Threat Modeling Risks: Remote Working Amidst Novel COVID-19 Crisis
- March 31, 2020
- Ray Parker
With the rapid spread of the novel COVID-19 pandemic, enterprises have had to adopt measures quickly to remain safe and limit physical contact. In the past few weeks, enterprises around the globe have devised remote working policies to carry on their operations without interruption. Many organizations have had a robust remote working structure for years, some had a few remote workers, and others had restricted it completely. Even for firms that already had a remote workforce, the scope of that work has increased dramatically. Business operations that have never been carried out remotely are now required to run in a fully remote mode. In the current situation, security experts are asking what new risks remote working poses for sensitive business units. A security testing company is especially concerned with securing networks and applications that were never used for remote working before.
Let’s look at the threat model we have devised to consider some of the risks of the new remote working trend that has emerged in the wake of COVID-19. These threat models are a sample, and each firm will face some limitations when applying them. It is important for each organization to consider its own risks proactively when assessing its systems and applications.
Threat Modeling the Remote Access Approaches
The industry has never seen anything as disastrous as COVID-19, and it has forced a reliance on a remote workforce. Given the new level of access granted for remote connectivity and the newly formed remote workforce, attackers are likely to take advantage of weaknesses to gain network access. Organizations are expected to change their remote access standards, for example by removing IP address whitelists or allowing unmanaged devices. Any change to these configuration settings should be evaluated against the new threats to the organization, and the resulting risks should be carefully analyzed.
Enterprise Threat Model
VPN / Virtualized Desktops
VPNs are one of the most commonly attacked entry points, and attackers tend to use unauthenticated attacks, compromised credentials and compromised systems. The following are a few weaknesses and common deficiencies observed in this model:
Endpoint Remote Access – Attackers are expected to keep targeting employees with phishing emails on a regular basis. A security testing company should ensure that security controls such as email filtering, endpoint hardening and reduced admin privileges are in place, so that endpoints remain visible and protected for remote users.
Multi-Factor Authentication – Organizations should train their employees to identify and report unauthorized push notifications. MFA methods such as SMS messages have previously been exploited to gain access, so this should be evaluated in the business’s risk assessment process.
Attacker Lateral Movement – Network access should be restricted to the remote workers who actually need it to perform their jobs. Organizations should strengthen their virtualized services.
Unmanaged Device Access – Because of the COVID-19 situation, remote workers may have no previous experience of working remotely, and may not have computers or laptops issued by their companies. Even if they were provisioned with a desktop previously, how well are they connecting to the network remotely?
Remote Access Denial of Service – With almost all employees working remotely, a denial of service against remote access portals has a far greater impact on business operations. For instance, repeated failed login attempts against an account can lock that user out. If an attacker scripts this action across many different users, it can cause a widespread account lockout.
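The lockout pattern described above is visible in remote access logs before it becomes a business outage. The following Python script is an added example, not code from the original post: it parses constructed VPN login log lines (the "timestamp user= src= result=" layout is an assumption; real gateways each use their own format), flags any source address whose failed logins touch many distinct accounts within a sliding window, and reports whether the resulting lockouts cluster into a wave rather than a single user mistyping a password.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample VPN login log (not real data). One source, 203.0.113.5, fails
# twice against each of five accounts and locks each one out within a minute; a
# second user, grace, mistypes once from her own address and then succeeds.
SAMPLE_LOG = """\
2020-03-30T08:00:01Z user=alice src=203.0.113.5 result=FAIL
2020-03-30T08:00:03Z user=alice src=203.0.113.5 result=FAIL
2020-03-30T08:00:05Z user=alice src=203.0.113.5 result=LOCKOUT
2020-03-30T08:00:11Z user=bob src=203.0.113.5 result=FAIL
2020-03-30T08:00:13Z user=bob src=203.0.113.5 result=FAIL
2020-03-30T08:00:15Z user=bob src=203.0.113.5 result=LOCKOUT
2020-03-30T08:00:21Z user=carol src=203.0.113.5 result=FAIL
2020-03-30T08:00:23Z user=carol src=203.0.113.5 result=FAIL
2020-03-30T08:00:25Z user=carol src=203.0.113.5 result=LOCKOUT
2020-03-30T08:00:31Z user=dave src=203.0.113.5 result=FAIL
2020-03-30T08:00:33Z user=dave src=203.0.113.5 result=FAIL
2020-03-30T08:00:35Z user=dave src=203.0.113.5 result=LOCKOUT
2020-03-30T08:00:41Z user=erin src=203.0.113.5 result=FAIL
2020-03-30T08:00:43Z user=erin src=203.0.113.5 result=FAIL
2020-03-30T08:00:45Z user=erin src=203.0.113.5 result=LOCKOUT
2020-03-30T08:05:10Z user=grace src=198.51.100.7 result=FAIL
2020-03-30T08:05:20Z user=grace src=198.51.100.7 result=SUCCESS
"""

# Assumed line layout for this example; adapt the pattern to the real gateway format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def spraying_sources(events, window_seconds=300, min_users=5):
    """Map each source whose failures hit at least `min_users` distinct accounts inside
    any sliding window to the peak number of distinct accounts it touched."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] in ("FAIL", "LOCKOUT"):
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        in_window = Counter()  # user -> failures currently inside the window
        lo, peak = 0, 0
        for e in evs:
            in_window[e["user"]] += 1
            # Evict events older than the window ending at e.
            while (e["ts"] - evs[lo]["ts"]).total_seconds() > window_seconds:
                old = evs[lo]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            flagged[src] = peak
    return flagged


def lockout_wave(events, window_seconds=300, min_lockouts=3):
    """Peak number of LOCKOUT events inside any sliding window, and whether that peak
    reaches the threshold that separates a widespread lockout from a single user."""
    lockouts = [e for e in events if e["result"] == "LOCKOUT"]
    lo, peak = 0, 0
    for hi, e in enumerate(lockouts):
        while (e["ts"] - lockouts[lo]["ts"]).total_seconds() > window_seconds:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return {"peak_lockouts": peak, "wave": peak >= min_lockouts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sources spraying accounts:", spraying_sources(evs))
    print("lockout wave:", lockout_wave(evs))
```

Both detections are keyed on time windows rather than on raw counts, so a handful of genuine typos spread across a day does not trip them, while a scripted run that walks a user list does. The window and thresholds are starting points to tune against a portal's normal failure rate; the value of the check is that it tells the help desk a burst of lockouts is one source working through accounts, not dozens of employees forgetting passwords at once.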
Remote Control Access Models
In the face of these threats, organizations should focus on building strong security checks at the edge of their networks. They need to focus on protecting identities and applications to adapt to a remote and distributed workforce. Organizations can restrict unauthorized access to remote access solutions by implementing the following measures:
Multi-factor Authentication: Organizations should implement MFA on all resources to reduce the chance of network access through password spraying, credential stuffing and phishing attacks. A security testing company should ensure that testers review all external corporate resources, including cloud services and their configurations.
Device Trust: Organizations should also encourage MFA and combine it with device trust. Testers should verify that there is a method to validate the connecting device and confirm that it is a managed device assigned to the employee.
Cloud Visibility – Make sure that teams receive logs from cloud providers and regularly review them for unauthorized access and data exfiltration. Organizations should assess and review all configurations on a regular basis to limit unauthorized access.
Unauthorized Cloud Services – Employees should use company-approved solutions for file storage and document management rather than unauthorized third-party services, so that sensitive company data is protected and monitored by corporate security controls.
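The MFA and device trust points above only pay off when they are combined into one access decision. The following Python snippet is an added example, not code from the original post or from any product: it models a remote access request with assumed attribute names (`mfa_method`, `mfa_verified`, `device_managed`) and a constructed list of sensitive resources, and shows how requiring MFA everywhere, treating SMS as a weak factor, and demanding a managed device for sensitive resources fit together in a single policy check.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed data model for a remote access request. Identity providers and
# gateways expose their own attribute names; these are assumptions for the example.
@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_method: Optional[str]   # None if no second factor was presented; else "sms", "push", "fido2"
    mfa_verified: bool          # True only if the second factor actually succeeded
    device_managed: bool        # True if the device is enrolled in corporate device management


# Constructed classifications for the example; an organization maintains its own.
SENSITIVE_RESOURCES = {"hr-portal", "finance-db"}
WEAK_FACTORS = {"sms"}  # factors the post notes have been exploited before


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny" | "step_up", reasons) for one request.

    The order of checks is the policy: MFA is mandatory on every resource, then
    sensitive resources additionally require a managed device and a strong factor,
    and an unmanaged device reaches non-sensitive resources only with a reason
    recorded so reviewers can see how much unmanaged access is happening."""
    if req.mfa_method is None or not req.mfa_verified:
        return "deny", ["mfa_required_on_all_resources"]
    if req.resource in SENSITIVE_RESOURCES:
        if not req.device_managed:
            return "deny", ["sensitive_resource_requires_managed_device"]
        if req.mfa_method in WEAK_FACTORS:
            # Session is not refused outright; the user is asked for a stronger factor.
            return "step_up", ["weak_factor_for_sensitive_resource"]
    reasons = [] if req.device_managed else ["unmanaged_device_limited_access"]
    return "allow", reasons


if __name__ == "__main__":
    # Constructed requests covering each branch of the policy.
    for req in (
        AccessRequest("alice", "wiki", None, False, True),
        AccessRequest("bob", "finance-db", "sms", True, True),
        AccessRequest("carol", "finance-db", "push", True, False),
        AccessRequest("dave", "wiki", "push", True, False),
        AccessRequest("erin", "hr-portal", "fido2", True, True),
    ):
        print(req.user, req.resource, evaluate(req))
```

Returning the reasons alongside the decision is deliberate: the denial and step-up reasons are what the cloud visibility review above needs to see, since a spike in `unmanaged_device_limited_access` or `weak_factor_for_sensitive_resource` is the signal that the relaxed remote access standards are being exercised.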
Users and Administrators
User Awareness Training: Proper security awareness training should be provided to remote working employees. They should also be given guidance on phishing and passwords, and trained to use privacy screens, to limit work on confidential matters in public areas, and to secure physical assets.
Environment Drift: Security controls may weaken over time, and legacy systems may be difficult to manage. Organizations should avoid environment drift by continuously evaluating security controls through red and purple team exercises.
Secure Privileged Accounts: Domain administrators should have separate accounts and should be prohibited from using their privileged credentials for remote access. These users should gain access from Privileged Access Workstations (PAWs) dedicated to those accounts.
The sudden shift from on-premises to remote working has opened the door to new risks for some organizations. Meanwhile, employees are doing their best to make the most of working from home, spend time with their families and stay safe from the pandemic. While each organization needs to take its own unique business into account, it should engage a security testing company to put the above-mentioned security checks and remote access considerations in place, to keep operations secure and productive in these tough times, when most businesses have stopped operating.