Locking Down Your Virtual Office: Cyber Security for Remote Workers with Anh Pham

Jara Rowe: Gather around, as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Welcome to another episode of The Tea on Cybersecurity. On this episode, we're spilling the tea on remote work and access security. We're all super familiar with Zoom calls, and sharing files, but we're going to dive into some of the best practices to stay safe while working from anywhere. But as we know, I am not the expert, but I have one with me. I'd like to welcome on one of the brains of keeping us safe at Trava. Hello, Anh.

Anh Pham: Hi Jara. Thanks for having me, and hello to everybody that's listening. My name is Anh, and I'm currently the security engineer at Trava. I'm responsible for Trava's cybersecurity program, and pretty much the protection of our employees data and access.

Jara Rowe: Super important, and Anh is always so nice to me when I ask him a bunch of random questions.

Anh Pham: That's what I do do, answering random cyber questions.

Jara Rowe: All right, let's go ahead and dive right in. How has the shift to remote work transformed the cybersecurity landscape?

Anh Pham: It actually did that in very significant way. As remote work becomes more popular, companies and cybersecurity professional are now forced to rethink their approach that they have used for the last 20 years to protect their attack surface, because that surface now grows as exponentially larger. They have to abandon certain traditional defenses that they have previously sworn upon, and have to adapt security control that are more fitting of a wider, and pretty much moderless network.

Jara Rowe: With the increase in remote work, like you mentioned, what are some unique cybersecurity challenges that businesses face, and then how do they address them?

Anh Pham: The first challenge would be what I just mentioned, their tax surface grows a lot larger. So instead of having just one network that you can see the exact perimeter for and you put defenses around the perimeter and just everything inside, you now have a network that can spend across country or even across the entire globe. So you can't really put a perimeter around them. So you have to start thinking of enforcing security control at the device and at the user level. So check in every access request, that kind of thing. Secondly, because of this sort of wide geographical area of working, people are now needing to rely more on cloud services and SaaS tool to do their work. You can't really just implement a tool, put it in a place and have that tool support everybody anymore. I think research suggests that the average company these days use upwards of 250 different tools in their daily live work and each one of those tools introduce a pat into your network, into your resource. So you got to start thinking about how to protect each and every one of those tools at the individual level instead of just the network as a whole. But one more thing is that the traditional lines between corporate and personal network are now pretty much non- existent. You work from home, you're on your home wifi, right? Your kid could be on your wifi doing something else and you think that you're protected. But what we can do is protecting our company devices, but there's nothing that protecting the personal device. And if those devices compromise, then your company device is on the same networks also at risk. And then lastly, we have insider threats. It's not new, it's a concept that's been around forever. In the traditional sense, when people think of insider threats, they think of disgruntled or ex- employee that are upset at the company and intentionally do harmful things. But in the remote world age insider threat also include just regular employee working from home and just become carelessness and negligent because they're so comfortable and they do think that inaudible also call harm to the company.

Jara Rowe: Right. So I have two follow up questions. First, you mentioned attack surface. Can you explain what that is?

Anh Pham: Sure. So attack surface is essentially the exposure of your company environment to cyber attack. So it include all the possible entry point for attacker to get into your network and access your resources or the possible vulnerability that exists in your environment. It's like a door to your network, it's a remote workload that door become bigger and bigger and it just a lot of different point that attacker can exploit to get access.

Jara Rowe: Terrifying. And then I was going to ask this a little later, but I think it's fitting to ask now. So you just mentioned how we work from home and a personal is becoming blurred. So what are some tips you would give someone to secure their home networks?

