OUT OF SIGHT, out of mind, the saying goes. Thanks to COVID-19, however, most channel pros are positively obsessed with what they can’t see these days.
That’s because their clients are still mostly working remotely, beyond the reach of the email gateways, content filtering systems, firewalls, and other technologies that protect them at the office. “Once users are out of that environment and they’re using their devices at home, we no longer have any visibility or control,” says Stanley Kaytovich, director of operations at QWERTY Concepts, an MSP in Piscataway, N.J.
Cybercriminals, moreover, are well aware of that fact. Indeed, malware attacks generally jumped 358% in 2020 and ransomware attempts specifically rose 435%, according to endpoint and mobile security vendor Deep Instinct, due in part to the rise of work-from-home (WFH) computing.
Confronted without warning last spring by the coronavirus pandemic, IT providers improvised remote work arrangements for their customers in a hurry. They’ve been refining the security measures they put in place in those same hectic days ever since. Along the way, they’ve learned a lot about what makes WFH security unique and how best to construct a layered work-from-home security strategy.
Continual Headaches
Inadequate visibility and control are just part of what makes securing home-based employees so difficult. Their ever-changing, unpredictable hours as they juggle childcare with work also make it difficult to apply the pattern analysis many security solutions rely on to distinguish normal from suspicious user behavior.
Worse yet, many SMBs have been relying on Microsoft’s Remote Desktop Protocol to connect homebound employees with office resources despite RDP’s well-known vulnerabilities. In fact, security software maker Kaspersky observed a 242% leap in brute force attacks against RDP in 2020. “Honeypot” servers set up by researchers at security vendor Sophos last year, meanwhile, each received a median of 467,000 RDP login attempts over a 30-day period. That’s about 600 an hour, or one every six seconds.
Unauthorized apps have been a continual headache too, according to Lawrence Cruciana, president of Corporate Information Technologies, a provider of security and managed IT services headquartered in Charlotte, N.C. For example, he notes, users have been holding meetings on conferencing solutions other than approved systems like Teams and Zoom. “We started seeing that kind of blossom in software audits,” he says. “There were some we’d never even heard of.”
The worst problem of all, though, is also the most familiar to channel pros: users doing business on home PCs with consumer rather than business-grade security software onboard, or perhaps none at all. Making matters thornier, remote workers often switch back and forth between corporate and personal devices at will—and without notifying their employer.
“In many cases, when employees are using their own systems you might not know about it until after credentials have been compromised [and] information has been breached,” notes Kevin Beaver, founder and principal consultant of Principle Logic, a security consultancy based in Acworth, Ga.
To address issues like those, channel pros must embrace a combination of tools and techniques built around four fundamental objectives.
1. Protect the Data
Ultimately, everything in your work-from-home security stack is about protecting data, because data is the most valuable and coveted asset your customers have. Keeping data safe begins with encrypting it, according to Nancy Sabino, CEO of SabinoCompTech, a security and support services provider in Katy, Texas.
“Whether it’s a laptop or a desktop, if it’s going home with a user then it needs to be encrypted, because someone could break into their house and steal that device,” she says. Encrypting data also allows companies to avoid the financial fallout and reputation damage that inevitably follow publicly disclosing a breach, something most data privacy regulations require businesses to do.
BitLocker, a drive encryption feature provided free with Windows 10 Pro and Windows 10 Enterprise licenses, is an obvious place to start, but protects only data “at rest” on an individual device. A wide variety of business-oriented encryption solutions keep data free from snooping “in transit” between devices as well.
2. Protect the Endpoint
It probably goes without saying that every desktop, laptop, or other device used for work at home should have an enterprise-caliber endpoint security system on it and at least a local firewall enabled. Cruciana recommends making DNS filtering software mandatory too, and further advises choosing a product that users can’t easily shut off or bypass. “It’s not that we want to be the internet police, but we want to make sure that we’re not introducing additional risk,” he says.
Software for managing endpoints, like an RMM solution, is critical as well, Cruciana adds. “At a minimum, we’re doing daily software and configuration audits of the device, [and] limiting and restricting the use of administrative access on those endpoints so that users aren’t able to go and install software and make changes.”
Sabino, for her part, leans on mobile device management software to ensure that she can lock or wipe work-from-home hardware if it’s lost or stolen, or if its owner changes jobs. Though Sabino uses Intune, Microsoft’s single-tenant MDM offering, alternatives with the multitenant management capabilities MSPs require are available from vendors like VMware and SolarWinds MSP.
Cruciana, meanwhile, employed an increasingly popular shortcut last year to secure devices for some of his clients with especially strict regulatory requirements: a virtual desktop solution. Products like Windows Virtual Desktop centralize potentially vulnerable resources in a heavily fortified Microsoft data center. “In the right client set, that obviated the need for a lot of the stuff on the endpoint,” Cruciana notes.
3. Protect the Network
Perhaps the most unnerving moments in securing WFH clients are when you know someone is connected to their network, but you’re not sure who. That makes identity and access management software, or at least a good password management system, especially important with remote users.
“We find a lot of people are writing down their passwords on Post-it notes,” says Kaytovich. Too many of them have been using short, obvious passwords too, so QWERTY now pushes users to adopt more effective replacements. “They don’t like typing in long and complex passwords, but ultimately the longer and the more complicated the password, the harder it is to breach,” Kaytovich notes.
Multifactor authentication software can further help channel pros prevent imposters from slipping into customer networks. According to Microsoft, in fact, organizations protected by MFA are 99.9% less likely to be compromised. Kaytovich is a believer in the technology as well but, like many channel pros, struggles to convince clients that the extra safety makes the hassle worthwhile.
“For the last three months, we’ve been trying to roll out MFA for [Microsoft] 365 to all of our clients, and we’re getting a lot of resistance,” he says. “People don’t want to enter codes. They don’t want to use their mobile device.” The only answer, he and others say, is to tell customers that like it or not, MFA is an obligatory fact of life these days, whether you’re accessing your personal checking account online or a corporate file share.
RDP, by contrast, is increasingly avoidable, and most channel pros have phased it out in favor of VPN services. Where that isn’t possible, secure RDP services from providers like PC Matic and TruGrid enable end users to employ the Microsoft protocol more safely.
Kaytovich, meanwhile, explicitly bars WFH users on personal hardware from utilizing RDP or VPN. “If this was a business-owned device, it would inherit the permissions and the security policies from the business network. If it’s a home device, unfortunately, there’s no way for us, without managing it, to be able to enforce that,” he says. In such cases, therefore, Kaytovich lets employees open SSL-protected connections to the network via the remote access software included with the RMM platform his company uses, which also requires MFA.
Sabino further mitigates the risks that come from linking personal LANs to corporate ones by separating business traffic on home networks from everything else—especially if the user in question has teenaged children. “I have a teenager at home myself,” she says. “They’re getting smarter and they’re starting to learn how to get past certain security [measures].” Most consumer routers have built-in segmentation functionality these days, Sabino adds.
4. Protect the Users
Strictly speaking, the goal in this part of a work-from-home security strategy isn’t protecting users from attackers so much as protecting businesses from their users. That begins with setting clear rules of the remote work road, and enforcing them rigorously.
“Your documented security policies are worthless unless you have something to back them up,” Beaver observes.
Written policies concerning personal hardware are particularly critical, according to Sabino, who insists that her customers give remote workers two options: Use a company-owned machine or let us secure your machine as if your employer owned it. “If you want to use your personal device, then the same controls have to be applied to it as if it were a company device,” she says, adding that home-based employees must also consent to have their personal device wiped should they take a job elsewhere.
Like many channel pros, Cruciana puts end users through continuous security awareness training as well. “We’ve seen a four-digit rise in the volume of highly targeted, very, very convincing phishing emails toward our clients,” he says. Teaching them how to recognize fake messages is at least as effective a defense as the latest email security solution.
“They have to be kind of both our first and last line of defense against what these threat actors want to accomplish,” says Cruciana of users.
But then again, when has that not been the case? Work-from-home computing has complicated security in many ways, but it hasn’t changed the field completely. “The same requirements that we had back in the old normal [are] still the case today in the new normal,” Cruciana says. “We just have some new hurdles and obstacles.”
Eating Your Own Security Dog Food
Desk jockeys everywhere have been working from home since the arrival of COVID-19 last year. That very much includes channel pros, most of whom have been providing help desk services and performing remote maintenance from a collection of living rooms and kitchen tables instead of cubicles at the office. Protecting those technicians from attackers who were already targeting MSPs before the pandemic has been as big a priority for many channel pros as safeguarding customers.
Nancy Sabino, of SabinoCompTech, has employed a simple principle to guide that process: Embrace every security tool and policy she recommends to customers within her own business. “If we’re asking our clients to do something, we ourselves have to test it and implement it within our own environment,” she says.
Stanley Kaytovich, of QWERTY Concepts, has taken a similar approach, enforcing multifactor authentication among his technicians and deploying an automated security awareness training solution that tests users for susceptibility to phishing attempts. The system quickly fooled someone who thought he knew better, in fact—Kaytovich himself.
“I kind of just wasn’t thinking, and I failed this test,” he says. So far, none of his techs have made the same mistake.