We have users connecting our devices to their (poorly or not secured) home WiFi. It is enough to give you gray (or no) hair. We are often accused of being paranoid about security here, but are we paranoid enough?
The global switch to remote working in early 2020 gave hackers a whole new set of juicy ransomware targets. Or so says Secureworks, which throughout 2020 has, perhaps counterintuitively, insisted there has been minimal uptick in cyber activity from malicious people, stating in its research The Effect of COVID-19 on Incident …
True, but that company device still needs to connect to some form of network. If the home network already has one or more compromised devices on it, the company device can still get p4wn3d, even if you are running a closed tunnel VPN from the device for when it is connected to the office network.
A VPN is needed and helps, but you need to still make sure the device is safe from attack when it is in "strange" networks, regardless of your VPN settings.
My latest set of paranoia is, I think, user proof.
The user logs in to a secured web page and after doing the 2FA login then selects an option to open the Remote Desktop via the web page on the firewall, and the firewall hosts the connection from the firewall to the server internally and just displays it to the user via web page.
Even if the remote computer and network are utterly compromised the worst that can happen is that the information viewed on the screen can be stolen by screengrabs. No applications have any method of sending unauthorised data to the company network.
The downside is that there is no possible integration with the local PC so local devices like printers can't be mapped across if you needed to do this.
"My latest set of paranoia is, I think, user proof.
The user logs in to a secured web page and after doing the 2FA login"
...their compromised system now has access to your network.
"the worst that can happen is that the information viewed on the screen can be stolen by screengrabs"
Oh please. I can live stream on Twitch anything my PC is doing, post it on Youtube, share it with Albanians living in Northern Cyprus and breach a dozen laws even if I only use your equipment.
This security thing: tricky.
If you use Remote Desktop Gateway server you can actually disable clipboard, printer and shares. I've tried using Fortigate's web-based RDP, which does not support multi-monitors, so had to build a Remote Desktop Gateway server and create policies. Then it connects to a real remote desktop server. The idea behind that is that a VPN client is not needed. They just use the gateway settings in Microsoft's native RDP client and boom, you're in.
I've set up restrictions to only allow access to certain resources and the remote desktop servers. So if the hackers tried using an account that does not have the permissions to access the RDP servers they won't be able to log in.
I get why you use your firewall's own SSL-VPN with RDP feature to limit your exposure of Microsoft servers to the internet. Sometimes it limits the users too much from what they need to do.
"The downside is that there is no possible integration with the local PC so local devices like printers can't be mapped across if you needed to do this."
Two conflicting points of view, both excellent in their own way.
Some data is definitely hybrid. Any email from company to worker relevant to employment and copies of similar emails going the other way are both company and personal data. Depending on your relationship with your employer you may need your own copy. I'm sure it's a grey area of law. OTOH if the communication had been on paper there'd probably have been no question of the employee being forbidden to retain it.
Then there's general knowledge - all those accumulated little code snippets or scripts that an employer expects an experienced techie to have at his fingertips. Does it all have to be in the head or can some of it be preserved in some other form? And I'm sure every old-school salesman had his little black book or card index which went with him from employer to employer. In either case the employer can't expect the leaver to be brainwashed.
In my previous employment at BT, the IT security team created a little button on MS Outlook that would send a selected e-mail to the anti-malware team, and delete it from your inbox. All you had to do was identify a suspect e-mail, select it and click the button. It worked very well; though I don't know the code they used, it sounds like a good idea others should copy. Of course the users did have to recognise suspicious e-mails first (we had a training course for that too), but it was a start to taking IT Security seriously for the whole company, rather than just words like 'Security is everyone's responsibility', and suchlike.
Your assumption about who training is actually for and what it actually does is as invalid as assuming HR is there to protect you. HR is there to protect the business from the employees, and training is to ensure that they have valid reasons to discipline/terminate, as you become accountable for the subject of the training. The training has no need to be connected to reality or education in any way, shape or form -- if there is unpleasantness, and you were at the bottom of it, they have proof in writing that you know better, and so they have a legit right to get rid of you. This, even if the actual training had absolutely nothing to do with the title of the course. If the course title is "Internet Security", and the instructions are simply how to make a bacon sandwich, you now are responsible for internet security in spite of the material presented -- and the training would actually be useful (for once). Did you *really* think a swarm of HR drones could make useful internet security training, anyway?
Our users do that anyway.
We've had a flood of phishing emails being forwarded from the users, asking if it is truly a phishing email. And I am glad they do, I'd rather deal with a dozen requests for confirmation every day than one incident of a user using their own initiative and reacting to a phishing email.
We have seen an up-tick in malware attachments, generally in .doc or .xls files and those formats are automatically stripped from emails by policy, regardless of whether they are infected or not. Some users complain that they aren't getting information from suppliers or customers, but we are hard and ask them to inform the other party that file formats that have been declared dangerous for over a decade will not arrive and they should use more modern formats that are less* vulnerable.
* I don't think any format is 100% safe, you can just try and minimize the chances of compromise.
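The attachment-stripping policy described in the comment above, as an added example in Python (not the commenter's own mail filter). The .doc/.xls rule is the one stated in the thread; the matching MIME types, the OLE2 magic-byte check and the sample message are assumptions added here, on the basis that a file name is the easiest of the three signals for a sender to change.

```python
"""Mail-policy filter: strip attachments in legacy Office formats.

Added example, not tooling from the thread. The .doc/.xls rule comes from the
comment; the MIME types and the OLE2 signature check are assumptions added
here because a file's name alone is trivial to change.
"""
import email
import os
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".doc", ".xls"}
BLOCKED_MIME_TYPES = {"application/msword", "application/vnd.ms-excel"}
# Signature of an OLE2 compound file, the container used by legacy .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_blocked(part: EmailMessage) -> bool:
    """Decide on three independent signals: declared type, extension, content."""
    if part.is_multipart():
        return False
    if part.get_content_type().lower() in BLOCKED_MIME_TYPES:
        return True
    name = (part.get_filename() or "").lower()
    if os.path.splitext(name)[1] in BLOCKED_EXTENSIONS:
        return True
    data = part.get_payload(decode=True) or b""
    return data.startswith(OLE2_MAGIC)


def _strip(msg: EmailMessage, removed: list) -> None:
    """Recurse through nested multiparts, dropping blocked leaf parts in place."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if is_blocked(part):
            removed.append(part.get_filename() or part.get_content_type())
        else:
            _strip(part, removed)
            kept.append(part)
    msg.set_payload(kept)


def filter_message(raw: str) -> tuple:
    """Return (filtered message text, names removed). The recipient gets a
    notice so they can ask the sender for a safer format, as the comment says."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    _strip(msg, removed)
    if removed and msg.get_content_type() == "multipart/mixed":
        notice = EmailMessage()
        notice.set_content(
            "Attachments removed by policy (blocked format): " + ", ".join(removed)
        )
        msg.get_payload().append(notice)
    return msg.as_string(), removed


def remaining_filenames(raw: str) -> list:
    """Filenames still present in a message (used to check the result)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message() -> str:
    """Constructed sample: body text, a .doc, a renamed .xls, an OLE2 file with
    a harmless-looking name and type, and a PDF that should survive."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.com"
    msg["To"] = "buyer@example.com"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached invoice.")
    ole = OLE2_MAGIC + b"\x00" * 8  # constructed stand-in for a real document
    msg.add_attachment(ole, maintype="application", subtype="msword",
                       filename="invoice.doc")
    # Extension changed by the sender, but the declared type still gives it away.
    msg.add_attachment(ole, maintype="application", subtype="vnd.ms-excel",
                       filename="sheet.dat")
    # Neither name nor declared type look dangerous; only the content does.
    msg.add_attachment(ole, maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_string()


if __name__ == "__main__":
    filtered, removed = filter_message(build_sample_message())
    print("removed:", removed)
    print("remaining:", remaining_filenames(filtered))
```

Checking all three signals matters because a filter that looks only at the extension lets through the second and third attachments in the sample; a filter that looks only at the declared type lets through the third. The notice part is what turns a silent drop into the conversation with the supplier that the comment describes.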
"I'd rather deal with a dozen requests for confirmation every day than one incident of a user using their own initiative and reacting to a phishing email."
Agree 100% - sadly I've had a few examples recently where they've forwarded an email to us asking if it's a phishing email, we've confirmed it is and then had the reply back "Oh - I clicked on it, does it matter?"
Fortunately other things have managed to protect them from doing this so far, but I'm aware that it's only a matter of time before something goes badly wrong.