Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/4/2021
01:00 PM
Ian Pratt
Ian Pratt
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Can Organizations Secure Remote Workers for the Long Haul?

By focusing on protection instead of detection, organizations can defend against targeted attacks without compromising security or productivity.

Remote working is here to stay, as at least 70% of the workforce will work remotely at least five days a month by 2025. While the rapid shift to remote work enabled business continuity in 2020, it will continue making life difficult for security teams. Today, organizations must review whether the temporary changes they made to help employees work remotely are sufficient in the long term.

The Vanishing Perimeter
When the first lockdowns began, many organizations had to rapidly adopt new technologies and processes, such as scaling virtual private network (VPN) deployments and switching to cloud-based solutions. The organizational perimeter vanished, leaving security with the challenge of gaining visibility across huge networks of remote workers accessing data from almost anywhere at all times of day. Changes in IT infrastructure exposed employees to technical challenges, like remote access inefficiencies and home network vulnerabilities. The rush to business transformation also confused data security processes, with security often added as an afterthought. It's no surprise 46% of C-level IT leaders are worried about maintaining security and compliance for remote workers.

Related Content:

How to Secure Employees' Home Wi-Fi Networks

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: 10K Hackers Defend the Planet Against Extraterrestrials

As the perimeter melts away, securing the endpoint is more important — but it is harder. For a start, there is less visibility and control over how people connect to services. The lines between personal and professional have blurred as employees are mandated to work from home. As a result, more people are using work devices for personal uses — for example, online shopping or children playing video games. Trying to police such behavior is unlikely to go down well with staff; people have allowed work to encroach on their personal space, so being told how to behave in their own homes may be a step too far.

The Rise in COVID-19 Cybercrime
The shift to online has been a boon for hackers, widening the attack surface and creating new social engineering opportunities. Again, the endpoint and the user have been in the spotlight. Cybercriminals are using social engineering attacks, including sophisticated lures related to COVID-19, to trick users into clicking on attachments, links, and downloads. Attackers are also working on ways to ensure malicious emails can bypass email gateways and detection tools, land in employees' inboxes, and increase the chances of being clicked on. For example, a recent phishing campaign used Microsoft Office's legitimate "encrypt-with-password" feature to conceal malware until the user opens the document and enters the password. As the malicious file is password-protected, it prevents detection tools from scanning the malware.

Additionally, cybercriminals are using tactics such as thread hijacking to improve their odds and expand access within (and between) organizations. The technique automates the creation of spear-phishing lures by stealing email data from compromised systems. Stolen data is used to reply to conversations with messages containing malicious attachments, downloads, or hyperlinks, making them appear very convincing. We will continue to see cybercriminals create targeted and sophisticated attacks focusing on users and endpoints.

While user education is important, it will never be completely effective. Some users must engage in "risky" behavior to conduct their work — e.g., finance opening invoices or HR opening resumes. It's bad business to lock users down, and they shouldn't have to bear the burden of security.

Building Security From the Hardware Up
Detection tools can't be relied on to catch everything, nor can overburdened security teams and users. Sooner or later, an endpoint will be compromised. Clearly, a more architecturally robust process is needed to help secure remote workers.

Organizations should apply sound engineering principles to secure critical systems, adopting a zero-trust approach applied to the network and the endpoint. This will combine the principles of least privilege, strong identity, mandatory access control, and strong isolation to protect what organizations care about most and prevent attackers from escalating their access. When it comes to strong isolation, just as you can have microsegmentation of a network, you can have microsegmentation of applications and data within an endpoint or server. This creates layers of compartments isolated from each other, preventing malware from spreading even if one compartment is compromised.

Application isolation is central to this approach. Running risky activities — such as opening email attachments, clicking on links, or downloading files — in micro virtual machines (VMs) greatly reduces the attack surface. This means organizations don't have to worry about vulnerabilities in Word, the Web browser, or even the operating system. It doesn't matter if vulnerabilities exist if any exploitation takes place within a micro VM. The malware cannot persist and will be evicted as soon as the user closes the document or navigates to a different website. Rather than worrying about malware evading detection and persisting on the network for months, organizations can contain it within the micro VM, with no documents or credentials to steal and no ability to move laterally.

From a user perspective, it's business as usual. The technology is transparent, and users can click on links in emails, visit webpages, download files, and open documents, knowing that any malware is rendered harmless.

Microvirtualization also has unique advantages for collecting threat intelligence, arming the security operations center (SOC) with detailed knowledge of attack methods and indicators of compromise that can inform detection-based tools how to spot the latest attacks. Isolation means you don't need to stop the attack immediately, instead letting it play out within the VM, knowing no harm can occur. This means organizations can mobilize an army of endpoints to capture threat intelligence and harden their overall security posture.

Time for a Long-Term Solution
As remote working persists and malicious actors continue successfully targeting users, organizations can't keep trying to plug the gaps with detection tools or employees spotting threats. They need a more architecturally robust approach to security that applies the sound engineering principles of zero trust. By focusing on protection instead of detection, organizations can defend themselves and their employees from targeted attacks without compromising security or productivity.

Ian Pratt is currently Global Head of Security at HP Inc. He heads a new security business unit that is building on HP's strengths in hardware, systems software, ML/AI, and ability to deploy at massive scale to create industry-leading endpoint security solutions that are ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-38095
PUBLISHED: 2021-08-05
The REST API in Planview Spigit 4.5.3 allows remote unauthenticated attackers to query sensitive user accounts data, as demonstrated by an api/v1/users/1 request.
CVE-2021-32598
PUBLISHED: 2021-08-05
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting...
CVE-2021-32603
PUBLISHED: 2021-08-05
A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafte...
CVE-2021-3539
PUBLISHED: 2021-08-04
EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product.
CVE-2021-36801
PUBLISHED: 2021-08-04
Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, companies[0]. This issue was fixed in version 2.1.13 of the product.