What began as a two-week remote working environment, due to COVID-19 has now stretched past the nine-month mark for many. The impact of telework on organizations can be felt across departments, including IT and security, which drove the almost overnight digital transformation that swept across the globe.
While organizations across various sectors were faced with the challenge of maximizing their telework posture, those in government services had the extra burden of supporting employees who needed remote access to classified information.
The technology investments spurred by the pandemic also left organizations open to new and increasing threats, with KPMG reporting that “more than four in ten (41 percent) of organizations have experienced increased [cybersecurity] incidents mainly from spear phishing and malware attacks.”
So, while organizations have always been encouraged to evaluate their security posture, patch their VPNs, and prioritize Zero Trust architectures, the pandemic forced them to accelerate the adoption of these measures and evaluate their security posture more seriously. In fact, KPMG also found that most CIOs believe the pandemic has permanently accelerated digital transformation and the adoption of emergent technologies.
By observation, this digital transformation and security transition has happened in what can be defined as three stages, originating when the pandemic first hit in March, spanning through the rest of 2020 and into 2021.
Stage 1 – Acclimating employees to their new remote workspace
Many organizations had to figure out how to increase capacity for critical technologies like VPN. While large consulting firms and IT services companies generally had the technology and procedures in place to make the transition, government and financial institutions were much further behind. With both industries operating in an environment not conducive to telework pre-pandemic, IT leaders had to onboard large amounts of employees onto the VPN network – in some cases going from 10,000 employees on a VPN to 150,000.
Updating technology to accommodate that scale is no easy feat and other hurdles like supply chain issues – e.g., technology coming from foreign nations that were already in lockdown – presented unexpected obstacles. Lessons learned from this pertain to having a disaster and response plan as well as understanding that you might have to build in more time to effectively solve these types of issues.
Stage 2 – Investing in new tech
Once companies could better support their remote workforce, they needed to further understand the additional controls needed to continue providing a secure remote work infrastructure in the long term. In response to this need, there were significant spikes (as much as 80% according to Okta) in the usage of tools like multi-factor authentication as organizations began to rethink the way employees should access networks.
There has also been an increase in DNS being added to the roster of “easy to implement” security tech geared towards a distributed workforce.
Stage 3 – Developing a permanent remote IT infrastructure
As organizations currently undergo planning and budget allocation for 2021, they are looking to invest in more permanent solutions. IT teams are trying to understand how they can best invest in solutions that will ensure a strong security posture.
There’s also a greater importance in starting to understand the greater need for complete visibility into the endpoint, even as devices are operating on remote networks. Policies are being created around how much work should actually be done on a VPN and by default creating more forward-looking permanent policies and technology solutions.
But as security teams embrace new tools for security and operations to enable continuity efforts, it also generates new attack vectors. COVID-19 has presented the opportunity for the IT community to evaluate what can and can’t be trusted, even when operating under Zero Trust architectures. For example, some of the technologies, like VPN, can undermine what they were designed for.
At the beginning of the pandemic, CISA issued a warning around the continued exploitation of specific VPN vulnerabilities. CISA conducted multiple incident response engagements at U.S. government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting VPN appliances—to gain access to victim networks.
Although the VPN provider released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.
This exploitation was a textbook example of cybercriminals adapting their attack methodologies to the increased use and scale of new technologies for remote workers. This concentrated adversarial effort caused security teams to reevaluate the tools they have put into place, and the scale at which they have done so. The four areas that security teams are putting a critical focus on include:
- The best process for reducing remote access to sensitive data
- The identification gap between commercial and classified data
- The security of collaboration tools across an organization
- Visibility of endpoints, even when they’re not on my network
At the end of the day, security is a journey, not a destination – what might have worked prior to the pandemic needed to best suit the evolving threat environment. But just because you have a security solution in place, doesn’t mean that won’t become your next exploitation. It’s imperative for security teams to continuously advise their organizations on the changing threat landscape, always looking to stay one step ahead of the attacker.
As organizations grapple with stage three of addressing their security posture, they must get inside the mindset of today’s cybercriminals who are working around the clock to maliciously exploit new technologies and workflows implemented by companies today.
Automation will play a major role in shaping cybersecurity attack and defence activities in 2021, WatchGuard predicts.
Traditionally a high-investment, high-return targeted attack, in 2021 automation tools will replace manual techniques to help cybercriminals launch spear phishing campaigns at record volumes, by harvesting victim-specific data from social media sites and company web pages.
Automated spear phishing attacks to prey on fears
And as society continues to grapple with the impact of COVID-19, it is likely that these automated spear phishing attacks will prey on fears around the pandemic, politics and the economy.
Conversely, the research team believes that automation will also help cloud-hosting providers such as Amazon, Microsoft and Google to crack down on cybercriminal groups abusing their reputation and services to launch malicious attacks.
Threat actors commonly host website HTML files designed to mimic a legitimate website like Microsoft 365 or Google Drive to steal credentials submitted by unsuspecting victims. But in 2021, these companies will deploy automated tools and file validation technologies that will spot spoofed authentication portals.
In its annual look ahead to the next 12 months, the tumultuous events of 2020 will impact the threat landscape next year and for years to come. Other predictions include:
Attackers swarm VPNs and RDPs as the remote workforce grows
As more companies adopt VPNs and Remote Desktop Protocol (RDP) solutions to provide secure connections to employees working from home, attacks against them will double in 2021. If an attacker can compromise VPN, RDP or remote connection servers, they have an unobstructed path into the corporate network.
Security gaps in legacy endpoints targeted
Endpoints have become a high priority target for attackers during the global pandemic and many personal computers are still running legacy software that is difficult to patch or update.
With Microsoft just ending its extended support program for Windows 7, organizations are warned to expect at least one major new Windows 7 vulnerability to make headlines in 2021.
Services without MFA will suffer a breach
Authentication is the cornerstone of strong security; but with billions of usernames and passwords available on the dark web and the prevalence of automated authentication attacks, no Internet-exposed service is safe from cyber intrusion if it isn’t using multi-factor authentication (MFA). In fact, any service without MFA enabled is highly likely to be compromised in 2021.
“But our Threat Lab team along with other researchers around the world have an increasing level of analytics and insight to make well-informed guesses. Cybercriminals always look for the weak links, so the growing ranks of home workers are an obvious target and when it comes to new technologies such as automation and AI, what can work for good, can also be exploited for malicious activity. It’s just a case of trying to stay one step ahead.”
As COVID-19 lockdown measures were implemented in March-April 2020, consumer and business behavioral changes transformed the internet’s shape and how people use it virtually overnight. Many networks experienced a year’s worth of traffic growth (30-50%) in just a few weeks, Nokia reveals.
By September, traffic had stabilized at 20-30% above pre-pandemic levels, with further seasonal growth to come. From February to September, there was a 30% increase in video subscribers, a 23% increase in VPN end-points in the U.S., and a 40-50% increase in DDoS traffic.
Ready for COVID-19
In the decade prior to the pandemic, the internet had already seen massive and transformative changes – both in service provider networks and in the evolved internet architectures for cloud content delivery. Investment during this time meant the networks were in good shape and mostly ready for COVID-19 when it arrived.
Manish Gulyani, General Manager and Head of Nokia Deepfield, said: “Never has so much demand been put on the networks so suddenly, or so unpredictably. With networks providing the underlying connectivity fabric for business and society to function as we shelter-in-place, there is a greater need than ever for holistic, multi-dimensional insights across networks, services, applications and end users.”
The networks were made for this
While the networks held up during the biggest demand peaks, data from September 2020 indicates that traffic levels remain elevated even as lockdowns are eased; meaning, service providers will need to continue to engineer headroom into the networks for future eventualities.
Content delivery chains are evolving
Demand for streaming video, low-latency cloud gaming and video conferencing, and fast access to cloud applications and services, all placed unprecedented pressure on the internet service delivery chain.
Just as Content Delivery Networks (CDNs) grew in the past decade, it’s expected the same will happen with edge/far edge cloud in the next decade – bringing content and compute closer to end users.
