Best Practices for Secure Remote Development

Remote work and work from home have become commonplace in software development. When done properly, it allows software teams to collaborate from anywhere, which can potentially reduce company overhead, boost productivity, and aid recruitment.

But without the right security measures in place, developing from home can increase an organization’s exposure to security breaches. Some of the common risks that a developer might face when working from home include:

• Malware: any software created with hostile intentions, such as restricting access to data or destroying it completely
• Phishing: a form of trickery aiming to get the user to click on a bad link or volunteer information
• Data theft: attacks targeted at gaining access to private or sensitive data
• Ransomware: software that locks out users from systems and demands a ransom in exchange for not deleting or making data public
• Spyware: software that won’t make itself known to you and will share your activities and data with a malicious actor

How to ensure cybersecurity when developing from home

This article explores some best practices for working from home and how they can help you avoid or alleviate the risks listed above.

Ideally, you should use a work-supplied device when at work. It would be managed and securely configured by your organization’s IT and have the latest antivirus software, firewalls, and a VPN connection to work systems. This also prevents bad actors from installing software that could introduce malware, ransomware, or other malicious software that can compromise the organization.

But sometimes, you must use your own devices, sometimes referred to as “BYOD” (bring your own device). If this is the case, clear policies for personal devices, particularly for the protection of data, are important. Depending on your systems and organization, if you store data that is subject to specific regulations, you might have adequate systems in place to store that data in your data center. But the same may not be true for personal devices that you bring to work.

To attack a Wi-Fi network, a malicious actor must only be within range of an access point, such as the router or hub. Some common attacks against Wi-Fi networks include:

• Spoofing the DNS so that network users on a Wi-Fi network unintentionallyconnect to malicious, fake websites
• Intercepting insecure communications, including users’ login credentials to services they use, such as their email accounts or private software repositories
• Piggybacking (using) an Internet connection without the owner’s knowledge

A good starting point for secure work from home is to run through the following steps to check that the router is securely set up:

• Change the default admin username and password.
• Disable remote administration and access (from the Internet).
• Enable security and encryption, choosing the strongest options available. Wi-Fi protected access 2 (WPA2) is the most common, but WPA3 is also becoming more popular, as it fixes some security flaws found in WPA2.

If a router doesn’t support WPA2, you should replace it with a newer model. Newer routers will also offer helpful security features such as a guest network, meaning that you don’t need to hand over a Wi-Fi access code to visitors, and they restrict guest devices that might not be secure from accessing the main network and gaining access to your devices.

It’s also a good idea to avoid public networks. Only connect work devices to password-protected, trusted networks. If you must connect to untrusted networks, set up a virtual private network (VPN) on the device.

Internal office networks can offer a level of protection by having a clear perimeter. Working from remote locations exposes traffic, as it travels through networks and devices that your organization doesn’t manage, where someone could tamper with or read it.

You should enforce the use of an encrypted VPN to connect to networked services. This acts like a tunnel and protects traffic from prying eyes.

With the increased use of software as a service (SaaS), like the Microsoft Office 365 suite of tools, less traffic must go through an organization’s networks. This might remove the need for a VPN linkup to the organization’s data center, avoiding unnecessary latency. Cloud-based tools, such as a Secure Access Service Edge (SASE), avoid routing traffic through on-premise network security controls and can provide scalable and secure access to organization resources. But if you plan to work on public, unsecured networks, you should employ some form of VPN to reduce the risks from the standard attacks discussed above for Wi-Fi.

A data breach involves unauthorized access to any form of data. When a database of accounts is breached, you have a security problem—even with encrypted passwords. Hackers have accessed a staggering 12 billion accounts in this way.

Once in possession of the account data, attackers can crack the password with the brute-force method of trying possible password combinations. Just a single desktop PC, with a single AMD Radeon R9 280X graphics card, can try approximately nine billion passwords hashed with MD5 in one second. A ten-character password made up of a random mix of lowercase letters does make for a massive number of possibilities—around 141 trillion (calculated as the number of different characters, 26, raised to the power of the length, 10). But even at the relatively slow processing rate of a desktop PC, a hacker could test every possible password in four and a half hours.

An attacker can crack 88 billion passwords hashed with MD5 in one second by upgrading a PC to use three more powerful graphics cards. Imagine what more extensive, complicated systems could do.

