How to protect remote employees, or Home Office Security



The coronavirus epidemic is forcing companies and government bodies to abandon their security principles wholesale, step outside the secure perimeter and move users to remote work. Plenty has already been written about how to make that access secure and where to get free licences. We, as a cyber attack monitoring and response center, will instead describe the risks and the temporary weaknesses in perimeter protection that come with the new order of things: what to monitor, and how, when moving employees to remote work.


Dumps, leaks and home devices


The path to remote access begins with the connection. If we had plenty of time to design a genuinely secure solution, we would build whole echelons of protection:

  • Checking that connecting devices comply with security policy or, at a minimum, denying access from personal devices.
  • A certificate installed on the device, or a second authentication factor.
  • A privileged access control system that records sessions: accesses, commands and screen video.

But time is short and employees have to be moved to remote work urgently, so nobody will wait for a large rollout, the delivery of tokens or new systems, or the scaling-up of existing access. As a result, most companies end up with personal home devices, a connection protected only at the level of a configuration file (which is easily copied or guessed), and the classic username/password pair of the domain account.

This is where we enter the first circle of problems. Domain policies notwithstanding, users manage to pick "dictionary" and "rainbow" passwords, ones that fall to a wordlist or a precomputed table in minutes. Some of these coincide with personal passwords for external resources, where credential dumps are so frequent that analysing them no longer makes sense. Sometimes logins and passwords simply leak from infected personal devices, and in the new reality that compromises not just mail: it gives an attacker a foothold for further action against the infrastructure.

What we recommend monitoring:

  • Geolocation of VPN connections. The error rate of this scenario is high (especially with Opera Turbo or users actively circumventing blocks), but it still lets you spot the deputy general director (suddenly) connecting from Senegal. Every geolocation database has its own limitations and error margin, but right now it is better to overdo it.
  • Threat intelligence (TI) is an important factor. Attempts, and all the more so successful connections, from compromised hosts, anonymizers, proxies or Tor nodes can be a sign of an attack by intruders who try to cover their tracks by anonymizing the last hop.
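The geolocation and TI checks above, together with the "leaked or guessed password" scenario from the previous section, can be run over the VPN gateway's authentication log with a few lines of code. The following is an added example and not code from the original article: the log lines, the IP-to-country table, the TI list and the set of expected countries are all constructed stand-ins (in practice you would plug in a real GeoIP database and a TI feed), and the failure threshold is an assumption to be tuned.

```python
"""Triage of VPN authentication events against geolocation and threat intel.

Added example, not code from the original article. The gateway log, the
IP-to-country table, the TI list and the expected-country set below are all
constructed stand-ins; plug in a real GeoIP database and TI feed in practice.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed VPN gateway log in key=value syslog style.
VPN_LOG = """\
2020-03-23T08:01:10Z vpn-gw user=ivanov src=198.51.100.7 result=success
2020-03-23T08:02:41Z vpn-gw user=petrov src=203.0.113.9 result=failure
2020-03-23T08:02:55Z vpn-gw user=petrov src=203.0.113.9 result=failure
2020-03-23T08:03:20Z vpn-gw user=petrov src=203.0.113.9 result=failure
2020-03-23T08:03:44Z vpn-gw user=petrov src=203.0.113.9 result=success
2020-03-23T08:10:02Z vpn-gw user=sidorov src=192.0.2.33 result=success
2020-03-23T08:15:30Z vpn-gw user=ivanov src=198.51.100.7 result=success
"""

# Constructed stand-in for a GeoIP database (documentation prefixes only).
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("203.0.113.0/24"): "NL",
    ipaddress.ip_network("192.0.2.0/24"): "SN",
}
# Constructed stand-in for a TI feed: anonymizers, Tor exits, compromised hosts.
THREAT_INTEL = {"203.0.113.9": "tor-exit"}
# Assumption: the workforce is expected to connect from these countries only.
EXPECTED_COUNTRIES = {"RU"}
# Consecutive failures from one source before a success becomes suspicious.
FAILURE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Turn raw log text into a list of event dicts, skipping unparsable lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def country_of(ip):
    """Look the address up in the (stand-in) GeoIP table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), "??")


def triage(events):
    """Apply the three checks to the events in order and return the alerts."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> consecutive failed logins
    for ev in events:
        user, src, ok = ev["user"], ev["src"], ev["result"] == "success"
        key = (user, src)
        # Any touch from a TI-listed source is worth a look; a successful
        # login from one is high severity.
        if src in THREAT_INTEL:
            alerts.append({"rule": "ti-hit", "user": user, "src": src,
                           "detail": THREAT_INTEL[src],
                           "severity": "high" if ok else "medium"})
        if not ok:
            failures[key] += 1
            continue
        # Successful login from outside the expected countries.
        cc = country_of(src)
        if cc not in EXPECTED_COUNTRIES:
            alerts.append({"rule": "geo-anomaly", "user": user, "src": src,
                           "detail": cc, "severity": "medium"})
        # A run of failures followed by success looks like password guessing
        # or credential stuffing that finally worked.
        if failures[key] >= FAILURE_THRESHOLD:
            alerts.append({"rule": "failures-then-success", "user": user,
                           "src": src, "detail": f"{failures[key]} failures",
                           "severity": "high"})
        failures[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in triage(parse(VPN_LOG)):
        print(alert)
```

On the constructed log this raises a TI hit for every touch from the Tor exit, a geo anomaly for the logins from NL and SN, and a high-severity "failures-then-success" alert for the account that got in after three failed attempts from the same source. The geolocation rule is deliberately the lowest severity, since, as noted above, it is also the noisiest.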

The VPN is breached, now we protect the network


If an attacker has managed to get past the first line of defence and gain access to the VPN, our ability to identify them does not end there. Nor, unfortunately, do the problems:

  • As a rule, in the rush to get things working, excess access is granted: to entire network segments instead of the target systems.
  • Often there is no proper account management, and live system or privileged accounts are effectively available to everyone.

What to control at this stage:

  • Indirect signs of an attempt to collect data are the volume of VPN sessions, their duration and any anomalies that indicate a user is behaving unusually. Monitoring these lets you identify both internal and external incidents.
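The session-volume and duration check can be done per user against that user's own history rather than against a single global threshold, which is what keeps it from drowning in the noise of legitimately heavy users. The code below is an added example, not code from the original article: the session records are constructed (in practice they come from VPN accounting, e.g. RADIUS or gateway session logs) and the multipliers and absolute cap are assumptions to be tuned for your organisation.

```python
"""Flag VPN sessions whose duration or volume departs from the user's own baseline.

Added example, not code from the original article. The session records are
constructed; the thresholds are assumptions to be tuned per organisation.
"""
from collections import defaultdict
from statistics import median

# Constructed history: (user, date, duration_min, mb_out).
HISTORY = [
    ("ivanov", "2020-03-16", 480, 120), ("ivanov", "2020-03-17", 470, 90),
    ("ivanov", "2020-03-18", 500, 150), ("ivanov", "2020-03-19", 455, 110),
    ("ivanov", "2020-03-20", 490, 130),
    ("petrov", "2020-03-16", 420, 60), ("petrov", "2020-03-17", 430, 70),
    ("petrov", "2020-03-18", 400, 65), ("petrov", "2020-03-19", 450, 80),
    ("petrov", "2020-03-20", 410, 55),
]
# Constructed sessions from the day under review.
TODAY = [
    ("ivanov", "2020-03-23", 610, 140),
    ("petrov", "2020-03-23", 1380, 900),
    ("svc_backup", "2020-03-23", 95, 40),
]

# Assumed thresholds: multiples of the user's own median, plus an absolute
# cap on outbound volume that is suspicious for anyone.
DURATION_FACTOR = 3
VOLUME_FACTOR = 5
VOLUME_CAP_MB = 2000


def baseline(history):
    """Per-user median duration and outbound volume; median resists one-off spikes."""
    durations, volumes = defaultdict(list), defaultdict(list)
    for user, _date, minutes, mb in history:
        durations[user].append(minutes)
        volumes[user].append(mb)
    return {u: (median(durations[u]), median(volumes[u])) for u in durations}


def find_anomalies(sessions, base):
    """Return one finding per session that breaks a rule, with the reasons."""
    findings = []
    for user, date, minutes, mb in sessions:
        reasons = []
        if user not in base:
            # An account with no VPN history showing up deserves a look on its own.
            reasons.append("no-baseline")
        else:
            med_minutes, med_mb = base[user]
            if minutes > DURATION_FACTOR * med_minutes:
                reasons.append("duration")
            if mb > VOLUME_FACTOR * med_mb:
                reasons.append("volume")
        if mb > VOLUME_CAP_MB:
            reasons.append("volume-cap")
        if reasons:
            findings.append({"user": user, "date": date, "minutes": minutes,
                             "mb_out": mb, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(TODAY, baseline(HISTORY)):
        print(finding)
```

On the constructed data the user whose session ran three times longer than usual and pushed out fifteen times the usual volume is flagged on both counts, and the account that has never used the VPN before is flagged for having no baseline at all; the user whose day was merely a bit longer than normal is left alone.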

Protecting the target systems, or terminal access


Unless we are so desperately brave as to let every user straight onto their own workstation, terminal servers or user hubs usually serve as the shared or proxy environment for remote employees.

In their case the monitoring approach is exactly the same as for any critical host:

  • Analysis of host process-start logs for anomalies
  • Monitoring of remote process and service starts
  • Control of remote administration tools
  • ,

We hope to cover endpoint monitoring in the near future. But it is important to note that while the general fleet of machines usually produces a lot of false positives, in the small group of terminal servers we are normally able to work through every hit and reach a verdict.

One way or another, remote access for employees does not have to be built on expensive and complex solutions, especially at the start. And while we are designing genuinely secure access, it is important not to let the security level drift and to keep dealing with the key problems and risks. So observe hygiene in everyday life, but do not forget about information security hygiene either. And stay healthy.
