We have moved to a radically remote posture, leaving a lot of empty real-estate in corporate
offices and abandoning the final protections of the digital perimeter. For years, we’ve heard that
the perimeter is dead and there are no borders in cyberspace. We have even had promises of
a new and better style of working without being bound to a physical office and the tyranny and
waste of the commute. However, much like the promise of less travel in a digital age or even the
total paperless office, these work-life aspirations never had a chance to materialize before
COVID-19 forced us to disperse and connect over the Internet. This has massive implications
on corporate culture and productivity. More immediately, the surge in use of remote work
capabilities has consequences from a security and privacy perspective that cannot be ignored.
For some, working from home isn’t new. This is especially true for those in sales and field
marketing across many industries or for knowledge workers, such as federal government
employees who are familiar with their telecommuting contract. The day after the “stay home”
order is given, the rest of the company suddenly find themselves doing the math on how to stay
productive, whether they are the 20% of largely general and administrative or management staff
who are always in the office for a young tech startup or the 80% of all employees at a big blue
chip company. Some already have a laptop that they bring with them everywhere and are used
to bringing home, but for others it’s time to spark up the family computer or get a hastily issued
company laptop and try to get it running without an IT technician parked at their elbow to help.
Others will grab a tablet or a smartphone, once relegated to mostly personal use, and repurpose
it to attend to professional needs. Any way you look at it, the enterprise footprint just grew and
radically changed in a 24-hour period.
From a security perspective, the basics are critical. This is true whether a company is a mature
security shop or not—risk management is the lodestar. It starts with a risk analysis and dialog.
You’ll need to first create a master list of security essentials and rank them in order of
sensitivity, likelihood and impact. The reality is that you can do anything, but you can’t do
everything; and ultimately this is a triage game.
High on the list are concerns about misinformation, weaponized information and social
engineering. While companies can’t control machines that they don’t own, they have to try to get
the most secure endpoints they can and ensure identity integrity. This means emphasizing what
channels are appropriate or not for employees and their families for information: news networks,
websites and the like. But COVID-19 is our new common watering hole, and malicious actors
are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and
more. Regular, short, routine communications to remind people of the basics, to gain a pulse on
the organization and to provide clear policies are essential.
Also at the highest level of concern is securing the connection to the network and back into the
environment. This requires VPN connections, strong authentication and endpoint prevention
and detection controls. In the back office generally and in the security operations center
specifically, baselines from which anomalies are normally noted for focus will be in flux;
everything will look like an anomaly for a while in the brave new remote world.
Which brings us to the most difficult of topics: privacy.
Did employees bring notes and data home before the office closure? Are they creating IP and
data protected by privacy laws and regulations as they continue to do business? Who is in the
immediate environment physically? These are some of the critical questions. In some cases you
may never know the answers to these questions or you may not have a right to know the
answers but must appreciate others’ living situations and assume some worst-case scenarios.
There are still more questions. Should cameras be on for conference calls when employees
might be embarrassed of their personal space being seen by colleagues? Should they use
headsets when a life partner might work for another company or even a competitor or perhaps a
roommate might simply overhear sensitive information? Do we encourage them to care for a
child when they are crying or do workers feel the need to hide their families? While many
companies have previously developed “work from home” policies, now we are beginning to
understand what is really needed for remote, working employees. Now is the time to take a
fresh look at privacy in your work from home policy.
Finally, we must understand the adversary is moving into a new normal as well. They may not
be able to immediately exploit all weaknesses or even any given weakness. They too will
pursue the lowest hanging fruit while investing in some longer term R&D to develop new attacks
specifically for the home environment. Threat actors may be purchasing tools from
cybercriminals, mining existing botnets to see what IP is on those already-compromised
machines or targeting home automation, printers and routers after triangulating IP addresses
and digital locations for targets. In the weeks ahead, targeting new dimensions of technical
diversity and innovating to develop new attack vectors will be the name of the game for the bad
The future is very much a moving target for security and privacy professionals. Here is where
ongoing maintenance is critical: watching vulnerabilities in the new
battery of enterprise applications for remote productivity, moving to the next order of
vulnerabilities and so on. This might involve extending IT support and patching advice to home
users on how to secure their home network, how to configure Amazon or Alexa devices or new
tools and services for secure note-taking, collaboration, use of newly available standard
operating environment systems and so on. In short, the game of security and privacy will be
about rates of adaptation between asymmetric opponents.
The brave new work from home world would be best if it were short-lived, but the genie won’t go
back in the bottle. While the economy will adapt and move on at some point, it’s too early to tell
what percentage of current remote workers will continue to work from home permanently in a
post COVID-19 world or if we will return to the tyranny of the commute. Regardless, the lasting
effect of innovation on both attack and defense will persist. As has been said, never waste a
good crisis: let’s hope that IT, corporate culture, security and privacy all benefit from the current
situation to make a more productive and humane cyber world when we return to a more normal
Sam Curry is Chief Product and Security Officer at Cybereason.
Ari Schwartz was Special Assistant to President Obama for Cybersecurity and is Managing
Director for Cybersecurity Services at Venable.