Residential broadband networks have become critical infrastructure
With increased needs (upstream traffic was up more than 30%), accelerating rollout of new technologies – such as 5G and next-gen FTTH – will go a long way towards improving access and connectivity in rural, remote and underserved areas.
Better analytical insights enable service providers to keep innovating and delivering flawless service and loyalty-building customer experiences.
Deep insight into network traffic is essential
While the COVID-19 era may prove exceptional in many ways, the likelihood is that it has only accelerated trends in content consumption, production and delivery that were already underway.
Service providers must be able to have real-time, detailed network insights at their disposal – fully correlated with internet traffic insights – to get a holistic perspective on their network, services and consumption.
Security has never been more important
During the pandemic, DDoS traffic increased between 40-50%. As broadband connectivity is now largely an essential service, protecting network infrastructure and services becomes critical.
Agile and cost effective DDoS detection and automated mitigation are becoming paramount mechanisms to protect service provider infrastructures and services.
As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise?
We will see the rush to the cloud continue
The pandemic saw more companies than ever move to the cloud as they sought collaboration and productivity tools for employee bases working from home. We expect that surge to continue as more companies realize the importance of the cloud in 2021. Businesses are prepared to preserve these new working models in the long term, some perhaps permanently: Google urged employees to continue working from home until at least next July and Twitter stated employees can work from home forever if they prefer.
Workforces around the world need to continue using alternatives to physical face-to-face meetings and remote collaboration tools will help. Cloud-based tools are perfect for that kind of functionality, which is partly why many customers that are not in the cloud, want to be. The customers who already started the cloud migration journey are also moving more resources to public cloud infrastructure.
People will be the new perimeter
While people will eventually return to the office, they won’t do so full-time, and they won’t return in droves. This shift will close the circle on a long trend that has been building since the mid-2000s: the dissolution of the network perimeter. The network and the devices that defined its perimeter will become even less special from a cybersecurity standpoint.
Instead, people will become the new perimeter. Their identity will define what they’re allowed to access, both inside and outside the corporate network. Even when they are logged into the network, they will have minimal access to resources until they and the device they are using have been authenticated and authorized. This approach, known as zero trust networking, will pervade everything, covering not just employees, but customers, contractors, and other business partners.
User experience will be increasingly important in remote working
Happy, productive workers are even more important during a pandemic. Especially as on average, employees are working three hours longer since the pandemic started, disrupting the work-life balance. It’s up to employers to focus on the user experience and make workers’ lives as easy as possible.
When the COVID-19 lockdown began, companies coped by expanding their remote VPN usage. That got them through the immediate crisis, but it was far from ideal. On-premises VPN appliances suffered a capacity crunch as they struggled to scale, creating performance issues, and users found themselves dealing with cumbersome VPN clients and log-ins. It worked for a few months, but as employees settle in to continue working from home in 2021, IT departments must concentrate on building a better remote user experience.
Old-school remote access mechanisms will fade away
This focus on the user experience will change the way that people access computing resources. In the old model, companies used a full VPN to tunnel all traffic via the enterprise network. This introduced latency issues, especially when accessing applications in the cloud because it meant routing all traffic back through the enterprise data center.
It’s time to stop routing cloud sessions through the enterprise network. Instead, companies should allow remote workers to access them directly. That means either sanitizing traffic on the device itself or in the cloud.
User authentication improvements
Part of that new approach to authentication involves better user verification. That will come in two parts. First, it’s time to ditch the password. The cybersecurity community has advocated this for a long time, but the work-from-home trend will accelerate it. Employees accessing from mobile devices are increasingly using biometric authentication, which is more secure and convenient.
The second improvement to user verification will see people logging into applications less often. Sessions will persist for longer, based on deep agent-based device knowledge that will form a big part of the remote access experience.
Changing customer interactions will require better mobile security
It isn’t just employees who will need better mobile security. Businesses will change the way that they interact with customers too. We can expect fewer person-to-person interactions in retail as social distancing rules continue. Instead, contact-free transactions will become more important and businesses will move to self-checkout options. Retailers must focus more on mobile devices for everything from browsing products, to ordering and payment.
The increase in QR codes presents a great threat
Retailers and other companies are already starting and will continue to use QR codes more and more to bridge contact with things like menus and payment systems, as well as comply with social distance rules. Users can scan them from two meters away, making them perfect for payments and product information.
The problem is that they were never designed for these applications or digital authentication and can easily be replaced with malicious codes that manipulate smartphones in unexpected and damaging ways. We can expect to see QR code fraud problems increase as the usage of these codes expands in 2021.
The age of the Everywhere Enterprise
One overarching message came through clearly in our conversations with customers: the enterprise changed for the longer term in 2020, and this will have profound effects in 2021. What began as a rushed reaction during a crisis this year will evolve during the next as the IT department joins HR in rethinking employee relationships in the age of the everywhere enterprise.
If 2020 was the year that businesses fell back on the ropes, 2021 will be the one where they bounce forward, moving from a rushed reaction into a thoughtful, measured response.
COVID-19 and the subsequent global recession have thrown a wrench into IT spending. Many enterprises have placed new purchases on hold. Gartner recently projected that global spending on IT would drop 8% overall this year — and yet dollars allocated to cloud-based services are still expected to rise by approximately 19 percent, bucking that downward trend.
Underscoring the relative health of the cloud market, IDC reported that all growth in traditional tech spending will be driven by four platforms over the next five years: cloud, mobile, social and big data/analytics. Their 2020-2023 forecast states that traditional software continues to represent a major contribution to productivity, while investments in mobile and cloud hardware have created new platforms which will enable the rapid deployment of new software tools and applications.
With entire workforces suddenly going remote all over the world, there certainly are a number of specific business problems that need to be addressed, and many of the big issues involve VPNs.
Assault on VPNs
Millions of employees are working from home, and they all have to securely access their corporate networks. The vast majority of enterprises still rely on on-premises servers to some degree (estimates range from 60% to 98%), therefore VPNs play a vital role in enabling that employee connection to the network. This comes at a cost, though: bandwidth is gobbled up, slowing network performance — sometimes to a crippling level — and this has repercussions.
Maintenance of the thousands of machines and devices connected to the network gets sacrificed. The deployment of software, updates and patches simply doesn’t happen with the same regularity as when everyone works on-site. One reason for this is that content distribution (patches, applications and other updates) can take up much-needed bandwidth, and as a result, system hygiene gets sacrificed for the sake of keeping employees productive.
Putting off endpoint management, however, exposes corporate networks to enormous risks. Bad actors are well aware that endpoints are not being maintained at the same level as pre-pandemic, and they are more than willing to take advantage. Recent stats show that the volume of cyberattacks today is pretty staggering — much higher than prior to COVID-19.
Get thee to the cloud: Acceleration of modern device management
Because of bandwidth concerns, the pressure to trim costs, and the need to maintain machines in new ways, many enterprises are accelerating their move to the cloud. The cloud offers a lot of advantages for distributed workforces while also reducing costs. But digital transformation and the move to modern device management can’t happen overnight.
Enterprises have invested too much time, money, physical space and human resources to just walk away. Not to mention, on-premises environments have been highly reliable. Physical servers are one of the few things IT teams can count on to just work as intended these days.
Hybrid environments offer a happy medium. With the latest technology, enterprises can begin migrating to the cloud and adapt to changing conditions, meeting the needs of distributed teams. They can also save some money in the process. At the same time, they don’t have to completely abandon their tried-and-true servers.
Solving specific business problems: Content distribution to keep systems running
But what about those “specific business problems,” such as endpoint management and content distribution? Prior to COVID-19, this had been one of the biggest hurdles to digital transformation. It was not possible to distribute software and updates at scale without negatively impacting business processes and without excessive cost.
The issue escalated with the shift to remote work. Fortunately, technology providers have responded, developing solutions that leverage secure and efficient delivery mechanisms, such as peer-to-peer content distribution, that can work in the cloud. Even in legacy environments, vast improvements have been made to reduce bandwidth consumption.
These solutions allow enterprises to transition from a traditional on-premises infrastructure to the cloud and modern device management at their own speed, making their company more agile and resilient to the numerous risks they encounter today. Breakthrough technologies also support multiple system management platforms and help guarantee endpoints stay secure and updated even if corporate networks go down – something that, given the world we live in today, is a very real possibility.
