How can you prevent cyber attacks while rapidly changing to a remote work setup?
The challenge for many companies is to change to a remote work setup on short notice and with limited preparation. What is more, critical internal systems are connected to more publicly available endpoints these days. There are some short-term actions companies can take now - and some longer-term ones that keep them secure in the long run.
Effects of the Corona Virus
The Corona Virus forced companies to close their offices or reduce on-site staff to prevent spreading the virus. Social distancing is the key to mitigating the virus, and many people are working remotely for the first time in their lives. This dramatically impacts the security of systems.
A good friend working in the public sector told me the following story yesterday. She started working remotely three weeks ago. After two weeks at home, she received access to her business e-mail account. For a few days now, she has had access to her file share, which contains important documents to work with. Everywhere, IT teams are trying to enable companies to work from home as well as possible. Of course, the quality of remote work enablement differs a lot from company to company.
In most cases, this means providing web applications for remote access. There are changes in (probably) all areas of tools that you can think of:
- Webmail clients instead of desktop tools
- Browser based file shares instead of traditional network storages
- SIP based phones instead of traditional landlines
- Online word processors instead of their traditional desktop versions
- CRM, ERP and other tools...
Certain tools, such as CMS tools for managing website content, are most likely web applications already anyway. Boundaries such as company networks do not count anymore, and security measures should not rely on them. Such measures could impact the user experience a lot (i.e. if users are locked out), or they could fail to provide any security at all because of a bad setup. To use such measures, tools like VPN connections or methodologies like Zero Trust Architecture are needed. However, building up these things takes time, energy, and good knowledge of the domain. Unfortunately, these are all things that IT departments do not necessarily have, especially these days.
Separation of critical Systems - Past and Present
Traditionally, public facing endpoints for users, such as public websites, have been separated from critical, company-internal networks responsible for manufacturing of goods, business-critical accounting or internal communication (Fig. 1, left).
The transition to cloud services has already changed this in recent years. Nowadays, the same communication tools are used for internal and external communication alike. Manufacturing processes are monitored using on-site sensors, combined with external data and presented as web dashboards for management or even customers. Business-critical calculations are outsourced because servers are cheaper in the cloud or because it is not feasible to build certain systems (hardware and software) on one's own premises (Fig. 1, right).
Fig. 1: Separation of systems previously and nowadays.
Prevent attacks on publicly available applications
The bottom line is that many applications that were only accessible internally are now open to the public. The transition from separated networks to an interconnection of everything - from production-site sensors and cloud servers to home computers - is accelerating.
All applications should be secure. But public applications need even more protection. The attack surface widens to a size that the developers may not have thought of during the planning and development of the application. These things cannot be fixed ad-hoc during the operation of the system. As a software provider, you have a shared responsibility with the operator and users of the software to keep the environment secure. Automated vulnerability scans and manual penetration tests increase the security of applications to prevent cyber attacks.
When developing a web application, DevSecOps principles help developers create secure software throughout the whole software development lifecycle. Automated security scanners such as Crashtest Security play a prominent role in checking for vulnerabilities before every software release. As a company using web applications, I need to ensure that my applications are secure, even if I did not create them myself. Any negative impact will not (only) hit the software vendor, but me in the first place, e.g. if client data gets stolen or corrupted. Security scanners help to continuously monitor all web applications in use.
Secure web applications will not only be beneficial during remote work within the Corona Crisis. The impact will stay much longer and hopefully outlast the corona virus for a more secure web.