
Thu, 02 Apr 2020

Security And Privacy In A Brave New Work From Home World


We have moved to a radically remote posture, leaving a lot of empty real-estate in corporate offices and abandoning the final protections of the digital perimeter. For years, we've heard that the perimeter is dead and there are no borders in cyberspace. We have even had promises of a new and better style of working without being bound to a physical office and the tyranny and waste of the commute. However, much like the promise of less travel in a digital age or even the total paperless office, these work-life aspirations never had a chance to materialize before COVID-19 forced us to disperse and connect over the Internet. This has massive implications on corporate culture and productivity. More immediately, the surge in use of remote work capabilities has consequences from a security and privacy perspective that cannot be ignored.

For some, working from home isn't new. This is especially true for those in sales and field marketing across many industries or for knowledge workers, such as federal government employees that are familiar with their telecommuting contract. The day after the stay home order is given, the rest of the company suddenly find themselves doing the math on how to stay productive, whether they are the 20% of largely general and administrative or management staff who are always in the office for a young tech startup or the 80% of all employees at a big blue chip company. Some already have a laptop that they bring with them everywhere and are used to bringing home, but for others it's time to spark up the family computer or get a hastily issued company laptop and try to get it running without an IT technician parked at their elbow to help. Others will grab a tablet or a smartphone, once relegated to mostly personal use, and repurpose it to attend to professional needs. Any way you look at it, the enterprise footprint just grew and radically changed in a 24 hour period.

From a security perspective, the basics are critical. This is true whether a company is a mature security shop or not: risk management is the lodestar. It starts with a risk analysis and dialog. You'll need to first create a master list of security essentials and rank them in order of sensitivity, likelihood and impact. The reality is that you can do anything, but you can't do everything; and ultimately this is a triage game.

High on the list are concerns about misinformation, weaponized information and social engineering. While companies can't control machines that they don't own, they have to try to get the most secure endpoints they can and ensure identity integrity. This means emphasizing what channels are appropriate or not for employees and their families for information: news networks, websites and the like. But COVID-19 is our new common watering hole, and malicious actors are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and more. Regular, short, routine communications to remind people of the basics, to gain a pulse on the organization and to provide clear policies are essential.

Also at the highest level of concern is securing the connection to the network and back into the environment. This requires VPN connections, strong authentication and endpoint prevention and detection controls. In the back office generally and in the security operations center specifically, baselines from which anomalies are normally noted for focus will be in flux; everything will look like an anomaly for a while in the brave new remote world.

Which brings us to the most difficult of topics: privacy.

Did employees bring notes and data home before the office closure? Are they creating IP and data protected by privacy laws and regulations as they continue to do business? Who is in the immediate environment physically? These are some of the critical questions. In some cases you may never know the answers to these questions or you may not have a right to know the answers but must appreciate others' living situations and assume some worst case scenarios.

There are still more questions. Should cameras be on for conference calls when employees might be embarrassed of their personal space being seen by colleagues? Should they use headsets when a life partner might work for another company or even a competitor or perhaps a roommate might simply overhear sensitive information? Do we encourage them to care for a child when they are crying or do workers feel the need to hide their families? While many companies have previously developed work from home policies, now we are beginning to understand what is really needed for remote, working employees. Now is the time to take a fresh look at privacy in your work from home policy.

Finally, we must understand the adversary is moving into a new normal as well. They may not be able to immediately exploit all weaknesses or even any given weakness. They too will pursue the lowest hanging fruit while investing in some longer term R&D to develop new attacks specifically for the home environment. Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the weeks ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.

The future is very much a moving target for security and privacy professionals. Here is where maintenance on an ongoing basis is critical: watching vulnerabilities in the new battery of enterprise applications for remote productivity, moving to the next order of vulnerabilities and so on. This might involve extending IT support and patching advice to home users on how to secure their home network, how to configure Amazon or Alexa devices or new tools and services for secure note-taking, collaboration, use of newly available standard operating environment systems and so on. In short, the game of security and privacy will be about rates of adaptation between asymmetric opponents.

The brave new work from home world would be best if it was short lived, but the genie won't go back in the bottle. While the economy will adapt and move on at some point, it's too early to tell what percentage of current remote workers will continue to work from home permanently in a post COVID-19 world or if we will return to the tyranny of the commute. Regardless, the lasting effect of innovation on both attack and defense will persist. As has been said, never waste a good crisis: let's hope that IT, corporate culture, security and privacy all benefit from the current situation to make a more productive and humane cyber world when we return to a more normal epidemiological world.

Sam Curry is Chief Product and Security Officer at Cybereason.

Ari Schwartz was Special Assistant to President Obama for Cybersecurity and is Managing Director for Cybersecurity Services at Venable.

