There are many arguments on either side of remote work, including whether it impacts an organization’s cybersecurity posture. While most people perceive risks to be higher while people are working from home, this is generally driven by a fear of the unknown. In reality, while some risk factors have changed in some cases, risk is often reduced in a remote working scenario.
In fact, it is often this fear of the unknown that causes employers and employees to take additional precautions and implement additional security measures for remote working which are lacking in an office environment. Companies generally trust their office environment; they take the simplistic view that everything inside is trusted and everything outside is not.
Offices are a known quantity; people feel warm and fuzzy and overlook the risks because “it’s always been like that.” Working from home is new, so people feel scared.
When employees are working from home, their home network is generally considered untrusted and a zero-trust approach is usually taken to protect corporate devices against attacks coming from the local network, for instance by enforcing the use of a VPN and blocking all other traffic. By contrast, corporate networks are generally trusted, and endpoints are often open to attack from a rogue device connected to the local network. Unencrypted network protocols are extremely common on a corporate network, whereas they are extremely rare for a user working from home.
Portable devices like laptops also normally employ encryption and pre-boot authentication, while desktops and servers far more frequently do not because they are perceived to be protected by the physical access controls at the office or data center where they are located. The presence of unencrypted data, either stored electronically or in printed form, is far more likely in an office.
Corporate networks are also often considered trusted by external cloud-based services. A common scenario is that users will require multi-factor authentication if accessing services from outside, but this requirement is dropped if they are accessing the same services from the office network.
In terms of a physical attack, a centralized office generally provides a much more attractive and often much easier target than someone’s personal residence. This is because:
Offices also pose other risks that make it harder to separate information. Employees or even guest visitors may overhear information they shouldn’t, or see sensitive documentation lying around or displayed on a screen. In some cases, information can even be overheard in the background when an office-based employee is conducting a telephone call with an external party.
A perfect example that we recently ran across points out how too many organizations view security through the wrong lens.
We were recently dealing with a company that told us it did not want to discuss the case via email because “email is not secure.” Instead, the client wanted us to communicate by telephone or by post.
In one manner, the client was correct. In its default state, email is not secure. The messages may be transmitted unencrypted between my mail server and the client, where someone with access to the right infrastructure could intercept them.
But then how is the proposed alternative – telephone or the postal system – more secure than email?
A telephone call is carried over a network in the same way as email: the call routes from the user to a telecom provider, which routes it to the telecom provider used by the organization being called, which in turn routes it to the organization itself. It effectively follows the same path as email and is subject to the same attacks. Worse than that, if you are using an analog telephone line, all that’s needed to listen to the call is to open the telco’s switch box on the street and tap the wires – a trick any spy novel fan should certainly know.
However, intercepting email requires a bit more knowledge.
Post is routed much the same way via physical providers but intercepting the post doesn’t require specialist knowledge or access – hiring a thug to beat up the postman and steal his bag would work perfectly well. Or for the less violent, an attacker could pry open an office mailbox or just grab the mail off a receptionist’s desk.
Email on the other hand…
It is true that the basic SMTP protocol used for inter-server email communication is designed for plain text communication. However, this applies between servers – i.e., from your provider to the target’s provider.
Client-to-server communication does not necessarily use SMTP; in fact, doing so is rare these days – most users access their mail service over HTTPS (e.g., Gmail, Hotmail, etc.). Thus, intercepting the last mile is useless, because the traffic is encrypted.
Even if the email were unencrypted, intercepting the last mile is harder because it requires specialized equipment. An attacker can’t just tap the wires under the street as you can with an analog phone line; they need to be able to decode the signalling.
While SMTP can operate in an unencrypted mode, it can just as easily operate over TLS (still commonly called SSL). All of the major providers support TLS these days and will default to it. There are also ways to publish policies to ensure that communication will never fall back to unencrypted SMTP.
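The policy mechanism alluded to above is, in practice, MTA-STS (RFC 8461): the receiving domain publishes an HTTPS-served policy listing its permitted MX hosts, and a sender that honours an `enforce` policy refuses to deliver rather than fall back to plaintext or to an unlisted host. The following is an added example, not Trustwave's code; the policy text and hostnames are constructed placeholders.

```python
# Evaluate an MTA-STS (RFC 8461) policy the way a sending mail server does.
# Added example; the policy below is constructed and uses placeholder hosts.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse the 'key: value' policy body; every 'mx' line is a host pattern."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not key:
            continue
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid MTA-STS policy")
    return policy

def mx_permitted(policy, mx_host):
    """An MX matches an exact pattern, or a '*.' pattern covering exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # '*.backup-mx.example.com' -> '.backup-mx.example.com'
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """enforce: refuse to send when the MX is unlisted or TLS validation failed
    (no plaintext fallback); testing: deliver anyway but report the failure."""
    if mx_permitted(policy, mx_host) and tls_ok:
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

A real sender also fetches the `_mta-sts.<domain>` TXT record to learn when the policy id changes and caches the policy for `max_age` seconds; both steps are omitted here so the example runs offline.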
There are also standards such as S/MIME (https://en.wikipedia.org/wiki/S/MIME) which allow for end-to-end encryption of email using the same public-key infrastructure (PKI) used for HTTPS websites. It’s widely supported by most email clients but is sadly not widely used.
What all these scenarios prove is that what is considered common knowledge is often wrong. Offices are not safe just because they have always been perceived as such, and just because an older form of communication might not be hackable through the internet does not mean that it is safer.
An organization should not rely on the old “tried and true” system it has always used, just because it has always been used.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.