Companies like Garmin and organizations such as the University of California San Francisco joined the unwitting victims of ransomware attacks in recent months. Their systems were seized, only to be released upon payment of millions of dollars.
While there is the obvious hard cost involved, there are severe operational costs as well — employees that can’t get on the network to do their jobs, systems must be scanned, updated and remediated to ensure the network isn’t further compromised, etc. A lot has to happen within a short period of time in the wake of a cyberattack to get people back to work as quickly and safely as possible.
Fortunately, with modern cloud-based content distribution solutions, all that is needed for systems to stay up is electricity and an internet connection. Massive redundancy is being built into the design of products to provide extreme resilience and help ensure business continuity in case part or all of the corporate network goes down.
The newest highly scalable, cloud-enabled content distribution options enable integration with products like Azure CDN and Azure Storage and also provide a single agent for migration to modern device management. With features like cloud integration, internet P2P, and predictive bandwidth harvesting, enterprises can leverage a massive amount of bandwidth from the internet to manage endpoints and ensure they always stay updated and secure.
Given these new developments precipitated and accelerated by COVID-19, as well as the clear, essential business problem these solutions address, expect to see movement and growth in the cloud sector. Expect to see an acceleration of modern device management, and despite IT spending cuts, expect to see a better, more secure and reliable, cost efficient, operationally efficient enterprise in the days to come.
It was an accomplishment for the ages: within just a couple of days, IT departments hurriedly provided millions of newly homebound employees online access to the data and apps they needed to remain productive.
Some employees were handed laptops as they left the building, while others made do with their own machines. Most connected to their corporate services via VPNs. Other companies harnessed the cloud and software and infrastructure services (SaaS, IaaS).
Bravo, IT! Not only did it all work, businesses and employees both saw the very real benefits of remote life, and that egg is not going back into the shell. Many won’t return to those offices and will continue work from home.
But while immediate access challenges were answered, this was not a long-term solution.
Let’s face it, because of the pandemic a lot of companies were caught off guard with insufficient plans for data protection and disaster recovery (DR). That isn’t easy in the best of times, never mind during a pandemic. Even those with effective strategies now must revisit and update them. Employees have insufficient home security. VPNs are difficult to manage and provision, perform poorly and are hard to scale. And, IT’s domain is now stretched across the corporate data center, cloud (often more than one), user endpoints and multiple SaaS providers.
There’s a lot to do. A plan that fully covers DR, data protection and availability is a must.
There are several strategies for protecting endpoints. First off, if employees are using company-issued machines, there are many good mobile machine management products on the market. Sure, setting up clients for a volume of these will be a laborious task, but you’ll have peace of mind knowing data won’t go unprotected.
Another strategy is to create group policies that map the Desktop and My Documents folders directly to the cloud file storage of your choice, no matter if it’s Google Drive, OneDrive, Dropbox or some other solution. That can simplify file data protection but its success hinges on the employee storing documents in the right place. And if they keep them on their desktop, for example, they’re not going to be protected.
And right there is the rub with protecting employee machines – employees are going to store data on these devices. Often, insecure home Internet connections make these devices and data vulnerable. Further, if you add backup clients and/or software to employee-owned machines, you could encounter some privacy resistance.
Remote desktops can provide an elegant solution. We’ve heard “this is the year of virtual desktop infrastructure (VDI)” for over a decade. It’s something of a running joke in IT circles, but you know what? The current scenario could very well make this the year of remote desktops after all.
VDI performance in more sophisticated remote desktop solutions has greatly improved. With a robust platform configured properly, end-users can’t store data on their local machines – it’ll be safely kept behind a firewall with on-premises backup systems to protect and secure it.
Further, IT can set up virtual desktops to prevent cut and paste to the device. And because many solutions don’t require a client, it doesn’t matter what machine an employee uses – just make sure proper credentials are needed for access and include multi-factor authentication.
Pain in the SaaS
As if IT doesn’t have enough to worry about, there’s a potential SaaS issue that can cause a lot of pain. Most providers operate under the shared responsibility model. They secure infrastructure, ensure apps are available and data is safe in case of a large-scale disaster. But long-term, responsibility for granular protection of data rests on the shoulders of the customer.
Unfortunately, many organizations are unprepared. A January 2020 survey from OwnBackup of 2,000 Salesforce users found that 52% are not backing up their Salesforce data.
What happens if someone mistakenly deletes a Microsoft Office 365 document vital for a quarterly sales report and it’s not noticed for a while? Microsoft automatically empties recycle bins data after 30 days, so unless there’s backup in place, it’s gone for good.
Backup vendors provide products to protect data in most of the more common SaaS services, but if there’s not a data protection solution for one your organization is using, make data protection part of the service provider’s contract and insist they regularly send along copies of your data.
When it comes to a significant disaster, highly distributed environments can make recovery difficult. The cloud seems like a clear choice for storing DR and backup data, but while the commodity cloud providers make it easy and cheap to upload data, costs for retrieval are much higher. Also, remember that cloud recovery is different from on-prem, requiring expertise in areas like virtual machines and user access. And, if IT is handling cloud directly and has issues, keep in mind that it could be very difficult getting support.
During a disaster, you want to recover fast; you don’t want to be creating a backup and DR strategy as the leadership grits their teeth due to downtime. So, set your data protection strategy now, be sure each app is included, follow all dependencies and test over and over again. Employees and data may be in varied locations, so be sure you’re completely covered so your company can get back in the game faster.
While IT pulled off an amazing feat handling a rapid remote migration, to ensure your company’s future, you need to be certain it can protect data, even outside of the corporate firewall. With a backup and DR strategy for dispersed data in place, you’ll continue to be in a position to make history, instead of fading away.
Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.
The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.
The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.
As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19, with more than half implementing MFA.
Cloud adoption also accelerated
Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.
As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.
“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”
Additional report findings
So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.
Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% the past five years.
Cloud apps on pace to pass on-premises apps – Use of cloud apps are on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.
Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.
iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.
Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.
Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.
Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).
On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.
UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.
Remote work has left many organizations lagging in productivity and revenue due to remote access solutions. 19% of IT leaders surveyed said they often or always experience network performance and latency issues when using legacy remote access solutions, with an additional 43% saying they sometimes do.
Those issues have resulted in a loss of productivity for 68% of respondents and a loss of revenue for 43%, a Perimeter 81 report reveals.
According to the report, organizations securely connect to internal networks in a variety of ways when working remotely. Some 66% reported using VPNs, 58% said they use a cloud service through a web browser, 48% rely on a remote access solution, and 34% use a firewall.
The many organizations still using legacy solutions like VPNs and firewalls will struggle to scale, face bottlenecks, and lack network visibility.
security solutions and remote work
33% of respondents said a password is the only way they authenticate themselves to gain access to systems. And while 62% of IT managers said they are using cloud-based security solutions to secure remote access, 49% said they’re still using a firewall, and 41% a hardware VPN.
But there are signs of progress, as organizations increasingly favor modern cloud-based solutions over outdated legacy solutions. Following the pandemic and a switch to remote work, 72% of respondents said they’re very or completely likely to increase adoption of cloud-based security solutions, 38% higher than before the pandemic.
“It’s no surprise that companies are increasingly moving to cloud-based cyber and network security platforms. As corporations of all sizes rely on the cloud to run their businesses, they need new ways of consuming security to effectively prevent cyberattacks regardless of their location or network environment.”
Other key findings
- 74% of respondents are adopting cloud-based security solutions over hardware due to security concerns. 44% are doing so due to scalability concerns, and 43% cited time-saving considerations.
- 61% of organizations believe that having to protect new devices is the greatest security concern in light of remote work, while 56% said their greatest concern was lack of visibility into remote user activity.
- 39% of respondents reported that scalability is their greatest challenge in securing the remote workforce, while 38% said budget allocation was their greatest challenge.
Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.
The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.
CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT), and has been confirmed to affect:
- SonicOS 22.214.171.124-79n and earlier
- SonicOS 126.96.36.199-4n and earlier
- SonicOS 188.8.131.52-93o and earlier
- SonicOSv 184.108.40.206-44v-21-794 and earlier
- SonicOS 220.127.116.11-1
“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” Tripwire VERT explained.
