https://youtu.be/YXW2X3P051M Just like fire drills, having an incident response is key to prepare for cyber-attacks.…
COVID-19 has had a significant impact on our daily lives and will continue to do so for some time to come. At Shing Digital, we are not on the front lines of fighting the virus, but we are hard at work behind the scenes, along with our peers, supporting organizations by enabling them to work at home to keep the economy working.
Some organizations are better prepared than others. While some have had work at home policies and implementations for some time, others are struggling because few (or none!) in their work force are properly setup for remote work. For others it is not even possible because of the nature of their work.
There are many ways to work from home. Some organizations utilize software as a service (SaaS) applications and can access their apps and data from anywhere. Many still have traditional applications and data that can’t simply be moved to the Cloud, especially not at a time like this.
No matter what position your organization is in, suddenly being thrust into “having” to work from home is very different than choosing to work at home. There are sets of technical and very human challenges that go with working from home. I won’t address the human challenges here, but I will address some of the technical challenges.
The biggest technical hurdle is security. Is your infrastructure ready for the influx of remote connections? Do you let your users use their personal computers or do you have company issued computers? Ideally, you would have company-issued laptops but in this COVID-19 Pandemic, that isn’t always an option.
So, what are the security risks of letting users use their personal computers?
- According to Statistics Canada, 57% of Internet users in Canada have experienced some sort of Cyber Security event.
- In total, 1 out of every 13 Internet requests leads to some sort of malware.
- Personal computer infection rates are estimated to be as high as 30% in North America.
We know that hackers have taken this opportunity to step up their attacks on users. In Cyber Security terms, we are always trying to minimize the attack surface area that is available for hackers to exploit. Suddenly, our well-planned, secure, and pin-holed sized attack areas have become the size of a city. In real time, we see the rise in attacks coming from the Internet and across VPNs. Internet-based attacks are something that we are accustom to. Attack attempts across VPNs means that users have compromised computers.
What can organizations and users do, if there is no choice but to use personal computers. Here are some tips you can adopt:
- Ensure that VPN firewalls/servers have Intrusion Detection Systems and Prevention Systems (IDS/IPS) and anti-malware systems in place and configured properly.
- Ensure users have adequate anti-malware protection on their personal computer. Free anti-virus software is not considered adequate.
- If possible, have users limit access to work related activities to a single personal computer that is not a family shared computer.
- Utilize multi-factor authentication to protect VPNs and applications.
The world certainly has changed due to COVID-19. In many ways, it has not only shone a light on the weaknesses in our Government and medical preparedness systems but also on our Cyber Security preparedness. It is also going to be hard to put the work-at-home genie back in the bottle. Users and even organizations that had not embraced the concept previously, have been thrust into it and by the time this is all over, will have adapted to it. Organizations with weak Cyber Security systems will have to make sure that it is shored up and take steps to protect against multiple vectors of attacks on an ever-increasing attack surface area.
Here is the top list of questions and answers to working from home:
Q: What options are available to work from home?
A: There are, mainly, three ways to access work resources from home: remote control applications, VPN and RDP, or RDS (and in the same breath, CITRIX) and VDI (Virtual Desktop Infrastructure). It really comes down to company policies, goals, and budgets.
Q: What are some of the remote-control applications out there.
A: There are many remote-control applications available. Some examples are: LogMeIn, SolarWinds Take Control, and TeamViewer are just to name a few.
Q: What are the advantages and disadvantages of remote-control applications?
A: The biggest advantage is that remote-control applications are easily deployed. In situation like we are in now, you simply sign-up your users, install the applications and off you go. The biggest disadvantage is that users may not understand that they are controlling their PCs and that they are unlocked. This means that if someone is at the office, they can simply watch the screen and if they wanted to take over the session. Even though this method is easy, it should be deployed with care.
Q: How does VPN and RDP work?
