How can you prevent cyberattacks while rapidly changing to a remote work setup?
Many companies face the challenge of changing to a remote work setup on short notice and with limited preparation. What is more, critical internal systems are connected to more publicly available endpoints these days. There are some short-term actions companies can take now, and some longer-term ones to stay secure in the long run.
Effects of the Corona Virus
The Corona Virus forced companies to close their offices or reduce on-site staff to prevent spreading the virus. Social distancing is the key to mitigating the virus, and many people work remotely for the first time in their lives. This dramatically impacts the security of systems.
A good friend working in the public sector told me the following story yesterday. She started working remotely three weeks ago. After two weeks of being home, she received access to her business e-mail account. For a few days now, she has had access to her file share, which contains important documents to work with. Everywhere, IT teams are trying to enable their companies to work from home as well as possible. Of course, the quality of remote work enablement differs a lot from company to company.
In most cases, this means providing web applications for remote access. There are changes in (probably) all areas of tools that you can think of:
- Webmail clients instead of desktop tools
- Browser-based file shares instead of traditional network storages
- SIP-based phones instead of traditional landlines
- Online word processors instead of their traditional desktop versions
- CRM, ERP and other tools…
Certain tools, such as CMS tools for managing website content, are most likely web applications already. Boundaries such as company networks do not count anymore, and security measures should not rely on them. Such network-based measures could hurt the user experience a lot (e.g. if users are locked out) or not provide any security due to a bad setup. To use them properly, tools like VPN connections or methodologies like Zero Trust Architecture are needed. However, building these up takes time, energy, and good knowledge of the domain. Unfortunately, these are all things that IT departments do not necessarily have, especially these days.
Separation of critical Systems – Past and Present
Traditionally, public-facing endpoints for users, such as public websites, have been separated from critical, company-internal networks responsible for manufacturing goods, business-critical accounting or internal communication (Fig. 1, left).
The transition to cloud services has already changed this over the last few years. Nowadays, the same communication tools are used for internal and external communication alike. Manufacturing processes are monitored using on-site sensors, combined with external data and presented as web dashboards for management or even customers. Business-critical calculations are outsourced because servers are cheaper in the cloud, or because it is not feasible to build certain systems (hardware and software) on the company's own premises (Fig. 1, right).
Fig. 1: Separation of systems previously and nowadays.
Prevent attacks on publicly available applications
The bottom line is that many applications that were only accessible internally are now open to the public. The transition from separated networks to the interconnection of everything – from production-site sensors and cloud servers to home computers – is accelerated.
All applications should be secure, but public applications need even more protection. The attack surface widens to a size that the developers may not have thought of during the application’s planning and development. These things cannot be fixed ad hoc while the system is in operation. As a software provider, you share responsibility with the software’s operator and users for keeping the environment secure. Automated vulnerability scans and manual penetration tests increase the security of applications to prevent cyberattacks.
DevSecOps principles help the developers of a web application create secure software throughout the whole software development life cycle. Automated security scanners such as Crashtest Security play a prominent role in checking for vulnerabilities before every software release. As a company using web applications, I need to ensure that my applications are secure, even if I did not create them myself. Any negative impact will not (only) hit the software vendor, but me in the first place, e.g. if client data gets stolen or corrupted. Security scanners help to continuously monitor all web applications in use.
Secure web applications will not only be beneficial during remote work within the Corona Crisis. The impact will stay much longer and hopefully outlast the coronavirus for a more secure web.