Cyber Security for Remote Workers with Anh Pham

This is a podcast episode titled, Cyber Security for Remote Workers with Anh Pham. The summary for this episode is:
  • Cybersecurity challenges that businesses face and how they address them. (02:13 min)
  • How remote work has changed the auditing process. (01:01 min)
  • How organizations can ensure the right individuals access sensitive resources. (01:15 min)
  • Anh’s best practices for educating on preventing remote work breaches. (02:07 min)
  • How the human factor in social engineering and phishing attacks come into play when considering remote work access security. (01:35 min)
  • Trends Anh foresees in terms of cybersecurity needs, particularly in the realm of remote access management. (02:23 min)

Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Welcome to another episode of The Tea on Cybersecurity. On this episode, we're spilling the tea on remote work and access security. We're all super familiar with Zoom calls and sharing files, but we're going to dive into some of the best practices to stay safe while working from anywhere. But as we know, I am not the expert, but I have one with me. I'd like to welcome Anh, one of the brains of keeping us safe at Trava. Hello, Anh.

Anh: Hi, Jara. Thanks for having me. And hello to everybody that's listening. My name is Anh and I'm currently the security engineer at Trava. So I'm responsible for Trava's cybersecurity program and pretty much the protection of our employees' data and assets.

Jara Rowe: Super important. And Anh is always so nice to me when I ask him a bunch of random questions.

Anh: That's what I do. Answering random cyber questions.

Jara Rowe: All right, let's go ahead and dive right in. How has the shift to remote work transformed the cybersecurity landscape?

Anh: It actually did that in a very significant way. As remote work becomes more popular, companies and cybersecurity professionals are now forced to rethink the approach that they have used for the last 20 years to protect their attack surface because that surface now grows, it's exponentially larger. They have to abandon certain traditional defenses that they have previously sworn upon and have to adapt security controls.

Jara Rowe: With the increase in remote work like you mentioned, what are some unique cybersecurity challenges that businesses face and then how do they address them?

Anh: So the first challenge would be what I just mentioned, their attack surface grows a lot larger. So instead of having just one network that you can see the exact perimeter for and you put defenses around the perimeter and trust everything inside, you now have a network that can span across a country or even across the entire globe. So you can't really put a perimeter around them so you have to start thinking of enforcing security controls at the device and at the user level. So checking every access request, that kind of thing. Secondly, because of this wide geographical area of working, people now need to rely more on cloud services and SaaS tools to do their work. You can't really just implement a tool, put it in a place and have that tool support everybody anymore. Research suggests that the average company these days uses upwards of 250 different tools in their daily layout work. And each one of those tools introduces a path into your network, into your resources. So you've got to start thinking about how to protect each and every one of those tools at the individual level instead of just the network as a whole. One more thing is that the traditional lines between corporate and personal networks are now pretty much nonexistent. You work from home, you're on your home wifi, your kid could be on your wifi doing something else and you think that you're protected. But what we can do is protect our company devices, but there's nothing protecting the personal devices. And if those devices are compromised, then your company devices on the same network are also at risk. And then lastly, we have insider threats. It's not new. It's a concept that's been around forever. In the traditional sense, when people think of insider threats, they think of disgruntled or ex-employees that are upset at the company and intentionally do harmful things.
But in the remote world age, insider threats also include just regular employees working from home and just becoming careless and negligent because they're so comfortable and they do things that unintentionally also cause harm to the company.

Jara Rowe: Right. So I have two follow-up questions. First, you mentioned attack surface. Can you explain what that is?

Anh: Sure. So attack surface is essentially the exposure of your company environment to cyber attack. So it includes all the possible entry points for an attacker to get into your network and access your resources, all the possible vulnerabilities that exist in your environment. It's like a door to your network, right? As remote work grows, that door becomes bigger and bigger and there are just a lot of different points that an attacker can exploit to get access.

Jara Rowe: Terrifying. Okay. And then I was going to ask this a little later, but I think it's fitting to ask now. So you just mentioned how we work from home and a personal is becoming blurred. So what are some tips you would give someone to secure their home networks?