Better hashing algorithms can significantly slow things up for the attacker, but length and complexity are key. If you just change your ten-character password to include a mix of numbers, uppercase letters, lowercase letters, and symbols, it could have seven quintillion possibilities for the cracker to try.

You must use best practices for choosing passwords, with minimum criteria enforced by the identity system. Having software to securely store access credentials, such as Password Manager by Trend Micro, makes it easier to work with complex passwords.

User authentication can be broken down into the following categories:

• Knowledge: information only a user knows, such as a password, PIN, or the answer to a secret question
• Possession: physical items, like keys for locks, that entitle users to access a system. This can be a mobile phone to receive SMS verification codes.
• Inherence: things that are intrinsic and unique to a user, such as their face, voice, and fingerprints for biometrics

Historically, many systems were secured by just one knowledge factor: the login and password combination. This is single-factor authentication. Many of those systems also use an additional piece of knowledge, such as a secret question, to protect sensitive actions. But this does nothing to prevent a malicious actor from gaining access to the system if they have the user’s password.

There are many ways to compromise one authentication factor. So, if you are accessing your organization’s internal systems from outside the organization’s networks, it’s essential to use multifactor authentication (MFA). One very common form is to use a username and password, then also require a user to respond with the code sent to a device they have, such as a mobile phone.

Updating to the latest operating system not only unlocks the newest features but also provides you with the latest protection from security threats. Older systems that are out of vendor support are at greater risk of being breached via an unpatched vulnerability. You benefit from application upgrades in the same way.

Rotating sensitive keys and credentials is an unforgiving manual task, especially when done regularly, so invest upfront to automate the process. How often you need to change keys and credentials depends on the computing power that hackers have access to and the size of keys and passwords (the latter’s complexity also matters). Administrators should expire them before bad actors can compromise them, as discussed above. Admins can increase the minimum length and complexity requirements for the password to increase the time it would take to crack.

Secure shell (SSH) keys are a useful way of automating the login process to remote systems so that users don’t have to input their passwords every time they connect. At a minimum, a 2,048-bit key based on the RSA algorithm should work. However, a 4,096 bit-key is even better. Following best practices for creating and storing SSH keys and using the correct file permissions all contribute to keeping your systems safe.

Don’t forget to implement a policy for changing keys or locking credentials if you suspect someone has compromised them.

Security audits can take many forms, from internal audits to more formal contracted penetration testing. Collectively, they’re a thorough assessment of an organization’s security policies and practices. They differ from the routine testing and assessments conducted by an organization’s security team, in that the reports they produce are for less technical stakeholders and management to consume.

There are also informal measures that you can take to audit security. One tactic employed by some organizations is to use phishing tests, where a company creates mock phishing emails that they send out to employees to find out who might be at risk of real-world phishing. Further training can then be based on the results.

Providing someone with more privileges than they need can significantly increase security risks. What if you granted admin access to a user who had no need for it, and then a hacker compromised their account? By granting users the least amount of access required to carry out duties, you can limit the potential damage of any security breach. This is referred to as the principle of least privilege.

In addition, you can implement a zero-trust policy. With zero-trust, you should consider any device, user, or piece of network traffic a threat. This is a strategy that breaks away from the traditional, misguided belief that any internal traffic is trustworthy.

Security is dynamic. It’s not something that you can afford to get complacent about. There will always be a new threat, and you can’t pre-empt them all. The reassuring thing is that for every malicious actor, there’s also an army of security experts keeping the IT community informed. They do this by speaking at conferences, blogging, and recording details in databases like the National Vulnerability Database (NVD), podcasts, and more.

The job of security personnel in organizations is to tune into these information sources and keep up to date with the latest threats and their mitigations. They should make sure everyone knows of items relevant to the organization. The challenge is to ensure that remote workers receive notice as well.

Conclusion

To protect your organization from cybersecurity threats, ensure that all staff members are well-trained in security when working remotely and that policies are up to date for remote work so that everyone is clear about the expectations.

There are lots of tools available to help mitigate the risks introduced by developers working remotely. Be sure to research solutions that use cutting-edge artificial intelligence techniques like the machine learning employed by Trend Micro. These will keep you one step ahead of the malicious actors and protect you from known and unknown threats.

Read More HERE