Defending the F.O.B. - Work From Home Security Basics for the Post-COVID Paradigm
May 31, 2020
Its 2020, and while there are still no commercially available VTOL cars or independent AI, we do have the centennial pandemic changing our work paradigm from centralized loci of operation to dispersed "forward operating bases." A similar paradigm difference exists in forward deployed environments, between the phase3-style "firm base near AO + patrol" semantic, and the "distributed/fluid positions in AO + patrol" approach (AO being the area of operation). Both of these methods have their advantages and downsides; and their applications are largely determined by the mission objectives, types of assets available, the type of environment comprising the AO, and the state of relations with the populace in it. Commanders plan and define doctrine and methods based on the optimal fit for their mission, and execute those plans as precisely as militarily possible - managers and business owners in this new world no longer have this choice, and lets be fair, rarely planned all that well anyway. Any workflow not explicitly requiring on-site interaction with equipment, product, or people has been hastily moved to some form of remote access. Unlike the well planned military implementations of this approach, civilian society was completely unprepared, and executed the shift with no planning or validation of security posture - after all, people do not realize that lives or livelihoods depend on the security of these deployments like they do downrange. To compound these core issues, companies are in bed wetting mode, trying to cut costs on everything, including operational security.
Private conversations between medical billing professionals formerly one cube away from each other have moved to messaging platforms, with the content stored on who knows how many drives at which providers and with what kind of encryption and auditing? Banking, insurance, billing, collections, legal communications, and almost all other back office functions have migrated to any number of workflows requiring that data leave its former enclaves or added access to them. Use of personal systems to access (and store) confidential information previously only touched by reasonably policed company systems has become "acceptable" overnight; regardless of what the kids did on it 5m ago or how many citizens of the Russian Federation/North Korea/PRC have persistent access through the freeware/malware installed or porn sites still open in their browsers (really, we often see your home DNS requests on the ops side of the house when you're on a VPN...). Network access policies have gone out the window with the addition of innumerable OSX or Windows XP and Home Edition endpoints, and data loss prevention systems are blind or simply off at this point to avoid alert fatigue. For the most part, corporate responsibility for the integrity of confidential information handled by their personnel has evaporated overnight - or so they seem to think anyway. Even attorneys suddenly have no clue about privacy laws in the states where they are accredited, an apparent selective amnesia has set in across multiple industries resulting in the abdication of legislated responsibility.
The reality of this new situation however, is that all of the rules and regulations about personally identifiable, healthcare, financial, and protected (by contract or classification rating) information are still in place; albeit in some cases temporarily suspended like certain provisions of HIPAA HITECH in order to provide telehealth services. There is no force majeure clause for loss of privileged assets due to incompetence. Liability for loss, theft, and misuse still resides with the entity which received the data, and in jurisdictions where the originators of data have the right of audit, recovery, or deletion - those rights still exist. Moreover, financially/politically motivated attackers know this; and they know that home systems are weak, that companies are doing nearly nothing to protect them because "its not their system," and even in cases where corporate systems are used at home, the networks themselves are insecure, behind some very generic vendor-backdoored media access converter (cable/fiber modem). They are changing their training, tactics, and procedures to accomodate the new target landscape. To the adversary, the value and priority of exploits against commodity edge devices, browsers, messaging clients, and telco gear from the local hub to the core are climbing day over day. Same goes for pilfered lists of credentials they can use to brute force (credential stuff apparently in modern parlance) their way into external services, and for any personal information they can aggregate to generate more credentials based on an entity's attributes. Who's seen someone use birthdays or company addresses for passwords? ... usernames are well known most of the time.
These new threat models target information cached or intentionally copied to insecure home systems, including access credentials to remotely accessible central systems, along with deep pesistence in the low-rent operating systems used at home. The TTPs & tooling developed now will not go away as companies slowly move back to the office, partially or otherwise; and the resulting threatscape will persist beyond the work from home conditions of a pre-vaccine pandemic. Savvy clients have started to ask us about this, so lets dive in to what companies can and should be doing to protect employees, customers, and confidential information/systems at large.
The first thing any company needs to do is make a plan from a clean sheet of paper if the previous disaster plans did not cover the situation currently at hand - trying to twist a DR plan into a forward operating semantic won't cut it, and will be more work/less effective. The plan should first take into account the critical assets (data/systems) which must be protected from unauthorized access, audited for access, or maintain encrypted storage. Once key assets are identified, the plan should enumerate workflows to be executed by remote workers, and the level of access (network, system, application, and data) required for each. The access-for-workflows map can then be cross-referenced with the critical asset list to determine which workflows require protected access. For small entities with limited ability and resources to gate remote access (on the VPN or not/logged into office portal or not), the critical asset pool is everything. For larger entities which can tier access, there is more flexibility and ability to reduce overall defensive workload. Once these critical paths and access patterns are identified, the plan must determine how they will be addressed, and the priorities they take based on dependencies and criticality of asset. Finally the plan should be used to update policy, clearly defining what users can and cannot do in WFH conditions, at different phases of the plan's implementation (for instance not copying files until they're on an encrypted company laptop). As with all policy changes, users should be informed, and if possible required to sign their comprehension with arterial blood.
