In line with many other large organizations, Aon transitioned to a working-from-home policy for all staff several weeks ago. For our cyber security teams this has caused minimal change, as we have been able to support all core client services remotely for some years. However, for those who have not worked with us remotely, we wanted to share some of the many ways we are continuing to support our clients with their cyber security needs while the current crisis continues.
The simplest case is work that has always been done remotely, or work in environments that can be provisioned for easy remote access. Some types of work, such as penetration testing of cloud-hosted systems or incident response in cloud-based environments (such as Office 365), have always been delivered this way. Much of our intelligence and due diligence work, which has always drawn on open source resources, also falls into this category.
Additionally, some work that is traditionally carried out in person, such as much of our security advisory consultancy, can be delivered effectively via conferencing software such as WebEx, Zoom, and Skype. While working remotely we are endeavoring to use video conferencing as much as possible; in some cases a traditional conference call may suffice if video is unstable or unavailable.
We are also working with clients to open up firewall rules to the fixed set of IP addresses that our traffic originates from. So, where an environment is internet facing but access is controlled via Access Control Lists (ACLs), we can continue to deliver services once our source addresses have been added. Such entries should be scoped to the in-scope hosts and ports, tied to a change reference, and removed when the engagement ends, so that the allowlisting does not outlive the work it was created for.
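As an added illustration of the allowlisting pattern described above (example code written for this page, not an Aon tool), the following Python checks a proposed ACL entry against the scoping a tester would ask for, renders it as an nftables rule that carries its ticket and expiry in the comment, and lists entries whose window has closed. The tester source range, target address, ports, change reference and dates are constructed sample values; the client firewall being nftables is an assumption, and the same checks apply to a cloud security group or any other ACL.

```python
"""Scope, render and audit a time-bounded firewall allowlist for a remote test.

Added example, not Aon's tooling. The nftables syntax and all sample values
(source CIDR, target, ports, ticket, dates) are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class AllowRule:
    source: str          # tester egress CIDR the client is allowlisting
    destination: str     # in-scope target address or CIDR
    ports: tuple         # TCP ports in scope for the test
    expires: datetime    # end of the engagement window (UTC)
    ticket: str          # change reference, so the entry can be traced and removed


def problems(rule: AllowRule, now: datetime, max_days: int = 30) -> list:
    """Return the ways an entry is broader or longer-lived than the engagement needs.

    An empty list means the entry is acceptably scoped.
    """
    found = []
    src = ipaddress.ip_network(rule.source, strict=False)
    dst = ipaddress.ip_network(rule.destination, strict=False)
    # A tester's egress range is small; anything wider than a /24 (v4) or /48 (v6)
    # lets far more than the testing team through.
    narrowest_ok = 24 if src.version == 4 else 48
    if src.prefixlen < narrowest_ok:
        found.append(f"source {rule.source} is broader than a /{narrowest_ok}")
    # The destination must name the in-scope hosts, never "any".
    if dst.prefixlen == 0:
        found.append("destination matches any address")
    if not rule.ports:
        found.append("no ports listed")
    if rule.expires.tzinfo is None:
        found.append("expiry has no timezone")
    elif rule.expires <= now:
        found.append("expiry is already in the past")
    elif rule.expires - now > timedelta(days=max_days):
        found.append(f"window exceeds {max_days} days")
    return found


def to_nft(rule: AllowRule) -> str:
    """Render the entry as an nftables rule with ticket and expiry in its comment."""
    family = "ip" if ipaddress.ip_network(rule.source, strict=False).version == 4 else "ip6"
    ports = ", ".join(str(p) for p in rule.ports)
    return (
        f"add rule inet filter input {family} saddr {rule.source} "
        f"{family} daddr {rule.destination} tcp dport {{ {ports} }} counter accept "
        f'comment "{rule.ticket} expires {rule.expires.date().isoformat()}"'
    )


def expired(rules, now: datetime) -> list:
    """Entries whose window has closed and which should be removed from the firewall."""
    return [r for r in rules if r.expires <= now]


# Constructed sample data: a one-week engagement assessed on 20 April 2020.
NOW = datetime(2020, 4, 20, tzinfo=timezone.utc)
GOOD_RULE = AllowRule("203.0.113.0/24", "198.51.100.10/32", (443, 8443),
                      datetime(2020, 4, 27, tzinfo=timezone.utc), "CHG-0042")
# Too broad on both ends and open-ended: the kind of entry that gets forgotten.
BAD_RULE = AllowRule("203.0.0.0/8", "0.0.0.0/0", (443,),
                     datetime(2021, 4, 27, tzinfo=timezone.utc), "CHG-0043")
# Already past its window: should be flagged for removal.
OLD_RULE = AllowRule("203.0.113.0/24", "198.51.100.20/32", (22,),
                     datetime(2020, 3, 31, tzinfo=timezone.utc), "CHG-0017")

if __name__ == "__main__":
    for r in (GOOD_RULE, BAD_RULE):
        print(r.ticket, problems(r, NOW) or "ok")
    print(to_nft(GOOD_RULE))
    print("remove:", [r.ticket for r in expired([GOOD_RULE, OLD_RULE], NOW)])
```

Running the block prints the rendered rule for CHG-0042, three scoping problems for CHG-0043, and CHG-0017 as the entry due for removal. The audit step is the part that matters after the engagement: an allowlisted tester range that nobody removes is a standing hole in the client's perimeter.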
Finally, for many of our services, the bulk of the work is done in our lab and data centre environments after an initial phase of data collection, which can generally be done as described above. Those environments have long been designed for remote access and remote working, and we continue to operate within them as we have done previously.
Our penetration testing teams have a solution for delivering onsite network penetration testing remotely, the "BatBox." This is a physical appliance that we ship to a client's site; we also have a virtual equivalent, a Virtual Machine image that the client hosts on internal virtualization infrastructure. In both cases the solution is designed to give our testers access to the client's internal network or applications in a secure manner and under the control of the client's IT staff, where no suitable remote access solution already exists.
Virtual Private Network (VPN)
For some types of work, we can deliver services entirely remotely using the same VPN solution a client provides for its own employees. These solutions may currently be heavily utilised with staff working from home, but for many clients there is still sufficient capacity, in which case VPN access is the quickest means of giving our colleagues the access they need to deliver the services.
Existing Remote Working Solution
Similar to VPNs, larger clients may have remote working solutions such as Citrix or other virtual desktop solutions. This can be a practical way of providing access, especially if there is a process for fast-tracking the approval and installation of the specialist toolsets we may need to deploy into the environment. We can also use screen-sharing technologies such as WebEx to accomplish some of our work. The same caution about resource constraints applies as for VPNs at the moment, but this too can be a quick way of provisioning access.
Secure File Exchange
In some cases, we find that our clients' existing solutions for secure file transfer aren't designed for a remote working scenario; pushing 20GB of data through an already overloaded VPN, for example, is not optimal. This is why we have several different solutions for different scenarios, largely depending on what our client can support at the other end. For simple and small cases, we support PGP or S/MIME encryption over email. For larger and more complex situations, we have multiple secure file sharing platforms that provide encrypted web-based file transfer. We can also access data through traditional file transfer protocols such as WebDAV, SFTP and FTPS.
Where it is essential that services are delivered onsite, we continue to support this type of work, subject to our internal guidance on employee safety and to local regulations, government guidance, restrictions and lockdowns. We deliver onsite work where there is no other option and where a risk assessment determines that it is safe for our employees to do so.
CyberScan / CyQu
CyberScan is a cloud-based managed service for vulnerability assessment. Although it is cloud-based, it can be used both for external internet scanning of networks, web applications and APIs and for internal systems, via a CyberScan appliance we supply. The service is remote by design, including the manual review of findings that is included in the solution licensing. As the reporting dashboard is accessible via the cloud, it is very effective to deploy in a remote working scenario.
CyQu (Cyber Quotient Evaluation) is an online cyber risk assessment delivered in a questionnaire format and hosted on our internet-facing cloud platform. As such, clients can complete it provided they have basic internet access.
Ready to support you
We use all these remote working tools regularly, often in tandem, and fully expect that nearly all the client requests we traditionally respond to can be handled remotely. We are also happy, where it makes sense for both you and us, to discuss remote assistance formats beyond those covered above. While the current crisis is challenging for all businesses, we are ready and willing to help and support you with all your cyber security needs and challenges.
If you or your business have reason to believe that you have been compromised, contact Aon to help you identify and mitigate the risk to your organization.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.