6/21/2019
Tim Brown
Commentary
Patrolling the New Cybersecurity Perimeter

Remote work and other developments demand a shift to managing people rather than devices.

The consumerization of IT has eroded the traditional line between "work" and "play." Propelled by the bring-your-own-device (BYOD) era, our personal devices are commonly used for work.

This is especially true as more companies embrace the flexibility of working remotely, and as new devices and networks are used for work purposes. Personal smartphones are loaded with business email accounts, and personal computers and laptops used for remote work have business software, email, and documentation that may contain confidential information.

To top it all off, we aren't just using work devices in the office. We're using them on airplanes, at client offices, in coffee shops, and at home. All this means that the idea of protecting a perimeter is outdated. Instead, as "the workplace" becomes impossible to define as a physical location, technology professionals and IT teams must shift from managing devices to managing people in order to stay one step ahead of such a rapidly evolving reality.

Protect the Crown Jewels
One easy way to begin implementing this new risk management strategy is to follow the Pareto principle (also known as the 80/20 rule): treat the lower-risk 80% of people one way, and apply a higher level of security to the riskier 20% of users. For that 20%, access should only be allowed from corporate devices, multifactor authentication must be mandatory, behavioral analytics should be applied, and full auditing must be carried out regularly.

For example, the head of HR will be able to access data on all employees within an organization — and accessing this information from an untrusted, insecure device presents a huge risk. In this scenario, an organization's IT team will want to ensure that the device is controlled and that it hasn't been compromised.

Essentially, if a person within an organization has the keys to the kingdom, it's crucial to make sure that his or her device isn't dirty, the network isn't compromised, and activity is completely monitored. There then needs to be a division between most of the staff and the VIPs, and between most data and the "crown jewels" (in other words, the most important and most sensitive parts of a business, the parts that would be most appealing to an attacker).

Zero Trust: Suspect Everyone
At the same time, by doing away with a perimeter-based security model, where those inside the perimeter are trusted, organizations now need to implement a new model that better matches the vulnerabilities inherent to today's mobile workforce. We must suspect everyone — we can't afford not to.

A Zero Trust policy assumes untrusted actors exist both inside and outside the network and, as a result, every access request must be authenticated and authorized on its own merits. When implemented correctly, Zero Trust networks can improve security while also increasing productivity, because legitimate users are not subjected to the same friction regardless of risk. What's key to true Zero Trust environments are adaptive controls that are contextually aware. Without context, we always need to put the strongest possible security in place; with context, we can adapt the level of security to the risk.

For example, a prompt for additional credentials should appear only when a user comes from an unknown machine or an unknown location, or is performing a sensitive function. Businesses need to understand their users' behavior: if things are normal, allow minimal authentication; if things have changed or the risk is greater, add additional checks.
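The two ideas above, the 80/20 split (crown-jewel users only from controlled devices, with MFA always mandatory) and context-aware step-up for everyone else, can be expressed as a small policy engine. The following is an added illustration written for this page, not SolarWinds code or any product's API; the user, device and request records, the baseline learned from verified sessions, and the list of sensitive actions are all assumptions, and the data is constructed.

```python
"""Risk-adaptive access policy: 80/20 user tiering plus contextual step-up.
Added example with constructed data; not product code."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # context matches the user's baseline: primary credential suffices
    STEP_UP = "step_up"    # ask for an additional factor before granting access
    DENY = "deny"          # request violates a hard rule; no extra factor can rescue it


@dataclass(frozen=True)
class User:
    name: str
    high_risk: bool        # the riskier ~20% (e.g. head of HR, domain admins)


@dataclass(frozen=True)
class Device:
    device_id: str
    corporate_managed: bool   # enrolled in MDM and under IT control
    compliant: bool           # passed posture checks (patched, EDR healthy)


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    country: str              # geo-IP country of the request
    action: str


@dataclass
class Baseline:
    """Per-user behavioural baseline built only from previously verified sessions."""
    devices: dict = field(default_factory=dict)    # user name -> set of device ids
    countries: dict = field(default_factory=dict)  # user name -> set of countries

    def known(self, req: Request) -> tuple:
        u = req.user.name
        return (req.device.device_id in self.devices.get(u, set()),
                req.country in self.countries.get(u, set()))

    def record_verified(self, req: Request) -> None:
        """Call after a successful step-up: this context becomes 'normal' for the user."""
        self.devices.setdefault(req.user.name, set()).add(req.device.device_id)
        self.countries.setdefault(req.user.name, set()).add(req.country)


# Hypothetical set of functions that always warrant an additional check.
SENSITIVE_ACTIONS = {"export_employee_records", "change_payroll", "reset_mfa"}


def evaluate(req: Request, baseline: Baseline) -> tuple:
    """Return (Decision, reasons); the reasons are what you write to the audit log."""
    reasons = []

    # Hard rule first: a dirty device is never allowed, whoever is holding it.
    if not req.device.compliant:
        return Decision.DENY, ["device failed posture check"]

    # The 20%: crown-jewel users only from corporate devices, and MFA is mandatory.
    if req.user.high_risk:
        if not req.device.corporate_managed:
            return Decision.DENY, ["high-risk user on non-corporate device"]
        reasons.append("high-risk user: MFA mandatory")

    # The 80%: step up only when the context deviates from the user's baseline.
    device_known, country_known = baseline.known(req)
    if not device_known:
        reasons.append("unknown device")
    if not country_known:
        reasons.append("unknown location")
    if req.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive action: " + req.action)

    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons


def demo() -> list:
    """Walk constructed users through a typical sequence of requests."""
    baseline = Baseline()
    alice = User("alice", high_risk=False)
    hr_head = User("hr_head", high_risk=True)
    laptop = Device("lt-0042", corporate_managed=True, compliant=True)
    phone = Device("byod-phone-7", corporate_managed=False, compliant=True)
    outcomes = []

    # First login ever: unknown device and location, so step up, then learn the context.
    first = Request(alice, laptop, "US", "read_mail")
    outcomes.append(evaluate(first, baseline)[0])
    baseline.record_verified(first)           # alice passed the extra factor

    # Same context the next day: normal behaviour, minimal authentication.
    outcomes.append(evaluate(Request(alice, laptop, "US", "read_mail"), baseline)[0])

    # Same device, but a sensitive function: step up again.
    outcomes.append(evaluate(Request(alice, laptop, "US", "reset_mfa"), baseline)[0])

    # Head of HR on a personal phone: denied regardless of any factor offered.
    outcomes.append(evaluate(Request(hr_head, phone, "US", "read_mail"), baseline)[0])
    return outcomes


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

The baseline is updated only after a step-up succeeds, so an attacker who merely attempts a login from a new device never teaches the system that the device is "known"; and the hard rules are evaluated before any baseline lookup, so a compromised or unmanaged device is refused before context is even considered.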

Still, Zero Trust is a work in progress. Until it's mainstream, password managers and privileged access management products built around a password vault will reduce the burden on users of remembering multiple passwords while encouraging stronger, unique passwords.

What Comes Next: Cyber Hygiene
We know the modern workplace is no longer in one fixed location. At the same time, the nature of cyberattacks is shifting because of how efficiently cybercriminals get paid. From a hacker's perspective, fewer steps equals faster profitability, and all too often, organizations with remote work policies are ripe for attack.

There are more devices to compromise, which means more machines that are likely unpatched and insecure. Identities may be implemented weakly and granted too much access. Similarly, the rise of collaboration tools such as Slack presents new openings to infiltrate networks. Accounts in these tools often are not terminated when a user leaves the company, so they remain active and open to takeover by cybercriminals. The more software there is, and the more people experiment with new ways of working, the greater the attack surface will be.
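The leftover-account problem above is easy to check for if the HR roster is treated as the source of truth and every SaaS user list is reconciled against it. The following audit is an added example written for this page, not Slack's API or any vendor's export format; the two CSV layouts are assumptions (most admin consoles export something similar), and the rows are constructed. Beyond the case in the text, it also flags guest accounts with no HR record and employed users whose accounts have gone stale.

```python
"""Orphaned-account audit for a collaboration tool. Added example with constructed
CSV data and an assumed export layout; not an official schema or API."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: who is currently employed according to HR.
HR_ROSTER_CSV = """email,status,end_date
alice@example.com,active,
bob@example.com,terminated,2019-03-15
carol@example.com,active,
frank@example.com,active,
"""

# Constructed user export in the shape a SaaS admin console might produce.
SAAS_USERS_CSV = """email,account_status,is_guest,last_active
Alice@example.com,active,false,2019-06-18
bob@example.com,active,false,2019-06-10
dave@example.com,active,false,2019-01-02
erin@example.com,active,true,2019-06-19
carol@example.com,deactivated,false,2018-12-01
frank@example.com,active,false,2019-02-01
"""


def parse_roster(text: str) -> dict:
    """Map lower-cased email -> True if HR says the person is currently employed."""
    return {row["email"].strip().lower(): row["status"] == "active"
            for row in csv.DictReader(io.StringIO(text))}


def find_orphans(roster_csv: str, saas_csv: str, today: date, stale_days: int = 90) -> list:
    """Return (email, reason) for every active SaaS account that needs review.

    Reasons, in order of severity: the owner has left per HR, the account has no
    HR record at all (including guests), or an employed owner has not used it in
    more than stale_days.
    """
    employed = parse_roster(roster_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(saas_csv)):
        if row["account_status"] != "active":
            continue                          # already deactivated; nothing to do
        email = row["email"].strip().lower()  # normalise case before comparing
        if email in employed and not employed[email]:
            findings.append((email, "owner terminated per HR"))
        elif email not in employed:
            kind = "guest account" if row["is_guest"] == "true" else "account"
            findings.append((email, kind + " with no HR record"))
        elif not row["last_active"]:
            findings.append((email, "never active"))
        else:
            idle = today - date.fromisoformat(row["last_active"])
            if idle > timedelta(days=stale_days):
                findings.append((email, "inactive for %d days" % idle.days))
    return findings


if __name__ == "__main__":
    for email, reason in find_orphans(HR_ROSTER_CSV, SAAS_USERS_CSV, date(2019, 6, 21)):
        print(email, "-", reason)
```

Run this against every tool that holds company data, not just the ones IT provisioned; the accounts that survive offboarding are usually in the tools a team adopted on its own.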

For these reasons, implementing basic cyber hygiene within your organization is critical as the workplace continues to evolve and become increasingly distributed. To meet the basic tenets of good cyber hygiene, organizations should always:

  • Understand the IT environment: Produce a comprehensive understanding of IT environments to uncover hidden data risks and help explain key elements to business leaders.
  • Educate business and IT leaders: Tell them about the risks to their data and implications of a breach — including showing data risk in financial terms.
  • Implement threat monitoring and detection: Deploy the right IT security management tools to detect and respond to potential threats.
  • Use data to show the value of IT efforts: Use data to understand an IT environment, get useful insights, solve problems faster, and demonstrate value.
  • Establish a solid security process: Ensure your organization is completing routine security updates such as managing and patching machines, ensuring a backup is in place, etc.

To stay ahead of this rapidly changing workplace paradigm, technology and security professionals alike should combine good cyber hygiene practices with additional strategies such as Zero Trust and the 80/20 rule. Ultimately, employees need to be treated as the new "endpoints": the risk each one poses to the organization is assessed, rather than assuming they are safe simply because they happen to be inside a perimeter.

Tim Brown is the VP of Security for SolarWinds, with responsibility spanning internal IT security, product security, and security strategy. As a former Dell Fellow, CTO, chief product officer, chief architect, distinguished engineer, and director of security strategy, Tim ... View Full Bio
Comments
REISEN1955, User Rank: Ninja
6/24/2019 | 3:08:12 PM
SECURITY can be learned by anyone
Case study: last year my wife, daughter and her daughter, 3-year-old Cariana, came to visit my workplace. They were given visitor badges and enjoyed the cafeteria (Cariana loved pizza) and met my colleagues. Then it was time to leave and in the lobby little 3-year-old Cariana said THESE HAVE TO BE RETURNED and gathered up their visitor badges and walked them TO THE SECURITY DESK on her own. Amazing. They wanted to adopt her on the spot. Lesson: a 3-year-old got the concept of perimeter security BETTER than half the employees get it.