Information security in the age of the distributed workforce
More people are working remotely than ever, and with the social isolation demands of the COVID-19 pandemic the remote work trend has accelerated in pace tremendously. This new reality has numerous real-world implications, many of them positive (dramatically reduced carbon expenditure, less stress and more personal time for employees due to less commuting, lower office costs), while the security threats associated with the paradigm are substantial and will be unfamiliar to many organisations.
Our focus in this article is on security concerns around cloud or SaaS services that have become ever more popular in recent months. Examples of such SaaS applications are Slack, Microsoft Teams, WebEx, GitHub, the Atlassian suite of tools, and (who could forget?) the infamous Zoom.
“After analyzing cloud usage data that was collected between January and April from over 30 million enterprise users of its MVISION Cloud security monitoring platform, [security software company, McAfee] estimates a 50% growth in the adoption of cloud services across all industries. Some industries, however, saw a much bigger spike–for example manufacturing with 144% and education with 114%.”
“Attackers have taken notice of this rapid adoption of cloud services and are trying to exploit the situation. According to McAfee, the number of external threats targeting cloud services increased by 630% over the same period, with the greatest concentration on collaboration platforms.”
One of the biggest information security risk factors in the rush to maintain business continuity is that a large patchwork of tools and methods have been put in place in an ad-hoc fashion to keep staff in touch and productive. That means that many businesses and government departments have numerous entirely new and often unknown attack vectors and surfaces, and vulnerabilities that they aren’t even aware of. This, due in part to the fact that they may not even be aware of all the tools, methods and technology in use at their organisations at the moment. Due to the haste in provisioning these new services, they may not have been thoroughly evaluated and may not be configured or implemented properly.
Even when configured and implemented properly, very real threats in SaaS applications abound and have been found in the wild. Most such applications support external links and attachments, which can be used by malicious actors to launch phishing attacks or to trick users into running malware. Many of us are aware of some astonishing security issues and flaws in the Zoom video conferencing platform (1,2,3) – at least some of them intentional – as well as their significant ties to China. There have been significant flaws discovered in other popular platforms in recent months as well, such as Slack and Cisco WebEx (1,2), all of which should concern executives, governments, policy-makers, and IT departments alike.
Of course, no software is without bugs, and security bugs are always possible if not likely as well. So how can firms and government organisations eliminate or at least mitigate the risks?
Research your options.
Find out what options are available. Regardless of your use case or the type of collaboration tool you need, the competition is intense and you have many choices.
Once you have determined which features are critical for your needs, learn about the company behind each platform. Basic questions like “what is their primary business?”, “How long have they been in business?” matter as ever, while buyers can and should look at each vendor’s security record – How severe have their known vulnerabilities been? How many security vulnerabilities have been discovered on their platform in the last three years? How quickly do they patch vulnerabilities once they are made aware of them? Do they have a bug bounty program? How comprehensive is their security practise in general? Is security a core value and a core part of the way they develop their products?
Some key security features should be sought after in any collaboration tool:
- Brute force protection.
- DoS protection.
- Complex password enforcement.
- Centralised authentication.
- Malware scanning.
Much of the security of cloud services is in the hands of the service provider, which is why it is vital to choose the right vendor. At the same time, a fair number of other crucial aspects of security with regard to these applications are up to the users. So be CUTE:
Use complex passwords. One of the most common attacks against cloud platforms are brute force attacks, where hackers run programs that continuously guess passwords to users until they get a match. Long, complex passwords with upper and lower case letters, numbers, and symbols are orders of magnitude more difficult to guess than simple passwords that do not employ all of those elements of complexity. The threat of brute force attacks is another major reason cloud providers should have their own strong defences against such attacks.
Provide user education and tools. “Social engineering” attacks, where hackers attempt to trick, distract, or confuse staff members and system users are another major threat to cloud application security, as well as the security of everything — local networks, VPNs, e-mail systems, information of all sorts (be it on computers, on paper, in people’s own memories, and even the security of an organisation’s physical premises). This is why education is key. Every employee should be generally aware of cyber and real-space threats, the forms in which such threats may manifest, common targets, which assets, information, and individuals are considered especially desirable targets, how to reduce such threats, and what actions to take if they suspect foul play. Employee training (even for employees that may rarely or never use technology at work) is part of a comprehensive set of organisation policy and procedures to guide staff in protecting themselves, the organisation, and their customers.
Workplaces that allow users to “bring their own device,” and use their personal devices should absolutely provide security tools and support for them. Such tools need not come at substantial cost. Windows comes with Microsoft Security Essentials, which includes virus and malware scanners. Malwarebytes provides a “freemium” malware scanning app that is quite comprehensive. ClamAV is freely available for Mac and Linux. SELinux, Apparmour, and rkhunter are all very effective in preventing, detecting, and containing malware on Linux systems as well.
Implement two-factor / multi-factor authentication. Multi-factor authentication — “something you know, and something you have” — like SMS codes, smart cards, or key fobs are yet another strong defence against authentication attacks. An affordable smart card solution is Yubi Key. SMS-based multi-factor authentication options depend on the application they are being used with. Even if an attacker were to somehow get a user’s password, they likely still can not authenticate to that person’s account without also having their phone / smart card / key fob / etc.
Ensure e-mail and collaboration tool vigilance and hygiene. As mentioned, a common way malware makes its way to users is through attachments and links. Sometimes a user’s entire computer, phone, or tablet can be compromised with such malware — a scenario with potentially devastating consequences.
Hopefully that gets you off to a solid start in addressing security across local and remote locations. Need more guidance? Reach out!