9/9/2020
10:00 AM
Morey Haber
Commentary

Top 5 Identity-Centric Security Imperatives for Newly Minted Remote Workers

In the wake of COVID-19, today's remote workforce is here to stay, at least for the foreseeable future, and with it comes an increase in identity-related security incidents.

There is no doubt that concerns over COVID-19 have driven an overwhelming shift to a distributed workforce, and all signs (and surveys) indicate that remote work is here to stay. According to a recent Gartner HR survey, 41% of employees are likely to work remotely at least some of the time post-pandemic. A substantially larger remote workforce means a greater risk of a security incident involving a compromised identity. Contributing factors include:

● A disrupted work environment that makes employees more vulnerable to a wide variety of attacks, including phishing and social engineering, because the remote environment (the home) cannot be fully managed by the organization.

● More employees using personal and BYOD devices to connect to corporate assets, potentially accessing sensitive data with some form of privileged access.

● A greater chance that employees are using an unprotected home Wi-Fi network, which exposes them to a variety of attacks: man-in-the-middle, exploitation of unpatched vulnerabilities, weak encryption, and lateral movement from compromised devices on the same network.

● Corporate VPNs are not bulletproof: extending a trusted network into an untrusted zone (the home), and exposing RDP connections, leaves remote workers vulnerable to a myriad of attacks.

● Remote work means remote communication, and a greater risk that sensitive information and credentials are sent to remote employees, vendors, and contractors over insecure channels such as instant messaging, text messages, and email.

Organizations are struggling to educate, train, and penetration test their newly minted home users on security best practices, because the concerns of working from home are, unfortunately, quite different from those of the traditional office environment.

To address the changing risk landscape and threats that have been amplified by remote work, the Identity Defined Security Alliance (IDSA), a nonprofit composed of over two dozen identity and security vendors, solution providers, and practitioners, has compiled five identity-centric security outcomes that organizations should adopt. (Full disclosure: I am a member of the IDSA.)

1. Grant user access rights according to the principle of least privilege
The principle of least privilege is the concept that any user, program, or process should have only the basic access rights required to perform its job function. These access rights take into consideration segregation of duties, job-based roles, policy-based access, and the administrative access and entitlements granted to privileged users, applications, and automation. In many ways, this concept is foundational for zero trust. Following it prevents users from holding privileges beyond their role and limits the damage an attacker can do should credentials be compromised.

2. Implement multifactor authentication (MFA)
Relying on a username and password alone (single-factor authentication) has proven to be a significant risk because of password sharing, weak passwords, and compromised credentials. Implementing MFA as an extra layer of protection for privileged accounts, VPNs, and remote access, and in conjunction with single sign-on (SSO), reduces the risk that a compromised identity can reach corporate systems. Be aware, however, that MFA increases confidence in the user's identity but does not fully mitigate the threat, as the recent Twitter attacks showed.

3. Use device characteristics for authentication
Additional access protections can be put in place by taking into account information about the device being used, specifically whether the device has been compromised or violates corporate policy. This context helps prevent the spread of malware and limits lateral movement by denying infected or vulnerable systems access to corporate resources; it also restricts access to company-issued or company-managed devices. This security outcome is achieved by sharing the user's identity across identity, access, and security technologies, for example, access management and unified endpoint security platforms.

4. Revoke user access upon detection of a high-risk event
Security-related alerts or events captured through technologies such as security information and event management (SIEM) or user behavior analytics (UBA) can indicate that a potential breach of policy has occurred within the environment. These alerts can be used to automatically trigger deprovisioning, block access, or generate a service-desk ticket for remediation or escalation. This security outcome is achieved by sharing identity context and alerts from UBA or the SIEM (or other tools) with the systems that initiate or act on the request, such as identity governance and administration, access management, IT service management platforms, and network access control systems.

5. Trigger reattestation based on high-risk events
An alternative to automatically removing access, which could cause problems if the alert is a false positive on a high-profile resource, is to initiate an access review. Here a security-related alert or event from UBA or the SIEM indicating a potential breach of policy triggers an immediate and full reattestation of the offending identity's access. This recalculates the confidence that the identity should be accessing each resource and draws on all of the solutions controlling identity governance and administration, including access management, SSO, MFA, and privileged access management.

It is a foregone conclusion that the remote workforce is here to stay, at least for the foreseeable future, and with it an increased risk of identity-related security incidents. A focus on these five identity-centric security outcomes can help organizations stay secure now while they work on the longer-term problems of building a universal approach to identity-centric security management, identity governance and administration, and best practices for remote workers.

Morey Haber, who has more than 20 years of IT industry experience and is the author of Privileged Attack Vectors and Asset Attack Vectors, joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ...
