[BreachExchange] Four Considerations For CISOs With Expanding Remote Workforces

Destry Winant destry at riskbasedsecurity.com
Wed Apr 1 10:30:59 EDT 2020


If you have ever attended an executive conference, you have probably
seen a session titled “Birds of a Feather.” The full cliché is
actually “Birds of a feather flock together,” because similar or
like-minded people generally coalesce based on ideas, interests or

CISOs like myself generally run in herds, flocks and sometimes even
gaggles. All joking aside, we do share war stories, ask each other for
advice and trust recommendations for strategies and vendors almost
implicitly, because they are based on our collective experience.
Unfortunately, the truth is that any one of us could be breached at any
time, and for any animal that could be the target of a predator, there
is safety in numbers. This is why we run in herds.

With all the news and developments around the coronavirus (COVID-19),
many of my peers have begun revisiting their disaster recovery plans to
allow workers to operate remotely and access their environments. Their
goal is to keep their organizations productive while ensuring they do
not create any unacceptable security risks.

While most disaster recovery plans focus on a single catastrophic
event, the coronavirus represents a long-term threat that might
stretch a disaster recovery model beyond what it was designed to
cover. With this in mind, I have compiled four considerations for how
to expand a remote workforce and deal with this threat — potentially for the long

1. Sensitive Data And Privacy

When enabling large numbers of employees to work remotely, CISOs need
to consider the exposure of sensitive data and the privacy of
information flowing to the remote end user's environment. Many tasks
and transactions performed by office employees involve data that
should never leave the traditional corporate perimeter.


For these situations, consider how you are protecting both the data
and the transaction itself. As a simple example, are you allowing the
data to be downloaded into a local spreadsheet over a VPN, rendering a
sensitive spreadsheet in a browser via Office 365 OneDrive documents,
or remotely rendering a desktop directly in a browser or through a
bastion host? The last option is the most secure, since the data is
only displayed: it is never rendered locally and never downloaded to
the end user's device. While the risk might be low for web
applications, Win32 applications operating over protocol tunneling can
expose data outside of any pre-authorized network zone. Therefore, we
need to consider both how we enable remote employees and which
datasets they are working with.

2. Shadow IT With Free Tools

For some organizations, employees have been asked to work remotely but
have not been given the proper tools for a variety of reasons. These
include cost, lack of authority by geographic region or simply lack of

This leaves employees, or even local IT staff, to download free remote
access solutions to solve the problem. These free tools lack the
monitoring, authentication and security model necessary to protect
against an incident. In addition, if employees pick their own tools,
you could be facing a plethora of remote access solutions and a
mountain of shadow IT problems that are simply unmanageable.

If remote access is being requested for your organization, find a
single scalable and secure tool for the entire organization. Many
vendors are offering multiple months free to manage this crisis, and
if the solution works well, it might be a permanent solution to a
growing problem. This is especially true for any privileged access
performed by remote employees or even vendors.

3. Bring Your Own Device (BYOD)

Many information technology organizations simply do not have enough
assets to equip all the remote employees that now need access.
Unfortunately, the usual resolution is to allow employees to use their
own devices with corporate-issued VPN or secure remote access
technology to solve the problem.

For many CISOs, this is simply an unacceptable risk. With no
traditional security controls like antivirus or vulnerability
assessment on these devices, there is no way to mitigate the threats
they carry while they are connected and unmanaged. And if these
devices are shared among family members, the risk of malware from a
simple online game increases considerably when the same device is used
to connect to potentially sensitive data.

If BYOD is your only recourse, ensure your remote access technology
does not use a VPN or any local client, does not do any protocol
tunneling, and renders all remote sessions in a browser. This holds
even for remote web applications. It minimizes the device's exposure
to the corporate network and leaves no network path that could be used
to compromise additional assets.

4. Privileged Remote Access

There is a strong chance that if the coronavirus has affected your
organization, then some of the employees being asked to work remotely
will need privileged access to resources. This means that once they
establish a remote session, the credentials they need to access and
operate a resource are administrative, root or power-user credentials.
If they are typing those credentials remotely, then the credentials
are exposed to the local computer, where any malware or attacker can
capture them.

Consider using a remote access solution that performs credential
injection from a password safe or password vault. The remote access
solution detects the session itself, and attribute-based access
control automatically injects the proper privileged credentials into
the session on the remote side so the user can continue. No
credentials, especially the password, ever leave the organization, and
none are typed in. They are managed centrally and can even be changed
after every session, so the threat of a privileged credential being
exposed remotely is mitigated.
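The credential-injection pattern described above, modelled in code as an added example (this is not code from the article or from any vendor's product). The vault, the managed target, the attribute-based policy and the class names are all constructed stand-ins; the point it demonstrates is that the privileged password is fetched and used only inside the broker, the remote user receives just a session handle, and the password is rotated when the session closes.

```python
import secrets
from dataclasses import dataclass


class Vault:
    """Stand-in for a password safe: the only place the secret is stored."""

    def __init__(self, initial):
        self._store = dict(initial)

    def fetch(self, account):
        return self._store[account]

    def rotate(self, account):
        # Generate a fresh random password for the account and store it.
        self._store[account] = secrets.token_urlsafe(24)
        return self._store[account]


class Target:
    """Stand-in for a managed host that validates a username/password pair."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def login(self, account, password):
        return self._accounts.get(account) == password

    def set_password(self, account, password):
        self._accounts[account] = password


# Constructed attribute-based policy: (role, resource) -> privileged account
# the broker may inject. A missing or None entry means no privileged access.
POLICY = {
    ("dba", "db01"): "root",
    ("helpdesk", "db01"): None,
}


@dataclass(frozen=True)
class Session:
    """What the remote user receives: an opaque handle, never the credential."""

    session_id: str
    user: str
    resource: str
    account: str


class Broker:
    """Remote access broker that injects credentials server-side."""

    def __init__(self, vault, targets):
        self.vault = vault
        self.targets = targets
        self._open = {}

    def open_session(self, user, role, resource):
        # Attribute-based decision: which privileged account, if any.
        account = POLICY.get((role, resource))
        if account is None:
            return None
        # The password is fetched and used here, inside the broker, and is
        # never placed in the Session object returned to the remote user.
        password = self.vault.fetch(account)
        if not self.targets[resource].login(account, password):
            return None
        session = Session(secrets.token_hex(8), user, resource, account)
        self._open[session.session_id] = session
        return session

    def close_session(self, session_id):
        # Rotate the credential after every session so that anything captured
        # during the session is useless afterwards.
        session = self._open.pop(session_id)
        new_password = self.vault.rotate(session.account)
        self.targets[session.resource].set_password(session.account, new_password)
        return session


if __name__ == "__main__":
    vault = Vault({"root": "constructed-initial-password"})
    target = Target({"root": "constructed-initial-password"})
    broker = Broker(vault, {"db01": target})
    print("helpdesk ->", broker.open_session("alice", "helpdesk", "db01"))
    session = broker.open_session("alice", "dba", "db01")
    print("dba ->", session)
    broker.close_session(session.session_id)
    print("old password still valid:", target.login("root", "constructed-initial-password"))
```

A session handle carries the user, resource and account for audit purposes only; a real deployment would also record the session and stream or record its content, which the model leaves out.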

As we ramp up users' access, we should consider the risks. A few
simple steps will ensure these changes do not become an unacceptable
liability. They are not hard to implement, and they will ensure the
herd does not become a victim of the changes we need to make in order
to manage the threats of this pandemic.