A: VPN and RDP are two separate technologies that can work together or apart. The most common deployment for SMBs is to have user’s VPN to the office and then RDP to remote control their desktops. The advantage of this model is that the screen remains locked so that no one can “watch” your screen. RDP is also a built-in technology in Windows operating systems and at the workstation level, does not require additional licensing.
Q: What are the advantages and disadvantages of using VPN and RDP?
A: It really depends on how it is being done. If done properly, this can work very well on a small scale for SMBs. It becomes much harder to manage when you scale up the number of employees. The other factor is what the users are using to VPN to the office. If they are using personal computers, it could pose a large security risk to the company as home PCs tend to be very insecure.
Q: What about RDP straight to my desktop from the Internet?
A: One answer: don’t do it. We apply layers of security, such as VPNs, on purpose to make it harder for hackers to attack an organization’s assets. I can go on about this topic all day but, just about, every organization that I have worked with that has used this method of remote access has been hacked at least once through this conduit.
Q: What is RDS, VDI, and Citrix
A: Remote Desktop Services, Virtual Desktop Infrastructure, and Citrix are, generally, utilized in companies that have identified the need for better deployment of shared infrastructure to cost effectively deploy these resources to users working at the office or remotely. In other words, they have identified that it costs less to deploy these methods than to have to manually set every single user up individually and then to manage them individually.
Q: What are the advantages and disadvantages of using RDS, VDI, and Citrix?
A: The biggest advantage of all these systems is efficiency and consistency of delivering work resources (I.E applications, desktops) to your users. Setting up a new user and maintaining their setup is done centrally and with less IT resources. It can also reduce workstation and laptop costs because the workloads are performed by the servers and not the endpoints. The primary disadvantage of these systems is startup costs. Server, storage, project, and licensing costs are the biggest hurdle for organizations. Out of the three, RDS, is the lowest cost to implement and license.
Q: Can I get some laptops in a hurry so that our staff can work remotely?
A: The supply chain on laptops is very tight right now. It’s not impossible and we have been able to get some for our Clients, but choice is limited.
Q: Can you setup our users on their personal computers?
A: Yes, but with caveats. We always want to make sure that personal computers are protected by, at least anti-malware software and that it is not a shared family computer.
Q: What personal anti-malware would you recommend?
A: There are many out there but stay away from free or freemium offerings such as Avast or AVG. Even Microsoft’s free offering of Defender is not good enough. If your organization doesn’t offer to extend the corporate license, here are some of the top applications: Sophos, Bitdefender, Trend Micro, and Norton. Everyone will have a differing opinion on which is the best one, but just having an adequate anti-malware application for protection is a big step forward from the free offerings.
Q: What is multi-factor authentication?
A: Multi-factor authentication (MFA) is another layer of security on top of your passwords. Weak passwords can be guessed, and even complex passwords can be stolen which is why we need MFA. MFA, if setup correctly, can be as simple as getting a notification on the user’s smartphone for them to verify that they are indeed trying to log into an organization’s assets (I.E. VPN, RDS, applications, etc).
Q: What is an example of an MFA application?
A: There are many out there. The top applications that we support are Duo Mobile, RSA, and FortiToken.
Q: Are there other considerations?
A: There are many considerations; each organization is going to be different. Talk to your Shing Digital Account Executive about setting up some time to go over your organization’s specific needs.
Work-at-Home is certainly here to stay but it doesn’t have to be complex or become a security risk. We are certainly in unprecedented times but, we are just being prepared for the next generation of workers. The next generation is already ultra-connected and can already work from anywhere. As an organization that has quite a number of Millennials on my team, it is about delivering work to them as seamlessly and securely as possible wherever they may be. If you can achieve those goals, you will maximize the talents of a generation and maybe teach some of us old dogs a few new tricks along the way. If you are curious about how to implement anything that I have talked about in this article reach out to us at Shing Digital. We’d be happy to help your organization get through this crisis and to move forward.