SUMMARY: Best Practices to Secure a Distributed Network Infrastructure
ARTICLE ID: 018137
TYPE: Application / Configuration Example
LEVEL: Public
FIRMWARE: 4.62P2
MODEL: ATP100, ATP100W, ATP200

SCENARIO DESCRIPTION:

In the post-pandemic era, more and more employees work primarily from home, and the way people connect and access corporate resources has changed for good. Now that the network perimeter is no longer fixed at the office, securing a distributed network infrastructure that supports a more fluid way of working has become a challenge for IT professionals.


SETUP/STEP BY STEP PROCEDURE:

1.   Reduce the attack surface
Whenever you provide Internet-facing services, there is a risk of a security breach. Start by investigating which services or applications must be open for remote access. Because of the new WFH culture, many SMBs need remote access for administrative login to network equipment, and need to allow employees to reach the office network via SSL VPN.
 
Configure your perimeter firewall correctly, based on the least privilege principle. For example, if remote admin access or SSL VPN is required, you can restrict access by geo-IP while explicitly allowing access only from a set of source IP addresses or countries. If you are using a Zyxel firewall, here is a link about how-to.
 
If you are determined to lock your network completely against remote access, and neither the WebGUI nor an SSL VPN tunnel is required, you can move the default rule (WAN_to_Device) to the first position and keep “deny” as the last rule.
(The allowed services are for IPSec VPN/VRRP/GRE.)
Make sure there is no HTTP/HTTPS WebGUI service port in the service group.

Alternatively, you can manage your device through a secured VPN tunnel. Here is a link about how to build an L2TP tunnel and access the web GUI through the tunnel.
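The rule ordering described in this step can be checked with a small first-match model. This is an added example, not Zyxel configuration or code from the article: the rule names, the documentation-range addresses and the IPSec ports (UDP 500/4500) are assumptions, and a CIDR allowlist stands in for the geo-IP restriction.

```python
import ipaddress
from dataclasses import dataclass

WEBGUI_PORTS = {80, 443}        # HTTP/HTTPS management ports
ADMIN_NET = "203.0.113.0/24"    # documentation range standing in for admin source IPs

@dataclass
class Rule:
    name: str
    sources: list   # CIDR strings; "0.0.0.0/0" means any source
    ports: set      # destination ports; an empty set means any port
    action: str     # "allow" or "deny"

def evaluate(rules, src_ip, dport):
    """Return (action, rule name) of the first matching rule; default is deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        in_src = any(ip in ipaddress.ip_network(c) for c in r.sources)
        in_port = not r.ports or dport in r.ports
        if in_src and in_port:
            return r.action, r.name
    return "deny", "implicit-default"

def audit(rules):
    """Name every allow rule that exposes a WebGUI port to any source."""
    findings = []
    for r in rules:
        any_src = any(ipaddress.ip_network(c).prefixlen == 0 for c in r.sources)
        gui = bool(not r.ports or r.ports & WEBGUI_PORTS)
        if r.action == "allow" and any_src and gui:
            findings.append(r.name)
    return findings

# Constructed policy: admin allowlist first, VPN services next, deny last.
LOCKED_DOWN = [
    Rule("admin-allowlist", [ADMIN_NET], {443}, "allow"),
    Rule("vpn-services", ["0.0.0.0/0"], {500, 4500}, "allow"),
    Rule("deny-all", ["0.0.0.0/0"], set(), "deny"),
]

# Constructed weak policy: the service group still contains HTTPS for any source.
WEAK = [
    Rule("wan-to-device", ["0.0.0.0/0"], {443, 500, 4500}, "allow"),
    Rule("deny-all", ["0.0.0.0/0"], set(), "deny"),
]
```

`audit(WEAK)` names the offending rule, while `evaluate(LOCKED_DOWN, ...)` shows that the same HTTPS request is allowed from the admin range and denied from anywhere else.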
 
 
2.   Patch! Patch! Patch!
The vast majority of cyberattacks take advantage of known software and hardware vulnerabilities (not to mention unsuspecting users!). The 2015 edition of the Verizon Data Breach Investigations Report revealed that 70% of successful cyberattacks exploited known vulnerabilities in software with available patches. This means that many victims could have prevented a data breach if they’d only updated their OS and apps. Think of a software patch as armor that repels attacks and protects against various exploits. However, with the sheer number of vulnerabilities being exposed all the time (hundreds of millions of new pieces of malware released each year), many IT professionals struggle to keep pace in the arms race between the hackers discovering security holes and the “good guys” releasing patches to cover them up.
 
Though it’s difficult, bear in mind that unpatched software can be a magnet for malware and viruses, especially widely used apps like Adobe Flash or Microsoft Office. A classic example of this is the global wave of cyberattacks and data breaches that began in January 2021. After four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, attackers gained full access to user emails and passwords, administrator privileges, and access to connected devices on the same network.
 
There are tons of network inventory tools that can help IT professionals spot unpatched endpoints or servers, and even make life easier by automating the patching process!
 
 
 
3.   Be wary of phishing
Cyber attackers use phishing techniques such as spam emails and phone calls to find out information about employees, obtain their credentials, or infect systems with malware.
 
The basic defense can be simple and consists of only two steps:
-    Get a properly configured spam filter and ensure that the most obvious spam is always blocked.
-    Educate your employees about popular phishing techniques and the best ways to deal with them.
 
Luckily, education and awareness training do work, and people are now much more aware of cyber threats. A good example is Verizon’s 2018 Data Breach Investigation Report, which highlights that 73% of people didn’t click on a single malicious email in 2017.
 
4.   Use two-factor authentication
Two-factor authentication (2FA, aka 2-step verification) is an additional layer of security to ensure only authenticated users gain access to an online account. Initially, a user enters their username and password, as usual. Then, rather than gaining access straight away, they are required to provide an additional credential.
 
This second factor could be one of the following: 
- Something you own: a code from an authenticator app on your mobile phone, or a code sent by SMS to your phone. 
- Something you are: a biometric indicator, like your fingerprint (Touch ID) or facial recognition (Face ID)

With 2FA, a compromised password does not by itself compromise the account. Even if your password is stolen, or your mobile phone goes astray, it is unlikely that someone else will have access to both factors.
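The following added example (not part of the original article) shows how an authenticator-app code is computed and why a stolen password alone does not pass login. It implements RFC 6238 TOTP with HMAC-SHA1; the `login` helper, the user record layout and the sample account are assumptions, and the shared secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and the RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, now, window=1, step=30):
    """Accept the current time step plus/minus `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step), submitted)
        for d in range(-window, window + 1)
    )

def login(user_db, username, password, code, now):
    """Both factors must pass; a correct password alone is rejected."""
    user = user_db.get(username)
    if user is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(derived, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and code_ok

# Constructed sample account (hypothetical user and password).
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test key
    }
}
```

The drift window is a trade-off: each extra accepted step widens the period during which an intercepted code remains usable.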
 
 
 
5.   Back up your data
Backing up data is one of the best practices of information security that has gained increased relevance in recent years. With the advent of ransomware, having a full and current backup of all your data can save your business when bad things happen.
 
You can handle backups by making sure that they’re well protected, encrypted, and frequently updated. It’s also important to divide backup duty among several people to mitigate insider threats. The United States Computer Emergency Readiness Team (US-CERT) provides a document detailing different data backup options. 
 
 
6.   Raise employee awareness
Leaving an office network means missing out on some basic security protections provided by the company's security products that run on corporate networks, many of which are invisible to the employee. We would like to share best practice advice for all employees on how to keep devices and data secure when working from a location other than the office network.
 
First off, employees must consider the environment they are working in. For many, "home" means working from a location where they will not be overlooked and are at no immediate risk of having a device stolen or tampered with. But the unfortunate reality is that your home may not be as safe and secure as you think it is.
 
Ten tips that will greatly help you improve your security level:
 
- Those working in shared or public locations should lock their screens when not in use and always have physical possession of the device.
- A VPN should always be used when working from home.
- Do not allow family members or friends to access work devices for non-work tasks.
- Create and maintain strong passwords. Do not write down the password on a post-it.
- Always apply new security updates to operating systems and applications immediately!
- Update the security of other devices on the home network, such as the home router, with the latest firmware and always change the default password.
- Do not connect non-work USB drives to your work device.
- Do not transfer data from personal devices to work devices or vice versa.
- Use a headset to avoid having calls overheard.
- Know how to contact the company IT for advice in the case of suspicious activities.

VERIFICATION:

These steps can help protect your network against attacks from the Internet.



Need technical support:http://www.zyxel.com/form/Support_Feedback.shtml