“This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”
By using Shodan, both Tripwire and Tenable researchers discovered nearly 800,000 SonicWall NSA devices with the affected HTTP server banner exposed on the internet. Though, as the latter noted, it is impossible to determine the actual number of vulnerable devices because their respective versions could not be determined (i.e., some may already have been patched).
A persistent DoS condition is apparently easy for attackers to achieve, as it requires no prior authentication and can be triggered by sending a specially crafted request to the vulnerable service/SSL VPN portal.
VERT says that a code execution exploit is “likely feasible,” though it’s a bit more difficult to pull off.
Mitigation and remediation
There is currently no evidence that the flaw is being actively exploited nor is there public PoC exploitation code available, so admins have a window of opportunity to upgrade affected devices.
Aside from implementing the offered update, they can alternatively disconnect the SSL VPN portal from the internet, though this action does not mitigate the risk of exploitation of some of the other flaws fixed by the latest updates.
Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor, Trend Micro researchers warn.
The trojanized package in this specific case is the Windows installer for Windscribe VPN, and contains the Bladabindi backdoor, which is able to:
- Execute commands from a remote malicious user (e.g., downloading, executing, and updating files)
- Log a user’s keystrokes
- Take screenshots of the user’s screen
- Collect information about the computer (OS, username, machine name), the running AV product(s), and passwords stored in browsers
The trojanized installer is offered on third-party download sites and users who download and run it are unlikely to notice that something is wrong with it.
“The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs). The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background,” the researchers explained.
Trojanizing legitimate software
Bundling malware with legitimate apps is a popular technique for compromising computers and mobile devices.
In Bladabindi’s case, there’s even a publicly available hacker tool (NJ Rat) that can help create variants sporting a “benign” icon designed to mislead users into running the file:
Users who don’t stick to official download centers and app stores are at greater danger of downloading malware, although attackers have been known to bypass app stores’ protections and compromise official developer sites to deliver malware.
“Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats,” the researchers concluded.
Critical vulnerabilities in several industrial VPN implementations for remotely accessing operational technology (OT) networks could allow attackers to overwrite data, execute malicious code or commands, cause a DoS condition, and more.
“Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage,” Claroty researchers noted.
Since COVID-19 stepped on the global stage, enterprise-grade VPN installations have become a must for any organization that relies on a remote workforce. Simultaneously, they’ve become great targets for criminals looking for a way into company’s IT networks and assets.
This situation has spurred the researchers to search for vulnerabilities in industrial VPN solutions used by remote operators and third-party vendors for accessing, maintaining and monitoring field controllers, programmable logic controllers (PLCs) and input/output (IO) devices deployed at oil and gas installations, water utilities and electric utilities.
These include Secomea’s GateManager M2M Server, Moxa’s industrial VPN servers with an all-in-one secure router, and HMS Networks’s eCatcher VPN client.
Secomea’s GateManager, which is an ICS remote access server deployed worldwide as a cloud-based SaaS solution with many general-purpose and white-label instances deployed, has been found to have several flaws, all pretty serious:
- CVE-2020-14500 – arising from the improper handling of some of the HTTP request headers provided by the client, it could be exploited – remotely and without authentication – to execute malicious code and effectively gain access to a customer’s internal network
- CVE-2020-14508 – an off-by-one error bug that may allow an attacker to achieve RCE or cause a DoS condition
- CVE-2020-14510 – hardcoded telnet credentials
- CVE-2020-14512 – weak hash type that could reveal users’ passwords
Moxa’s EDR-G902 and EDR-G903 series secure routers/VPN servers sport a stack-based buffer overflow bug (CVE-2020-14511) that could lead to RCE.
Finally, there’s a stack-buffer overflow bug (CVE-2020-14498) in HMS Networks’ eCatcher, a proprietary VPN client that is used to connect to the company’s eWon VPN device, which allows machine builders and factory owners to remotely monitor the performance of their equipment.
This bug can be triggered by tricking targets into visiting a malicious website or opening a malicious email with a specifically crafted HTML element.
“By sending socially engineered emails that embed specifically crafted images capable of exploiting CVE-2020-14498, an attacker could execute code with the highest privileges and completely take over a victim’s machine just by making the victim view the malicious email,” the researchers demonstrated.
“The exploitation phase occurs immediately when the email client (e.g. Outlook) is loading the malicious images.”
With ransomware attackers increasingly looking for ways to disrupt mission-critical systems for force companies to pay hefty sums, we can predict that, sooner or later, they will exploit vulnerabilities in OT-specific solutions.
“We would also like to emphasize that these vulnerabilities reinforce the unique risks inherent to OT remote access,” the researchers noted.
“While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third-parties.”
Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible.
The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
About the vulnerability (CVE-2020-2021)
CVE-2020-2021 is an authentication bypass vulnerability that could allow unauthenticated, remote attackers to gain access to and control of the vulnerable devices, change their settings, change access control policies, turn them off, etc.
Affected PAN-OS versions include versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). Version 7.1 is not affected.
Also, the vulnerability is exploitable only if:
- The device is configured to use SAML authentication with single sign-on (SSO) for access management, and
- The “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile
“Resources that can be protected by SAML-based single sign-on (SSO) authentication are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access,” Palo Alto Networks shared.
While the aforementioned configuration settings are not part of default configurations, it seems that finding vulnerable devices should not be much of a problem for attackers.
“It appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this [vulnerable] configuration or may only work using this configuration,” noted Tenable researcher Satnam Narang.
“These providers include Okta, SecureAuth, SafeNet Trusted Access, Duo, Trusona via Azure AD, Azure AD and Centrify.
Even the PAN-OS 9.1 user guide instructs admins to disable the “Validate Identity Provider Certificate” option that when setting up Duo integration:
The PAN-OS 9.1 user guide, which was apparently last updated 4 days ago (June 25), instructs admins to do just that when setting up DUO integration.
“Disable Validate Identity Provider Certificate, then click OK.” pic.twitter.com/KLd78oImzs
— Will Dormann (@wdormann) June 29, 2020
Palo Alto Networks says that there is currently no indication of the vulnerability being under active attack.
But given that SSL VPN flaws in various enterprise solutions have been heavily exploited in the last year or so – both by cybercriminals and nation-state attackers – it is expected that this one will be as soon as a working exploit is developed.
What to do?
As mentioned before, implementing the security updates is the best solution.
Enterprise admins are advised to upgrade to PAN-OS versions 9.1.3, 9.0.9 or 8.1.15 if possible. Palo Alto Networks has provided instructions for doing that in a way that doesn’t break the authentication capability for users.
If updating is not possible, the risk can be temporarily mitigated by using a different authentication method and disabling SAML authentication.
Admins can check for indicators of compromise in a variety of logs (authentication logs, User-ID logs, GlobalProtect Logs, etc.)
There’s a massive amount of complexity plaguing today’s enterprise endpoint environments. The number of agents piling up on enterprise endpoint devices – up on average – is hindering IT and security’s ability to maintain foundational security hygiene practices, such as patching critical vulnerabilities, which may actually weaken endpoint security defenses, Absolute reveals.
Also, critical endpoint controls like encryption and antivirus agents, or VPNs, are prone to decay, leaving them unable to protect vulnerable devices, data, and users – with more than one in four enterprise devices found to have at least one of these controls missing or out of compliance.
Increasing security spend does not guarantee security
In addition to heightening risk exposure, the failure of critical endpoint controls to deliver their maximum intended value is also resulting in security investments and, ultimately, wasted endpoint security spend.
According to Gartner, “Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions. It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short.”
“What has become clear with the insights uncovered in this year’s report is that simply increasing security spend annually is not guaranteed to make us more secure,” said Christy Wyatt, President and CEO of Absolute.
“It is time for enterprises to increase the rigor around measuring the effectiveness of the investments they’ve made. By incorporating resilience as a key metric for endpoint health, and ensuring they have the ability to view and measure Endpoint Resilience, enterprise leaders can maximize their return on security investments.”
