Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

9/9/2020
10:00 AM
Morey Haber
Commentary

Top 5 Identity-Centric Security Imperatives for Newly Minted Remote Workers

In the wake of COVID-19, today's remote workforce is here to stay, at least for the foreseeable future. And with it, an increase in identity-related security incidents.

There is no doubt that the concerns over COVID-19 have created an overwhelming shift to a distributed workforce. All signs (and surveys) indicate the current remote working environment is here to stay. According to a recent Gartner HR survey, 41% of employees are likely to work remotely at least some of the time post-pandemic. With a substantially larger remote workforce, there is a greater risk of a security incident involving a compromised identity. Contributing factors include:


● A disrupted work environment that makes employees more vulnerable to a wide variety of attacks, including phishing and social engineering, because the remote environment (the home) is not fully manageable by the organization.

● More employees are using personal (BYOD) devices to connect to corporate assets, potentially accessing sensitive data with some form of privileged access from endpoints the organization does not control.

● A greater chance that employees are using an unprotected home Wi-Fi network, exposing them to man-in-the-middle attacks, unpatched vulnerabilities, weak or misconfigured encryption, and lateral movement from other devices sharing that network.

● Corporate VPNs are not bulletproof: a VPN extends the trusted network into an untrusted zone (the home), and exposed RDP connections leave remote workers vulnerable to a myriad of attacks.

● Remote work means remote communication, and a greater risk that sensitive information and credentials are sent to remote employees, vendors, and contractors over insecure channels such as instant messaging, text messages, and email.

Organizations are struggling to educate, train, and test their newly minted home users on security best practices, because the concerns of working from home differ markedly from those of the traditional office environment.

To address the changing risk landscape and threats that have been amplified by remote work, the Identity Defined Security Alliance (IDSA), a nonprofit composed of over two dozen identity and security vendors, solution providers, and practitioners, has compiled five identity-centric security outcomes that organizations should adopt. (Full disclosure: I am a member of the IDSA.)

1. Grant user access rights according to the principle of least privilege
The principle of least privilege is the concept that any user, program, or process should have only the minimum access rights required to perform its job function. These access rights take into consideration segregation of duties, job-based roles, policy-based access, and the administrative access and entitlements granted to privileged users, applications, and automation. In many ways, this concept is foundational for zero trust. Following this principle prevents users from accumulating privileges beyond their role and limits the damage an attacker can do should credentials be compromised.

2. Implement multifactor authentication (MFA)
Relying on a username and password alone (single-factor authentication) has proven to be a significant risk due to password sharing, weak passwords, and compromised credentials. Implementing MFA as an extra layer of protection for privileged accounts, VPNs, and remote access, and in conjunction with single sign-on (SSO) mechanisms, reduces the risk that a compromised identity can gain access to corporate systems. Be aware, however, that MFA raises confidence in the user's identity but does not fully mitigate the threat, as the recent Twitter attacks showed.

3. Use device characteristics for authentication
Additional access protections can be put in place by taking into consideration information about the device being used, specifically whether the device itself has been compromised or violates corporate policy. This context helps prevent the spread of malware and limits lateral movement by denying infected or vulnerable systems access to corporate resources. It can also restrict access to company-issued or company-managed devices. This security outcome is achieved by sharing the user's identity and device context across identity, access, and security technologies, for example between access management and unified endpoint security platforms.
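The device-context check described above, as an added example that is not part of the article or of any IDSA member's product: a constructed device posture record, of the kind a unified endpoint management or EDR platform reports, is evaluated against a corporate policy before an otherwise-valid session is allowed to reach a resource. The field names, policy thresholds, and sample devices are assumptions made for illustration.

```python
"""Device-posture access check (added example; field names and thresholds are assumed)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DevicePosture:
    device_id: str
    managed: bool               # enrolled in corporate UEM/MDM
    disk_encrypted: bool
    edr_healthy: bool           # endpoint agent running and reporting
    os_patch_date: date         # date of last successful OS patch
    compromise_indicators: list = field(default_factory=list)  # e.g. EDR detections


@dataclass
class AccessDecision:
    allow: bool
    reasons: list               # empty when allowed; otherwise why access was denied


# Assumed corporate policy: all conditions must hold for access to be granted.
POLICY = {
    "require_managed": True,
    "require_disk_encryption": True,
    "require_edr": True,
    "max_patch_age_days": 30,
}


def evaluate_device(posture: DevicePosture, today: date, policy: dict = POLICY) -> AccessDecision:
    """Return allow/deny plus every policy violation, so the user and help desk see all causes."""
    reasons = []
    if posture.compromise_indicators:
        # An infected device is denied regardless of any other attribute.
        reasons.append("compromise indicators: " + ", ".join(posture.compromise_indicators))
    if policy["require_managed"] and not posture.managed:
        reasons.append("device is not corporate managed")
    if policy["require_disk_encryption"] and not posture.disk_encrypted:
        reasons.append("disk is not encrypted")
    if policy["require_edr"] and not posture.edr_healthy:
        reasons.append("endpoint agent missing or unhealthy")
    patch_age = (today - posture.os_patch_date).days
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"OS patch level is {patch_age} days old (limit {policy['max_patch_age_days']})")
    return AccessDecision(allow=not reasons, reasons=reasons)


# Constructed sample posture records (not real devices).
SAMPLE_DEVICES = {
    "laptop-corp-01": DevicePosture("laptop-corp-01", True, True, True, date(2020, 8, 28)),
    "byod-home-pc": DevicePosture("byod-home-pc", False, False, False, date(2020, 3, 1)),
    "laptop-corp-02": DevicePosture("laptop-corp-02", True, True, True, date(2020, 9, 1),
                                    compromise_indicators=["trojan.generic detected"]),
}


def check_all(today: date = date(2020, 9, 9)) -> dict:
    """Evaluate every sample device; returns {device_id: AccessDecision}."""
    return {dev_id: evaluate_device(p, today) for dev_id, p in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for dev_id, decision in check_all().items():
        status = "ALLOW" if decision.allow else "DENY"
        print(f"{dev_id}: {status} {'; '.join(decision.reasons)}")
```

The decision carries every violated rule rather than stopping at the first, which is what an access-management platform needs to present a useful remediation message and what a unified endpoint platform needs to feed back into its own compliance state. The compromise-indicator check is evaluated first and on its own because no other attribute should rescue an infected device.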

4. Revoke user access upon detection of a high-risk event
Security-related alerts or events captured by technologies such as security information and event management (SIEM) or user behavior analytics (UBA) can indicate that a potential breach of policy has occurred within an environment. These alerts can be used to automatically trigger deprovisioning, block access, or generate a service-desk ticket for remediation or escalation. This security outcome is achieved by sharing identity context and alerts from UBA, SIEM, or other detection tools with the systems that initiate or act on the request, such as identity governance and administration, access management, IT service management platforms, and network access control systems.

5. Trigger reattestation based on high-risk events
An alternative to automatically removing access, which can cause problems when the alert is a false positive affecting a high-profile resource, is to initiate an access review. In this model, a security-related alert or event generated by UBA or SIEM that indicates a potential breach of policy results in an immediate and full reattestation of the offending identity's access. This forces a recalculation of the confidence placed in that identity for accessing resources and draws on all of the solutions that control identity governance and administration, including access management, SSO, MFA, and privileged access management.
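Outcomes 4 and 5 together describe a response pipeline: detection alerts carrying identity context are turned into an action (revoke, reattest, ticket, or keep monitoring) on the identity. The following is an added example, not the article's or the IDSA's code: it parses a few constructed SIEM/UBA alerts in JSON-lines form, aggregates a per-identity risk score, and chooses to revoke automatically unless the affected resource is on a high-profile list, in which case it requests reattestation instead, exactly the false-positive trade-off the text raises. The alert schema, score thresholds, resource list, and the downstream system names are all assumptions.

```python
"""Risk-event response router for identities (added example; alert format and thresholds assumed)."""
import json
from collections import defaultdict

# Constructed SIEM/UBA alerts, one JSON object per line (not real telemetry).
ALERTS_JSONL = """
{"ts":"2020-09-09T13:02:11Z","user":"alice","source":"UBA","rule":"impossible_travel","severity":8,"resource":"vpn"}
{"ts":"2020-09-09T13:05:40Z","user":"bob","source":"SIEM","rule":"brute_force_success","severity":9,"resource":"erp-prod"}
{"ts":"2020-09-09T13:07:02Z","user":"carol","source":"UBA","rule":"new_device_login","severity":3,"resource":"wiki"}
{"ts":"2020-09-09T13:09:15Z","user":"alice","source":"SIEM","rule":"mass_download","severity":6,"resource":"fileshare"}
"""

REVOKE_THRESHOLD = 8          # assumed: at or above this, act on the identity immediately
TICKET_THRESHOLD = 5          # assumed: at or above this, open a service-desk ticket
MAX_RISK = 10
# Assumed list of resources where an automatic revoke on a false positive would be too costly.
HIGH_PROFILE_RESOURCES = {"erp-prod", "domain-controller"}


def parse_alerts(text: str) -> list:
    """Parse JSON-lines alerts, skipping blank lines and lines missing required fields."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if {"user", "severity", "resource"} <= rec.keys():
            alerts.append(rec)
    return alerts


def score_identities(alerts: list) -> dict:
    """Per user: risk = highest severity plus one per additional alert, capped at MAX_RISK;
    also collect the set of resources the user touched in the alerts."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    scored = {}
    for user, items in by_user.items():
        risk = min(MAX_RISK, max(a["severity"] for a in items) + (len(items) - 1))
        scored[user] = {"risk": risk, "resources": {a["resource"] for a in items}}
    return scored


def decide(risk: int, resources: set) -> str:
    """Map a risk score to the outcome-4/outcome-5 action."""
    if risk >= REVOKE_THRESHOLD:
        # Outcome 5: prefer an access review over an automatic cut-off for high-profile targets.
        if resources & HIGH_PROFILE_RESOURCES:
            return "reattest"
        return "revoke"           # Outcome 4: automatic deprovisioning / session block
    if risk >= TICKET_THRESHOLD:
        return "ticket"
    return "monitor"


# Assumed downstream systems each action is dispatched to.
ACTION_TARGETS = {
    "revoke":   ["IGA: disable account", "Access management: terminate sessions", "NAC: quarantine device"],
    "reattest": ["IGA: open access certification for identity", "Access management: step-up MFA"],
    "ticket":   ["ITSM: open incident ticket"],
    "monitor":  [],
}


def plan_actions(alert_text: str = ALERTS_JSONL) -> dict:
    """Return {user: {"risk": int, "action": str, "dispatch": [..]}} for every identity seen."""
    plan = {}
    for user, info in score_identities(parse_alerts(alert_text)).items():
        action = decide(info["risk"], info["resources"])
        plan[user] = {"risk": info["risk"], "action": action, "dispatch": ACTION_TARGETS[action]}
    return plan


if __name__ == "__main__":
    for user, p in sorted(plan_actions().items()):
        print(f"{user}: risk={p['risk']} action={p['action']} -> {p['dispatch']}")
```

With the constructed alerts, alice accumulates two alerts (impossible travel plus a mass download) and is revoked outright, bob's single critical alert touches the ERP system and so triggers a reattestation rather than an automatic disable, and carol's low-severity new-device login is merely monitored. The scoring is deliberately simple; the point is that the decision to revoke or to reattest is made per identity with its resource context attached, which is the identity-context sharing the two outcomes call for.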

It is a foregone conclusion that the remote workforce is here to stay, at least for the foreseeable future, and with it an increased risk of identity-related security incidents. A focus on these five identity-centric security outcomes can help organizations stay secure while they also work on the longer-term problems of building a universal approach to identity-centric security management, identity governance and administration, and best practices for remote workers.

 

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ... View Full Bio