Anh: Yeah, some of these are probably familiar to most people by now, but one of the basic things is to change the default network name and administrative credentials of your wireless router. So every time you get a new router, there's a label on the side of that router that shows the default SSID, which is the network name, and it also has an admin default credential. So the first thing you should do is change those. Change the default network name, change the default credential. Once you do that, then you need to change the default password because it's also printed on that label. When you pick a password, make sure for the wireless encryption protocol you pick WPA2 or higher. So on a regular router you will see three or four different options from WEP to WPA2 and now there's WPA3. Never pick the first two, WEP and WPA. Always stick to WPA2 or higher, if your router supports it. Something that's a little more technical for the more technically savvy folks is, if your wireless router supports it, and most modern routers will support this, to create a dedicated network for your work devices at home so you can have one network where only your work devices connect to and then another network where all of your home devices connect to. And when you create these networks, by default they are isolated. So traffic between them cannot cross that border. And then following a similar concept, if you use smart devices at home like Alexa or Google Assistant or Apple Assistant, have a separate network for those devices, right? Don't put your smart light on the same network as your work device. You never know what could happen to those lights. And then lastly, use a VPN when working away from a trusted network or in public places. If your company can have a VPN, use that. If your company doesn't provide one, just ask your security team to provide recommendations on personal VPN options that you can use.

Jara Rowe: All right, awesome. So again, I've learned all about auditing and assessments and all the other fun things when it comes to cybersecurity, but I was thinking that people working remotely has to change this auditing process since there's not really a file cabinet with files and things like that. So how has remote work changed the auditing process?

Anh: The process remains the same. Some of the methods and the approach change a little, as you said. The recommendation in remote work when it comes to files and content is just not to print them out if you don't use them. Try to avoid printing anything out if you can. If you do, then you've got to have a locked cabinet to store them and then make sure you have a way to securely destroy them when you're done. When it comes to remote auditing and logging, because you now no longer have a trusted network where the devices sit and you have a central place to store all your audit logs, you now need to rely more on tools that have really robust auditing and logging capability. So you ship all that advanced capability from a central tool to these little software that sit on employee devices. So pay attention to those when you source the tool. But overall, the auditing process hasn't changed. You still need to do them, you still need to do your access review and all of that.

Jara Rowe: Great. So again, when I think about auditing, you want to make sure that certain people have access to the things that they need to have access to, which leads me to my next question. In the context of remote work, how can organizations ensure that the right individuals are accessing sensitive resources? And then what role does identity management play into all of this?

Anh: You do that by starting with having a really clearly defined policy, access management policy. Make sure in that policy you define at a very high level who can access what and then the approach that you'll use to grant and revoke access if needed. And then from there, you start building out the process and the tools. Obviously having a good identity and asset management tool in place is very important. It will reduce a lot of the administrative overhead, it will make your job a lot easier. You don't have to start, view out manual things yourself. You just create a role, assign the necessary permissions to it and then you assign those roles out to different groups of people. And then one other thing too with IAM tools and remote work is you want to look for those that support advanced features such as allowing you to enforce very strong passwords, allowing you to enforce and implement MFA verification, supporting SSO integration to different tools and services because as I said, you very well could be using 250 different tools in your company. And then if possible, look for a tool that also provides security checks and security enforcement at the device level, not just the user level.

Jara Rowe: Got it. And listeners, there was MFA mentioned, I really feel like that's been mentioned in every single episode, so make sure you enable MFA where it is available. So can you talk more about single sign-on and the benefits of that or if there is a benefit for managing that when it comes to remote work?

Anh: Yeah, so single sign-on is basically what it sounds like. It's the ability to log in only once and what I meant by log in only once is you only provide your username and password once and are then able to use that session to access all the different software that are SSO integrated. SSO is particularly important for remote work because of the inherent use of SaaS tools. As I said, you have to use a lot of different tools during the day and instead of having to remember hundreds of different passwords to each of those tools, you now only have to remember one and then be able to log into all of those tools. From an administrative perspective, security administrative perspective, it's important for, well, onboarding and offboarding. If an employee leaves the organization, the security administrator no longer has to go into every single one of those tools and disable the account, you disable one central account and then that gets applied to all of those tools.

Jara Rowe: I never thought about how beneficial that would be for someone like you when it comes to onboarding and offboarding to really only have to deactivate something once. Yeah, that could be really time-consuming. Or you could potentially miss one.

Anh: Yeah, exactly. So usually that's the case. You make mistakes with 10, you make even more mistakes with 200.

Jara Rowe: Wow. We are definitely going to dive into this next question more on a future episode, but I really want to talk to you about it when it comes to remote work. So how important is user education in preventing breaches related to remote work access? And what are some best practices you would give someone when it comes to education?

