For many of us, our home has become our workplace over the past few months, and a full return to the office still appears a remote prospect.
The COVID-19 pandemic has proved that employees from across different industries can work efficiently from home. A recent PwC Survey found that 84% of employees feel able to perform their role just as effectively when working remotely as they would in the office. PwC itself expects the majority of its 22,000 UK staff to spend some of their time working remotely, even after the coronavirus crisis passes.
Enterprise businesses equip staff with mobile devices such as laptops and smart phones to perform daily tasks. This makes the workforce much more mobile but places an implicit burden on the staff to ensure that they are always online. Security is handled by the underlying operating system and supporting solutions, such as a Virtual Private Network (VPN).
While commercial VPN technology has been around since at least 1996, it has reached a new level of importance due to increasing numbers of employees accessing corporate network resources remotely.
As a result, the National Cyber Security Centre (NCSC) recently updated its advice on the use of VPNs by home workers. The advice includes a new section on the topic of “Managed Tunnels” which, as the guidance outlines, allow you to access specific services outside of the VPN. For example, they can be useful for reducing the load on networks caused by video conferencing services or where the function of an application requires it to communicate directly with the network, such as Wi-Fi captive portal helpers.
Our own research has found there remains significant concerns around the use of VPNs and their ability to provide sufficient protection against common threats.
In particular, we believe that further guidance is required for larger organisations which, in our experience, widely use third party TLS-based solutions for their manageability and extended feature sets, rather than the inbuilt IPSec-based solutions that the NCSC favours. Our own research supports the NCSC’s view that split tunnels are risky. However, we expect that this form of configuration – and the associated risks – will persist. Usability will potentially come at the expense of security where VPN configurations are concerned.
Our own research builds further on the NCSC guidance. On the issue of Captive Portal risks, for example, a compromised home-router device needs to be seen as equivalent to a captured portal, in that it can display all the same behaviours of a captive portal. It’s arguably even worse in that it doesn’t have to ‘advertise’ these behaviours and can therefore be much harder for the VPN software or user to recognize. Home Wi-Fi equipment typically falls outside the control of the business, is notoriously poorly patched and is a frequent target for large-scale attacks. This is therefore an important use-case that is not getting the attention it deserves.
Furthermore, during the process of dealing with the captive portal or compromised WiFi, it is important to recognise that the VPN is essentially unable to provide the computer with the protections the NCSC is advocating for. This therefore places VPN technology in an untenable position and leaves the business exposed to all the risks the NCSC describes.
We suggest that businesses look at how they apply best practice and configure their VPNs appropriately to balance the connectivity versus security conundrum. We would encourage organisations to revisit the trade off and consider their appetite for risk so they can apply the right processes, procedures and technology to address their business needs in their entirety. Those processes could include:
- Emergency response procedures and systems: Assume attacks will happen during this time and that successful compromises are more likely than usual. With this in mind, take some time to facilitate a planning session with key IT and security role-players to consider your response capabilities in the event of a suspected compromise or breach;
- A security support hotline: Providing users and customers with a number or address they might use to speak to someone about attacks could be a powerful tool for reducing levels of anxiety about the crisis and improving security postures;
- Back up and disaster recovery: Two real threats which have arguably escalated due to the pandemic are ransomware and Denial of Service. Take some time to review the state of your backups and the readiness of your data and disaster recovery processes;
- Equip users with the right information: Users are your first line of defense, so the better educated they are on cyber threats, the better equipped they are to help you fight incoming attacks. Exercise vigilance and share information.
In summary, we welcome the updated NCSC guidance related to VPN as it reinforces its significance for many organisations. Further, coupled with our own recent research, it highlights that it is just one consideration in any remote working security strategy.
Technical countermeasures against phishing attempts and detecting malicious activities are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios, while easy to manipulate in others.
Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behaviour. Building resilience towards social engineering attacks provides a significant line of defence.
Contributed by Stuart Reed, UK director, Orange Cyberdefense