Anh Pham: Yeah, some of these are probably familiar with most people by now, but one of the basic thing is to change the default network name and administrative credentials to your wireless router. So every time you get a new router, there's a label on the side of that router that show the default SSID, which is a network name and it also has an admin default credential. So the first thing you should do is change those, change the default network name, change the default credential. Once you do that, then you need to change the default password. It's also printed on that label. When you pick a password, make sure for wireless encryption protocol, you pick the WPA2 or higher. So on a regular router and you will see three or four different option from WEP to the WPA2. And now there's WPA3. Never pick the first two, WEP, WPA. Always stick to WPA2 or higher if your router support. Something that's a little more technical for the more technical savvy folks is if your wireless routers support and most modern routers who support this is to create a dedicated network for your work device at home. So you can have one network where only your work device connect to and then another network where all of your own device connect to. And when you create this network by default they are isolated. So traffic between them cannot cross that border. And then following similar concept, if you use smart devices at home like Alexa or Google Assistant or Apple Assistant, have a separate network for those devices. Don't put your smart light on the same network as your work device. You never know what happened could happen to those. And then lastly, use a VPN when working away from a trusted network or in public places. If your company can have a VPN use that. If your company doesn't provide one, just ask your security team to provide a recommendation on personal VPN options that you can use.

Jara Rowe: All right, awesome. So again, I've learned all about auditing and assessments and all the other fun things when it comes to cybersecurity, but I was thinking that people working remotely has to change this auditing process since there's not really a file cabinet with files and things like that. So how has remote work changed the auditing process?

Anh Pham: The process remained the same. Some of the methods and the approach change a little. As you said, the recommendation in remote work when it comes to file and content is just not to print them out if you don't use them. Try to avoid printing anything out, if you can. If you do, then you've got to have a lock cabinet to store them and then making sure you have a way to securely destroy them when you're done. When it comes to remote auditing and logging, because you now no longer have a trusted network where the device sit in and you have a central place to store all your audit logs, you're now need to rely more on tools that have really robust auditing and logging capability. So you ship all of that advanced capability from a central tool to these little software that sit on employee devices. So pay attention to those when you source the tool. But overall auditing process hasn't changed. You still need to do them, you still need to do your access review and all of that.

Jara Rowe: Great. So again, when I think about auditing, you want to make sure that certain people have access to the things that they need to have access to, which leads me to my next question. In the context of remote work, how can organizations ensure that the right individuals are accessing sensitive resources? And then what role does identity management play into all of this?

Anh Pham: You do that by starting with having a really clearly defined policy, an access management policy. Make sure in that policy you define at a very high level who can access what and then the approach that you will use to grant and revoke access if needed. And then from there you start muting out the process and the tool. Obviously having a good identity and asset management tool in place is very important. We'll reduce a lot of the administrative overhead, it will make your job a lot easier. You don't have to start view out manual things yourself. You just create a role, aside necessary permission to it and then you assign those rollout to a different group of people. And then one other thing too with IMM two in remote work is you want to look for those that support inaudible features such as allowing you to enforce very strong password, allowing you to enforce and implement MFA verification, support SSO integration to different tool and services because as I said, you very well could be using 250 different tool in your company. And then if possible, look for tool that also provide security check and security enforcement at the device level, not just the user level.

Jara Rowe: Got it. And listeners, there was MFA mentioned, I really feel like that's been mentioned in every single episode, so make sure you enable MFA where it is available. So Anh, can you talk more about single sign- ons and the benefits of that or if there is a benefit for managing that when it comes to remote work?

Anh Pham: Yeah, so single sign- on is basically what it sounds like. It's the ability to log in only once and what I meant by login only once is you're only providing your username password once and then able to use that session to access all the different software that are SSO integrated. SSO is particularly important for remote work because of the inherent use of SaaS tool, as I said, you have to use a lot of different tools during the day and instead having to remember hundreds of different passwords to each of those tools, you now only have to remember one and then be able to log into all of those tools. From an administrative perspective, secure administrative perspective, it's important onboarding and offboarding. If an employee leaves the organization, the security administrator no longer has to go into every single one of those tools and disable their account. You should disable one central account and then that get applied to all of those tools.

Jara Rowe: I never thought about how beneficial that would be for someone like you when it comes to onboarding and offboarding to really only have to deactivate something once. Yeah, that could be really time consuming or you could potentially miss one.

Anh Pham: Yeah, exactly. So usually that's the case. You make mistake with 10, you make even more mistake with 200.

Jara Rowe: Wow. We are definitely going to dive into this next question more on a future episode, but I really want to talk to you about it when it comes to remote work. So how important is user education and preventing breaches related to remote work access and what are some best practices you would give someone when it comes to education?

