Avoid the pitfalls of ubiquitous remote work
When widespread lockdown went into effect, due to COVID-19, companies that could function remotely transitioned with all deliberate speed to conducting business outside their four walls. Under normal circumstances, it would take several weeks to ensure that proper capacity and configurations were in place to allow secure remote access to network assets and applications. But with no time to plan, many companies had to adapt to this new reality by leveraging various combinations of remote access solutions, often putting speed ahead of security.
While phased re-opening has begun in many locations around North America, businesses that can continue to function remotely plan to do so in the coming months out of caution. Some businesses have even encouraged employees not to return to the office at all. And with cases spiking again in some places, it doesn’t appear that the need for widespread remote work is going away anytime soon.
This switch to a largely remote workforce has prompted some companies to reevaluate their remote access solutions and configurations with a greater focus on security. In our experience working with several clients over the last two months, we found multiple vulnerabilities with remote access approaches stemming largely from incorrect assumptions.
How we test remote access
When assessing remote access solutions for vulnerabilities, our consultants use a 3-step approach:
Step one involves discussions with stakeholders to understand how specific configurations, groups, and profiles are intended to work. This step identifies which users and/or groups should have access to which resources.
Step two is a configuration analysis. The information obtained in step one is compared to device configurations, group settings, and device rules to confirm that the configurations in place are correct and appropriate.
Step three involves testing remote access solutions to ensure they enforce all aspects of the configuration and operate properly and as expected.
Our test results consistently showed that it is common to discover previously unknown vulnerabilities caused by misconfigurations, flawed assumptions on the part of solution administrators, and process breakdowns. The following are a sample of the findings we identified while carrying out remote access assessments.
Issues frequently arose from a discrepancy between intended and actual device configurations. Some underlying causes of this issue included: users assigned to incorrect groups, unintended permissions granted through group inheritance, and unintended permissions granted through rules that were incorrectly ordered.
Intended vs. actual functionality
Problems also arose from flawed assumptions about a solution's functionality.
One common example occured when a remote access solution did not properly validate the full certificate chain on either the client or server side. Another finding that fell into this category was device configurations that ensured clients met certain requirements before being granted access to a remote resource.
These checks were meant to ensure that AV definitions were up to date, installed and working, patches on the system were current, and many other similar validations. While these checks tend to work well on Windows systems, it is not uncommon for us to discover that these solutions simply ‘fail open’ and allow endpoints to connect if they are running a non-Windows OS due to incomplete configuration. This may not be an obvious test case for companies that only use Windows on their standard workstation images.
We discovered a number of vulnerabilities that resulted from inadequate patch management processes.
Several public exploits have recently been patched for various VPN and remote access solutions. Many of these vulnerabilities are actively targeted in the wild by malicious actors. Checking that both software and firmware are upgraded to the most up-to-date versions is critical.
With the ongoing spread of COVID-19, it’s unclear how many companies will have to continue operating in a “fully-remote'' model, or for how long. But most will likely offer employees flexibility to work from home.
Now is the time to ensure that device misconfigurations, flawed assumptions about a solution’s functionality, and breakdowns in critical security processes such as patch management don’t continue to expose companies to risks that can easily be identified through proper testing.
We recommend that businesses work with an experienced partner who can offer practical advice to reduce exposure and execute a tailored testing program to assess your remote access solutions.
In case you want more information, you can read about these solutions here.
About the AuthorFollow on Twitter Follow on Linkedin More Content by Paul Lariviere