Is Remote Working a Security Issue?

As the trend for remote work surges forward, I started to think about a few things that go along with it. These thoughts, along with reading an article and some comments on the “third workspace” trend, formed the idea for this post. This third workspace is somewhere other than your corporate office or home office, somewhere like a coffee shop or a park, or any number of other places. Mix this with the recent wave of ransomware attacks, and I can understand, at least on that level, where the thought of your whole company working from home forever could cause some anxiety.

When you work in a corporate environment, the networks and resources are generally vetted better than your home network. Even if you connect through a VPN, it still has to traverse your network and your provider to get back to your employer’s corporate network. Using a public wifi hotspot concerns me even more.

This post is not to bash remote working. I think it is the future. But with the ransomware attacks and all other hacking that goes on every second of every day, I think employers should look at their remote working policies and set rigid standards that have to be adhered to. Some companies that have been in the remote working game for a long time already have these policies and standards, and it works well. Even at that, no one is immune to a simple mistake that could let an attacker into your corporate network through any number of channels. My main concern is companies that are just moving into the remote work arena.

As remote working exploded during the pandemic, many companies I know of had no other choice except to send employees home and have them use their own equipment. Allowing personal devices to connect to the corporate network is mistake number one. You have no control over these personal devices, and for all you know, they could already be infected with any number of viruses or even time bomb ransomware. By allowing these devices to connect to your network, even over a VPN, you are opening up your network to dozens if not hundreds of unknown devices.

Mistake number two is allowing employees to install anything, even on company-provided devices. All devices should be prepared with everything needed before delivery. The corporate administrators should push out any updates or new software that is needed, with no exceptions. Again, many companies do this, or at least do it for machines in the office, but this needs to be a no-exceptions policy. Allowing an employee to install whatever they want is the same as them having a personal device connected to the network. Dangerous always, but especially in the current environment.

If I were designing this policy, it would allow no connections from public wifi hotspots. All connections would have to be firewall approved from the IP address at your home network, even if you are using a VPN. A VPN is just a secure network inside of a network, still susceptible to wifi sniffing. You have no idea if the public wifi hotspot has a port mirror on it, pushing all that traffic into someone’s server for later research. A hacker may not crack your VPN encryption, but they can easily know where you are connecting to. I could do it quickly and quietly with access to the wifi router and a Raspberry Pi. I could have it direct that duplicated traffic anywhere in the world. The fact that I know where you are connecting to and could easily find out what browser and computer you use should be a little concerning. It would not be that hard to target you and, with a bit of social engineering, be on your VPN or have stolen your laptop within a matter of minutes.

Even without the port duplication idea above, social engineering is still a very powerful tool for hackers. You can have the best trainers train your employees to look out for and be wary of social engineering, but humans are flawed. It only takes one person at the right time and the right place, with the right cadence, tone, and terminology, to fool even the best-trained personnel. In my view, this could be more prevalent when working in an open public space.

This post is not meant to upset or scare anyone. These are truths that we must face if we are going to move happily into the future of remote working.

–Parting Wisdom

-Sometimes truths are hard to swallow-

–Bryan Vest