The challenges of maintaining resilience
Without the ability to self-heal, critical controls suffer from fragility and lack of resiliency. Also, endpoint resilience is dependent not just on the health of single endpoint applications, but also combinations of apps.
The massive amount of complexity uncovered means that even the most well-functioning endpoint agents are at risk of collision or failure once deployed across today’s enterprise endpoint environments.
IT and security teams need intelligence into whether individual endpoint controls, as well as various combinations of controls, are functioning effectively and maintaining resilience in their own unique endpoint environment.
Single vendor application pairings not guaranteed to work seamlessly together
In applying the criteria for application resilience to same-vendor pairings of leading endpoint protection and encryption apps, widely varied average health and compliance rates among these pairings were found.
The net-net here is that sourcing multiple endpoint agents from a single vendor does not guarantee that those apps will not ultimately collide or decay when deployed alongside one another.
Progress in Windows 10 migration
Much progress was made in Windows 10 migration, but fragmentation and patching delays leave organizations potentially exposed. Our data showed that while more than 75 percent of endpoints had made the migration to Windows 10 (up from 54 percent last year), the average Windows 10 enterprise device was more than three months behind in applying the latest security patches – perhaps unsurprisingly, as the data also identified more than 400 Windows 10 build releases across enterprise devices.
This delay in patching is especially concerning in light of a recent study that shows 60 percent of data breaches are the result of a known vulnerability with a patch available, but not applied.
Relying on fragile controls and unpatched devices
Fragile controls and unpatched devices are being relied on to protect remote work environments. With the rise of remote work environments in the wake of the COVID-19 outbreak, as of May 2020, one in three enterprise devices is now being used heavily (more than 8 hours per day).
The data also shows a 176 percent increase in the number of enterprise devices with collaboration apps installed as of May 2020, versus pre-COVID-19. This means the average attack surface, and potential vulnerabilities, has expanded significantly across enterprises.
The recent pandemic created a new normal that redefines the way business operates by eliminating security and physical work borders. An Avertium study found that having employees work from home during the pandemic saved U.S. employers more than $30 billion per day.
The study also predicts that 25-30% of the workforce will be working from home for multiple days per week by the end of 2021. For IT Security teams, this poses many new challenges.
“As we move forward with increasingly complex and fragmented business models, it’s crucial to fully assess and protect business assets from new and emerging cybercrimes,” says Paul Caiazzo, senior vice president, security and compliance at Avertium.
“The goal is to prevent a wide array of online threats and attacks, including data breaches, ransomware attacks, identity theft, hacking at home, business, cloud and hybrid cloud locations and online predators. Work with cybersecurity professionals who understand the increased threats in our new, post-COVID world, and can increase security to mitigate risk.”
Organizations losing visibility into their business network traffic
Many organizations’ security monitoring infrastructure is based upon the assumption that most employees are connected directly to the corporate LAN. By collecting data from Active Directory domain controllers, the perimeter firewall, server and workstation event logs, endpoint protection logs and other key on-premises based data sources an organization can maintain a high level of visibility into activity within their network.
But since many employees have moved outside of the network perimeter, whether by using mobile devices or working from a home or remote environment organizations have lost visibility into a large percentage of their business network traffic.
Cybercriminals have pounced on the chance to leverage the resulting distraction for their own gain by turning up the volume of their efforts. Bad actors have recently made news by stealing personal data from unemployment benefit applicants in several states, waging ongoing COVID-19-themed phishing campaigns, and creating a 238% surge in cyberattacks against banks.
With so much at stake, it’s important to establish ways of monitoring telework security in a world with disappearing network perimeters.
Telework redefines the network perimeter
With a fully remote workforce, many organizations have been forced to make choices between usability and security. Existing VPN infrastructure was not designed to support a fully remote workforce.
Adoption of split-tunnel VPNs has been widely recommended as a solution to the VPN scalability problem. However, while allowing Internet-bound traffic to flow directly to its destination, instead of over the corporate VPN, increases usability, it does so at the cost of security and network visibility.
Cybercriminals are capitalizing on this opportunity. The United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) recently issued a joint alert noting an increase in cyberattacks exploiting VPN vulnerabilities.
With unmonitored connections to the public Internet, a remote workforce’s laptops can become compromised by malware or a cybercriminal without detection. These devices can then be used as a stepping stone to access the corporate environment via their VPN connection. For a remote workforce, employee devices and home networks are the new corporate network edge.
Securing the endpoint from the cloud
With the network perimeter shifted to teleworkers’ devices, securing the enterprise requires shifting security to these devices as well. Organizations require at least the same level of visibility into activity as they have on the corporate network.
By deploying agents onto the corporate-owned devices used by teleworkers, an organization can implement endpoint detection and response beyond the confines of the corporate network. This includes the ability to prevent and detect malware, viruses, ransomware, and other threats based upon signature analysis and behavioral analysis of potentially malicious processes.
However, an organization also requires centralized visibility into the devices of their remote workforce. For this purpose, a centrally-managed cloud-based solution is the ideal choice.
By moving security to the cloud, an enterprise reduces load on the corporate network and VPN infrastructure, especially in a split-tunnel connectivity architecture. Cloud-based monitoring and threat management also can achieve a higher level of scalability and performance than an on-premises solution.
A cloud-based zero trust platform can also act as an access broker to resources both on the public internet and the corporate private network.
Zero trust agents installed on telecommuters’ devices can securely and dynamically route all traffic to a cloud-based gateway and then on to the target resource in a way that provides the same or better control and visibility than even a well-configured traditional full tunnel VPN solution. By uniquely identifying the use, device and context, zero trust provides fine-grained precision on access control for the enterprise.
Data from the cloud-based ZTN gateway can additionally be used to perform behavioral analytics within a cloud-based SIEM platform, enhancing security visibility above and beyond traditional networking approaches.
Ensuring employee privacy while monitoring telework security
Monitoring telework security can be a thorny issue for an organization from a privacy and security perspective. On the one side, an organization requires the ability to secure the sensitive data used by employees for daily work in order to meet regulatory requirements. However, deploying network monitoring solutions at employees’ homes presents significant privacy issues.
An agent-based solution, supported by cloud-based infrastructure, provides a workable solution to both issues. For corporate-owned devices, company policy should have an explicit consent to monitor clause, which enables the organization to monitor activity on company devices.
Agents installed on these devices enable an organization to exercise these rights without inappropriately monitoring employee network activity on personal devices connected to the same home network.
Monitoring BYOD security
For personal devices used for remote work under a BYOD policy, the line between privacy and security becomes blurrier. Since devices are owned by the employee, it may seem more difficult to enforce installation of the software agent, and these dual-use devices may cause inadvertent corporate monitoring of personal traffic.
All organizations employing a BYOD model should document in policy the requirements for usage of personally owned devices, including cloud-based anti-malware and endpoint detection and response tools as described earlier.
The most secure way to enable BYOD is a combination of corporately managed cloud-based anti-malware/EDR, supplemented by a ZTN architecture. In such a model, traffic bound for public internet resources can be passed along to the destination without interference, but malicious activity can still be detected and prevented.
Greek philosopher Heraclitus said that the only constant in life is change. This philosophy holds true for securing enterprise network resources. Network security has been and is constantly evolving, often spurred by watershed events such as the 2017 NotPetya ransomware attack that crashed thousands of computers across the globe with a single piece of code. These events prompt changes in network architectures and the philosophies that underlie them.
The internet initially lacked security because there were bigger problems to solve at the time of its creation. Internet pioneer Dan Lynch remembers that time because he led the ARPANET team that made the transition from the original NCP protocols to the current TCP/IP-based protocols. “When we were first starting to test the first internet, we looked at security and thought that it would be too difficult to include at this phase because we were just trying to get it to work at all,” he said. “Once we got it working, we could add security then. Bad choice, eh? We never looked back until it was too late.”
For decades, network security philosophy focused on securing the inside from threat actors on the outside, which was the same philosophy the Romans relied on to protect their frontier. Defining perimeters made sense in the early days of network security and aligned with the basic principle of defense-in-depth — protect internal resources from external forces. It worked because employees were office-bound, and the office walls defined the perimeter that protected the resources they were trusted to access.