Anh: Sure. So it's actually very vital. As I said, employees are more comfortable at home. That's just the way it is, and when you're comfortable you become a little careless and sometimes a little negligent. You do things that are more comfortable natively and in the remote world when you cannot rely on traditional network and defenses anymore, you now have to rely more and more on your employees to follow the security guidelines and do their own thing at home to make sure that the device is secure, the resources that they access are protected. So proper education is very important. One of the most effective ways is to have a very good and very well-designed security awareness and training program, making sure you customize the program to train your employees on common cybersecurity threats, but also remote work related cyber threats as well because there's a lot of those. Make sure you do regular phishing simulation exercises and pay attention to the statistics that you get from these exercises. If you're keeping track of these exercises, then over time you see that for certain kinds of phishing, your employees may perform better or worse. And then you can decide on follow-up training to enforce and improve that. Have really clear policies and communicate those policies very clearly to all of your employees. Make sure they thoroughly read and attest to every single one of them and then do a refresh every once in a while. So biannually or annually. And at the same time as administrator, you should also review and update their policy. Lastly, when in a remote work setting, it is pretty much impossible for employees to run over to the security team or to the IT department and say, "Hey, something's going on." So you make sure you establish really good reporting channels for employees to report suspicious activity.
It's a good idea to provide different channels, either via email, text, Slack, ticketing portal, a wide range of different channels so your employees can use whichever is better for them.

Jara Rowe: Awesome. That is great information. You were just mentioning phishing and I know that is one of the social engineering tactics. So can you talk about how the human factor in social engineering and phishing attacks come into play when considering remote work access security?

Anh: With remote work, the one thing that employees are now missing is that face-to-face connection and conversation. So when you're at home, you're just inherently more vulnerable to attackers posing as colleagues, IT support people or supervisors mainly because you don't know... You may not know it, but you feel somewhat isolated at home, even though you may say you're comfortable. When you get somebody reaching out, you just inherently want to talk to them and most of the time you may forget to verify the identity, you're more vulnerable to phishing. On the other side of that, they also have to deal with distractions at home that could lead them to making a mistake. If you get a call from an attacker posing as your supervisor and your kids are screaming in the back, you probably will forget to verify that it's a legitimate call. So those are the risks of the human risks that come with remote work. Some tips I have: always be wary of unsolicited communication. Make a sticky note on your monitor, double check everything. Treat all unsolicited communication as malicious unless you can prove otherwise. Even if it comes from your manager, if it wasn't unsolicited, just make sure that you do your due diligence and double check that. Verify all urgent requests, particularly those that ask you to provide sensitive information or perform very risky tasks. These are the oldest tricks in the book, but they still work. And then really scrutinize email addresses and domains. When you get an email from a strange-looking domain, just make it a habit to always look at the sender, hover over the link, make sure the domain looks correct, that kind of stuff.

Jara Rowe: Yeah, we definitely have to make sure we're not distracted by laundry and the kids when we're working from home to make sure we keep ourselves and our company safe for sure. As remote work continues to evolve, what trends do you foresee in terms of cybersecurity needs, particularly in the realm of remote access management?

Anh: So one of the things that we have actually already started seeing in the last five to seven years is the concept of zero trust. And it's basically what it says. You just assume that everything and everyone is not trusted until proven otherwise. So before remote work, a lot of these zero trust solutions were built to fit into a corporate network. But as the remote work age grows, I see a lot of these tools will have to innovate and start to produce offerings that are easier to deploy in the wide area network and that span across geographical locations. I also see the rise of passwordless authentication. We live in a password age and just make passwords easier to steal and compromise than ever. I'm betting a lot of tools are going to start moving to passwordless authentication where instead of relying on passwords that can be stolen, they will rely on keys and digital certificates. They are a lot more secure. Another new thing is the rise of SASE tools, S-A-S-E. And it's called SASE. So these are basically tools that combine security and networking into a single solution that can be deployed anywhere, anytime to support remote access and remote work. So traditionally you have to deploy the network, then you have to lay your security tools on top and make sure that the two connect. These tools just sort of do all of the legwork for you. You detect the platform, you put it up and you're done. You're ready to run a remote work environment. In terms of endpoints, unified endpoint management is very important. It's actually more important than ever because your device could be anywhere for whatever you can guess. So you want to make sure that you can manage those devices, whether they're laptops or mobile devices or tablets. And then EDR, enterprise detection and response tools, is also very important because you no longer have a traditional network where everything is in one place, where you can lay a tool on top to watch over the traffic.
I have to rely on EDR tools or EDR agents with advanced capability to watch each and every single one of your devices. So you compact all of those very advanced network-level features into this single agent that sits on the employee device.

Jara Rowe: Awesome. So much helpful information. I'm sure all of the listeners are taking notes and everything. I have a couple of funner questions for you. I guess not as heavy in the cybersecurity and remote work realm. So first question, do you ever get tired of telling people not to click on suspicious links?

Anh: Yes, I do. When you have to say it over and over, you do get tired of it. But the reality is that people will keep clicking on links, right? You can tell them, you can send them reminders every day and they will still find some way to do it. So the better practice is to move on to what happens after people click the link. So I'm more concerned with what security controls we have in place now to protect after the user clicks, right? If they have clicked and provided a password, do we have MFA? That kind of stuff. So it's a nuisance but it is what it is.