Anh Pham: Sure. So it's actually very vital. As I said, employees are more comfortable at home. That's just the way it is. And when you're comfortable you become a little careless and sometimes a little negligent. You do things that are more comfortable natively. And in the remote world when you cannot rely on traditional network and defenses anymore, you now have to rely more and more of your employees to do their own follow on security guidelines and do their own thing at home to make sure that the device secure the resource, that they access is protected. So proper education is very important. One of the most effective ways due to have a very good and very well designed security awareness and training programs, making sure you customize the program to train your employee of common cybersecurity threat, but also remote work related cyber threat as well because there's a lot of those. Make sure you do regular phishing simulation exercises and pay attention to the statistic that you get from these exercises. If you're the tracking of this exercise, then over time you'll see that for certain kind efficient, your employment perform better or worse. And then you can decide follow- up training to enforce and improve that. Have really clear policy and communicate those policy very clearly to all of your employee. Make sure they thoroughly read and attest to every single one of them and then do a refresh every once in a while, semi- annually or annually. And at the same time as administrator, you should also review and update their policy. Lastly, when in a remote work setting, it's pretty much impossible for employee to run over to the security team or to the IT department and say, " Hey, something's going on." So you make sure you establish really good reporting channel for employee to report to suspicous activity. It's a good idea to provide different channel either via email, text, Slack, ticketing portal or wide range of different general so your employee can use whichever it's better for them.

Jara Rowe: Awesome. That is great information. You were just mentioning phishing and I know that is one of the social engineering tactics. So can you talk about how the human factor in social engineering and phishing attacks come into play when considering remote work access security?

Anh Pham: With remote work, the one thing that employees are now missing is that face- to- face sort of connection and conversation. So when you're at home, you're just inherently more vulnerable to attack opposing as colleges or IT support people or supervisor mainly because you may not know it, but you feel somewhat isolated at home, even though you may say you're comfortable, but when you get somebody reaching out, you just inherently want to talk to them and most of the time you may forget to verify their identity, as you're more vulnerable to phish. On the other side of that, they also have to deal with distraction at home that could lead them to make a mistake. But if you get a call from an attack posing as your supervisor and your kids are screaming in the back, you probably will forget to verify that it's a legitimate call. So those are the risks of the human risks that come with remote work. Some tip I have is to always be wary of unsolicited communication. Make a sticker note on your monitor, double check everything. Treat all unsolicited communication as malicious unless you can prove otherwise. Even if it come from your manager, if it wasn't unsolicited, just make sure that you do your due diligence and to project that. Verify all urgent requests, particularly those that ask you to provide sensitive information, or perform very risky tasks. This is like the oldest trick in the book, but they still work. And then really scrutinize email addresses and domains. And when you get an email from a strange looking domain, just make it a habit to always look at the sender, hover over the link, make sure the domain look correct, that kind of stuff.

Jara Rowe: Yeah, we definitely have to make sure we're not distracted by laundry and the kids when we're working from home to make sure we keep ourself and our company safe for sure. As remote work continues to evolve, what trends do you foresee in terms of cybersecurity needs, particularly in the realm of remote access management?

Anh Pham: So one of the thing that we have actually already started seeing in the last five to seven years is the concept of zero trust. And basically what it says, you just assume everything and everyone is not trusted until proven otherwise. So before remote work, a lot of these zero trust solution would build to fit into a corporate network. But as the remote work age grow, I see a lot of these tool will have to innovate and start to produce offering easier to deploy in the Y area network and that span across geographical locations. I also see the rise of passwordless authentications in tools. So we live in a password age and remote work just make password easier to steal and compromise than ever. inaudible on the rise of a loft tool is going to start moving to passwordless authentication where instead we relying on password that can be stolen, that will relies on keys and digital certificate, they're a lot easier secure, they're a lot more secure. Another new thing is array of SASE's tool, SASE, and it's called SASE. So these are basically tool that can buy security networking into a single solutions that can be deployed anywhere, anytime to support remote access and remote work. So traditionally you have to deploy network and you have to lay your security tool on top and making sure the two connect. These tools just sort of do all of the legwork for you. You detect the platform, you put it up and you're done. You're ready to run a remote work environment. In term of endpoint, Unified Endpoint Management is very important. It's actually more important than ever because your device could be anywhere for whatever you can get. So you want to make sure that you can manage the devices whether they laptop or mobile devices or tablet. And then EDR, Enterprise Detection Respond tool is also very important because you no longer have a traditional network where everything is in one place, when you can lay a tool on top to watch over the traffic. I have to rely on EDR tool or EDR agent with advanced capability to watch each and every single one of your device. So you use compact all of that very event network level feature into this single agent that sit on employee device.

