Telecommuting: Remote Access and Cybersecurity
This is the third installment of our ongoing series on Remote IT Asset Management during a global health crisis. By now, it's very clear that the coronavirus pandemic is having a massive impact on our society. For businesses, it imposes a lot of challenges, one of them being the rapid transition to telework and the necessity for system administrators to provide remote access to company servers.
Amid this giant wave of disruption, one thing has unfortunately remained the same: the willingness of cybercriminals to exploit society's misfortune to obstruct business, deceive users and steal proprietary data.
From CIOs to system administrators and end users, everyone should remain vigilant and prepare for cyberattacks before they happen. This sort of incident is very difficult to respond to once it has spread; just like the coronavirus itself, it is best prevented rather than treated. Any additional interruption of business continuity can scare customers, dissolve trust and cause bad publicity.
In a crisis, especially a prolonged one, IT managers run the risk of making mistakes they would not have made otherwise. Attackers might cut sysadmins off from their own servers while they wreak havoc on the company network, obtain sensitive data or install ransomware. Another risk is standing up systems quickly without thinking about proper security measures: as one recent article showed, a badly configured public IT helpdesk, rapidly deployed to support remote working, can hand attackers unauthorized remote access. Out-of-band verification of the legitimacy of a user request (for example, walking over to a colleague's desk) is not so simple anymore now that everybody is working from home.
To counter this, it is of utmost importance during times of remote work to have the right solutions in place to Know Your IT, so that you can respond immediately on the basis of up-to-date IT asset and network information. You can't protect what you can't see.
In our first blog post about Remote IT Asset Management, we offered guidance and resources to maintain visibility of your remote assets and how best to manage them with Lansweeper. In our second blog post, we looked at common threat vectors and provided some ideas for improving cybersecurity around ransomware. Now we continue with tips on remaining vigilant for possible DDoS attacks and improving end-user security.
How to Monitor for DDoS Attacks
Now more than ever, the internet is being used by governments, organizations and people alike to stay connected. Vodafone has reported a 50% surge in European internet use, and even Netflix has been asked to cut its bitrate for 14 days to relieve the strain on the networks.
During an unprecedented period of peak traffic, the risk posed by a DDoS attack grows accordingly. When the available bandwidth is already being pushed to its maximum, it does not take much to cause an outage: an attack that would be absorbed under normal load can push a saturated link or server over the edge.
The U.S. Department of Health and Human Services recently suffered a DDoS attack aimed at slowing down the agency's services amid the government's rollout of its coronavirus response. We already mentioned that even hospitals are being targeted with ransomware. This goes to show how low cybercriminals will go.
With this massive shift to teleworking at scale, VPN endpoints (the public ports the VPN protocol listens on) become an attractive target for DDoS campaigns. Right now, VPN servers are the main gateway keeping business going, and servers that were previously shielded from the internet may now be exposed to allow remote work. Keeping these connections stable and secure should be the number-one IT priority for most organizations that shifted to working from home. Make sure all your VPN software, on servers and clients alike, is running the latest update, since publicly exposed VPN gateways with known, unpatched vulnerabilities are a favorite way in. You can use this report to check which version of VPN software is installed on clients and servers and update where necessary.
Another thing to monitor is the performance of your critical servers. Lansweeper can remotely monitor server performance and alert you when certain load criteria are met over a period of time.
Monitoring the event logs of important servers is just as important for detecting suspicious activity. Create event log alerts to notify you as soon as a critical event is scanned. By combining Windows event log scanning targets with email alerts, you will be notified within minutes when vital assets are having difficulties, for example a burst of failed logons or an account lockout on a VPN or file server.
Many of your users who are now teleworking will log in during what would previously have been flagged as 'suspicious' hours. For example, with schools closed, coworkers may start working in the evening once the kids are in bed. Rather than alerting on the hour alone, cross-reference server logon times with Lansweeper's remote asset uptime tracking: a logon that lines up with the user's own workstation being powered on is probably that user, while a logon at 3 a.m. from a workstation that has been off since the previous afternoon deserves a closer look.
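To make the two checks above concrete (critical-event alerts, and logon times cross-referenced with asset uptime), here is a small worked example. It is added for this post and is not Lansweeper code; the event records, the pipe-delimited format, the uptime windows and the shortlist of "critical" event IDs are all constructed for illustration. The logic is what an alert rule would do: flag a burst of failed logons from one source, flag the event IDs you never want to see silently, and flag a successful logon whose workstation was not even powered on at the time.

```python
"""Added example: alert logic over Windows Security events plus asset uptime.
Illustrative code, not Lansweeper's; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records collected from one file server, one per line:
# "timestamp|EventID|account|client workstation|source IP".
# 4624 = successful logon, 4625 = failed logon, 4740 = account locked out.
# A "-" workstation means the event carried no usable workstation name.
SAMPLE_EVENTS = """\
2020-03-30T21:05:12|4624|alice|WS-ALICE|10.0.5.21
2020-03-30T22:40:03|4624|alice|WS-ALICE|10.0.5.21
2020-03-31T03:10:00|4624|bob|WS-BOB|10.0.5.33
2020-03-31T08:00:01|4625|administrator|-|203.0.113.7
2020-03-31T08:00:09|4625|administrator|-|203.0.113.7
2020-03-31T08:00:17|4625|administrator|-|203.0.113.7
2020-03-31T08:00:25|4625|administrator|-|203.0.113.7
2020-03-31T08:00:33|4625|administrator|-|203.0.113.7
2020-03-31T08:00:41|4740|administrator|-|203.0.113.7
2020-03-31T09:15:44|4625|carol|WS-CAROL|10.0.5.40
"""

# Constructed uptime windows per workstation: (boot time, shutdown time), None = still up.
SAMPLE_UPTIME = {
    "WS-ALICE": [(datetime(2020, 3, 30, 20, 30), datetime(2020, 3, 31, 0, 15))],
    "WS-BOB":   [(datetime(2020, 3, 30, 8, 0), datetime(2020, 3, 30, 18, 5))],
    "WS-CAROL": [(datetime(2020, 3, 31, 8, 45), None)],
}

# Assumed shortlist of IDs that always deserve an alert:
# 4740 lockout, 1102 audit log cleared, 4720 user created, 4732 member added to local group.
CRITICAL_EVENT_IDS = {4740, 1102, 4720, 4732}


def parse_events(text):
    """Turn the constructed pipe-delimited lines into dicts with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, host, src = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "account": account, "host": host, "src": src})
    return events


def critical_events(events):
    return [e for e in events if e["id"] in CRITICAL_EVENT_IDS]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(account, source IP, count) for each pair with >= threshold failures inside one window."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["account"], e["src"])].append(e["time"])
    bursts = []
    for (account, src), times in by_key.items():
        times.sort()
        for i, start in enumerate(times):  # slide a window starting at each failure
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                bursts.append((account, src, count))
                break
    return bursts


def logons_outside_uptime(events, uptime):
    """Successful logons whose client workstation was not powered on at that moment."""
    flagged = []
    for e in events:
        if e["id"] != 4624:
            continue
        windows = uptime.get(e["host"], [])
        up = any(start <= e["time"] and (end is None or e["time"] <= end)
                 for start, end in windows)
        if not up:
            flagged.append((e["account"], e["host"], e["time"].isoformat()))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in critical_events(evs):
        print(f"CRITICAL event {e['id']} for {e['account']} from {e['src']} at {e['time']}")
    for account, src, n in failed_logon_bursts(evs):
        print(f"BURST {n} failed logons for {account} from {src}")
    for account, host, when in logons_outside_uptime(evs, SAMPLE_UPTIME):
        print(f"ODD logon by {account} via {host} at {when}: workstation was not up")
```

Alice's evening logons pass because WS-ALICE was up; Bob's 03:10 logon is flagged because his workstation had been off since the previous afternoon, which is exactly the case where the time of day alone would have produced a false positive in one direction or a miss in the other.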
How to Improve Remote End-user Security
Working from home probably also means that employees will have to rely on their personal devices (computers, smartphones, tablets, plus whatever internet access hardware they have at home) to set up VPN connections to the organization's servers. The trouble is that these lack the security controls already built into office networks, such as managed antivirus software, customized firewalls and automatic online backup solutions.
End users are the last line of defense against security breaches. Educating them on how best to secure their home network, which emails to ignore and which websites to avoid is something IT should focus on, especially with a newly remote workforce. There will doubtless be an uptick in helpdesk ticket volume, with more users being remote for the first time and fewer opportunities for ad hoc questions.
To reduce confusion among users and the security issues that follow from it, provide security awareness training to all employees to guard against phishing scams and other social engineering attacks, which are used to steal login credentials and other sensitive information. Also consider implementing two-factor or multi-factor authentication (2FA/MFA) so that a lost or stolen password alone is not enough to get in.
You can educate and inform your end users by sharing policies tuned to your environment, for example a dedicated work-from-home section of the knowledgebase that covers best practices such as only using corporate endpoints for work purposes.
A specific example to warn your users about is the tendency to share pictures of company video conferences on social media. Attackers can use the details visible in such pictures to harvest names and email addresses, or to join the meeting by copying the meeting ID shown in the browser address bar or window title.
Are all users using complex passwords? Consider implementing MFA if you have not already done so. You can also use Lansweeper to check the password complexity settings of your Office 365 users.
Are there users who have not logged in recently? Maybe they need help. You can run this report to check the last logon times of users. Additionally, you can use our asset uptime tracking to check device activity and last reboot time.
If an end user has elevated permissions, they may have been tempted to work around the IT department's guidelines and install their own applications. Lansweeper features several reports to help you combat this: a report to quickly find all unauthorized administrators in your network, a report to track software changes in the last seven days, and a report to find installed software that is not authorized. You can use our deployment module to uninstall any unwanted software remotely.
What if an endpoint is stolen? Are all endpoint hard drives encrypted where necessary? Audit your endpoints for BitLocker drive encryption and rest easier.
The last thing we want to draw your attention to: with fewer or no staff at the office or data center, have you done all you could to put network monitoring in place to enhance security and help with network continuity? Did someone bridge the VPN and connect personal devices to it? Consider setting up our new 'Asset Radar' feature to watch for new devices the moment they connect to the network and alert you. Even if you aren't there, with Lansweeper you still can be.
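Two of the checks above, finding unauthorized administrators plus unauthorized or recently changed software, and watching for devices that appear on the network, are easy to reason about with a small amount of code. The example below is added for this post and is not Lansweeper's implementation of its reports or of Asset Radar; the admin group memberships, software inventory, approved-software list, asset inventory, corporate OUI list and ARP-style snapshot lines are all constructed. The first half audits a point-in-time inventory against policy; the second half keeps first-seen state across sweeps so that an alert fires only the first time an unknown MAC address shows up.

```python
"""Added example: (1) audit local admins and installed software against policy,
(2) first-seen tracking of MAC addresses against an asset inventory.
Illustrative code, not Lansweeper's; every data set below is constructed."""
import json
import re
from datetime import date, timedelta

SCAN_DATE = date(2020, 3, 31)  # assumed date of the scan

# --- Part 1: admins and software --------------------------------------------------
# Local Administrators group members per host, as a scanner would report them.
LOCAL_ADMINS = {
    "WS-ALICE": {"CORP\\Domain Admins", "Administrator", "CORP\\alice"},
    "WS-BOB":   {"CORP\\Domain Admins", "Administrator"},
    "WS-CAROL": {"CORP\\Domain Admins", "Administrator", "WS-CAROL\\helpdesk-tmp"},
}
ALLOWED_ADMINS = {"CORP\\Domain Admins", "Administrator", "CORP\\Workstation Admins"}  # assumed policy

# Installed software as (host, display name, install date). Names deliberately vary in form.
SOFTWARE = [
    ("WS-ALICE", "Microsoft Office 365 ProPlus", date(2019, 11, 2)),
    ("WS-ALICE", "uTorrent 3.5.5", date(2020, 3, 27)),
    ("WS-BOB",   "Zoom 4.6.9", date(2020, 3, 29)),
    ("WS-BOB",   "TeamViewer 15", date(2020, 3, 26)),
    ("WS-CAROL", "ZOOM", date(2020, 3, 30)),
    ("WS-CAROL", "Google Chrome", date(2020, 2, 1)),
    ("WS-CAROL", "Spotify 1.1", date(2020, 1, 15)),
]
APPROVED_SOFTWARE = {"microsoft office 365 proplus", "zoom", "google chrome"}  # assumed catalogue


def normalize(name):
    """Lower-case and drop a trailing version token so 'Zoom 4.6.9' and 'ZOOM' compare equal."""
    words = name.lower().split()
    if words and any(ch.isdigit() for ch in words[-1]):
        words = words[:-1]
    return " ".join(words)


def unauthorized_admins(admins=LOCAL_ADMINS, allowed=ALLOWED_ADMINS):
    return {host: sorted(m - allowed) for host, m in admins.items() if m - allowed}


def recent_changes(software=SOFTWARE, days=7, today=SCAN_DATE):
    cutoff = today - timedelta(days=days)
    return [(h, n) for h, n, d in software if cutoff <= d <= today]


def unauthorized_software(software=SOFTWARE, approved=APPROVED_SOFTWARE):
    return [(h, n) for h, n, _ in software if normalize(n) not in approved]


def software_findings(software=SOFTWARE, approved=APPROVED_SOFTWARE, days=7, today=SCAN_DATE):
    """Unapproved software, rated 'high' when it also appeared within the last `days` days."""
    recent = set(recent_changes(software, days, today))
    findings = [("high" if (h, n) in recent else "medium", h, n)
                for h, n in unauthorized_software(software, approved)]
    return sorted(findings)  # 'high' sorts before 'medium'


# --- Part 2: new devices on the network ------------------------------------------
INVENTORY = {  # managed assets: normalized MAC -> hostname
    "00:50:56:a1:22:01": "FILESRV01",
    "3c:52:82:10:aa:01": "WS-ALICE",
    "3c:52:82:10:aa:02": "WS-BOB",
}
CORPORATE_OUIS = {"00:50:56", "3c:52:82"}  # assumed; real code would consult the IEEE OUI registry

# ARP-table-style sweeps, "timestamp ip mac", with deliberately mixed MAC notation.
SNAPSHOT_T1 = """\
2020-03-30T08:00:00 10.0.5.10 00:50:56:A1:22:01
2020-03-30T08:00:00 10.0.5.21 3c:52:82:10:aa:01
2020-03-30T08:00:00 10.0.5.33 3C-52-82-10-AA-02
"""
SNAPSHOT_T2 = """\
2020-03-31T19:30:00 10.0.5.10 00:50:56:A1:22:01
2020-03-31T19:30:00 10.0.5.21 3c:52:82:10:aa:01
2020-03-31T19:30:00 10.0.5.78 3C-52-82-10-AA-09
2020-03-31T19:30:00 10.0.5.77 a4-5e-60-11-22-33
"""
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw):
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"unparseable MAC: {raw!r}")
    return mac


def parse_snapshot(text):
    return [(ts, ip, normalize_mac(mac)) for ts, ip, mac in
            (line.split() for line in text.strip().splitlines())]


def update_first_seen(state, rows):
    """Record each MAC in `state` (a JSON-serializable dict); return MACs seen for the first time."""
    new = []
    for ts, ip, mac in rows:
        if mac not in state:
            state[mac] = {"first_seen": ts, "last_seen": ts, "ip": ip}
            new.append(mac)
        else:
            state[mac].update(last_seen=ts, ip=ip)
    return new


def classify(mac, inventory=INVENTORY, ouis=CORPORATE_OUIS):
    if mac in inventory:
        return "managed"
    return "unscanned-corporate-hardware" if mac[:8] in ouis else "unknown-device"


def alerts_for(new_macs, state, inventory=INVENTORY, ouis=CORPORATE_OUIS):
    """One alert per newly seen MAC that is not already a managed asset."""
    return [{"mac": m, "ip": state[m]["ip"], "first_seen": state[m]["first_seen"],
             "category": classify(m, inventory, ouis)}
            for m in new_macs if classify(m, inventory, ouis) != "managed"]


if __name__ == "__main__":
    print("unauthorized admins:", unauthorized_admins())
    print("software findings:", software_findings())
    state = {}  # would be loaded with json.load() between sweeps
    alerts_for(update_first_seen(state, parse_snapshot(SNAPSHOT_T1)), state)  # baseline: all managed
    for a in alerts_for(update_first_seen(state, parse_snapshot(SNAPSHOT_T2)), state):
        print("NEW DEVICE", a)
    open_state = json.dumps(state)  # persist for the next sweep
```

On a real Windows estate the admin membership would come from something like `Get-LocalGroupMember -Group Administrators` on each host, and the software list from the uninstall registry keys; the point of the code is the comparison, not the collection. Note the two categories for an unknown MAC: one with a corporate hardware OUI (probably a machine you own but have not scanned yet) and one with a foreign OUI (a personal device, or something bridged in through a VPN client), which is the case you want paged on.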
Hopefully, this has given you some ideas of how Lansweeper can help improve the cybersecurity of your remote workforce to make sure that your organization can keep on running under these new conditions. As stated above, it all boils down to our mantra when it comes to cybersecurity: You can't protect what you don't know you have.
If you want to dig deeper, we also recommend this great guide by NIST, Special Publication 800-46, on best practices for Telework, Remote Access, and Bring Your Own Device (BYOD) Security.
Share Your Story
Meanwhile, we are a community, so feel free to share your ideas and suggestions on dealing with this situation. You can join the ongoing Remote IT Asset Management discussion on our forum.
If you have an interesting story to share on how you coped with this sudden change, and which systems you promptly put in place to keep the IT lights on, don't hesitate to reach out to us using the form below. We can set up an interview, or feature you in a guest blog post showcasing your inventiveness to our community.
Like most of you, the entire Lansweeper team is currently working from home as we continue to improve and support Lansweeper. From our family to yours, we wish you a safe and healthy few months as the world slowly gets back to normal.