Step outside, and employees became intruders if they tried to access those very same resources. While traditional perimeter security was clunky, by and large it worked, despite chokepoints that became flypaper for middleware appliances, which used largely static security policies.
But security best practices and go-to devices eventually fall out of favor or become obsolete, as next-generation practices and technologies rise to replace them — until a pivotal crisis occurs. In these times, the driver for change has been a non-digital virus: COVID-19.
The new VPN workplace
The global pandemic has forced a seismic shift in how and where work gets done, and for now it’s unclear when workers will be able to return to the office. According to a recent Gartner survey, 317 CFOs and finance leaders don’t think that it will be anytime soon. 74 percent also expect teleworking to outlive the pandemic and plan to move at least 5 percent of their previously on-site workforce to permanently remote positions after the pandemic ends.
For decades, organizations have relied on VPNs to provide employees the ability to perform their jobs securely while out of the office, but VPN budgets have generally supported about one-third of workers using VPN services at any one time.
In mid-March, VPN providers reported that traffic soared over 40 percent worldwide, peaking at 65 percent in the United States, days before the signing of the $2 trillion stimulus package. Some enterprises conducted stress tests on their networks (i.e., bandwidth capacity, VPN stability) before allowing the majority of their employees to work from home. Others scrambled to implement VPNs or buy more licenses. In a study conducted by OpenVPN, 68 percent of employees from 300 different U.S. companies claimed that their company expanded VPN usage in response to Covid-19, and 29 percent of employees became first-time users.
While VPNs are relatively quick and less expensive to implement than a network architecture reboot, VPNs are not a panacea. The encrypted VPN communications and data tunnel still adhere to the basic premise that there is a protected perimeter a remote user needs to tunnel through to gain local access privileges to enterprise resources. VPNs also don’t prevent lateral movement or eliminate insider threats.
CISOs worry that IT personnel might cut corners when implementing VPNs, ignoring crucial security policies. They also worry about security analysts becoming fatigued by an increasing number of alerts, many of them false positives. Like the harp that woke up the sleeping giant in Jack and the Beanstalk, the sharp rise in VPN traffic has roused advanced persistent threat (APT) groups to curate new payloads and exploit existing vulnerabilities.
A UK security bulletin issued in January, for example, alerted companies to hackers exploiting a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. Researchers also found a rise in scans looking for vulnerable Citrix devices. CISA issued an alert in March that encouraged enterprises to adopt a heightened awareness about VPN vulnerabilities and recommended multi-factor authentication and alerting employees of phishing scams that steal VPN credentials.
The re-emergence of zero trust
Reality demands that enterprises rethink perimeter security because employees and their laptops and smartphones and other devices are now literally all over the place, shifting the network perimeter to wherever a user is located. The network security paradigm that is designed to meet the dynamics of a mobile workforce is a perimeter-less network, or zero trust architecture (ZTA). At a high level, ZTA is less about network topology and physical location and more about strategy and guiding principles. The underlying philosophy is to replace the assumption of trust with the assumption of mistrust: everyone can be a threat and the network is always under attack.
To prevent or limit breaches, implied trust shrinks down to the level of data — not users, enterprise devices (assets) and infrastructure (though ZT tenets can be used to protect all enterprise assets). The “trust but verify” proverb that is synonymous with perimeter security becomes “never trust, verify and trust, then re-verify and keep re-verifying until zero trust is achieved”.
ZTA seems like a logical progression from perimeter security, just as smartphones became a logical progression of the landline. As is true with the adoption of any new technology, the story is as much about components and peripherals as it is about the psychosocial constructs behind the design principles. To psychoanalyze ZTA is to understand the root of trust. To trust is human and develops at infancy, so when humans first designed network security, it made sense that they would draw on relationships of trust to create a perimeter that created a big zone where everyone and everything were trusted and had access to each other. Beating cybercrime and working in an interconnected world, however, calls for a paradigm of mistrust. ZTA characterizes mistrust as a positive quality that makes computer sense in the global landscape of machine learning.
The notion of zero trust has undulated within the security community since the Jericho Forum published its vision on the topic in 2005. After more than 2,500 cyberattacks hit NATO in 2012, the U.S. federal government urged federal agencies to adopt the zero-trust model. In 2015, the government sounded the alarm again after the largest data breach of federal employee data.
Who listened? Enterprises seeking more flexible solutions than VPNs or more precise access and session control for on-premises and cloud applications.
Before the pandemic, interest in ZTA was piqued. It has now gained fresh momentum, especially since the technology to support it is becoming mainstream. The PulseSecure 2020 Zero Trust Progress Report found that, by the end of the year, almost 75 percent of enterprises plan to implement ZTA, but nearly half of security professionals said they lacked the expertise and confidence to implement it.
Guidance to help enterprises transition and implement ZTA is coming from the private and public sectors. Startups (i.e., Breach View, Obsidian Security, HyperCube) are capitalizing on the trend to offer zero-trust-related services. On the public front, NIST published in February the second draft of special publication 800-207, Zero Trust Architecture. The following month, the National Cybersecurity Center of Excellence, which is part of NIST, mapped ZTA to the NIST Cybersecurity Framework and offered implementation approaches. Despite the guidance, ZTA is unlikely to find full-scale adoption because the principles of perimeter security may still be relevant for some enterprises.
Figure 1. ZTA High-level Architecture. Adapted from NIST (2020). Special Publication 800-207, Zero Trust Architecture
How it works
Identity and asset management, application authentication, network segmentation and threat intelligence are the main components and capabilities ZTA relies on. Figure 1 shows the core architecture — the policy engine and policy administrator, which collectively create the policy enforcement point. The policy engine runs the security policies, which leverage behavioral analytics to make them dynamic, and the policy administrator executes the decisions made by the policy engine to either grant, deny or revoke a request to access data. With ZTA, no packet is trusted without cryptographic signatures, and policy is constructed using software and user identity rather than IP addresses.
Another way to express the relationship between the policy engine and administrator is that a user communicates information (i.e., time/date, geolocation and device posture) to the policy engine, which calculates a risk score and communicates risk (i.e., the decision) to the policy administrator on how to handle the request. The decision made by the policy engine is described as information-trustworthiness.
To implement ZTA, a “protect surface” is identified. The protect surface is composed of a network’s most critical and valuable data, assets, applications and services, or DAAS for short. Single-point barriers (i.e., micro-segmentation) are erected around trust zones for each piece of data. The trust zones create multiple junctions and inspection points to block unauthorized access and lateral movement. Think of the zones as airline boarding areas — only cleared passengers with a boarding pass are granted access to the desired resource (i.e., airplane). Similarly, ZT security policies authenticate and authorize users as they get closer to a requested DAAS resource.
ZTA has its shortcomings. Although it’s designed to limit and prevent breaches, NIST says in its draft ZTA publication that it is not immune to them. Insider threats loom in ZTA as they do with perimeter security. Any enterprise administrator with configuration access to the policy engine or administrator might change the security rules. To mitigate the risk, configuration changes must be logged and subject to audit.
ZTAs are also prone to denial-of-service (DoS) attacks or route hijacks if a hacker disrupted access to the policy enforcement point (PEP). PEP in the cloud or replicating it across several locations mitigates the risk, but if a cloud provider accidentally took the PEP offline or if botnets hit the cloud provider, the experience would be the same — a disruption of service.
But the biggest threat is the one that remains a leading concern for every organization, and that is phishing scams. Verizon’s 2019 Data Breach Investigations Report showed that phishing continues to be the most popular approach for gaining access to systems (followed by stolen credentials). U.S. organizations were the No. 1 phishing target, accounting for 84 percent of total phishing volume, according to a 2019 PhishLabs report.
But the most ghastly statistic is the 667 percent spike in the number of Covid-19-related spear phishing attacks since the end of February. Despite security and awareness training and compensating controls, efforts to patch the last line of defense — users — remains a challenge and is likely to remain that way because the most popular reason to explain the behavior is also the oldest one. Put simply, to err is human.
The COVID-19 pandemic has, in one broad swipe, rewritten the rules regarding our workforce and jobs, with an almost instantaneous transition to remote work for those who were able to. While certain jobs require physical presence, a number of jobs fortunately can be done while working offsite.
For those companies that went into remote work mode back in March, there was little time to prepare and organizations that did not have remote work plans or policies already in place had to scramble to figure things out. Invariably, additional security challenges arose and had to be overcome.
Due to the rapidity of the transition, companies were caught off guard in a number of ways. Not having enough VPN or remote desktop licenses, dealing with higher than expected network traffic because of Zoom video meetings, and trying to provide secure access to internal applications, databases, and other tools that were not designed to be used from outside the corporate network – these are just the tip of the iceberg.
Those who work with sensitive information such as health information, financial data, intellectual property, source code, contracts, agreements, and other documents that require safe handling need a secure messaging platform. And IT security can be challenging for workers who are outside corporate firewalls and using personal computers and devices.
Remaining safe while working remotely
With employees being remote, companies not only have less control over the technology being used by employees, but home environments are much more vulnerable and leave employees susceptible to phishing attacks. This is where VNPs come in handy. VPNs can extend corporate security to protect people outside normal office environments—think of it as a firewall that magically extends to wherever that outside person sits.
But VPNs are not silver bullets. Secure messaging is also a key component as information is now flowing to a node outside the corporate network. Further, any information stored on a device outside the company ideally should be secured with encryption or other means.
While using VPNs is always a solid option, with the growth of cloud services, people can perform many job functions without the use of a VPN. Logging into Salesforce or Microsoft Office 365 can be done through any browser and may be preferred because of the convenience. However, if this is performed on a personal computer that is outside the IT team’s purview or control, the company may be unable to ensure proper security measures are in place.
Employee training as a key component to company protection
Defending against attacks can be enhanced by layering protection—like an onion. Physical defense like VPNs, firewalls, and encryption all help protect information at rest and in transit. But knowledge, education, and training are key components of a holistic security plan. This intangible piece may be the most important of all.
Many attacks target the weakest points of an organization – often its people – and no matter how thick your walls are or how heavy the gate is, if someone opens the door for an attacker, attackers can breach the soft, inner core of your company.
While an attack can happen at any time and in any location, cybersecurity concerns are dramatically higher when working remotely because of IT department’s limited visibility and control over the environment. Workers that have questions around understanding potential threats and how to handle them are ever present, but outside the protection of corporate walls, those threats can be even greater, so additional training or a refresher may be in order. For example, knowing how to identify and foil social engineering attacks, particularly through phishing attempts, is always a good training topic. Watching out for malware is another, as that can compromise a device by installing a keylogger, ransomware, or spyware.
Review budgets and make sure cybersecurity is taken into account
Even as the country starts to re-open to business, and people start to slowly return to offices, the COVID-19 crisis has been a wake-up call to companies to better understand their capabilities to support remote workers. With the possibility of a resurgence in the fall, now is the time to review and make infrastructure investments and upgrades, find more secure ways to share information, and update policies and procedures to cover the shift in work environments and habits.
What many have realized over the last several months is the degree of interconnectedness among businesses that drive the economy, and the need for services and solutions to work in a remote setting while in the midst of a major health threat. Supporting remote workers is a non-trivial problem for many organizations, but one that needs to be addressed. We have been thrust into a new world and way of doing things that has upended many of our expectations and understandings, and it’s important to be flexible, open to ideas, and continue to focus on driving productivity while protecting your employees.
Phishers are impersonating companies’ IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials.
Yet another Office 365 phishing campaign
“The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website,” Abnormal Security explained.
The phishers are betting on the high possibility that the recipients are working from home and need to use VPN for work-related tasks. They hope the targets will be concerned about the possibility of losing access to company resources and that that concern will override their good sense and anti-phishing training.
The original email headers show that the email has not been sent from the recipients’ organization, but the sender email has been spoofed to say it has.
The phishing Office 365 login page is hosted on a Microsoft .NET platform, with a valid Microsoft certificate, which might be enough to fool some targets.
“Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website,” the researchers noted.
“Should the recipient fall victim to this attack, the user’s credentials would be compromised. Information available with the user’s Microsoft credentials via single-sign on are at risk as well.”
Secure remote working is no longer just a buzzword within the cybersecurity realm – it’s become an integral part of the everyday language for all businesses in the COVID-19 era.
Suddenly having a sizable number of employees working remotely presents a new challenge for those companies whose systems are not originally designed for remote access.
And for many businesses and organizations, the rapid transition of the global workforce working from home means setting up their employees with the same capabilities provided by their physical office environment.
Traditional VPN challenges
To set up a secure work environment at home for remote employees, companies typically instruct their employees to use the company’s VPN.
A business VPN is built to fulfill the security and privacy needs of organizations. More specifically, a business VPN creates a secure virtual tunnel among the company’s resources, systems, and the employees who will be accessing them.
This is very much different for everyday consumers who may utilize a VPN to bypass region blocks or protect their privacy online. Despite all VPNs having end-to-end encryption capabilities to prevent unwanted access to the company’s traffic, there are still security issues companies must watch out for.
Vulnerabilities exist in VPNs. Because VPNs are exposed to the internet, they can become compromised. Unauthorized connections to a VPN, for example, can give hackers privileges to run exploits.
This is not to discredit VPNs as essential security tools. However, companies worried about unauthenticated access should be aware of the potential vulnerabilities that come with some VPNs.
Certain VPN vulnerabilities can potentially allow attackers to retrieve sensitive corporate data, including login credentials to access the VPN itself. In addition, VPNs are not able to track unusual user access or monitor malicious traffic within the network.
Cloudbric has introduced an alternative to traditional VPNs, that monitors and blocks unusual and malicious access.
The company utilized its award-winning cybersecurity technology to develop a remote access solution that provides a cloud-based, secure channel for remote access while blocking out hack attempts, malware, malicious bots, intrusions originating from black IPs, and even DDoS attacks.
This 3-Layer Security, namely Hack Prevention, User Authentication, and Traffic Monitoring act together to provide additional layers of security that other traditional VPNs do not have. Security features such as two-factor authentication and 24/7 monitoring leave corporate web servers and private networks free of vulnerabilities hackers may exploit.
This is an extremely important distinction from traditional VPNs which do not check whether the traffic is malicious or not. The traffic (i.e. data) being sent back and forth may be encrypted via a VPN, but that does not mean the sender of the data has good intentions.
Better traffic monitoring
Cloudbric Remote Access is backed by a triple layer protection that lies between the user and the remote private network. Cloudbric, thus, makes sure that all inbound and outbound traffic is monitored by an AI-powered logic engine to block off bad actors including hackers and malicious bots.
Additionally, the solution requires no additional installation of software or hardware on either the client-side or the server-side, unlike other traditional VPNs. Cloudbric Remote Access is easy to implement for businesses who want to make sure only authorized personnel has access to certain company resources.
Other key features include:
- Secure access to work environment, from anywhere
- 3-Layer Security for increased protection
- Quick and easy set-up with zero downloads and zero installations
- A secure proxy connection with end-to-end encryption
- FREE for a limited time
With these features combined, Cloudbric can grant secure access to employees connecting to their company’s private network. Register your spot here.
Future of secure remote working
Despite the workforce slowly returning to their physical offices, we must prepare for the long-haul.
During the hasty move toward remote working environments, companies may have enabled and configured their systems for the remote working environment – but perhaps without applying the normal considerations for security.
Reverting back to the status quo may be the easier option but with today’s cybersecurity threat landscape, companies should diligently be working to practice proper security protocols regardless of a pandemic.
Furthermore, companies not already using a VPN may want to embrace the trends that we are seeing for a secure remote working environment such as technology integrations like VPNs and remote access solutions and ingraining it into everyday practices.
Cloudbric’s goal during these stressful times is to fill the security void and help provide a business continuity plan by providing a cloud-based, remote access solution – for free.
More about Cloudbric
Cloudbric provides a cybersecurity solution called SWAP, a cloud-based web application protection tool based on artificial intelligence. SWAP provides industry-leading precision on malicious traffic detection, courtesy of their proprietary logic analysis engine. The company also combines SWAP, DDoS protection and SSL-as-a-service to provide a complete web protection suite.
There’s no doubt COVID-19 set the remote work revolution on a fast track. And on that fast track, VPN usage soared to new heights with no signs of it slowing down. Companies had no choice but to close up shop and send their workers home, and just as quickly had to figure out how to secure that workforce.
But just how big is the spike? In a study conducted by OpenVPN, 30% of employees polled say their company recently implemented remote work capabilities for the first time. 61% already had remote work rules in place.
The accelerated need for virtualization also meant a massive uptick in VPN usage — but not just any VPNs. Business VPNs are booming, according to the study.
“VPNs are critical to our remote minset and provides us with flexibility of being remote.” – a survey participant.
68% of employees say their company expanded VPN usage as a direct result of COVID-19, and 29% say their organization started using a VPN for the first time.
But remote work is not completely new — in fact, it’s been on the rise for some time. Consider these stats:
From 2005 – 2017 there was a 159% jump in remote work. In 2015: 3.9 million U.S. workers were already remote. Today? Over 5 million. And there’s no sign of the surge slowing down now, or ever — especially in the current climate.
The study surveyed workers from 300 different companies across sectors such as technology, energy, education, healthcare, engineering, and construction, and explored how companies are handling the new remote era, during the pandemic.
The study explored how organizations are handling the new COVID-19 remote era — and how they are securing their teams. The study seeks to answer the question: “Is remote work really the future?” If the numbers are any indication, the answer is a resounding YES.
Business VPNs are essential
Businesses are recognizing a layered approach is always the best approach for combating cyberattacks — and a necessary component of this approach is to invest in a reputable business VPN.
Even if every cell phone and laptop comes equipped with a personal VPN in the future, businesses will still need a secure way for workers to access a private network, and they will need an enterprise VPN to do so.
A personal VPN provides you with secure, private access to the internet, which is valuable in its own right — but a business VPN gives you the ability to remotely access private network resources, often essential for completing work, and to securely connect your company’s branches and locations worldwide.
Nearly 70% of employees polled say their companies expanded business VPN usage, and 29% say their organization started using it for the first time. That’s a big boom, mostly due to COVID-19… but is it here to stay?
Surprisingly, not all companies are on board.
Of the 21% of polled employees whose companies have never used a VPN, 71% went on to say their companies are still neglecting to utilize this essential security tool, despite switching to remote work. This suggests many companies still do not have a network security plan in place for remote work, despite the current crisis.
The good news is the companies that have started with secure remote access are almost unanimously in favor of maintaining that protocol: 99% of surveyed employees whose companies use a VPN believe those companies will continue usage after the emergency phase of COVID-19 is over. This encouraging percentage suggests that business VPNs will continue to be an essential part of secure remote access for years to come.
“We have always used VPN for remote work, with 2FA. It would be absolute lunacy to not do so, and there is not a chance on earth that we would discontinue use of our VPN.” – a survey participant.
Is the pandemic pushing organizations to finally go remote?
Employers that have the ability, but have still chosen not to offer their employees remote work capabilities during this time, are falling behind. Those polled describe their employers as uncaring and reckless — willing to risk their health and safety rather than make necessary adjustments.
“My company informed us remote work would be implemented soon. But that doesn’t make up for the fact that so many were furloughed due to lack of preparedness.” – a survey participant.
This illustrates an important point: companies must be prepared, or people will suffer.
Organizations that take the time to establish a secure remote strategy will be far ahead of competitors who choose not to. Offering flexibility can have an enormous impact on companies and the future of their business.
Remote employee: “I have worked from home for five years. Working remotely has given my company and me an edge over other companies that had to suddenly pivot and learn to work remotely. While they still struggle to learn, we have become the leaders and teachers for those who have never done this.”
Office-bound employee: “I think when the economy stabilizes a bit, I may consider finding a different job with a company that provides a safer work environment.”
People have mixed feelings about remote work during this stressful era
According to the study, only 5% of employees claim their company willfully chooses to prevent remote work, despite having the capability to provide it. Of that 5% still working at the office, 53% were worried about increased exposure, 29% claimed more stress and anxiety, and 18% had difficulty procuring childcare, suggesting that working in the office during a pandemic can have immediate and serious consequences for employees’ well-being.
Increased stress and anxiety have been found to have a direct effect on performance at work, which means those few employees still forced to go into the office are likely unable to perform at the level their employers would hope for.
In contrast, 30% of employees report that their company recently implemented remote work capabilities for the first time, while 61% already had remote work capabilities in place.
Of those 91% currently working from home, many report positive impacts on their work: 65% enjoy the flexibility, 40% claim fewer distractions, 36% say working from home lowers their stress and anxiety, and 33% have noticed an increase in their productivity.
Companies that have made this change have happier, less stressed employees — and, of course, the ability to continue operating during these unprecedented times.
Remote work should include secure access
“VPNs/remote access is key to allowing people to work when they can. This is the cornerstone of our business continuity plan.” – a survey participant.
Remote work and business VPNs go hand-in-hand; for your team to have secure access to the resources they need, a business VPN is critical to creating an infrastructure safe from breaches.
Will remote work become the norm? Only time will tell— but COVID-19 has certainly revealed that remote work capabilities often make-or-break a company’s success. Those without the ability to pivot often fall behind — and quickly.
News coverage of the recent uptick in cyber threat activity is showing an incomplete picture. Despite the focus on VPN hacks and attacks at home, computers at more than 50,000 organizations in the US had been infected prior to stay-at-home orders, according to Team Cymru and Arctic Security.
Researchers say they are witnessing previously infected computers being activated now that their malicious communications are no longer being blocked by corporate firewalls.
Failure of internal security tools and processes
The number of compromised organizations in the US, Finland and across Europe has doubled, tripled or even quadrupled, between January and the end of March. Researchers believe this demonstrates a systemic problem facing organizations – a failure of internal security tools and processes and an inability to prepare for mobile workforces.
“Our analysis indicates that the employees’ computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors,” explained Lari Huttunen, Senior Analyst at Arctic Security. “Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications.”
This analysis offers an unsettling data point that puts numbers to the foothold threat actors have gained within public and private sector organizations. The findings may also correlate with recent public warnings, such as the FBI’s advisory on March 30 alerting of increased vulnerability probing activity. The implications are serious.
Enterprise doesn’t end at the firewall
These same researchers have also found that many large companies have not managed to remedy the infrastructure vulnerabilities that have exposed them to data breaches in past years.
Experts say this research shines a light on a cyber pandemic and provides an opportunity for organizations to assess the extent of compromise within their organizations, rather than hiding behind a “block and forget” security mentality.
The only way to comprehensively identify whether an organization has been compromised is to observe internet threat traffic from outside the enterprise, monitoring these threat actors in the wild.
“Cybersecurity teams still approach security as though their enterprise ends at the firewall. This has not been the case for a long time, and this massive work-from-home movement has exposed the weakness of that approach,” stated Arctic Security CEO, David Chartier.
Google has made available BeyondCorp Remote Access, a cloud-based, zero trust service that allows employees, contractors and partners to securely access specific corporate resources from untrusted networks without having to use the company’s VPN.
The goal is to help companies with a suddenly massive remote workforce from overburdening the company’s VPN infrastructure.
About BeyondCorp Remote Access
BeyondCorp Remote Access is a subscription-based service that is available through Google Cloud.
“This cloud solution — based on the zero trust approach we’ve used internally for almost a decade — lets your employees and extended workforce access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN,” Google Cloud honchos Sunil Potti and Sampath Srinivas explained.
“Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
Access to web apps and services is granted (or not) based on user identity, device identity, device security, location, and other metadata and signals collected through the browser or an endpoint agent that is installed on the user’s device (if the customer mandates it).
The web apps that can be accessed through the service can be hosted on Google Cloud, on other clouds, or on the customer’s premises. Enterprise admins can configure access policies for each app.
“For example, you can enforce a policy that says: ‘My contract HR recruiters working from home on their own laptops can access our web-based document management system (and nothing else), but only if they are using the latest version of the OS, and are using phishing-resistant authentication like security keys.’ Or: ‘My timecard application should be safely available to all hourly employees on any device, anywhere,’” the duo explained.
The company’s long term plan is to “offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”