Remote Access during Covid-19

The coronavirus pandemic has forced businesses, schools, and governments into an unprecedented situation…having a business deliver its expected products and services in as normal a way as possible when most or all of their users are not in the normal facility. Owners and managers need to be realistic about their expectations, and they MUST pay attention to security.

Expectations

• Expect things to not proceed smoothly - remote work and remote school has never been attempted before on this scale and we are asking our staff to work in new ways, using technology which is new to them, over networks which likely have never been stressed to this level.

• Expect that both remote access networks (VPN, GoToMyPC, etc.) and content delivery services (Zoom, GoToMeeting, etc.) will periodically struggle due to the load being put on them. The only solutions may be to add internet bandwidth for VPN, or to wait as the services add capacity which is happening at a furious pace. This will take some time, so set expectations relatively low to start.

• Students and teachers will struggle with lesson delivery at the start…with practice and routine, the situation will improve over time. It may be found that there are some “off-peak” hours which work better. It is of course unrealistic to expect students (or teachers) to be able to tolerate school days which are as long as normal. The situation we are in now is anything but “normal”.

• From a protection standpoint it may not make sense to have only a portion of the staff work remotely. COVID-19 is so contagious that staff who consistently come into the office after having been in public will likely bring the infection into the office. Having all users work remotely may actually help in terms of net income preservation because the illness is less likely to be spread among staff.

• If a staff member does become infected their symptoms will potentially be severe enough that they struggle to work from home at all during their illness. COVID-19 patients report severe respiratory pain and exhaustion from even walking to the bathroom…definitely not a situation in which you want them doing mission-critical or sensitive work.

Security

The bad guys always use any advantage they can gain…and the combination of social stress, fear, and remote access will really be a significant help to them. The only way to counteract this is for management teams to do their best to enforce good security.

Passwords

As with any business-critical service, ensure that all GoToMyPC, LogMeIn, VPN, or other access methods use strong (8+ characters), complex (upper case, lower case, numbers and special characters) passwords. Remember that you are giving remote access to your data and applications…weak passwords will be easily and quickly exploited.

Ensure that accounts are set to lock after 5-8 failed attempts at access.

Multifactor authentication (MFA) and one-time passwords (OTP)

Most cloud services and remote access allow for the use of either MFA or OTP. MFA normally ties to a user’s cell phone and sends a text message with a code to allow the user to complete their authentication to the relevant service. OTP often ties to a users email address and provides a code which needs to be entered to complete authentication…this means that email to their phone would need to be configured.

Remote access structure

Normally the device onsite which a user remotes into is referred to as the HOST - it is the device which “hosts” the data or application the user needs. The device at the user’s fingertips is referred to as the CLIENT. All that it does is connect the user to their work environment. Businesses who allow the use of VPN also need to control the security of the client device…if they don’t then an infection on the CLIENT will travel across the VPN tunnel to the HOST, potentially resulting in the destruction of all of the data the HOST can connect to.

Email and COVID-19 phishing

Statistics show that the percentage of current phishing emails related to COVID-19 is substantial. Have your users treat ANY email referring to coronavirus or COVID-19 with suspicion.

Test, train, and harden

Remote work and remote teaching are new experiences for most users. In the process of doing the setup and testing for this circumstance, there is a strong temptation to use weak credentials “just until we’re running”. The problem is that in 90% of these cases, the weak credentials are never fixed with strong, complex credentials.

The bad guys are after your data…they are re-doubling their efforts now when users and systems are stressed. Don’t make it easy…have the users go back and eliminate any simple credentials.

Be sure to note lessons learned from this experience - add the lessons to your goodie bag so that when we have to go to remote work again, you don’t have to endure the pain of re-learning.