Since there are far too many access paradigms, gating techniques, and audit processes to cover in this or any single post, lets look at the generic defensive techniques which can be applied in support of the plan's findings and details. First and foremost, any company which can provide corporate systems to its users should. Even if its a bottom of the barrel Chromebook they use to access the remote workplace portal/VPN, its 100X safer than their family home machine, 1000X if they don't have anything resembling administrative privilege on it. Principles of isolation 101 - do not use shared systems for confidential functions. Secondly, having a company owned system means company-built security controls and audit sinks, without concern for personal privacy of the user - they shouldn't be using it for personal things anyway. Remote access functionality such as VPN, applications, and links to online portals are all included with this approach. Secondly, to mitigate the shared network concern, companies can provide extremely cheap routers with dedicated wireless, and built-in VPN functionality for a pittance - RouterBoard hardware, and their RouterOS software stack provides everything needed for 802.11AC, locked down services, and a persistent VPN link to home base for less than a week's worth of coffee at any shop. Slightly higher-end systems from HP or Cisco dont cost all that much more and are on the approved vendor lists for enterprise/gov. These can also be pre-configured by IT and delivered to end users ready to roll, with the company system set up to automatically connect to the device, and network access controls on the device to prevent the company laptop from simply accessing the WAN, but requiring datapaths to traverse the VPN link or a proxy. Finally, the company should provide and enforce a fully controlled data path for access to internal and external resources during work hours, gating HTTP through filtering and logging proxies, and if possible passing all VPN traffic by a NIDS pickup port for analysis at the connection point and event storage for future correlation. Any authenticated system/service accessed remotely should use two factors, which can be had for free with any number of open source implementations or neatly bundled by providers such as Duo or Google.
For smaller entities which cannot afford to distribute company systems to home users, the situation is a bit more dire - personal computers are often not touched by company IT for policy reasons, already compromised, unpatched, using pirated software which can get the employer in a lot of hot water, or simply lack the security qualifications required to access certain data. These conditions can be handled with a bit more projection of the worker to the environment, rather than data to the worker. Terminal services through Microsoft TS, Citrix, VMWare, or open source mechanisms (VNC/SPICE/Guacomole/etc - over a VPN link to deter attacks on the service) permit users to access entire remote desktops or specific remote applications and perform work in those environments, without pulling the data back to their machines, in theory. This is still far from ideal as any attacker having compromised a home machine will log all keystrokes, and probably record the screen, so if there are bills with PII/PHI/fin data being shown on the screen of the terminal session, the loss will still occur (plus they know how to log into the terminal server now if 2FA is not in play). Employers may need to reconsider IT policy as relating to home machines, and either have users permit IT to fully wipe and deploy proper stacks, or at least corporate AV, DLP, patch management, and HIDS/HIPS to have situational awareness and some level of protection. Finally, there's the option of not buying hardware, but providing hardened virtual machines to be run on home computers or in a cloud. However, compromise of a VM in a type 2 hypervisor from a foothold host is trivial, and the attacker with foothold on the source/host machine still has full key and screen logging capability.
However employers choose to implement controls and standoff to protect their workers and assets, they cannot continue to do business as usual, pretending nothing has changed or that their IT workload has somehow been reduced. To the contrary, this new reality requires much tighter integration between operations and security, acquisition of actionable telemetry from afar, in spaces which the company might not own, and implementation of capacity to effect remedial efforts downstream wherever the user, service, or infrastructure component may now be. Companies which can afford to deploy hardware to user locations will need to standardize and automate their deployment and configuration processes if not already done, and they will have to develop entirely new remedial and replacement procedures along side data integrity/backup/security/etc functions which change with remote topologies. Even with all of this in place, companies may find themselves subject to liability for data lost in the initial "move to remote" since any information gone from fully audited access paths is lost and likely to be used for ransom or worse. Every day entities waste being blind to where their critical data and assets are, how they are behaving, and who is accessing them, should be considered 24h of ongoing breach at the highest level - because in the end, we only know what we can prove, and we are beholden to know what our companies, staff, and adversaries are doing with our customer's data.
Our Recent Posts
Defending the F.O.B. - Work From Home Security Basics for the Post-COVID Paradigm
May 31, 2020
Atomic Shelters for Active Observers – Hardening by Example (part 2)
August 6, 2018
Protecting the Watchtower - Hardening by Example (part 1)