Authored by: Michael Waring, Vice President, Asia Pacific & Japan, Ivanti Security Solutions Group (SSG), Ivanti
Cybersecurity compliance is difficult to achieve when employees are working from everywhere. Many staff will not follow the same rules at home as they would in the office: they may visit websites they would avoid at work, or use a device that is not reliable or secure enough to handle business data.
Since the start of the pandemic, cybercriminal activity specifically targeting home-based workers has risen. Cybercrime was up 19.1 per cent in 2020 compared to the previous year. According to INTERPOL’s ASEAN Cyberthreat Assessment 2021, the main pandemic-related cyber attacks were phishing, scam and fraud cases (59 per cent), malware and ransomware (36 per cent), malicious domains (22 per cent) and fake news (14 per cent).
But the tactics threat actors use have not changed. Compromised passwords remain the leading way into an organisation.
According to Verizon’s 2020 Data Breach Investigations Report, compromised credentials feature in 81 per cent of hacking-related breaches. Patching is the other persistent gap: recent research found missing operating system or application patches to be the cause of nearly 60 per cent of breaches in the past two years.
Simple but frequent chores like patch rollouts and password resets add to the workload of IT departments. To create a zero-trust environment, in which a user has verified access only to the corporate resources they need, and to reduce the daily burden on IT teams, both nuisances need to be confronted.
The pain of passwords
Credentials and passwords are a critical weak point in cybersecurity infrastructure. Humans cannot remember dozens of long, complex passwords, so the first thing a user does is reduce the number of passwords in circulation. As a result, employees often use the same credentials for personal and business applications: one in four (25 per cent) admit to using their work email and password to access consumer websites.
When an Amazon account is taken over, for instance, the credentials were usually stolen from a smaller, less protected commerce site and replayed. If the same credentials are also used for business applications, the employee could be putting the whole organisation in jeopardy.
Cybercriminals understand this behaviour well and use it to attack other accounts. Credential stuffing as an attack vector depends entirely on password reuse: a list of leaked email and password pairs is simply tried against every service where those users might hold accounts.
Instead of relying on weak and frequently forgotten usernames and passwords, companies should move to more secure technology such as biometrics (facial recognition, for example) that unlock a credential bound to the employee’s device, so that no password equivalent is ever typed or stored on the server. This removes the burden on employees to supply and memorise strong passwords, and it improves the user experience by unlocking Single Sign-On capabilities.
Eliminating passwords should be tightly coupled with establishing a contextual relationship between the user and the data they are accessing. It simply is not good enough to grant access because the correct username and password were entered.
IT staff should also be able to evaluate contextual attributes: where is the employee connecting from? From which type of device, and is it compromised? Which network are they on, and is it secure? What are the time and location? For example, if an employee logs in from London and then attempts to log in from New York or Singapore shortly afterwards, faster than any flight could carry them, that should raise an alarm. Only by continuously collecting and examining these attributes from the user and device can a zero-trust relationship be established and maintained.
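The contextual checks above, including the London-then-New-York case, can be expressed as a small policy evaluator. This is an added illustration written for this article, not Ivanti code; the event fields, the 900 km/h plausible-speed threshold, the 06:00-22:59 UTC expected-hours window and the sample logins are all assumptions or constructed data.

```python
"""Context-aware access decision with an impossible-travel check.

Added example for this article; it is not Ivanti code. The event fields,
the 900 km/h speed threshold, the 06:00-22:59 UTC expected-hours window and
the sample logins below are assumptions/constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0          # assumption: roughly airliner speed
EXPECTED_HOURS_UTC = range(6, 23)        # assumption: 06:00-22:59 UTC


@dataclass(frozen=True)
class LoginEvent:
    user: str
    time: datetime            # timezone-aware, UTC
    lat: float
    lon: float
    device_compliant: bool    # passed the UEM/MDM posture check
    network_trusted: bool     # office egress or corporate VPN


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev: LoginEvent, cur: LoginEvent) -> bool:
    """True when getting from prev to cur would require exceeding the speed cap."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.time - prev.time).total_seconds() / 3600.0
    if hours <= 0:                      # same second, or events arrived out of order
        return dist > 50.0              # a different city at the same instant
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH


def evaluate(prev, cur):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    if not cur.device_compliant:
        reasons.append("non-compliant device")
    if prev is not None and prev.user == cur.user and impossible_travel(prev, cur):
        reasons.append("impossible travel")
    if not cur.network_trusted:
        reasons.append("untrusted network")
    if cur.time.astimezone(timezone.utc).hour not in EXPECTED_HOURS_UTC:
        reasons.append("outside expected hours")

    hard_fail = {"non-compliant device", "impossible travel"}
    if hard_fail & set(reasons):
        return "deny", reasons
    if reasons:
        return "step_up", reasons       # e.g. prompt for a second factor
    return "allow", reasons


# Constructed sample: a London login, New York half an hour later,
# then Singapore fourteen hours after London (a plausible flight) from
# an untrusted network.
LONDON = LoginEvent("alice", datetime(2021, 5, 3, 7, 0, tzinfo=timezone.utc),
                    51.5074, -0.1278, True, True)
NEW_YORK = LoginEvent("alice", datetime(2021, 5, 3, 7, 30, tzinfo=timezone.utc),
                      40.7128, -74.0060, True, True)
SINGAPORE = LoginEvent("alice", datetime(2021, 5, 3, 21, 0, tzinfo=timezone.utc),
                       1.3521, 103.8198, True, False)

if __name__ == "__main__":
    print(evaluate(LONDON, NEW_YORK))    # ('deny', ['impossible travel'])
    print(evaluate(LONDON, SINGAPORE))   # ('step_up', ['untrusted network'])
```

The distinction the speed check draws is the one that matters operationally: London to New York in thirty minutes is impossible and is denied outright, whereas London to Singapore fourteen hours later is a normal flight and only the untrusted network triggers a step-up prompt. In a real deployment the previous event comes from the identity provider’s sign-in log and the posture flags from the UEM agent.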
The pain of patching
Gathering intelligence on patches can be an arduous task. Some vendors, such as Microsoft and Adobe, release patch information consistently on the second Tuesday of each month, Patch Tuesday. Other vendors release information as and when an issue arises. The average enterprise uses around 464 applications. Accumulating the necessary patch information for every one of them from media reports, specialist forums and blogs, and checking regularly for updates, consumes a vast amount of time.
Once a patch is announced, it is a race against time to deploy it before the vulnerability is exploited, and attackers are often quicker than defenders. Remote work has increased the urgency, because the devices accessing data are no longer inside the corporate perimeter. It typically takes companies between 100 and 120 days to roll out a patch once it becomes available, which leaves attackers three to four months to exploit the vulnerability. In practice, exploits for widely used software often appear within days of a patch release, so the window that matters is far shorter than that average.
Patches can be reverse engineered, by diffing the patched binary against the unpatched one, to locate the vulnerable code path and work out how to exploit it. The situation is even more urgent when a patch closes a vulnerability that is already known or being exploited: attackers know their exploit will soon stop working and will be keen to use it while they can.
Staying on top of patching
As companies strive to maximise productivity and minimise disruption amid remote-working challenges and increased security risk, they should explore hyper-automation. Automation is key to a zero-trust environment: it reduces complexity, increases accuracy and frees staff to focus on more important tasks by replacing manual work with AI and ML technology.
Not only does it relieve humans of the responsibility of constantly assessing the relationship between an employee, device, network and application, automation can also manage the patching process.
Patch management tools that use automation allow IT teams to monitor in real time what will be patched as patches are gathered from a range of online sources. Combining patch management and privilege management in one solution lets devices and applications be patched through a cloud component when they are outside the company network, so IT departments remain in control of the process.
Once a patch campaign is configured, it repeats automatically each month. For example, if you configure the campaign to begin two days after Patch Tuesday, patch automation accumulates all patches released up to that date and then deploys them. Additional campaigns can be added to keep on top of patching across all applications. Integrating patch management with a unified endpoint management (UEM) platform also lets organisations control which applications are installed, reducing shadow IT, and helps ensure that applications across the device fleet are patched regularly no matter where employees are working.
Security has lagged behind the rapid digital transformation of the past year. Cybercriminals have continued to take advantage of weak credentials and missing patches to gain access to business data. Hyper-automation and Single Sign-On will contribute significantly to eradicating those nuisances and creating a zero-trust environment. As working from everywhere is set to continue, patch and access management practices need to be upgraded now.
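The monthly campaign described above, anchored two days after Patch Tuesday, and the exposure window discussed earlier (the time between a patch’s release and its deployment) are both things worth measuring rather than guessing at. The following is an added example written for this article, not Ivanti’s product code: it computes Patch Tuesday for any month, generates campaign start dates across a year boundary, and flags applications whose exposure exceeds a patch SLA. The two-day offset, the 30-day SLA and the fleet records are assumptions or constructed data.

```python
"""Patch Tuesday campaign scheduling and patch exposure tracking.

Added example, not Ivanti's product code. The two-day campaign offset,
the 30-day SLA and the sample patch records are assumptions/constructed.
"""
from calendar import TUESDAY
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's and Adobe's regular release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def campaign_start(year: int, month: int, offset_days: int = 2) -> date:
    """Date on which a monthly campaign begins deploying the accumulated patches."""
    return patch_tuesday(year, month) + timedelta(days=offset_days)


def campaign_schedule(year: int, month: int, months: int, offset_days: int = 2) -> list:
    """Start dates for the next `months` campaigns, rolling over the year boundary."""
    dates = []
    for _ in range(months):
        dates.append(campaign_start(year, month, offset_days))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return dates


def exposure_days(released: date, applied, today: date) -> int:
    """Days the fix was available but not on the fleet (still open if applied is None)."""
    end = applied if applied is not None else today
    return (end - released).days


def overdue(records, today: date, sla_days: int = 30) -> list:
    """Return (application, days_exposed) for every record past the patch SLA.

    records: iterable of (application, release_date, applied_date_or_None).
    """
    result = []
    for app, released, applied in records:
        days = exposure_days(released, applied, today)
        if days > sla_days:
            result.append((app, days))
    return result


# Constructed sample fleet records as of 13 May 2021 (constructed data).
TODAY = date(2021, 5, 13)
RECORDS = [
    ("Office suite", date(2021, 5, 11), None),              # this month's release
    ("PDF reader", date(2021, 4, 13), date(2021, 4, 20)),   # applied in 7 days
    ("Legacy ERP client", date(2021, 1, 12), None),         # still unpatched
]

if __name__ == "__main__":
    print(campaign_schedule(2021, 11, 3))   # Nov 11, Dec 16 2021, Jan 13 2022
    print(overdue(RECORDS, TODAY))          # [('Legacy ERP client', 121)]
```

The second-Tuesday rule cannot be expressed in plain cron, which is why a scheduler needs the explicit calculation; the exposure report is the number a security team should track against the 100-to-120-day industry average cited above.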