Jara Rowe: Awesome. So much helpful information. I'm sure all of the listeners are taking notes and everything. I'm going to move into, I have a couple of funner questions for you, I guess not as heavy in the cybersecurity and remote work realm. So first question, do you ever get tired of telling people not to click on suspicious links?

Anh Pham: Yes, I do. When you have to say it over and over, you do get tired of it. But the reality is that people will keep clicking on links. You can tell them, you can send them reminder every day and they will still find some way to do it. So the better practice is move on to what happened after people click the link. So I'm more concerned with what security control we have in place now to protect after user click. If they have click and provide a password, do we have MFA, that kind of stuff. So it's illusion, but it is what it is.

Jara Rowe: I understand. All right. Next, if you could hack into any fictional characters computer, whose would it be?

Anh Pham: Definitely Ironman. I think his computer would have some really interesting tech, does work knowing and being a tech geek, yeah, I just cannot resist the temptation.

Jara Rowe: Yeah, I understand that. All right. Thank you so much for joining me on this episode and talking to me about remote work and access management. But before I let you go, do you have any final thoughts?

Anh Pham: Yeah, I guess something that I could leave is that remote work is here to stay. We see it on the news every day where company are trying to force people back in office work and usually that doesn't work out. We could try to push back against it as much as we can for as long as we can, but reality is that it will not go away. It's really a lot better to start switching our mindset to think of different way that we can support our employee and organization in a new remote world age while still protecting our data and assets. But thanks for having me.

Jara Rowe: Thank you. Remote work is here to stay, so let's make sure we all stay secure. Thanks so much Anh. Now that we've spilled the Tea on remote work and cybersecurity, it's time to go over the receipts. I took a lot away from my conversation with Anh, so let's get into it. First, remote work widens our attack surface. We went from small and contained to issues being globally now and now with us having such distributed teams, we all rely on cloud services and SaaS tools. Anh mentioned that some companies can use up to 250 tools a day. So we need to do our due diligence to make sure that these services and tools that we use to make our lives easier are secure as well. Anh gave a lot of helpful tips when it comes to securing our home network because as he pointed out, personal and professional are now blurred since we all work from home. Some of the things he told us to do is when we get a new router, we need to change the credentials and the passwords on the router. And another thing he also pointed out is to use a VPN when we're out in public just to make things a little more secure. And if you don't know a VPN, talk to your IT professional on your team for tips on that. Anh also talked about how important it is to have a sound access management policy because that will make it easier to know who to give access to for what things. And as we said, now that we're all working from home and through a distributed team, this is more important than ever. We also talked a little bit about the auditing process, so Anh did say that the process is still the same, but when it comes to where you store things, since it's in the cloud and things like that, are a little different. So just make sure that everything is in the right place, the appropriate people have access to it and things of that nature When it comes to auditing, which we know we have to get audited and assessments to get SOC 2 and all the other compliance things. So the last receipt that I have is on talking about zero trust. He mentioned that since we work from home, we're a little more lax and we might be a little more susceptible to certain attacks and threats like phishing and other social engineering. So it's important that we stay focused in when we get an email or a text that may seem a little fishy, have zero trust. You want to assume that this person is not coming from a good place before you know that it's trustworthy. Again, I hope you all took as much away from this conversation about remote work, access management and cybersecurity. I will see you on our next episode of The Tea on Cybersecurity. And that's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcast.