How Employers Should Secure Remote Working Environments

The COVID-19 pandemic has triggered a dramatic digital transformation of the workplace. Some employees must work remotely using whatever means are at their disposal. Remote work isn’t possible without cloud-based productivity software. An increasing reliance on such software can result in the emergence of a shadow network, reduced transparency, ineffective governance, and limited control over personal or private information. This policy and standards vacuum can be actively exploited by adversaries.

The expedient solution for corporations, organizations, and governments has been providing employees with a laptop, firewall, and VPN connection to access workplace systems. This solution can be inadequate for protecting sensitive information without additional safeguards being put in place. Complying with a conventional security policy that only relies on encryption is neither acceptable nor efficient. Relying only on a VPN is not a best practice, nor does it comply with existing and evolving standards.

Efficacy

There are potential problems with employees connecting to the Internet through their home router, using their phone to tether or hotspot, or using public WiFi - especially with a personal device. Employers need to consider that using personal Internet connectivity is not ideal for these important reasons:

  • the company no longer has visibility on the infrastructure
  • the company loses governance, which introduces legal implications for public and private sector executives under the Financial Administration Act (FAA), Privacy Act, Sarbanes-Oxley Act (SOX), or Personal Information Protection and Electronic Documents Act (PIPEDA)
  • employees are entitled to individual remuneration for using personal infrastructure
  • the company cannot take advantage of corporate data plans and significant cost savings
  • security monitoring of personal infrastructure by the organization is prohibited by law
  • the quality of service (QoS) is poor, bandwidth is marginal, and resiliency is fragile, negatively impacting productivity
  • poor QoS leads employees to use other means to conduct their work and share sensitive information - a shadow network can emerge and create significant security vulnerabilities

Vulnerabilities and Exploitation

While a virtual private network (VPN) and computer system hardening are important components of a secure remote work solution, they are insufficient. Providing a foreign VPN for sensitive investigations exposes employees to risks. What they need is a managed attribution service from a trustworthy service provider.

VPNs are not as secure as you may think.

VPN services provide some security at the presentation layer but neglect the application, session, transport, network, data-link and physical layers. Although traffic is encrypted, there is no control over the route that packets take from one point in a network to a specific destination server. In this sense, they are not true private networks. Traffic-flow analysis of even the best-encrypted traffic yields plenty of intelligence. With a VPN, companies don't own, control, or have visibility of the infrastructure or traffic between remote workers and corporate offices. This creates a problem.

Conventional security solutions are ineffective against advanced persistent threats (APT). Remote workers relying on VPNs to access the global Internet are susceptible to distributed denial-of-service (DDoS) attacks - cyberattacks in which the perpetrator(s) seek to make a network unavailable to its intended users by overwhelming the host infrastructure with a flood of Internet traffic. The risk of compromise when relying on a VPN is significant if employees use the same device to surf the web, interact on social media, and answer emails without a split-tunnel VPN. This creates a wide attack surface. Even a dedicated hardened computer with restricted VPN access remains susceptible to cyberattacks. A VPN is useless if the endpoint itself is compromised.

A company should not put all its trust in encryption. Any cryptosystem is susceptible to cryptanalysis, and flaws in VPN implementations are routinely discovered. VPNs are also being deliberately and successfully targeted at scale by nation-state and criminal actors precisely because so many employees now use them. DHS, CISA, NCSC, FBI, and NSA have all issued warnings about the exploitation of VPNs. Even high-grade encryption systems offer no better protection than commercial VPNs: while VPN vulnerabilities become known and patched, exploitation of High Assurance Internet Protocol Encryptors (HAIPE) is rarely revealed, and prolonged exposure is common. This has resulted in a false sense of security.

Cellular systems, such as 5G, are outperforming most home and corporate Internet connections, making tethering and hotspots more common. Cellular systems are susceptible to a variety of attacks, including:

  • forcing 5G/4G LTE phones to drop to Global System for Mobile Communications (GSM) networks through interference, in order to compromise communication encryption
  • phishing attacks
  • redirection to malicious sites from which hijacking malware can be installed
  • trojanizing popular applications to allow surveillance and control
  • offering free WiFi or rogue cell sites to conduct man-in-the-middle attacks
  • SIM swap scams, which exploit a mobile service provider's ability to seamlessly port a telephone number to a device containing a different subscriber identity module (SIM) - a feature intended for customers who have lost their phone, had it stolen, or are switching to a new phone
  • downloading malware onto the SIM card
  • baseband attacks - remote exploitation of memory corruption in cellular protocol stacks - that monitor incoming and outgoing calls, place calls, send and intercept short messages, intercept IP traffic, and turn an iPhone into a remotely activated microphone by enabling its auto-answer capability for incoming calls
  • Signalling System 7 (SS7) exploitation, which lets an adversary redirect calls or text messages (SMS) to a phone number under their control in order to intercept or manipulate communications - interception of SMS messages gives adversaries the authentication codes used for multi-factor authentication

Solution

Employers should subscribe to a private network service with trusted routing from the employees' remote devices to the company servers. This will help to ensure control plane security, routing integrity, and high-assurance delivery standards. The solution should provide multi-factor identification, authentication, and authorization at all network layers.

The chosen system should, among other things:

  • secure billing information and individual privacy
  • provide a priority cellular connection (4G/5G encryption) with higher bandwidth for availability and reliability
  • be resilient to denial-of-service attacks
  • be compliant and transparent
  • deploy managed Internet connectivity to each remote user
  • deliver enhanced security, including malware protection and anomaly detection
  • provide multi-factor authentication and enhanced identification
  • provide geofencing, a firewall service, and a remote wipe security feature
  • have verified supply chain security

The management of the chosen system should be free of foreign ownership, control, or influence (FOCI) and comply with supply chain security requirements for information technology. Data should only travel through secure hosting facilities in encrypted form, using a Commercial National Security Algorithm Suite (CNSA) approved system.

The answer is not just one product or standard but a system and the application of best practices.
