There are many arguments on either side of remote work, including whether it impacts an organization’s cybersecurity posture. While most people perceive risks to be higher while people are working from home, this is generally driven by a fear of the unknown. In reality, while some risk factors have changed in some cases, risk is often reduced in a remote working scenario.
In fact, it is often this fear of the unknown that causes employers and employees to take additional precautions and implement additional security measures for remote working which are lacking in an office environment. Companies generally trust their office environment; they take the simplistic view that everything inside is trusted and everything outside is not.
Offices are a known quantity; people feel warm and fuzzy and overlook the risks because “it’s always been like that.” Working from home is new, people feel scared.
When employees are working from home, their home network is generally considered untrusted and a zero-trust approach is usually taken to protect corporate devices against attacks coming from the local network, for instance by enforcing the use of a VPN and blocking all other traffic. By contrast, corporate networks are generally trusted, and endpoints are often open to attack from a rogue device connected to the local network. Unencrypted network protocols are extremely common on a corporate network, whereas they are extremely rare for a user working from home.
Portable devices like laptops also normally employ encryption and pre-boot authentication, while desktops and servers far more frequently do not because they are perceived to be protected by the physical access controls at the office or data center where they are located. The presence of unencrypted data, either stored electronically or in printed form, is far more likely in an office.
Corporate networks are also often considered trusted by external cloud-based services. A common scenario is that users will require multi-factor authentication if accessing services from outside, but this requirement is dropped if they are accessing the same services from the office network.
In terms of a physical attack, a centralized office generally provides a much more attractive and often much easier target than someone’s personal residence. This is because:
- It is easy to find an office location, much harder to find the personal residence of an employee of a particular company.
- An office is going to have many employees, a great deal of equipment, and potentially tons of data such as documents lying around, unlike a residence which will only have one person’s equipment and data.
- Attacks such as tailgating are far more likely to succeed in an office environment, especially a large office where employees don’t immediately recognize each other and might not spot a stranger entering. Tailgating into someone’s home on the other hand is extremely unlikely to succeed.
- As mentioned previously, gaining access to an office network is far more likely to yield useful information to an attacker than a home network.
- Since access to physical offices is often possible for vendors, customers, and interviewees, the scope for an attacker to gain entry posing as one of these is much higher.
Offices also pose other risks that make it harder to separate information. Employees or even guest visitors may overhear information they shouldn’t or see sensitive documentation laying around or displayed on a screen. In some cases, information can even be overheard in the background when an office-based employee is conducting a telephone call to an external party.
Perceived Security vs. True Security
A perfect example that we recently ran across points out how too many organizations view security through the wrong lens.
We were dealing with a company recently, which told us they did not want to discuss the case being conducted via email because “email is not secure.” Instead, the client wanted me to communicate via telephone or by post.
In one manner, the client was correct. In its default state, email is not secure. The messages may be transmitted unencrypted between my mail server and the client, where someone with access to the right infrastructure could intercept them.
But then how is the alternative proposed – telephone or through the postal system – more secure than email?
A telephone call is carried over a network in the same way as email, the call will route from the user to a telecom provider, who will then route it to the telecom provider used by the organization being called, who will then route it to the organization themselves. It effectively follows the same path as email and is subject to the same attacks. But worse than that, if you are using an analog telephone line, all that’s needed is to open the telco’s switch box on the street and tap the wires to listen to the call. A trick any spy novel fan should certainly know.
However, intercepting email requires a bit more knowledge.
Post is routed much the same way via physical providers but intercepting the post doesn’t require specialist knowledge or access – hiring a thug to beat up the postman and steal his bag would work perfectly well. Or for the less violent, an attacker could pry open an office mailbox or just grab the mail off a receptionist’s desk.
Email on the other hand…
It is true that the basic SMTP protocol used for inter-server email communication is designed for plain text communication. However, this applies between servers – i.e., from your provider to the target’s provider.
Client to server communication does not necessarily use SMTP, in fact doing so is rare these days – most users will access their mail service over HTTPS (e.g. Gmail, Hotmail etc). Thus, intercepting the last mile is useless, because the traffic is encrypted.
Even if the email was unencrypted, intercepting the last mile is harder because it requires specialized equipment. An attacker can’t just tap the wires under the street like you can with an analog phoneline, they need to be able to decode the signalling.
While SMTP can operate in an unencrypted mode, it can just as easily operate over SSL. All of the major providers support SSL these days and will default to it. There are also ways to publish policies to ensure that communication will never fall back to unencrypted SMTP.
There are also standards such as S/MIME (https://en.wikipedia.org/wiki/S/MIME) which allow for end-to-end encryption of email using the same PKI infrastructure used for HTTPS websites. It’s widely supported by most email clients but is sadly not widely used.
Conclusion
What all these scenarios prove is that what is considered common knowledge is often wrong. Offices are not safe just because they have always been perceived as such, and just because an older form of communication might not be hackable through the internet does not mean that it is safer.
An organization should not rely on the old “tried and true” system it has always used, just because it has always been used.
