffic has increased significantly by default during the COVID-19 outbreak, so denial of service attacks might have more chances to be successful.

  2. Lost/stolen laptop: A working from home restriction might be helpful to mitigate this use case, which generally refers to remote workers using public places to access the Internet. There is a small likelihood of this threat.

  3. Data leakage owing to inadvertent disclosure (accidental sharing, shoulder surfing, etc): Since the users themselves have been identified as a threat, there is a high probability of accidental exposure of your company’s sensitive information. Cloud-based file-sharing platforms might cause confusion between what is personal and corporate data.

  4. Unauthorized access to corporate sensitive data through a software bug exploitation: Since access to corporate resources and services with sensitive information for remote workers is the business goal, attackers will have many more chances to exploit those conditions.

  5. Phishing: Initial access using phishing will remain the top attack vector, but now the success rate is expected to be higher with potentially fewer security controls and measures applied to remote users.

  6. Stolen/leaked user credentials reuse: Credentials will still be the number-one goal for attackers to gain access to unauthorized resources.

Priority Security Measures

Digital Shadows recommends the following six priority security measures you should adopt to decrease your organisation’s overall risk level in relation to your remote workers.

  1. Advanced endpoint protection: Next-generation endpoint detection and response (EDR) and continuous monitoring will significantly aid in detection and response.

  2. Encrypted communication: Extensive use of VPNs with an always-on model, whenever applicable, is highly recommended to mitigate man-in-the-middle (MITM) attacks. Always-on refers to the idea that the user’s device must be connected to the designated VPN to access any resource that requires an Internet connection.

  3. Increased identity and access management: Access controls should be improved to mitigate lost or stolen credentials and their reuse. Multi-factor authentication is highly recommended for access to every corporate resource, especially the critical ones. Continuous monitoring and visibility of access is also very useful for auditing and abnormal behaviour detection. Least-privilege/need-to-know principles should be also applied and reviewed carefully to avoid unnecessary access to sensitive information.

  4. Email, instant messaging, and browsing protection: Advanced and specific solutions should be used to protect users from malicious emails and URLs, which are the main threat vectors. Those services are expected to be used widely, given the nature of remote working, so they will be heavily targeted by threat actors.

  5. Endpoint security hygiene: Endpoints, both corporate and personal, should be included in the continuous asset management program enforcing the latest patches, properly managing vulnerable software, and effectively controlling access to any corporate resource.

  6. User security awareness: The remote environment, and in many cases the new tools and solutions that might be used, need to be well communicated and presented to the users. Users should be educated on the risks of remote working and with the advanced threats that they may encounter. Extensive user education and training is required to mitigate this increased risk as users might not be familiar with special tools or solutions tailored for remote working, making confusion between personal and corporate data/resources very likely to happen.
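Measure 3 above calls for continuous monitoring and visibility of access so that abnormal behaviour can be detected. The following is an added illustration, not code from this article or from Digital Shadows, of what such a check can look like in practice: it scans a constructed sign-in log and flags sessions that were authenticated without MFA, that reached a critical resource from an unmanaged personal device, or that show a rapid change of country for the same account. The log field names, the set of critical resources and the two-hour window are assumptions chosen for the example.

```python
"""Added example: flag anomalous remote sign-ins from an access log.
Not part of the article or of Digital Shadows' guidance; field names,
resource list and thresholds below are assumptions for illustration."""
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). One record per
# authentication: who, when (ISO 8601), from which country, whether MFA
# was completed, whether the device is corporate-managed, and the
# resource reached.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2020-06-01T08:02:00", "country": "GB",
     "mfa": True, "managed": True, "resource": "mail"},
    {"user": "alice", "ts": "2020-06-01T08:40:00", "country": "RU",
     "mfa": True, "managed": True, "resource": "mail"},
    {"user": "bob", "ts": "2020-06-01T09:10:00", "country": "GB",
     "mfa": False, "managed": False, "resource": "finance-share"},
    {"user": "carol", "ts": "2020-06-01T09:15:00", "country": "GB",
     "mfa": True, "managed": True, "resource": "wiki"},
]

# Assumption: resources that must only be reached with MFA from a managed device.
CRITICAL_RESOURCES = {"finance-share"}
# Assumption: two sign-ins by one user from different countries inside this
# window are treated as suspicious.
TRAVEL_WINDOW = timedelta(hours=2)


def flag_signins(events):
    """Return a list of (user, timestamp, reasons) for events that violate
    the access policy or look like abnormal behaviour."""
    findings = []
    last_seen = {}  # user -> (datetime, country) of the previous sign-in
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if not e["mfa"]:
            reasons.append("no-mfa")
        if e["resource"] in CRITICAL_RESOURCES and not e["managed"]:
            reasons.append("critical-resource-from-unmanaged-device")
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
            reasons.append(f"country-change:{prev[1]}->{e['country']}")
        last_seen[e["user"]] = (ts, e["country"])
        if reasons:
            findings.append((e["user"], e["ts"], reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in flag_signins(SAMPLE_EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Run against the constructed log, the check reports alice's second sign-in (country changed from GB to RU within 38 minutes) and bob's sign-in (no MFA, and a critical share reached from an unmanaged device); carol's normal session is not reported. In a real deployment the events would come from the identity provider's sign-in log and the findings would feed an alert queue rather than standard output.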

Layered Defence

Picking up the priorities recommended here, this is a great list of measures and controls to adopt if you don’t already have such controls in place, and to bolster what you do have if there are any doubts over the quality or depth of your defences.


Multiple layers of defence are stated as a priority, which is essential so as not to rely on the end user, your workforce, as your only line of defence.


I have seen many examples in the lockdown where the main focus has been on education, training and awareness, which whilst essential should not be the only layer of defence you have implemented.


How many of these systemic software driven defences do you have implemented? How vulnerable are you leaving your remote workforce without adequate controls and defences in place?


Colleagues – Our Greatest Asset

Too often I hear it said that our people are the weakest security link; I believe our colleagues are our greatest asset in our perpetual endeavour to prevent data and information loss, and we shouldn’t expect them to be the last line of defence in the absence or failure of layered defences described as priorities in 1 – 5 above.


As human beings we are fallible and make mistakes, and given the high ‘quality’ of targeted phishing attacks we’ve seen since the start of the COVID-19 lockdown, inevitably we will all make mistakes. More mistakes will be made working alone than in the office, because at home we don’t have the opportunity to turn to a colleague and ask their opinion on a suspect email or attachment.


I have seen numerous examples of very convincing fraudulent websites and emails over the last few weeks and have reproduced a few screen shots here just to show you the level our adversaries are prepared to sink to in order to impersonate trusted organisations to make a gain at our cost.

To hold our remote workforces to account for failing to spot every nuance and detail of a phishing email is not good enough unless we have also done all we can to layer a defence through our systems, software and applications. If we hold them to account without that, we are not supporting them to work securely, regardless of the amount of updated remote working security training and education we provide them with.


Awareness, Education and Training

User security awareness, education and training are as essential as a systemic software driven layered defence included in the list of priority security measures.


Statistics I shared earlier suggest that only 27% of remote workforces have been given additional training to help them work securely at home; does your organisation feature in or out of that statistic?


Have you sought feedback from your remote workforce to understand their secure working concerns? And if so, what have you changed to support and protect them?


Awareness, education and training can be some of the most cost effective controls you can put in place in your organisation, and if budgets are limited this is a great place to start, but include in your budgets the capital required to implement or improve your other system, software and application controls.


There is a plethora of free education and training resources available from third party service providers and government sources as well as online organisations, much of it ready to issue online direct to your workforce now, today, to get you started.


You may already have a thorough bespoke information security training and awareness programme in place, but have you reviewed it and altered the emphasis from office-based working to remote home working and re-issued key modules?


Use some of the free resources available to benchmark your existing programme and then work with your contracted provider to make real tangible adjustments.


The Future

Without COVID-19 the global workforce was already making strides towards a remote working environment and this recent pandemic has accelerated this significantly. Therefore, keeping our remote workforce working securely is ‘here to stay’ and thus investment in better systemic software and application driven layered defences is an investment in your organisation’s viability for the future.


Similarly, so is an effective, integrated information security awareness, education, and training programme, not as the first line of defence, but as an essential complementary element of a well thought out information security strategy and programme.


Take the time now to learn the lessons of enforced remote working and to plan for the continued viability of your organisation through a layered defence for your workforce; review your strategy and your information security programme and make the necessary changes.


UKDataSecure Services

Please book a conversation with us here if you’d like to talk to us about any topic raised in this article.


UKDataSecure can support you to understand the current status of people, process and technology involved in securing your remote workforce, and can support you to find the best trusted third party service providers who can deliver all of the layered defence tools and controls discussed in this article; we can also manage governance of the whole process as required.


Please visit our website here for further details of our philosophy and the services we can assist you with.


More Resources

Please visit Digital Shadows here for further resources you may find helpful at this time and the source article here.

Here are some further hyperlinks to trusted resources to assist you, previously highlighted in our earlier COVID-19 Lockdown; What Next? featured article:

Sources for this Article

  • ISO360

  • Exponential-e

  • ISSA

  • Digital Shadows
