The VPN is Back but Don’t Forget Device Hygiene

In an effort to prevent the spread of Coronavirus and flatten the pandemic curve, an unprecedented number of public and private sector employees around the world are now working remotely. The statistics are staggering – 50% rise in internet use, 37.5% new users on Microsoft Teams, 112% increase in VPN usage – in just a matter of days.

Despite the move to cloud-delivered services over the last few years, many common and proprietary applications still reside on-prem. Additionally, employees in government, healthcare and critical infrastructure sectors require access to corporate and operational networks. This leaves organizations reliant on virtual private networks (VPNs) to secure the communication pathway from remote users to a corporate network with an end-to-end encrypted tunnel. Due to the rapid shift to a remote workforce, the humble VPN is back in vogue. But on its own, a VPN doesn’t provide a holistic approach and may provide a false sense of security.

While VPNs secure the communication path to the corporate network, they don’t enforce security on the device itself, nor do they monitor its activity when connected to the corporate network. With a massive work-from-home community and potential security gaps, there are already early examples of threat actors targeting this new attack surface. If organizations do not have established or mature device hygiene practices, they may be putting themselves at risk.

There are several reasons that work-from-home environments require elevated levels of device hygiene:

• Reduced visibility and manageability. When such a large number of corporate devices move from on-prem to off-prem, they carry along all the burdens for IT tasks such as patching, monitoring and security. Over time, despite the use of management and security agents, organizations may have less visibility into how these devices are configured, patched and secured.
• Inadequate network controls. Most home Wi-Fi networks do not have the same network controls as corporate networks (such as NGFW, IPS, ATD, NTA). In corporate campuses, network and device controls work in concert to protect the environment and detect intrusions. With insufficient network controls on home networks, device security and hygiene act as the primary line of defense.
• BYOD (bring your own device). The sudden nature of the transition to a remote workforce, coupled with supply chain challenges, has required organizations to relax restrictions on remote users connecting via personal devices. These devices are less likely to be maintained against known-good images and are more likely to go unpatched, unprotected and unmonitored. Simply installing VPN clients on these devices is insufficient and can lead to undesirable outcomes and represent a threat vector.
• Chaotic environment with more entry points. Work-from-home users may bring compromising behaviors, unapproved applications and high-risk data flow onto corporate networks. Additionally, consumer-grade IoT devices on home networks enable opportunities for lateral movement of threats. Continuous end-user education and communication is essential in such situations.

While it’s hard to predict how long this situation will last, here are a few best practices to keep in mind to secure your workforce:

1. Get complete visibility into all remote devices connecting to your network
   This should be No. 1 priority – you can’t secure what you can’t see. Beyond user and VPN authentication, it is important to be able to identify devices and also categorize them as corporate-issued or personal. This allows you to apply specific security policies to BYOD devices and also monitor their behavior and network traffic if they are regarded as higher risk than corporate devices. Additionally, relying solely on installed agents to gain visibility into corporate devices can be a risky proposition as reduced IT oversight and governance may cause agents to get misconfigured or become out-of-date.
2. Extend the same level of cyber hygiene enforcement to remote devices
   Given the less secure nature of home networks, device hygiene and security posture are paramount – for both corporate and BYOD devices. Essential posture checks need to be conducted before allowing devices on the corporate network, even if they have authenticated correctly via VPN. Are mandated security agents running and up to date? Are remote users running any unapproved or vulnerable applications? Are remote devices patched with the latest security updates? A single vulnerable, noncompliant or compromised remote device on your network can provide an entry-point for threat actors.
3. Enforce access controls and segmentation policies to reduce mean time to respond
   With such a large-scale shift in workforce location, organizations are already operating outside of normal conditions. During this time, continuous monitoring and policy enforcement is essential to prevent cyber incidents. Best practices such as least privilege access should be enforced. Users should be automatically notified about compliance issues via captive web portal and balloon/popup notifications, and VPN connections should be terminated if noncompliance persists. Most importantly, network activity from remote devices should be monitored to detect deviations and ensure segmentation hygiene is being maintained.

While VPNs play an essential role in securing remote connections, solid network access control and device compliance strategies are also crucial to ensure effective device hygiene enforcement. To learn more, read the Forescout Device Compliance Solution Brief.