Jara Rowe: I understand. All right. Next, if you could hack into any fictional character's computer, whose would it be?

Anh: Definitely Iron Man. I think his computer would have some really interesting tech that's worth knowing and being a tech geek, I just cannot resist the temptation.

Jara Rowe: Yeah, I understand that. All right. Thank you so much for joining me on this episode and talking to me about remote work and access management. But before I let you go, do you have any final thoughts?

Anh: Yeah. Something that I could leave is that remote work is here to stay. We see it on the news every day where companies are trying to force people back to in-office work and usually that doesn't work out. We could try to push back against this as much as we can for as long as we can, but the reality is that it will not go away. It's really a lot better to start switching our mindset to think of different ways that we can support our employees and organization in a new remote world age while still protecting our data and assets. But thanks for having me.

Jara Rowe: Yeah, thank you. Remote work is here to stay, so let's make sure we all stay secure. Thanks so much, Anh. Now that we've spilled the tea on remote work and cybersecurity, it's time to go over the receipts. I took a lot away from my conversation with Anh, so let's get into it. First, remote work widens our attack surface. So we went from small and contained to issues being global now. And now with us having such distributed teams, we all rely on cloud services and SaaS tools. Anh mentioned that some companies can use up to 250 tools a day. So we need to do our due diligence to make sure that these services and tools that we use to make our lives easier are secure as well. Anh gave a lot of helpful tips when it comes to securing our home network because as he pointed out, personal and professional are now blurred since we all work from home. Some of the things he told us to do is when we get a new router, we need to change the credentials and the passwords on the router. And another thing he also pointed out is to use a VPN when we're out in public just to make things a little more secure. And if you don't know a VPN, talk to your IT professional on your team for tips on that. Anh also talked about how important it is to have a sound access management policy because that will make it easier to know who to give access to for what things. And as we said, now that we're all working from home and through a distributed team, this is more important than ever. We also talked a little bit about the auditing process, so Anh did say that the process is still the same, but when it comes to where you store things, since it's in the cloud and things like that are a little different. So just make sure that everything is in the right place, the appropriate people have access to it and things of that nature when it comes to auditing, which we know we have to get audited and assessments to get SOC 2 and all the other compliance things.
So the last receipt that I have is Anh talking about zero trust. He mentioned that since we work from home, we're a little more lax and we might be a little more susceptible to certain attacks and threats like phishing and other social engineering. So it's important that we stay focused when we get an email or a text that may seem a little phishy, have zero trust. You want to assume that this person is not coming from a good place before you know that it's trustworthy. Again, I hope you all took as much away from this conversation about remote work access management and cybersecurity. I will see you on our next episode of The Tea on Cybersecurity. And that's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava security. Follow wherever you get your podcasts.

DESCRIPTION

"The shift to remote work has transformed the cybersecurity landscape, forcing companies to rethink their approach to protecting their attack surface."


In this episode of The Tea on Cybersecurity, @Jara Rowe sits down with Trava Senior Security Engineer @Anh Pham to discuss the blend of remote work and cybersecurity. 


The shift to remote work has significantly transformed the cybersecurity landscape, forcing companies and cybersecurity professionals to rethink their approach to protecting their data and assets. Due to this, businesses face unique cybersecurity challenges. To address these challenges, organizations need to enforce security controls at the device and user level, consider individual protection for each tool and resource, and implement strong access management policies and identity management tools. 


Join us as Anh dishes practical tips for beginners, ensuring you're armed with the know-how to stay safe in the virtual world.


What you’ll learn in this episode: 

  • The challenges businesses face and how they're adapting their security controls to protect against cyber threats in the remote work environment.
  • How businesses can protect their sensitive resources and prevent insider threats.
  • Methods and approaches businesses can take to keep their files and content secure.


Things to listen for:

  1. [02:09 - 04:22] Cybersecurity challenges that businesses face and how they address them.
  2. [07:46 - 08:47] How remote work has changed the auditing process.
  3. [09:12 - 10:28] How organizations can ensure the right individuals access sensitive resources.
  4. [12:37 - 14:44] Anh’s best practices for educating on preventing remote work breaches.
  5. [15:05 - 16:41] How the human factor in social engineering and phishing attacks come into play when considering remote work access security.
  6. [17:03 - 19:26] Trends Anh foresees in terms of cybersecurity needs, particularly in the realm of remote access management.


Connect with the Guest:

Anh Pham’s LinkedIn


Connect with the host:

Jara Rowe’s LinkedIn


Connect with Trava:

Website www.travasecurity.com 

Blog www.travasecurity.com/blog

LinkedIn @travasecurity

YouTube @travasecurity