Securing SOHOs, Remote Workers and Your Private Data Network

Mobile and small office/home office (SOHO) workers require connectivity to the same resources your campus-based, firewall-protected employees regularly access from the data center, the private network, and now increasingly the cloud. This poses a problem and a risk: network IT departments have low visibility into the configurations, security defenses, and points of access of the employees and devices reaching that data remotely.

SOHO and mobile employee workstations consist of affordable, consumer-oriented network equipment (often BYOD) and security software, none of which is as sophisticated, protectable and secure as the computing tools in corporate offices. Many IT departments, smaller offices, and remote workers depend on public Wi-Fi, inexpensive home-based routers, iffy VPN use, and basic-AV-protected computers to protect their confidential internal and customer data at the edge.

The equipment used in the outlying areas of your network represents the weak link for hackers, the low-hanging fruit, increasing the overall security risk for the organization and its B2B/B2C partners. Common risks include spying, infection of connected devices, and the ransoming of the wider network ecosystem. Compromised endpoint network equipment such as computers and routers can set the stage for sophisticated botnet attacks and for spread to other systems, networks and servers, including those of partners.

Are you going to regularly mobilize truckloads of technicians out to every possible remote router site to try to secure these new connections? More sophisticated security equipment requires technical expertise, something most home office workers and many branch offices lack. Constant truck rolls to every distributed site add up from an overall cost standpoint. Bolting on security through software patches can be a struggle, especially when managing updates and renewals across several security vendors and a busy workforce.

In response to these security and cost challenges, best practices for protecting remote equipment endpoints include:

  • Frequent, automatic software updates that don’t harass business-focused, non-technical home office workers. Leverage security-as-a-service (SECaaS) to rapidly orchestrate and automate advanced security and smart cyber risk management.
  • A virtual firewall as a service (FWaaS) that blocks unwanted traffic from your defined and controllable network endpoints, including wandering user devices.
  • A VPN, or similar secure tunnel, that segments ISP traffic from private network traffic. This VPN capability should be “always on,” noninvasively coating the attack surface and protecting company-used devices from breach and deeper infection.
  • Multifactor authentication (MFA), which helps to ensure the person or system trying to access a device, network or system is the same person or device authorized for access. MFA includes passwords, security tokens, and, in some cases, biometric identification.
  • Cloaking of a device’s and network’s unique identifiers or presence, making it difficult for other people and devices in range to detect.
  • Encryption and private circuit use to mitigate outsiders from viewing, stealing or ransoming sensitive data.
  • Device hardening, so the endpoint can block legacy or unnecessary ports and services that act as doors for easy infiltration.
  • DNS filtering: category-based block and allow lists (often color-coded in management consoles), enforced by preconfiguring devices with a software agent so that lookups of dangerous sites and other malicious network entities are refused before a connection is ever made.
  • Avoidance of direct peer-to-peer computing or peer-to-private-server communication approaches. Remote Desktop Protocol and similar P2P network services are an easy gameboard for hackers. RDP sessions store credentials, which can be stolen and wielded in “pass the hash” attacks. If you must use P2P apps, it’s critical to orchestrate advanced, layered security mechanisms, including identity and access control, encryption, and a zero trust architecture.
  • Seamless support of the latest Wi-Fi authentication and encryption standards, which can help to protect on-device data and access points.
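The DNS-filtering item above describes a block/allow list enforced on the device before a connection is made. The following is an added illustration of how such a policy is evaluated (it is not OPAQ’s code, and the domains and categories in the lists are constructed for the example). It shows the two details a filtering agent has to get right: query names are canonicalized (case, trailing dot, whitespace) before matching, and a block entry applies to every subdomain beneath it unless a more specific allow entry overrides it.

```python
"""Minimal DNS-filtering policy evaluator.

Added example, not OPAQ product code. BLOCKLIST and ALLOWLIST are constructed
sample data; a real agent would load category feeds from the filtering service.
"""
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample category lists (hypothetical domains).
BLOCKLIST = {
    "malware": {"evil-updates.example", "dropper.example.net"},
    "phishing": {"login-verify.example.org"},
}
# Explicit allow entries override a block, e.g. one legitimate host under a
# domain that is otherwise blocked.
ALLOWLIST = {"safe.dropper.example.net"}


@dataclass(frozen=True)
class Decision:
    domain: str                 # canonicalized query name
    allowed: bool
    category: Optional[str]     # block category, "allowlisted", "invalid", or None
    matched: Optional[str]      # the list entry that produced the decision


def normalize(name: str) -> str:
    """Canonicalize a DNS name: strip whitespace and trailing dot, lowercase."""
    return name.strip().rstrip(".").lower()


def _suffixes(name: str) -> Iterator[str]:
    """Yield the name and every parent domain, most specific first.

    'a.b.example' -> 'a.b.example', 'b.example', 'example'
    """
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def evaluate(query_name: str) -> Decision:
    """Return the filtering decision for one DNS query name."""
    name = normalize(query_name)
    if not name:
        # An empty or dot-only name is malformed; refuse rather than guess.
        return Decision(name, False, "invalid", None)

    # Allow entries win over block entries, and apply to subdomains too.
    for candidate in _suffixes(name):
        if candidate in ALLOWLIST:
            return Decision(name, True, "allowlisted", candidate)

    # Block entries: the most specific matching entry determines the category.
    for candidate in _suffixes(name):
        for category, entries in BLOCKLIST.items():
            if candidate in entries:
                return Decision(name, False, category, candidate)

    return Decision(name, True, None, None)


if __name__ == "__main__":
    for q in ["DROPPER.EXAMPLE.NET.", "cdn.dropper.example.net",
              "safe.dropper.example.net", "example.net", " "]:
        print(q.strip() or "<empty>", "->", evaluate(q))
```

Note that the parent-domain walk is what makes `cdn.dropper.example.net` fall under the `dropper.example.net` block entry without the list having to enumerate every hostname, and why an allow entry must be checked first: otherwise the same walk would block the explicitly permitted host.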

Securing Your Mobile, Remote Workforce

Every digitally transforming organization has its traveling users, the consummate contributors, the mobile warriors. They are a worrisome potential target for close-encounter cyber-takeovers.

Wandering human endpoints access different networks. They use whatever means available to keep their device batteries charged and to stay connected. Sometimes these individuals work in crowded, cramped seating areas where strangers are in physical proximity or router range.

Common behaviors that put remote worker security at risk include:

  • Connecting via unsecured, unencrypted Wi-Fi, or failing to authenticate through the corporate VPN while working from home, in a hotel, or at a coffee shop. Without the filtering and blocking of a leading firewall or VPN service, the employee can mistakenly land on a phony site or host (e.g., a man-in-the-middle attack), or click on a link from which malware is delivered, infecting the device and from there seeking to spread.
  • Directly accessing SaaS applications in the cloud beyond the visibility and control of corporate IT security. Employees are at risk of man-in-the-middle attacks in this scenario, and hackers can steal credentials from the endpoint device and use that private data to gain unauthorized entry to cloud servers or back into the enterprise network.
  • Physically plugging into public charging stations, or attaching untrusted devices including other computers, flash drives and USB ports. Conversely, someone else might gain physical access to the network endpoint device and plug in a flash drive or perform some other type of direct tampering.
  • Falling for phishing attacks. Social engineering schemes are getting more effective at fooling curious, emotional human beings into clicking on links that appear to be legitimate but aren’t. These spoofed addresses, phishing messages and look-alike websites appear authentic but surreptitiously reroute the user to an ersatz sign-in page that harvests credentials.

Your mobile warriors need help identifying and avoiding these deceptive man- and woman-in-the-middle attacks.

OPAQ Provides a Secure Access Service Edge Through Security-as-a-Service

Your network’s edge needs easier IT security reinforcement: a cost-effective, circulating burst of easily distributed security-as-a-service software from the cloud.

OPAQ provides strong endpoint protection as a service to ensure secure access at the network edge, empowering what Gartner calls the secure access service edge (SASE). Harness your expanding workforce. To support your remote employees and protect your network and business ecosystem, reinforce protection at the network endpoint and workstation level with help from the cloud.

Learn more.

8 Achievable Steps to Remote Security.

Visit our secure access service edge (SASE) page.

Why Wireless Security Protocols Won’t Protect Your Roaming Remote Workers

Whether it’s in a coffee shop, airport or crowded mall, wireless networks present a range of security risks not inherent in wired networks. Wireless access points (WAPs) and wireless routers broadcast data over the air in every direction. In hotspot environments where this traffic is unencrypted, any eavesdropping device within a limited range can easily pick off the signals and steal information.

The threat, while diminished, isn’t eliminated when WEP, WPA or WPA2 wireless encryption standards are employed to protect the data. WEP encryption can be cracked in minutes, and hackers have also compromised modern routers using WPA and WPA2. Organizations can patch the vulnerabilities in their WPA and WPA2 protection, but the threat doesn’t end there.

Using readily available wireless sniffing devices such as the popular WiFi Pineapple, determined hackers can spoof the WiFi network as part of a man-in-the-middle attack to steal user credentials, insert malware, and compromise machines, whether the user is still in the café or has returned home or to a nearby office.

Outside the enterprise firewall, VPNs help with these mobile worker scenarios, but remote endpoint security relies heavily on the human element: what people do, and what they don’t do. Even the best employee will temporarily disconnect from the corporate VPN to access the Internet directly, exacerbating the risk of infection from spyware, malicious sites or embedded files. Users go into coffee shops and airports and board trains and then bang away on their keyboards and do work. They make sustenance purchases. With the right level of caffeination, they can be rather productive in their contributions of digital and perhaps even audio- or video-delivered work. They’re focused on the job at hand, and they don’t want to be hassled by too many security steps in order to maintain a productive pace. You know the drill: log into the VPN, complete two-factor authentication, and then, after any extended human pause such as deep thought or a bathroom break, do it all over again just to resume your work.

In addition, wireless data encryption and VPNs, even when used, can’t stop shoulder surfing, and unattended machines are a big no-no, since thumb-drive malware insertions can be executed in seconds.

According to IDC research, more than 70% of breaches start at the endpoint. From there, a hacked employee, or a hacker or malware piloting the compromised device, might use a “secure” tunnel to access your organization’s Active Directory or a customer communication tool. The compromised endpoint can then lead to wide-scale network infection, including the loss of data, network control, reputation and business.

Distributed Network Security Requires Endpoint Visibility

Do you know all the assets connecting to your network? The pathways they’re taking, and the payloads, suspicious behavioral tics or traffic storms they’re carrying? Can you recognize immediately who is trying to connect to your network, using which app, on which device, and quickly authenticate identity and monitor and control for appropriate network usage?

Traditionally, on-device endpoint protection is managed sporadically and inconsistently, which is not an effective way to maintain a shrewd Zero Trust approach across your network. Ransomware, bots and malware have a way of morphing to get past static, outdated antivirus protection at the endpoints. In the majority of cases, especially those involving BYOD, the hard drive isn’t encrypted and the VPN isn’t used. Exposure to ransomware threats increases outside the private network – for example, a largely unprotected mobile employee opening email or entering data into your network from a crowded restaurant or a public hotel. Intrusions such as spyware, password theft, and open-port assaults can all result from a malicious presence lurking, listening and entering from a nearby or remote location.

Do you really want an employee plugging his laptop into a public charging station at an airport and then reconnecting directly to your live conference, private network or datacenter without first going through detection and authentication? Do you want to leave network pathways open so new worms, viruses, malware and other hacker schemes can spread? Firewall and VPN defenses are vulnerable to this lateral exploitation. Workers, whether mobile or in the office, as well as certain types of computing architectures, can inadvertently leave open windows for malware and file-less malware schemes such as social engineering ploys to spread deeper into the network. As if that’s not enough, denial-of-service (DoS) attacks are increasingly targeting vulnerable remote users as an easy entry point (sometimes via Remote Desktop Protocol, or RDP), and from there they can flood your network.

Advanced Always-On Endpoint Protection

You can’t rely on wireless security protocols, disciplined VPN use, and static antivirus protection to secure your remote workers as they run the gauntlet of cybersecurity threats outside your firewall. Your endpoint protection must be always-on, even when your people aren’t.

Through efficiencies in the cloud, OPAQ enables organizations of all sizes to bolster and continuously refresh remote security with:

  • Always-on end-user protection and advanced malware detection and prevention.
  • Strong authentication, including multi-factor and/or directory-based.
  • Encrypted communication over SSL or VPN, as well as on-device hard-drive encryption.
  • Suspicious-activity alerts about what a company device has connected to.
  • Smart processes and safeguards applied before the device connects to your organization’s private networks, including a sensible screensaver timeout policy.
  • Microsegmentation, which provides additional layers of security against the spread of malware or unauthorized network control. Microsegmentation works by isolating workloads from one another and creating secure network zones that prevent infected hosts from connecting to each other or to the core network. It produces separate secure tunnels for users who are roaming and for those who have been authenticated for more private network and data access. In the past, the cost and effort of network segmentation, weighed against the risk of lateral infection, was too much for many organizations to bear, but the cloud has enabled organizations to implement such advanced security controls more efficiently and cost-effectively.
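The last two items above, checks applied before a device is admitted and separate zones for roaming versus authenticated users, together form a pre-connection posture decision. The following is an added example of such a decision written in Python; it is not OPAQ’s product logic, and the posture-report fields, the policy thresholds (screensaver timeout, signature age, blocked service ports) and the zone names are assumptions made for the illustration. It also covers the device-hardening item from the earlier best-practices list, by treating an endpoint that is still listening on a legacy remote-access port as a hard failure.

```python
"""Pre-connection posture check with zone assignment.

Added example, not OPAQ code. The Posture fields, thresholds and zone names
below are assumptions for this illustration; the sample reports are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed policy thresholds.
MAX_SCREENSAVER_TIMEOUT_S = 600           # lock after at most 10 minutes idle
MAX_SIGNATURE_AGE = timedelta(days=2)     # AV definitions must be this fresh
BLOCKED_LISTENING_PORTS = {3389: "rdp", 445: "smb", 23: "telnet"}


@dataclass
class Posture:
    """One posture report as the on-device agent would send it (assumed shape)."""
    device_id: str
    disk_encrypted: bool
    vpn_connected: bool
    mfa_completed: bool
    screensaver_timeout_s: int            # 0 means the screen lock is disabled
    av_signature_time: datetime
    listening_ports: List[int] = field(default_factory=list)


@dataclass
class Verdict:
    zone: str            # "quarantine", "roaming" or "private"
    findings: List[str]  # why the device did not reach the "private" zone


def assess(p: Posture, now: datetime) -> Verdict:
    """Map a posture report to a network zone.

    quarantine: a hard failure (unencrypted disk, stale AV, exposed legacy
                service, missing screen lock); remediation traffic only.
    roaming:    healthy device without tunnel and/or MFA; Internet egress
                through the always-on protection, no private-network access.
    private:    all checks pass, tunnel up and MFA completed.
    """
    hard: List[str] = []
    if not p.disk_encrypted:
        hard.append("disk not encrypted")
    if now - p.av_signature_time > MAX_SIGNATURE_AGE:
        hard.append("AV signatures stale")
    for port in sorted(set(p.listening_ports) & BLOCKED_LISTENING_PORTS.keys()):
        hard.append(f"blocked service listening: {BLOCKED_LISTENING_PORTS[port]}/{port}")
    # A timeout of 0 (lock disabled) is as much a violation as one that is too long.
    if p.screensaver_timeout_s <= 0 or p.screensaver_timeout_s > MAX_SCREENSAVER_TIMEOUT_S:
        hard.append("screensaver timeout out of policy")
    if hard:
        return Verdict("quarantine", hard)

    if p.vpn_connected and p.mfa_completed:
        return Verdict("private", [])

    soft: List[str] = []
    if not p.vpn_connected:
        soft.append("vpn not connected")
    if not p.mfa_completed:
        soft.append("mfa not completed")
    return Verdict("roaming", soft)


# Constructed sample data: a fixed "now" and three devices.
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def sample_reports() -> List[Posture]:
    fresh = SAMPLE_NOW - timedelta(hours=6)
    return [
        Posture("lap-1", True, True, True, 300, fresh, [22]),            # fully compliant
        Posture("lap-2", True, False, False, 300, fresh, []),            # healthy, not tunnelled
        Posture("lap-3", False, True, True, 0, SAMPLE_NOW - timedelta(days=5), [3389, 80]),
    ]


def run_demo() -> Dict[str, str]:
    """Assess every sample device; returns {device_id: zone}."""
    return {p.device_id: assess(p, SAMPLE_NOW).zone for p in sample_reports()}


if __name__ == "__main__":
    for p in sample_reports():
        v = assess(p, SAMPLE_NOW)
        print(p.device_id, v.zone, v.findings)
```

The ordering matters: hard failures are evaluated before the tunnel and MFA state, so a device that has a valid VPN session and a completed MFA challenge but is listening on RDP or has no screen lock still lands in quarantine rather than the private zone, which is the point of checking posture before, not after, granting private-network access.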

Reinforce your security at the endpoints and reduce your attack surface with just a push. Apply smart, on-device security-as-a-service at the endpoint without compromising user experience or performance.

Learn more
Read the OPAQ Securing Remote Workers report.

Why Endpoint Security Is Crucial in Our ‘WAN Without Boundaries’ World

Networking: It’s not just about the physical communication structure you have to maintain. Networking is a way to grow your business, your brand, your market potential.

Leveraging the open Internet and social apps in the cloud can be more cost-effective than travel, face-to-face meetings, and complete reliance on communication and collaboration over expensive private networks. However, employees are not always within the secure enterprise firewall/private WAN as they perform the functions of their jobs. Think electronic payment systems, for example, or public hot spots where the employee doesn’t first connect to your VPN. This venturing outside the perimeter leaves them – and potentially your entire company – exposed to hostile elements. Bad actors, someone or something that tries to deceive, steal or destroy, are lurking out there and trying to break in through the same Internet we’re using.

Your customers’ privacy, data, and finances are at risk, too. Data hosters and managed service providers are targeted regularly. When cracked, they lose their customers’ information and trust. The pilfered private information can be sold on the Dark Web, which is an anonymous realm where more than half of the web domains practice illicit activities.

A stateful firewall, one that inspects network traffic and packets, is not enough. Hackers, cybercriminals and AIs can successfully attack through deeply embedded, well-concealed, or file-less schemes. In addition, firewalls are not good at stopping infections once a breach has occurred. You also have to be able to inspect credentials and network behavior so intruders are not able to cover their tracks, control your systems, and ruin your business and reputation.

Unfortunate Security Scenarios for Your Distributed Network and Workforce

So, realizing the threat, do you send teams out to all your branch offices for equipment reconfiguration? Maybe … But what do you do the next time, when the hackers start to exploit vulnerabilities in your soon-to-be legacy protection system? A lot can go wrong during this catch-up period.

  • Hackers, targeting easy prey, get in due to delays in applying a patch for a remote access protocol. They borrow administrator privileges and create new phony accounts. It’s a deep hack. Your data, your customers’ data, has become theirs.
  • An employee in a small remote office, prone to email-driven social engineering ploys, gets infected. Any peer-to-peer communications from the employee’s machine can spread malware or misleading information to other users and systems.
  • Joe plugs his phone into a public charging station … or maybe he’s using a wireless network at a subway coffee shop where a sneaky neighboring device is monitoring traffic on the shared network. Oops. He forgot to log into the encrypted VPN before enjoying his espresso drink and clicking a digital link. Joe’s phone (the endpoint) thereafter starts acting suspiciously inside your own network, whether you can see this happening or not.
  • Poor Joe. In another scenario, he’s at an all-week conference and in the habit of leaving his laptop open and “on” in the hotel room when he’s not there. His system’s apps are still on, and the room’s visitor doesn’t even have to know Joe’s screensaver password. Just a little plug-in and the unauthorized person can fool your network into believing phony instructions from the endpoint are authentic.

Do you want to wait for the next truck roll to bolt on security against these very possible scenarios?

Why Remote Security Is Vital for Your Growth Strategy

Endpoint security is not just about token antivirus protection on mobile devices and a reliance on the user to log into your VPN. It’s about always-on protection wherever your employees go to do business, thereby helping your organization to win in the aforementioned scenarios. You have to be able to inventory and secure all corporate-issued mobile computers and bring-your-own devices (BYODs) to ensure network performance and security. Doing this only at the network equipment level makes for a porous net in fighting crime at a wider network level. Instead, mount the defense at the device level (phones, laptops, tablets), for these are the touchpoints roaming into the sometimes-hostile outside world.

Read the OPAQ report, which stresses how critical it is to:

  • Centralize team security by automatically inventorying remote and mobile endpoints inside a security-conscious dashboard.
  • Apply next-generation endpoint protection including strong authentication, encrypted communication, anti-virus management, anti-spyware, advanced malware filtering and protection, and microsegmentation.
  • Protect users with an always-on VPN that secures them while on the public Internet as well as while accessing private enterprise data, with separate clean corridors for each.

Read the Securing Remote Workers report.