The COVID-19 pandemic resulted in many organizations transitioning to a remote workforce without time to properly prepare.
Devices that are normally connected directly to the corporate network may not be configured to operate securely when working remotely. Before allowing these devices to reconnect to the internal network, it is important to ensure that they are healthy, up to date and have not been compromised during their time away.
Security Concerns of Remote Devices
Remote workers have many of the same security concerns as on-site workers. However, they are also exposed to more potential cyber threats since they are not connecting to the Internet via the corporate network.
Devices should be tested in a quarantined, sandbox environment to avoid infecting the rest of the network until they have been determined to be clean.
It is important to take these security precautions before reintroducing devices to the network:
- Check their patch status
- Verify a clean anti-malware scan
- Run a vulnerability scan and mitigate any discovered weaknesses
- Verify security configurations
Vulnerability and Patch Management
Vulnerability management is a challenge at the best of times with more than 22,000 new vulnerabilities being discovered in each of the past couple of years. Security teams are often overwhelmed by the need to acquire, test, and deploy patches for potentially exploitable vulnerabilities in their deployed software.
Historically, remote workers’ devices are further behind on patching than devices deployed on-site. Research shows 48% of on-site devices receive a patch within three days of it becoming available, compared to 42% of remote devices.
During COVID-19, the rush to transition to a fully remote workforce means issues with patch management could easily have been overlooked. For example, machines may be configured to download the latest updates from the company intranet, which may not be reachable remotely.
Before reintroducing a device to the network, research and apply the latest patches and ensuring that it is compliant with the organization’s security policy is essential.
Detect Dormant Malware Infections
Some malware infections are immediately obvious: They may instantly start attempting to steal sensitive data or communicating with command and control (C2) infrastructure over the network.
Other malware infections are designed to be subtler. In three quarters of cases, a ransomware operator waits at least three days before encrypting files. These time-lapsed attacks are more difficult to detect than ones that immediately work toward their objectives.
When employees work from home, they are using untrusted networks and are more vulnerable to malware infections. If their systems are infected with malware designed to lie dormant for some time, the threat can potentially sneak past a network’s defenses without anyone being the wiser.
For this reason, it is essential that all devices undergo a comprehensive anti-malware/anti-ransomware scan before being allowed to connect to the corporate network. A scan by the company’s chosen anti-malware, with the latest security updates, decreases the probability that an infection could sneak in under the radar.
Insecure Account Security Configurations
When reintroducing devices into the network, it is important to look beyond the computer itself to the data and services that it can access as well. Microsoft Office 365 is a leading target of cybercriminals who use a single set of compromised account credentials as an initial foothold and enabler for an attack.
After compromising an employee’s Office 365 account, the cybercriminal will use mail forwarding to send a copy of the employee’s emails to themselves. These emails provide useful intelligence for performing Business Email Compromise (BEC) attacks or taking advantage of the trusted nature of the account in future spear phishing attacks.
A best practice is to prohibit such rules from being created in any mailbox, or at a minimum monitor for the creation of such rules. In an abundance of caution, even the well-prepared who have done this ahead of time would benefit from extra vigilance. Check the general security hygiene of each user’s mailbox. Any red flags, such as unauthorized mail forwarding rules, should be investigated in case they indicate that the device has been compromised and has been used in a more general attack.
Securely Reintroducing Devices
The COVID-19 pandemic has provided organizations with a number of opportunities to reevaluate the effectiveness of their cybersecurity and business continuity strategies. A sudden shift to remote work for organizations’ entire workforces placed many organizations in a situation for which they were unprepared.
The process of securely reintroducing these remote workers’ devices onto the corporate network is important to consider before a large number of workers start returning to the office.
Avertium advises organizations on how to follow best practices to secure their systems. If you need help understanding security precautions to take before reintroducing devices to the network, reach out to start the conversation.