Security Strategy, Plan, Budget

A five-step plan for managing the shift to hybrid work

Microsoft reports that MFA prevents 99.9% of attacks on user accounts – why today’s columnist, Sean Deuby of Semperis, says MFA tops his five-point list for helping companies secure the hybrid workplace. (Stephen Brashear/Getty Images)

As organizations transition into the next phase of the modern workplace, many will continue to have some type of remote work policy in place. Whether a company has a long-term remote working strategy or will shift to a hybrid office-remote environment, it’s vital that security teams stay vigilant about emerging threats and ensure their security strategy can handle the hybrid work environment.

The single largest risk for companies with remote workforces stems from insecure endpoints, such as unsanctioned devices used by employees, weakly protected home networks, open Wi-Fi networks in public places, and other vulnerabilities related to networks and hardware not under corporate control. Threat actors know the weak spots, and they target components such as virtual private networks (VPNs) that might have loose security. Additionally, many organizations that were driven by the need to get workers up-and-running quickly from home offices pivoted from exercising extreme caution around cloud service adoption to at least partially embracing these services because they make remote work easier.

In some cases, this speed took precedence over diligence in closing security gaps stemming from remote work. Many organizations use VPNs to access cloud services because they think they’re more secure based on the level of access that remote connections provide. But VPN connections aren’t always secure. Although VPNs are relatively quick to set up for an organization, they don’t offer the same security capabilities as cloud-based applications—such as Microsoft 365—that use a zero-trust model where the security of users gets tied to their identities, not their networks. And because a cloud service sees all users of an organization on VPN as essentially coming from a very small IP address range (the company’s internet gateway), security mechanisms such as Azure AD conditional access are hobbled because location-based security data isn’t relevant: If an attacker penetrates a VPN and attacks a cloud service, they too appear to operate on the corporate network rather than from their true home country.

It's easy for security pros to see the ongoing risk posed by remote work. Organizations are continuing to experience COVID-related attacks well into 2021, with phishing schemes that leverage the pandemic as a means of grabbing users’ attention among the most popular attack categories. Furthermore, hackers continue to target healthcare and pharmaceuticals companies—particularly those associated with vaccine development. In addition, supply chain attacks such as the one that impacted SolarWinds are on the rise, as attackers have realized that leveraging one intrusion to affect many systems has become a much more efficient tactic. And as ransomware continues unabated, data extortion to further strongarm its victims into paying has become the norm. 

Fortunately, organizations can fight back. Here are five steps security teams can take to help keep their modern workplaces protected.

  • Implement multi-factor authentication.

Organizations can no longer assume that just because users are on a trusted network, they are valid. They need to make sure of each user’s identity, and that requires a second factor in addition to what they know, such as a password. In modern information security, passwords are simply one of many factors that should go into determining a user’s identity. A second factor could be what they have, such as a smartphone (authenticated via an authenticator app or a text); or who they are (authenticated via fingerprint or facial recognition such as Windows Hello).

Regardless of which factors organizations or users choose, the zero-trust concept has emerged as the norm and security teams know they must add some form of additional authentication. According to Microsoft, MFA prevents 99.9% of attacks on user accounts. Encouragingly, MFA spending has increased—but often only as an aftereffect of a security breach. Here’s an idea: why not implement MFA before the company ends up in the headlines?

  • Evaluate and reduce the attack surface of Active Directory.

Most organizations still consider AD its identity backbone. Whether a user accesses the corporate network through a VPN or signs into an identity service’s web portal, the odds are good that the company uses AD to authenticate that user. Companies need to systematically identify and address security gaps in AD as a foundational part of their security posture. Otherwise, threat actors will use Active Directory as an entry point, move laterally through the organization, and devise ways to elevate privileges before dropping malware that can compromise the entire organization. 

Most large organizations that have had AD deployed for many years are naturally going to have weaknesses in their security posture, thanks to the “configuration drift” away from a minimized attack surface that occurs over time. This means attackers can more easily get in and exploit those weaknesses. Deploying a free tool such as Purple Knight can reveal indicators of exposure or compromise that an attacker can exploit. Better yet, continual scanning of the environment for unwanted changes can help stop attackers before they unleash malware. Beyond this, organizations should implement a least-privilege administrative model to remove all unnecessary administrators, lock down administrative access to the AD service by implementing administrative tiering and secure administrative workstations, and secure AD domain controllers against attack by applying recommended policies and settings.

  • Prepare for all aspects of the attack lifecycle.

In cybersecurity, most organizations focus on prevention and detection. But they need to pay equal attention to recovery. They need to know how to recover systems and data after an attack that can encrypt and/or destroy hundreds or thousands of systems within minutes. One of the important questions to ask and confirm: Can the company’s recovery processes kick in quickly following such an event?

  • Use attacker tools to enhance AD security.

Organizations can leverage a web application tool such as Bloodhound to look for attack paths to gain administrative control of their AD. BloodHound uses graph theory to reveal hidden and often unintended paths to domain dominance within an AD environment. While attackers can use the application to easily identify complex attack paths that would otherwise be impossible to quickly identify, companies can also use it to identify and eliminate those same attack paths.

  • Educate everyone in the organization.

Everyone in the organization must play a role in cybersecurity. It’s everyone’s responsibility. It’s vital to educate all employees about the proper use of technology and about the latest threat vectors. Companies also must teach users how to recognize and prevent phishing attacks because they are the most common and successful attack mode. Through effective training, organizations can create a culture that mitigates the human-factor weaknesses of data protection.

The exponential increase in remote work caused by the COVID-19 crisis has ricocheted across businesses in every sector. As companies grapple to accommodate their remote workforces by adopting or ramping up remote access capabilities and cloud-focused applications, it’s important to protect the integrity of core on-premises identity systems as the foundation of modern security. At the same time, organizations can strengthen their security stance by educating workers on how to recognize and respond to threats that might slip through their organization’s defenses.

Sean Deuby, director of services, Semperis

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.