Key Security Operational Responses to the Surge in Remote Work

The debate about employees working remotely has ended for the time being. Driven by the response to the COVID-19 pandemic that is threatening life and livelihood, working-from-home is the new normal. All you have to do is look at the sharp increase in the use of remote conferencing software and accompanying skyrocketing stock prices of companies such as Zoom. As society hunkers down to ride out this pandemic, companies are rushing to enable their employees to work from home, frequently leaving the security systems that kept them safe in the office behind.

The pandemic is causing tremendous emotional turmoil, and cyber criminals are having a field day. As people thirst for information and answers, crooks are exploiting and defrauding them – primarily using sophisticated email phishing campaigns, but also more advanced approaches such as weaponized Coronavirus-themed mobile apps that steal user information as they deliver pandemic updates.

How can companies avoid serving up their users to cyber crooks? Best practices include issuing company-owned and hardened devices, enforcing the use of strong passwords and multi-factor authentication (MFA), and having employees use a virtual private network (VPN) to connect to the company firewall. However, the reality for many companies is that these measures are difficult or impossible to effectively put in play:

  • Companies may not have laptops, much less hardened ones, to issue to all employees. Additional devices, especially mobile ones, are expensive to buy and difficult to service and manage.
  • Installing, configuring and training users on MFA can be challenging, and MFA may not be supported by the systems users are accessing. Some VPN solutions provide MFA, but only for access to internal network apps. Cloud-based apps have their own MFA controls that companies don’t control.
  • What happens when users go home, connect to the VPN and access apps in the cloud? Companies are now backhauling all of that traffic to their corporate firewall for inspection, only to send it back out over the same network connection to the internet. Firewall, VPN and internet service that is sized for employees working in an office often won’t scale for a remote workforce.

As a result, many companies are faced with the unpleasant decision to either issue all employees hardened laptops and upgrade their existing firewall, VPN and internet service, or allow employees to use their personal computers (BYOD) to access internal company resources while bypassing security controls altogether for company resources in the cloud. It is easy to see how this plays right into the hands of cyber criminals who are keen to profit from this mad rush to remote work.

Fortunately, there is another option…

SASE for Secure Remote Access

The new normal, where workers are remote and apps are in the cloud, has fundamentally changed network traffic patterns, rendering existing network and security models obsolete. Traffic patterns are now inverted, forcing a change from data-center/corporate-office centric architectures to a model that pushes the security inspection and access control to the edge, where the endpoint and user are – an architecture called secure access service edge (SASE, pronounced “sassy”).

With SASE, it doesn’t matter where employees are working from (home or office), or what apps they are using (on premise or in the cloud). Why? Because users and all of their devices securely connect to a high-performance, auto-scaling security fabric in the cloud.

How can IT management pivot quickly to keep the organization running and your employees healthy and safe?

Discover why a secure access service edge (SASE) architecture is timely for shifting remote-access and remote-work requirements.

Listen to the Webcast, “Scalable Secure Remote Access for Mobile Users.”

Read the white paper, “How SASE Architecture Enables Flexible, Scalable, and Performance Remote Access for Workforces.”


SMS Hijacking: What do Midsize Enterprises Need to Know?

The security world has been buzzing recently about attacks that target text-message-based multi-factor authentication (MFA) systems. In mid-July an article in Motherboard detailed the criminal underworld that has formed around the lucrative practice, which can be used to compromise consumers’ online banking accounts, steal bitcoins, and hijack popular social media accounts. On August 1st Reddit announced that an attacker exploited SMS-based MFA to compromise several employee accounts at its cloud and source code hosting providers. This is a security issue that deserves some focus because criminals have operationalized the attack techniques involved.

How do these attacks work?

The attacks target multi-factor authentication systems that work by sending a text message to the user with a code in it that they must enter in order to access their account. The attack works by taking over the victim’s phone number, so that the attackers receive the access code instead. The most common techniques for hijacking a mobile phone number are a “SIM swap” and a “port-out scam.” In a SIM swap, the attacker convinces the phone company to associate the phone number with a different SIM card. In a port-out, the attacker convinces the phone company to transfer the number to a different phone company. These attacks can be performed by social engineering phone company employees, but may also involve corrupt insiders at the phone company who take a cut of the proceeds from the scam.

In both cases, when the attack takes place, the victim’s phone will lose service, and may receive text messages from the phone company indicating that the SIM or phone number has been moved.

What should enterprises do?

First, consider educating end users about the issue. If they receive unexpected messages indicating that their SIM has been moved and their phone won’t connect to the cellular network, they may be the target of an attack in progress, and they should contact their phone company immediately. In some cases it may be possible to dial 611 to reach the phone company even if service is not active. Some phone companies offer additional security features such as PIN codes and Port Validation that can be enabled at no additional charge.

Second, review the multifactor authentication systems that you have in use. Systems that rely on pushes to a mobile app or a hardware token aren’t vulnerable to this attack, but some MFA systems support multiple modes and allow the end user to decide which authentication mode to use. Consider deactivating modes that rely on text messages and phone calls. However, it is also important to keep perspective. Mobile-phone-based MFA is better than not having MFA at all. It’s vulnerable, but it’s another hurdle that an attacker would have to cross, and it should be adopted in places where it’s not possible to use more secure systems.
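The review described above can be scripted against an export of who has enrolled which factor. The following is an added example, not OPAQ’s code or any identity provider’s API: the enrolment data is constructed, and the factor names (`sms`, `voice`, `push`, `hardware_token`) are assumed labels. It sorts users into the categories the paragraph distinguishes, so that users with no MFA at all and users whose only factor rides on a phone number surface first, while users who have a strong factor but still allow SMS/voice fallback are flagged for having that mode disabled.

```python
"""Flag users whose second factor depends on a phone number.

Added example with constructed enrolment data; it does not call any real
identity-provider API.
"""

# Factors that ride on the phone number are defeated by a SIM swap or port-out;
# app push and hardware tokens are not (as the article notes).
PHONE_NUMBER_FACTORS = {"sms", "voice"}
STRONG_FACTORS = {"push", "hardware_token"}

# Constructed sample: user -> factors the user has enrolled.
SAMPLE_ENROLLMENTS = {
    "alice": ["push", "sms"],        # strong factor, but SMS still allowed as fallback
    "bob": ["sms"],                  # SMS is the only second factor
    "carol": ["hardware_token"],
    "dave": [],                      # no MFA at all
    "erin": ["voice", "push"],
}


def classify(factors):
    """Return a risk category for one user's enrolled factor list."""
    enrolled = set(factors)
    unknown = enrolled - PHONE_NUMBER_FACTORS - STRONG_FACTORS
    if unknown:
        raise ValueError(f"unrecognised factor type(s): {sorted(unknown)}")
    if not enrolled:
        return "no_mfa"          # worst case: even SMS would be an improvement here
    if enrolled <= PHONE_NUMBER_FACTORS:
        return "phone_only"      # hijacked number means hijacked account; add a strong factor
    if enrolled & PHONE_NUMBER_FACTORS:
        return "phone_fallback"  # strong factor exists; disable the SMS/voice mode
    return "strong_only"


def audit(enrollments):
    """Group every user by category so the weakest cases are reviewed first."""
    report = {"no_mfa": [], "phone_only": [], "phone_fallback": [], "strong_only": []}
    for user, factors in enrollments.items():
        report[classify(factors)].append(user)
    return {category: sorted(users) for category, users in report.items()}


if __name__ == "__main__":
    for category, users in audit(SAMPLE_ENROLLMENTS).items():
        print(f"{category:15s} {', '.join(users) or '-'}")
```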

Third, consider your network architecture. Organizations increasingly rely on cloud hosted systems that may be exposed to the entire Internet, whereas in the past internal corporate applications were usually hosted behind firewalls. The ‘de-perimeterized’ network requires more care regarding what services are exposed and how/where they can be accessed.

One strategy that can be effective is to lock down remote administration services in the cloud so they will only accept traffic from the egress IP address of your organization’s firewall. Administrators will then have to access your corporate VPN before they can administer your cloud, where you can enforce strong multi-factor authentication.
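The egress-IP lockdown above can be checked and applied mechanically over an inbound rule set. The following is an added example rather than OPAQ’s own tooling: the rule format is a constructed, provider-neutral stand-in for a cloud security-group export, the firewall egress address 203.0.113.10 (a documentation range) is constructed, and the list of ports treated as remote administration services is an assumption. It reports any admin-port rule whose source is wider than the egress address and produces the locked-down rule set.

```python
"""Check that cloud-hosted admin services accept traffic only from the
corporate firewall's egress address.

Added example with constructed rules; the egress IP and port list are assumptions.
"""
import ipaddress

# Ports that, for this example, count as remote administration services.
ADMIN_PORTS = {22, 3389, 5985, 5986}

# Constructed inbound rule set for one cloud host.
SAMPLE_RULES = [
    {"port": 22, "source": "0.0.0.0/0"},            # SSH open to the whole Internet
    {"port": 3389, "source": "203.0.113.10/32"},    # RDP only from the firewall egress
    {"port": 443, "source": "0.0.0.0/0"},           # public web front end, out of scope
    {"port": 5986, "source": "203.0.113.0/24"},     # WinRM from a /24 wider than egress
]


def exposed_admin_rules(rules, egress_ip):
    """Return the rules that admit an admin port from outside the egress IP."""
    egress = ipaddress.ip_network(f"{egress_ip}/32")
    exposed = []
    for rule in rules:
        if rule["port"] not in ADMIN_PORTS:
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        # Only a source that lies entirely inside the egress /32 is acceptable;
        # anything wider lets some non-corporate address reach the admin service.
        if not source.subnet_of(egress):
            exposed.append(rule)
    return exposed


def locked_down(rules, egress_ip):
    """Rewrite admin-port rules so only the firewall egress IP is allowed."""
    fixed = []
    for rule in rules:
        if rule["port"] in ADMIN_PORTS:
            fixed.append({"port": rule["port"], "source": f"{egress_ip}/32"})
        else:
            fixed.append(dict(rule))   # non-admin rules are left untouched
    return fixed


if __name__ == "__main__":
    for rule in exposed_admin_rules(SAMPLE_RULES, "203.0.113.10"):
        print(f"port {rule['port']} reachable from {rule['source']}: restrict to egress IP")
    assert not exposed_admin_rules(locked_down(SAMPLE_RULES, "203.0.113.10"), "203.0.113.10")
```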

A more secure approach is to place internal applications hosted in the cloud within your VPN. OPAQ’s unique Firewall-as-a-Service approach can connect far-flung corporate offices with data centers and clouds without the expensive overhead of deploying individual firewalls to each location or backhauling traffic to and from a corporate headquarters. We can work with you to build a network that enables your organization to efficiently adopt cloud services without losing the security capabilities of your traditional VPN.