“Anything goes” is not enough

22 April 2020

In these times of health crisis, quite a few CIOs and CISOs are calling us to request assistance with the new scenario of mass remote work: some because they need remote control, and others for help securing their infrastructure or organizing the flood of incidents and requests received from their users. But of all the discussions that took place during these days, there is one that made my hair stand on end, with the categorical assertion that “Anything goes as long as operations continue”. I’m sorry, pal, but I don’t agree with you on this.

To be sure, the highest priority is to protect people (ourselves and those around us, especially older people), and only with that precondition met can we begin to think about continuing the operations of our organizations. Let’s take this as a guiding principle...

Well then, in reality, “anything goes” is not enough for IT either… If we allow the idea of “anything goes” to take hold in our minds, in the end we will be only a single step away from a complete tragedy for our networks, and if you don’t believe me, let this simple example serve as a lesson.

Continuing operations with “anything goes” can be as easy as our users leaving their company PCs on and allowing any of our users’ home devices to access the network via VPN. Isn’t that easy? This is not much of a mystery. In that case, thanks to “anything goes”, we have just connected various unknown devices to our network, perhaps in multiples of 10. Or perhaps in multiples of 100. They may not be updated, may lack antivirus or (worse) be full of viruses, browsing through download pages plagued by every type of malware... This path is easy, but it is much more dangerous.

The other “anything goes” option, if we do not want home PCs to enter our network via VPN, is to publish the remote desktops on the Internet, so that the devices can access them without being connected to the VPN, which enables us to eliminate the risk indicated above. Of course, we are opening another door to insecurity, since remote desktops are an excellent attack vector (and if you don’t believe me, remember the people suffering from WannaCry attacks and similar types of attack).

No, “anything goes” is not enough. “Anything goes” is an approach that will only lead to the self-destruction of our networks, and then all we have accomplished is that continuity of operations has lasted only a few days before being interrupted for weeks while we clean up the mess. Is it preferable to wait one more day and then continue operations securely for an indefinite time, or to run the risk of downtime only a few weeks later because we gained a single day at the beginning?

It is clear to me. Quite clear. Crystal-clear.

Best regards,

Alejandro Castro, Proactivanet’s Technical Director

PS: I promise that the reflections are based on real conversations 🙁 although fortunately those involved reflected and looked for alternatives in time 🙂
