37% of remote employees have no security restrictions on corporate devices

ManageEngine unveiled findings from a report that analyzes behaviors related to personal and professional online usage patterns.

security restrictions devices

Security restrictions on corporate devices

The report combines a series of surveys conducted among nearly 1,500 employees amid the pandemic as many people were accelerating online usage due to remote work and stay-at-home orders. The findings evaluate users’ web browsing habits, opinions about AI-based recommendations, and experiences with chatbot-based customer service.

“This research illuminates the challenges of unsupervised employee behaviors, and the need for behavioral analytics tools to help ensure business security and productivity,” said Rajesh Ganesan, vice president at ManageEngine.

“While IT teams have played a crucial role in supporting remote work and business continuity during the pandemic, now is an important time to evaluate the long-term effectiveness of current strategies and augment data analytics to IT operations that will help sustain seamless, secure operations.”

Risky online behaviors could compromise corporate data and devices

63% of respondents report that their organization has provided them with a corporate device to utilize while working remotely.

Interestingly, 37% of those respondents also say that there are no security restrictions on these corporate devices. Therefore, risky online activities such as visiting unsecured websites, sharing personal information, and downloading third-party software could pose potential threats.

For example, 54% said they would still visit a website after receiving a warning about potential insecurities. This percentage is also significantly higher among younger generations – including 42% of people 18-24 years and 40% of 25-34 years.

Remote work has its hiccups, but IT teams have been responsive

79% of respondents say they experience at least one technology issue weekly while working from home. The most common issues include slowed functionality and download speeds (40%) and reliable connectivity (25%).

However, IT teams have been committed to solving these challenges. For example, 75% of respondents say it’s been easy to communicate with their IT teams to resolve these issues. Chatbots, AI, and automation are becoming increasingly more effective and trusted.

76% said their experience with chatbot-based support has been “excellent” or “satisfactory,” and 55% said their issue was resolved in a timely manner. As it relates to artificial intelligence, 67% say they trust these solutions to make recommendations for them.

The increasing comfort with automation technologies can help IT teams support both front and back-end business functions, especially during times of increased online activities due to the pandemic.

ManageEngine ADSelfService Plus now supports MFA for VPNs to protect remote workforce

ManageEngine announced that ADSelfService Plus, an integrated Active Directory (AD) self-service password management and single sign-on (SSO) solution, now supports multi-factor authentication (MFA) for VPNs to protect organizations’ internal networks from unauthorized access.

By adding an extra authentication step, ADSelfService Plus makes it extremely difficult for attackers who depend on password cracking or compromised credentials to gain access to the network resources.

Amid the COVID-19 outbreak, enterprise VPN solutions have become indispensable for organizations with employees who work from their homes yet need to access resources on their organizations’ internal networks to get their work done. As a result, VPNs have become the focus of hackers such as the one who reportedly published a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.

To prevent attackers from using compromised credentials to access VPN servers, the US Department of Homeland Security recommends implementing MFA on all VPN connections to increase security.

“VPN gateways are directly accessible through the internet and are prone to brute force and other types of attacks. Relying on credentials alone to protect VPN access to vital resources could result in immeasurable losses,” said Parthiban Paramasivam, director of product management, ADSelfService Plus.

“Implementing MFA for VPNs ensures that employees have a second layer of defense even if their credentials are compromised. ADSelfService Plus presents a MFA solution that is both secure and easy to use for employees.”

Securing VPNs with MFA via biometric authentication and security tokens

The 2020 State of Password and Authentication Security Behaviors Report found that biometric-based authentication was the top preference among users when it comes to authentication. ADSelfService Plus supports a wide range of secure and user-friendly authentication factors, including:

  • Fingerprints
  • Face ID
  • Push notifications and TOTPs via the ADSelfService Plus mobile app
  • YubiKey OTP
  • Google Authenticator
  • Microsoft Authenticator

Additionally, ADSelfService Plus seamlessly integrates with Active Directory (AD). Since many organizations already use AD credentials for VPN authentication, implementing MFA for employees requires only minimal configuration.

Apart from MFA, ADSelfService Plus also supports creating strong password policy rules that prevent dictionary words, palindromes and common patterns such as 1234, asdf and qwerty. Similarly, ADSelfService Plus integrates with Have I Been Pwned? to prevent users from setting their account passwords to previously compromised passwords.

Critical ManageEngine ADSelfService Plus RCE flaw patched

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.

CVE-2020-11552

About ManageEngine ADSelfService Plus

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

About the vulnerability (CVE-2020-11552)

Unearthed and flagged by Bhadresh Patel, CVE-2020-11552 stems from the solution not properly enforcing user privileges associated with Windows Certificate Dialog.

The ManageEngineADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfServicePlus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSLcertificate to the client’. Or, ‘a (default) self-signed SSLcertificate is configured on ADSelfService Plus server’,” he noted.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:windowssystem32’, acmd.exe can be launched as a SYSTEM.”

Patel also published a PoC exploit video (the exploitation part starts at 5:30):

[embedded content]

ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.

Hackers are compromising vulnerable ManageEngine Desktop Central instances

Is your organization using ManageEngine Desktop Central? If the answer is yes, make sure you’ve upgraded to version 10.0.474 or risk falling prey to attackers who are actively exploiting a recently disclosed RCE flaw (CVE-2020-10189) in its software.

About ManageEngine Desktop Central

ManageEngine Desktop Central is developed by ManageEngine, a division of Zoho Corporation, an software development company that focuses on web-based business tools and information technology.

Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to centrally control servers, laptops, smartphones, and tablets.

About the vulnerability (CVE-2020-10189)

CVE-2020-10189 allows for deserialization of untrusted data and allows unauthenticated, remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central and achieve SYSTEM/root privileges.

This would allow them to install malicious programs or push malicious updates onto the managed devices, lock them, and so on.

The vulnerability affects Desktop Central versions prior to 10.0.474 and was unearthed by Steven Seeley of Source Incite, who revealed its existence publicly last week through a tweet and security advisory that also links to PoC exploit code.

At the time, the vulnerability was a zero-day (unknown to and unaddressed by the vendor), since Seeley didn’t share his findings with Zoho/ManageEngine prior to the advisory’s publication – ostensibly because “Zoho typically ignores researchers.”

A day later ManageEngine issued a security update (v10.0.479) to correct the flaw and offered mitigation advice.

The danger

Nate Warfield, senior security program manager at Microsoft, used the Shodan search engine to find some 2,300 publicly accessible Desktop Central instances.

But even instances that aren’t exposed externally can be exploited by attackers who have achieved access to the target organization’s through another security hole, allowing them to broaden their presence.

Finally, since the solution is often used by managed service providers (MSPs), compromised Desktop Central instances could result in the simultaneous compromise of many client organizations’ endpoints and, through them, networks.

Organizations who use ManageEngine Desktop Central should upgrade to a safe version as soon as possible.