KuppingerCole Blog

Ransomware During the Pandemic Crisis

It is really astonishing how quickly the word “pandemic” has evolved from a subject of obscure computer games to the center of everyone’s daily conversations… However, when discussing the latest news about the coronavirus outbreak, one should not forget another pandemic that’s been causing massive damages to businesses, governments, and individuals around the world for several years already.

Since its initial emergence in Eastern Europe about a decade ago, it has quickly evolved into one of the largest global cyberthreats, crippling hospitals and entire cities, bringing large corporations to a total halt, costing the world billions in economic losses. We are, of course, talking about ransomware.

What is ransomware anyway?

Actually, the answer is right in the name: ransomware is a kind of malicious software designed to prevent you from accessing your computer or specific files on it until a ransom is paid to the attacker. Usually, ransomware is disguised as a legitimate document or program, and users are tricked into downloading it from a website or opening it as an email attachment.

Most modern strains of ransomware encrypt valuable files, such as office documents and images, on the affected devices; others merely lock the victims out of their computers. Both, however, demand a payment to restore access.

Contrary to popular belief, ransomware attacks are not diabolically clever creations of elite hacker groups: since the malware does not need to evade detection for long to achieve its goal, even novice cybercriminals can launch successful ransomware attacks with minimal resources.

Ransomware evolution

Early ransomware types were usually limited to a narrow geographical region, where attackers were able to collect their money via premium SMS messages or even prepaid cards. However, the explosive growth of pseudonymous cryptocurrencies like Bitcoin (payments are hard to attribute to a person, although not truly anonymous) made them the perfect tool for much larger global extortion campaigns.

Within a few years, ransomware has become a highly lucrative business for cybercriminals, providing high reward and low risk with minimal investment. Many criminal groups even offer Ransomware-as-a-Service, where the earnings are shared between the malware creators and their “affiliates”.

Things turned ugly in 2017 when several strains of ransomware appeared that used a highly dangerous Windows SMB exploit (EternalBlue), believed to have been developed by the NSA and later leaked by the Shadow Brokers group, to spread across computer networks without any user interaction.

The WannaCry attack affected over 200,000 computers across 150 countries, including large parts of the British National Health Service (NHS). The NotPetya malware, originally targeting Ukrainian companies, spread uncontrollably around the world within days, affecting many large enterprises: the shipping company Maersk alone estimated its losses at around $300 million.

Ransomware was no longer just a lucrative criminal business: it has turned into a cyberweapon of mass destruction.

Ransomware identification

Unlike most other cyber threats, ransomware manifests itself within minutes of the initial infection. Whether you clicked a link to a malicious website, opened a suspicious email attachment, or were hit by a drive-by download (for example through a malicious online ad), by the time you see a note on the screen telling you that your computer is blocked or your files are encrypted, the damage is usually already done and the only thing you can do is try to minimize it.

First, don’t panic: not all such notes are a sign of real ransomware, especially if they appear in your browser. Check whether you can still switch to a different program or browse a folder with your documents. If not, you might be a victim of locker ransomware.

If you can still browse your documents but cannot open any of them because their contents appear corrupted (often with a new file extension appended), it might be a sign of the worst-case scenario: your files are encrypted and the only way to get them back is to pay the ransom. At least that’s what the attacker wants you to believe.

Dealing with a ransomware attack

Whether you decide to pay the ransom or not, your first action should be to disconnect your computer from the network and from external drives: you really don’t want ransomware to spread to other devices, network shares or cloud services. It is also advisable to take a photo of the ransom note and to write down the extension added to the encrypted files: both help identify the malware strain that hit you.

Should you pay? Most security experts recommend against it: not only is there no guarantee that you will get your documents back after paying, but it also encourages more ransomware attacks in the future. However, if critical business records are at stake and you have no copies left, paying the ransom might be a sensible (even though morally questionable) option.

It cannot be stressed enough that you are not alone against the attacker in any case: there are multiple resources (the No More Ransom project is one example) that will help you identify the specific type of ransomware, tell you whether the encryption can be reversed and provide additional guidance. Of course, every notable antivirus company offers its own tools and services to deal with ransomware attacks as well.

However, in many cases the only viable option left is to cut your losses, do a clean operating system reinstall on your device and restore any available files from a backup. Before doing so, check whether your backups were encrypted too, and restore onto the clean device rather than plugging the backup drive into the infected one.

Finally, it is highly recommended to report the attack to your local police. This is not just necessary for filing an insurance claim; it also helps the authorities stay on top of malware trends and might even help other victims of later attacks.

Protecting against ransomware

If the scenario above looks too grim, then by now it should be clear that the most painless way of dealing with ransomware attacks is to prevent them from happening in the first place.

Arguably the most important preventive measure is to have proper backups of all your documents. A popular rule of thumb (the “3-2-1 rule”) is to keep three copies of your data, on two different media, with one copy off-site. And, of course, you have to actually test your backups regularly to ensure that they are still recoverable. The off-site copy only helps if it is also offline or immutable (a disconnected drive, or storage with versioning and write protection): a copy that stays mounted on, or synchronized from, the infected machine will be encrypted along with everything else, whereas a truly separate copy survives even the ransomware strains that specifically target backup files.
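To make the two checks above concrete (test that a backup is still recoverable, and check that the backup set was not itself encrypted before restoring from it), here is an added example in Python. It is not part of the original post. It assumes a SHA-256 manifest recorded at backup time and stored with the offline copy; on verification it reports changed, missing and unexpected files and flags files whose contents have near-random byte entropy, which is what encrypted data looks like. The list of legitimately high-entropy (compressed) extensions and the sample files in demo() are constructed for the illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are legitimately high-entropy because they are already compressed.
# The set is an assumption for this demo; extend it for your own data.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Record this at
    backup time and keep it with the offline copy, not on the live machine."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Encrypted output is indistinguishable from random bytes, so a document
    whose first 64 KiB is near-maximum entropy (and is not a compressed
    format) has very likely been overwritten by ransomware."""
    if path.suffix.lower() in COMPRESSED_EXT:
        return False
    with path.open("rb") as fh:
        head = fh.read(1 << 16)
    return len(head) >= 256 and shannon_entropy(head) > threshold


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup set against its manifest. Anything changed, missing,
    unexpected or suspicious means the copy is not a clean restore point."""
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "changed": [], "missing": [], "unexpected": [], "suspicious": []}
    for rel, digest in manifest.items():
        path = on_disk.get(rel)
        if path is None:
            report["missing"].append(rel)
        elif sha256_of(path) != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    for rel, path in sorted(on_disk.items()):
        if rel not in manifest:
            report["unexpected"].append(rel)
        if looks_encrypted(path):
            report["suspicious"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate ransomware that
    encrypts one document in place and renames another with a new extension."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("quarterly figures, see attached\n" * 200)
        (root / "plan.docx").write_bytes(b"PK\x03\x04" + b"x" * 4000)  # stand-in, not a real docx
        (root / "readme.txt").write_text("untouched\n" * 100)
        manifest = build_manifest(root)
        (root / "notes.txt").write_bytes(os.urandom(4096))           # "encrypted" in place
        (root / "plan.docx").rename(root / "plan.docx.locked")        # renamed by the malware
        (root / "plan.docx.locked").write_bytes(os.urandom(4096))
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key:10s} {files}")
```

The entropy check is a heuristic: it catches whole-file encryption of documents and text, but it will miss strains that encrypt only the first few kilobytes of each file and it needs the extension allow-list so that archives and images are not reported. The manifest comparison has no such blind spot, which is why the two are used together.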

However, backups alone won’t save you from locker ransomware or from the latest trend of “double extortion” (also called ransomware doxing), where attackers steal data before encrypting it and threaten to publish it unless the ransom is paid. It is therefore crucial to keep your users (employees, colleagues, family members) informed about the threats. They should be trained to always check the sender addresses of incoming emails and not blindly click on any links or attachments. More importantly, they must be given clear, actionable guidance on what to do when ransomware hits their computers.

Endpoint protection solutions are the primary line of defense against ransomware, but the exact capabilities vary between products. Modern solutions rely on behavior analysis (sometimes powered by machine learning) to identify and block suspicious encryption-related activity before it damages your documents. Others transparently keep copies of your original files and revert malicious changes automatically. Even the Windows Defender antivirus bundled with Windows 10 now provides built-in ransomware protection (the “Controlled folder access” feature under Virus & threat protection > Ransomware protection); it is off by default, so check whether it is enabled on your computer.

Keeping your operating system and critical applications up to date with security patches is another key prevention measure. Remember, a major reason why WannaCry was so devastating is that so many companies had not applied the critical Windows patch (MS17-010) that had been released two months before the attack. Besides Windows itself, applications like Internet Explorer, Adobe Flash and Microsoft Office are notorious for having the most commonly exploited vulnerabilities.

Finally, a word about the cloud: there is a popular belief that keeping work documents in a cloud storage service like OneDrive or Dropbox is an effective preventive measure against ransomware attacks. To be fair, there is a grain of truth in it. Most of these services have built-in versioning capabilities, allowing you to restore a previous version of a document after it gets corrupted by ransomware. Also, if your computer is locked, you can easily continue working with your documents from another device (or even from a remote desktop session if your company uses a virtual desktop infrastructure).

However, this only holds if the ransomware cannot reach the cloud copies: if your cloud files are synchronized to your computer, the local copies will be encrypted and then automatically uploaded to the cloud within seconds. Version history may still let you roll back, but only within the service’s retention window, only if the attacker has not deleted it as well, and restoring thousands of files one version at a time is painful. Remember, file synchronization services are not a replacement for a proper backup!

Ransomware during the pandemic crisis

Looking at the latest media reports, it seems that many people are going to work from home for a substantial period. How does this affect overall resilience against ransomware attacks? Recently, several large cybercrime gangs publicly promised not to target healthcare organizations during the pandemic. Also, staying away from corporate networks might substantially slow the spread of malware from one device to others.

However, security researchers are already reporting an uptick in malicious attacks exploiting coronavirus fears. And for every slightly altruistic cybercriminal there are at least a thousand others without ethical reservations. For individuals working from home, especially on personal devices not protected by enterprise security tools, the risk of becoming a ransomware victim is, unfortunately, higher than ever.

As an alternative to office-based security gateways, companies should look at security solutions delivered from the cloud, especially those that do not require any additional hardware or software deployment. However, the most efficient protection against ransomware is still your own common sense: do not open unsolicited email communications, avoid clicking suspicious links and attachments, and stick to trusted websites for the latest news. Remember, your cyber hygiene is just as critical for your security as literal hygiene is for your health.


KuppingerCole Analyst Chat - Our New Regular Podcast

Today we're officially launching KuppingerCole Analyst Chat - our new soon-to-be-regular audio podcast.

In the pilot episode Martin Kuppinger and I are discussing Identity & Access Management challenges so many are facing now while having to work from home.

At the moment, you can subscribe to our podcast on Spotify or watch new episodes on our YouTube channel. Other platforms will follow soon.

Stay tuned for more regular content from KuppingerCole analyst team!

AI and Healthcare

AI's role in reducing the impact of future pandemics

As the coronavirus spreads fear and panic across the world, it’s perhaps timely to take a step back and consider the future of healthcare and how AI will help. But first let’s consider that the coverage and spread of the virus shows us precisely why reliable data is needed to help us cope with new diseases. At the time of writing, most official advice on coronavirus is not based on hard, data-led evidence on how the virus spreads, the best way to contain it, who is most vulnerable, what the incubation period is and so on. Instead we have been left with mostly guesswork and conflicting stories in newspapers.

My colleague wrote this excellent blog on the don'ts of IT in times of crisis, you should check it out to get an overview on what to do and what to avoid.

Imagine instead that an AI platform had been built ready to analyze the outbreak of the virus when it was first discovered in Wuhan, China. If algorithms had been prepared earlier to screen those falling ill at an early stage of a new virus, who they were, their movements etc., we might have gone further in containing the virus some two months ago. Of course, data and privacy are inextricably linked, and societies need to balance the safety and health of all in emergencies against possible infringement of data privacy laws. Careful use of AI and enhanced data security, along with consensual use of tracking apps, could help us achieve the first and avoid the second, but one feels this is work that needs to be done to prepare for any future pandemic.

The future should give us hope

Even without a global pandemic to worry about, and of course it will pass, AI is increasingly going to play a large part in providing better and more cost-effective healthcare in major economies, whatever model of funding is in place. And it’s something not lost on developers and investors looking for the next big opportunity. According to the Financial Times, some 367 AI healthcare US start-ups received around $4bn in funding in 2019. Many of these start-ups are developing AI-assisted applications and tools that help with diagnosis and treatment of conditions or allow sensors to be placed on non-critical patients, freeing up a hospital bed.

Real time data from potentially thousands of patients can be put in front of algorithms to spot early signs of deterioration in a patient rather than wait for the patient to turn up in ER. At the same time, the accumulated data from connected patients will be invaluable to create future algorithms and learn more about how diseases behave, and how some people may be more at risk. 

How AI in healthcare should help us reduce waste

AI can help us not just with clinical issues in health industry but also in reducing waste and improving efficiencies – the bane of all health systems. Appointments and clinic attendance are a regular bottleneck in delivering efficient care to outpatients. Resources are spent on phone calls, appointment letters and then the routine check in/check out at the appointment. The process has not changed in decades and still clinics suffer from abandoned appointments, which then have to be followed up manually or people turning up at the wrong time. Altogether it’s one of the biggest avoidable costs in healthcare yet the biggest advance has been to send SMS messages to remind patients of upcoming appointments.

However, we have no data on missed appointments, repeat offenders, how far people may have to travel to get to appointments and even whether they need an appointment at all. Many are routine, periodic checks done often to fulfill insurance rules and that have no prior data on the condition of the patient. Again, sensors that can read vital signs may rule out the need for routine appointments and instead recommend appointments if conditions signal risk to the patient. The advice often given to patients is to turn up between appointments if they “feel ill”, resulting in more people in clinics with inaccurate self-diagnosis wasting resources and time.

Clustering of data from patients

Preventative medicine has been talked about for many years, but this has mostly meant educating people to change their lifestyle, cut down on alcohol, get more exercise, stop smoking etc. But AI will help societies deliver genuine advances in preventative medicine by monitoring data from patients that already have a disease or may be at risk of developing one. Such data can also be used to discover disease clusters that may develop due to environmental or social conditions. While we know (or think we know) that poor diet or lifestyle choices can increase the risk of life-threatening conditions, without AI we know little about how other factors come into play. For example, a group may use the same public transport networks, live in a certain type of building, perform a certain occupation or share similar activities.

The potential for AI to reveal hitherto hidden health data and patterns is massive, there is just so much we don’t know about what factors contribute to good and poor health. By adopting AI technologies now, we can take a big step forward into better healthcare for all, including dealing with future pandemics. 

Learning more about AI

KuppingerCole has an increasing body of research on the impact AI will have on other sectors and on integration with legacy architecture.

Reports include the following:

You can also contact one of our expert analysts for more specific information on an AI application or trend.

Top 5 Work from Home Cybersecurity Recommendations for Enterprises

As the business world moves to rapidly enable work-from-home (WFH), enterprise IT teams need to shift resources and priorities to ensure that remote workers are protected. Already we see malicious actors adapting and targeting remote workers more. My colleague Alexei Balaganski published a list of recommendations for small businesses.

The Situation

  • CheckPoint reports 4,000 domains related to coronavirus have been registered since January 2020, of which 3% are malicious and 5% are suspicious. Phishing attacks aimed at capturing remote workers’ credentials are increasing.
  • VPNs are under attack. Many companies utilize VPNs to allow remote access to on-premise computing resources. US-CERT reports that attackers are finding and exploiting VPNs as a method to get into organizational resources.
  • WFH does not mean users should send sensitive information to their personal accounts, but it’s happening. Enterprises need to retain control as much as possible. Even if your organization allows BYOD, devices which handle company info have to be protected. As Matthias notes, a quick move to the cloud may be a good course of action but it must be managed properly, with security in mind.

Recommendations

  • MFA ASAP – turn on Multi-Factor Authentication now. VPNs and webmail are easy targets if only protected by password authentication. MFA should be enabled for all applications as soon as expedient. FIDO is an excellent standard for MFA, which increases phishing resistance and preserves privacy. Provide simple, illustrated guidelines on how to use MFA.
  • Endpoint Protection – every device needs anti-malware capabilities. Keep endpoint clients up to date. Provide simple, illustrated guidelines to your users on how to check and turn on.
  • Patch everything – turn on automatic patching. Some organizations still prefer to do in-house OS and app patch testing, but for remote workers this can no longer be an option. If your users are using personal devices, urge them to allow automatic patching. Patch your VPNs. Patch your mail servers. If you’re using SaaS mail, opt for extra screening.
  • Security Training – warn your WFH workers that they are at increased risk to phishing and other attacks. Update your training and increase frequency of reminders. Provide short videos explaining the most important challenges.
  • Update or deploy DLP (Data Leakage Prevention) and CASB (Cloud Access Security Brokers). As work becomes more distributed in response to this crisis, it will become more difficult to identify and protect information. If your organization uses these types of solutions, they may need to be tweaked to accommodate a massive relocation of workers.  If your organization does not use DLP and CASB, it should be considered as a potentially strong risk mitigation strategy. Deploying these kinds of tools won’t happen overnight, but now is the time to consider them.

There are many other possible actions to take, but these five are a good place to start to reduce risks of data breaches. For solutions reviews and comparisons, see our research. For actionable guidance, our team of advisors can assist you with developing tactics and strategies.

5G and Identity

5G Identity and Authentication

5G is the next generation of cellular mobile communications, intended to support the massive increase in capacity and connectivity that will be required for the future cloud of things and to provide the enhanced bandwidth needed for new mobile data services. The security of both depends upon being able to identify not only the people but also the things that are using the network services. Organizations need to act now to take account of how 5G will impact their identity and access management governance and processes.

5G identifiers

First it is important to understand how identity is handled by public cellular networks. This is because many “things”, including cars, delivery vehicles and others, will use 5G and identify themselves in this way to access the network. The original objective of this identification was for the network provider to ensure that only authorized customers have access to the service and that this use cannot be repudiated. How this is achieved has evolved over time to meet the increasing challenges of fraud and cybercrime.

There are two primary identifiers for a cellular device. The first is the IMEI (International Mobile Equipment Identity), which identifies the handset and is used to block access by stolen devices. Within the device is a SIM (Subscriber Identity Module), a trusted, tamper-resistant hardware module. The SIM contains two key pieces of data: the subscriber identity (the IMSI, International Mobile Subscriber Identity, which in 5G is one form of the SUPI, the Subscription Permanent Identifier) and a shared secret key Ki. This key is used in the AKA (Authentication and Key Agreement) protocol when the device connects to the cellular network.

5G Authentication

The device would normally connect to the Home Network (i.e. the network with which the user has a contract) and be authenticated directly. However, when the user is roaming, the device connects via a Serving Network. One of the weaknesses of 4G and earlier was the degree to which the Serving Network was trusted in the authentication process, and one of the key changes in 5G is that the final authentication decision is made by the Home Network, which also learns which Serving Network the device is attached to.

The authentication process starts with the device requesting access by sending its identity to the network. Previously the IMSI was sent unencrypted, posing the threat that it could be intercepted and tracked or reused (so-called IMSI catchers); in 5G the SUPI is never sent in the clear but is concealed using the public key of the Home Network, and this concealed form is the SUCI (Subscription Concealed Identifier). The Home Network responds by generating an Authentication Vector: a random challenge (RAND), an authentication token (AUTN) and the expected response. The device must compute a response from RAND using the shared key Ki (with a keyed one-way function, not encryption in the strict sense) and send it back. Since the Home Network holds a copy of Ki, it can compute the same value and check that the response matches. Prior to 5G this check was made by the Serving Network, which held a copy of the expected response; in 5G-AKA the Serving Network receives only a hash of the expected response for a preliminary check and the final verification is done by the Home Network. 4G and 5G also provide mutual authentication: before answering, the device uses the AUTN returned by the network and the shared key to verify that the challenge genuinely came from its Home Network and, via a sequence number, that it is fresh rather than replayed.

Once the device has been authenticated, the protocol goes on to derive the keys used to protect the traffic, and the network assigns the device a temporary identifier (the 5G-GUTI) so that the permanent identity does not have to be sent again in subsequent messages. 5G additionally specifies protection for signalling between core network functions and between operators (via the SEPP), whereas in earlier generations only the radio link was required to be encrypted.

Figure 1: 5G SIM based Authentication Overview
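The following Python is an added example (not from the original post or from 3GPP) that walks through the challenge-response described above with both sides’ messages: the Home Network issues RAND and AUTN, the device verifies AUTN and the sequence number before answering, and the Home Network compares the response. Assumptions: HMAC-SHA256 stands in for the MILENAGE/TUAK functions a real SIM uses, AUTN is simplified to SQN||MAC, the SUCI concealment and session key derivation are left out, and the subscriber identity, key and serving network name are made up.

```python
import hashlib
import hmac
import os
import struct


def f(key: bytes, label: str, *parts: bytes) -> bytes:
    """Keyed one-way function. Assumption: stands in for the MILENAGE/TUAK
    f1..f5 functions that a real SIM and home network would use."""
    return hmac.new(key, label.encode() + b"".join(parts), hashlib.sha256).digest()


class HomeNetwork:
    """The operator's side (UDM/AUSF): subscriber database keyed by SUPI,
    plus the expected response for each outstanding challenge."""

    def __init__(self, subscribers):
        # SUPI -> [Ki, next SQN]; the key never leaves this object.
        self.subs = {supi: [ki, sqn] for supi, (ki, sqn) in subscribers.items()}
        self.pending = {}

    def authentication_vector(self, supi: str, serving_network: str):
        ki, sqn = self.subs[supi]
        rand = os.urandom(16)                      # fresh challenge
        sqn_b = struct.pack(">Q", sqn)
        mac = f(ki, "f1-mac", rand, sqn_b)[:8]     # lets the device authenticate the network
        autn = sqn_b + mac                         # simplified: real AUTN = (SQN xor AK) || AMF || MAC
        # The expected response is bound to the serving network name, so a vector
        # issued for one network cannot be used to authenticate in another.
        xres_star = f(ki, "f2-res", rand, serving_network.encode())[:16]
        self.pending[supi] = xres_star
        self.subs[supi][1] = sqn + 1
        return rand, autn

    def verify_response(self, supi: str, res_star: bytes) -> bool:
        expected = self.pending.pop(supi, None)
        return expected is not None and hmac.compare_digest(expected, res_star)


class Device:
    """The handset with its SIM: holds Ki and the highest sequence number seen."""

    def __init__(self, supi: str, ki: bytes, sqn: int = 0):
        self.supi, self.ki, self.sqn = supi, ki, sqn

    def respond(self, rand: bytes, autn: bytes, serving_network: str) -> bytes:
        sqn_b, mac = autn[:8], autn[8:]
        # Mutual authentication: only a holder of Ki could have produced MAC.
        if not hmac.compare_digest(f(self.ki, "f1-mac", rand, sqn_b)[:8], mac):
            raise ValueError("AUTN check failed: challenge not from our home network")
        sqn = struct.unpack(">Q", sqn_b)[0]
        if sqn <= self.sqn:
            raise ValueError("sequence number not fresh: replayed challenge")
        self.sqn = sqn
        return f(self.ki, "f2-res", rand, serving_network.encode())[:16]


def run_aka(device: Device, home: HomeNetwork, serving_network: str) -> bool:
    """One complete round: True only if the device accepted the network and
    the home network accepted the device's response."""
    rand, autn = home.authentication_vector(device.supi, serving_network)
    try:
        res_star = device.respond(rand, autn, serving_network)
    except ValueError:
        home.pending.pop(device.supi, None)
        return False
    return home.verify_response(device.supi, res_star)


def replay_is_rejected(device: Device, home: HomeNetwork, serving_network: str) -> bool:
    """Capture one (RAND, AUTN) pair, use it once, then replay it to the device."""
    rand, autn = home.authentication_vector(device.supi, serving_network)
    device.respond(rand, autn, serving_network)   # genuine first use
    home.pending.pop(device.supi, None)
    try:
        device.respond(rand, autn, serving_network)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    KI = bytes(range(16))           # constructed 128-bit subscriber key
    SUPI = "imsi-001010123456789"   # made-up identity
    SN = "5G:mnc001.mcc001.3gppnetwork.org"
    home = HomeNetwork({SUPI: (KI, 1)})
    ue = Device(SUPI, KI)
    print("genuine device:", run_aka(ue, home, SN))
    print("wrong Ki:", run_aka(Device(SUPI, bytes(16)), home, SN))
    print("replay rejected:", replay_is_rejected(ue, home, SN))
```

Two properties of the real protocol are visible here even in simplified form: the device refuses to answer a challenge it cannot attribute to its home network (a fake base station learns nothing useful), and a response is only valid for the serving network it was issued for, so a vector obtained by one roaming partner is worthless to another.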

5G Extensible Authentication Protocol

However, not all devices under all circumstances may want to use the 5G-AKA protocol.  For example, in a private 5G network a large manufacturing plant may wish to use a central directory of devices to control access.  To enable this the 5G architecture provides a unified authentication framework that makes 5G authentication both open and network agnostic.  It supports access through other kinds of network including Wi-Fi and cable via the N3IWF (Non-3GPP Interworking Function). 

For specific use cases such as IoT and private 5G networks EAP-TLS (Extensible Authentication Protocol Transport Layer Security) is also supported. These other forms of authentication could be useful for very cheap IoT devices, for example small sensors, for which it would be prohibitively expensive to require SIM cards.  In addition, the 5G system can be deployed as a replacement for Wi-Fi in an enterprise or factory setting and this can reuse the existing public key and certificate infrastructure for network access authentication.

When selected as the authentication method, EAP-TLS is performed between the device and the AUSF through the SEAF, which transparently forwards the EAP-TLS messages back and forth. For mutual authentication, both the device and the AUSF verify each other’s certificate. Because the AUSF terminates a standard EAP exchange, it can be backed by an existing enterprise AAA infrastructure (for example a RADIUS server and the enterprise PKI) rather than by a SIM-based subscriber database.

                4G                      5G AKA                  5G EAP-TLS
Identity        SIM                     SIM                     Other
Trust Model     Shared Symmetric Key    Shared Symmetric Key    Public Key Certificate

Recommendations

5G will impact on many industry sectors including logistics, manufacturing, transport, healthcare, the media, smart buildings as well as local government.  Managing who and which devices can access what applications and services is critical to ensure security and safety.  Managing vast access by the potentially enormous number of devices adds to the significant existing identity and access challenges.  Organizations should act now to:

  • Integrate your IoT security architecture with existing IAM and Access Governance frameworks.
  • Define authentication and access controls for IoT devices based on the levels of threats to your use cases.
  • Use strong authentication for sensitive devices (consider SIM / embedded SIM or certificates).
  • Take care to secure and remove vulnerabilities from IoT devices – especially change default passwords.
  • Integrate IoT device management with other IT asset management systems
  • Review how your existing PKI processes will be able to support the number of IoT devices.

For more details on this subject see KuppingerCole Leadership Brief 5G Impact on Organizations and Security 80238.  Also attend the Public & On-Premise Cloud, Core IT Hosting, Edge IoT Track at EIC in Munich on May 13th, 2020.

The DON’Ts of IT in the Times of Crisis

Truly we are living in interesting times (incidentally, this expression, commonly known as “the Chinese curse”, has nothing to do with China). Just a couple of weeks ago the world was watching China fighting the coronavirus outbreak as something that surely can never happen in other countries. Today Europe and the United States are facing the same crisis and we’re quickly coming to the realization that neither memes nor thoughts and prayers are going to help: many countries have already introduced substantial quarantine measures to limit social interactions and thus slow down the spread of the virus.

Suddenly, for many companies, the only sensible way to continue their business is to let everyone work from home. Naturally, the Internet is full of recommendations on things you need to do to ease this transition. For a change, I’d like to compile a short and practical list of IT- and security-related things you should avoid doing now to save yourself from regrets later… This is mostly targeted towards smaller companies that, on one hand, probably never had any plans prepared for situations like this but on the other hand can be much quicker and more flexible in actually implementing changes in their processes on such short notice. Check out my colleague John Tolbert's post if you're looking for advice for large enterprises.

Let’s start with a few general recommendations…

The pandemic is not an excuse for GDPR violations

First and foremost – don’t panic (knowing where your towel is wouldn’t hurt either)! It isn’t easy to stay calm and level-headed looking at the sensationalized media coverage from countries like Italy, but making impulsive irrational decisions is the worst possible thing to do in a crisis. This doesn’t only apply to hoarding toilet paper and pasta: if you’re considering actions like purchasing 100 laptops today to issue one to your every employee tomorrow, you might want to think twice…

Don’t think that the pandemic will be a universal excuse for any potential violation of security and compliance regulations, however: the crisis will be over sooner or later, and GDPR or PCI DSS will still apply… Having said that, don’t blindly trust anyone’s recommendations, not even ours! This especially applies to unscrupulous marketing activities of some vendors who might attempt to cash in on the opportunity. Only you can properly assess the risks of enabling remote access to certain types of sensitive corporate or customer data and to adjust your business processes accordingly.

Last but not least, don’t try to build a virtual office for remote workers. With a handful of obvious exceptions (like, for example, accessing legacy on-prem equipment or dealing with highly regulated personal information), people working from home don’t really need to pretend to be in the office. Consider the current situation a once-in-a-lifetime opportunity to radically upgrade your business workflows. Maybe you don’t really need to clock in every employee? Are your daily morning meetings so important that you need to pay for an online collaboration platform to continue them? Again, only you can decide!

Want some more practical advice?

Security from the cloud as a modern VPN alternative

How about this: you don’t need a VPN! Seriously, if you don’t have one already, don’t even think about investing in one. VPNs are not really a modern technology; not only do they not scale for situations like this, but in their typical configuration they also introduce gaping holes in security perimeters by giving users access to whole corporate networks rather than to the specific applications they need.

With multiple known vulnerabilities in VPN products, which are likely not to be patched in time by overstressed IT teams, malicious actors will get additional opportunities to compromise your security. Instead, consider a more modern Zero Trust approach with software-defined perimeter (SDP) solutions, which enable fine-grained, authenticated and audited access to specific internal services and applications from anywhere without the bottleneck of a VPN. Companies like Zscaler, Akamai or Cloudflare, among others, offer such solutions completely delivered and managed from the cloud. The latter even offers its solution for free to small businesses during the pandemic emergency.

Also, if your office security still relies on a hub-and-spoke architecture with firewalls and other appliances filtering all corporate traffic, don’t forget that it leaves remote workers unprotected! This approach has long been proven to be inefficient and hard to scale, so again consider a great opportunity to switch to a cloud-delivered security solution! Whether you’ll opt for a service from Akamai, Cisco or Zscaler among other possibilities, you should choose one that does not require any network changes or software deployment to keep your employees safe working from home, even from their personal devices.

Separating work and private life in home office

However, if you’re still not comfortable with BYOD, you don’t need to compromise! Consider a much more convenient and safer (if somewhat more expensive) enterprise mobility management solution that keeps corporate data and applications in a managed, encrypted container strictly separated from the private side of every employee’s device. Whether you opt for a solution from Microsoft or VMware, among others, you’ll maintain full control over security policies regardless of each worker’s current location.

You don’t need to spend additional money to stay in touch with your colleagues and business partners: you can continue using whatever online collaboration platform you’re already using. Each has its own small quirks, but in the end, GoToMeeting, WebEx, Google Hangouts, Microsoft Teams or any other tool seem to get their job done pretty well. If you are still unsure which one you prefer the most, have a look at this website: some vendors are offering special extended trials or even free versions of their tools for small businesses.

Protecting the weakest link in your security chain

Don’t forget about the human factor! Every humanitarian crisis gives rise to various social engineering attacks aimed to deceive users into running malicious software or simply hijacking their accounts. Unsurprisingly, security researchers already report various malicious attacks exploiting coronavirus fears. With email still being the most popular (and incidentally the least secure) communication channel for businesses, you probably already have at least some kind of email security solution in place for your employees. However, none of those are impenetrable, and people often fall victim to a simple scam that has nothing to do with malware. Educating your employees about potential risks is a good idea, but proactive protection is more important.

Thus, if you still haven’t deployed multi-factor authentication in your company, don’t wait any longer! According to multiple reports, simply enabling MFA on an online service used by your business can protect your employees from over 99% of credential-based attacks. And it does not have to be expensive either: most notable online services, including Google, Microsoft, Salesforce or Dropbox, support a range of different authentication options.

Even the simplest One Time Password generated by a smartphone app is vastly more secure than no MFA. For additional security across multiple online services, you may want to consider FIDO2-based authentication devices. The Yubikey is perhaps the most popular one, but Google offers its own Titan Key as well and you can find many more FIDO-certified products on the alliance’s website.

Don't just look at the labels: asking the right questions

Traditional antimalware protection for each endpoint device is, of course, still important, but now that you have to consider the option of letting your employees use their own devices for work, what is the best product you can buy? To be honest, I don’t have an easy answer for that: whether you’ll opt for a “best-of-breed” endpoint protection product like Kaspersky, an integrated cloud-native protection platform like Carbon Black or a radical AI-powered antivirus replacement like SentinelOne, don’t just look at product labels; ask vendors about supported capabilities and other concrete technical things. You might want to refer to KuppingerCole’s research like this Buyer’s Compass if you need to know which questions to ask. Check out Paul Fisher's post as well for an in-depth view of potential applications of AI in fighting the consequences of the pandemic.

In fact, don’t hesitate to reach out to us for independent, vendor-neutral guidance and support in all things related to cybersecurity. And more importantly, stay safe and healthy. Use this opportunity to relax a bit, be with your family and think of new opportunities after the crisis is over. And don’t forget to wash your hands!

Home Office in the Times of Pandemic – a Blessing or a Curse?

One of the most interesting office work developments of the last 20-30 years, the home office has radically gained new relevance amid the developing coronavirus pandemic. With the goal of limiting the spread of the virus, many companies and employees must suddenly resort to the option of working entirely from home. This is not only self-evident but also urgently necessary and will support many companies in their continued existence at the same time.

Home office as an immediate pandemic quarantine measure

The advantages are clear: social contacts in real life will be reduced to a minimum, while a large number, if not all, of necessary activities, especially in the digital sector, can be continued. The tremendously important goal, which is propagated as #flattenthecurve via social media, i.e. the prevention of further infections especially at a still early stage of the infection, can thus be combined with business continuity for a multitude of organizations. But in practice, companies also face very specific technological challenges. That is because experiences with working from home are not equally distributed.

Different levels of experience

On one hand, there are companies that have often already geared their processes strongly towards roaming users. As "cloud-first" or even "cloud-only" organizations, they are perhaps already using digital corporate services as SaaS or offering secure access to the company's IT systems, even the critical ones, from outside (if such an "outside" still exists at all). Those employees are familiar with new processes, trustworthy handling of sensitive data, and the proper use of endpoint devices (computers, tablets, and smartphones).

Unfortunately, a large group of companies that have not yet taken these steps earlier will be severely challenged by the pandemic. They are facing major operational changes that must be implemented in a matter of days, which will almost inevitably mean that security might be their second priority at best.

A cultural change in only a few days

This surely shows the negative effects of the reluctance of more traditionally structured companies to adopt more recent, decentralized, agile and alternative working models. But considering the underlying causes is now of minor importance. Companies must enable their employees and their IT as quickly as possible by means of necessary processes and access to relevant systems so that the continued operation of their business is guaranteed even in times of crisis.

However, the crisis does not free the companies from their responsibilities regarding compliance, governance, the protection of personal data or critical company intellectual property. What operators of critical infrastructure have continuously prepared themselves for over the past few years is now necessary for virtually every company wishing to continue operating in a meaningful way.

Of course, it is essential to avoid the concrete physical dangers of the disease for individuals. But it is equally vital to carry out a quick, operative and yet sustainable risk assessment of the necessary systems, access routes and end devices of their users as the foundation for the protection of the company, its services, processes, and data.

Preventing the crisis after the crisis

It does not serve anyone's interests if, as a result of this change in the work model, an organization is exposed to an increasing number of unmanaged security risks. These risks must to a large extent be addressed individually, but they can nevertheless be grouped into a number of complex issues that must be considered: device protection (many users will have to resort to private equipment due to the lack of corporate devices), secured communications, and secure authentication and authorization, all of which become even more important in such an exceptional situation.

Understanding the modified attack surface

When moving towards home office work as an undisputedly beneficial, alternative way of contributing to corporate processes, one insight is indispensable: this changes the attack surface of a company dramatically. All at once (without protective measures) a multitude of previously personal network access points and home networks become a vulnerable part of the enterprise network. Information and credentials stored there are under threat and can presumably be used with little effort as a doorway to a corporate network or to digital services provided as Software-as-a-Service.

The loss or theft of an unprotected or inadequately protected access device with local data or credentials can be an immediate threat to a company, an NGO or a public authority not just today, but also later when the current crisis will hopefully be just a vague dark memory.

Taking the first appropriate steps

First of all, of course, all the fundamentally important technical measures are still necessary: local hard disk encryption, patching and monitoring of the clients used, securing home networks, scanners for viruses and other malware on the endpoints, secure access paths with multi-factor authentication and appropriate authorization systems, privilege management for securing critical systems, and a multitude of other technologies that we as analysts for Cybersecurity and Identity and Access Management (IAM) deal with on a daily basis.

However, adequate instruction and training of employees who now access critical systems in the company from their home environment, potentially from private devices, should also be included. Knowledge about malware, viruses, and phishing that is communicated swiftly and efficiently should help prevent negligent handling of these threats, which can be somewhere between annoying and costly in the private environment, but which can threaten a company's existence.

Work from home but work in the cloud

Knowing that the measures described above cannot be implemented quickly and in a scalable manner, it may be useful to consider other approaches: An important alternative to the traditional remote use of corporate resources can be a temporary or permanent switch to collaboration and business services in the cloud and provided as a service. In this case, data and processes remain in managed systems and the risks of working remotely will be noticeably reduced.

Some providers are already offering such platforms as an emergency measure (somewhere between practical solidarity and clever marketing) temporarily at significantly reduced costs or even free of charge. The use of such systems might be a mitigating measure to secure our abrupt change to the home office. But even though it is urgent, such a step into the cloud still needs to be well defined, aligned with a corporate cloud strategy and based on a risk assessment (compliance, governance and security).

A current and continuing challenge

The switch to working from a home office is a life-saving step for the individual and an important measure for containing the current pandemic. Enterprises are providing considerable support in this respect.

At the same time, however, they must consider and implement appropriate protective measures for today and beyond. KuppingerCole Analysts will continue to cover these topics in our research and in our blog as trusted advisors, aiming at providing actionable and valuable insights to the practitioners’ current challenges.

Malicious Actors Exploiting Coronavirus Fears

Security researchers are discovering a number of malicious attacks designed to exploit public fears around COVID-19, more commonly just called coronavirus. The attacks to date take two major forms: a map which looks legitimate but downloads #malware, and various document attachments that purport to provide health and safety information related to COVID-19.

The coronavirus heat map may look legitimate, in that it takes information from Johns Hopkins University’s page, which is itself clean. However, nefarious actors have created a package for sale on the dark web called “corona-virus-map.com”, which uses AzoRult malware. It can steal credentials and credit card info. Links to sites bearing this malware have been spread through email.

The second type of attack also arrives via email. These contain attachments that look like official information, complete with stolen pictures and logos, on how to prevent coronavirus. Some download trojans and other malware, and others ask victims to verify email addresses and passwords, which are captured by the attackers.

Unfortunately, such attacks and scams are likely to continue in the weeks ahead.

Recommendations

KuppingerCole’s advice is:

  1. Beware of phishing. Remind users not to click suspicious links and attachments. Make enterprise users and friends and family aware of these scams.
  2. Use email security gateways. If you’re using a SaaS-delivered email service, opt for any additional security screening if available.
  3. Use anti-malware products on all endpoints. Keep subscriptions current.

Find out what IT should avoid in times of crisis.

For more information on anti-malware, see our list of publications on the subject.

External Sources

https://www.grahamcluley.com/coronavirus-map-used-to-spread-malware/

https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/

https://www.pcrisk.com/removal-guides/17270-corona-virus-map-com-trojan

https://blog.malwarebytes.com/social-engineering/2020/02/battling-online-coronavirus-scams-with-facts/

https://nakedsecurity.sophos.com/2020/02/05/coronavirus-safety-measures-email-is-a-phishing-scam/

https://www.kaspersky.com.au/blog/coronavirus-used-to-spread-malware-online/25737/

High Assurance MFA Options for Mobile Devices

In recent years much of the focus in the authentication space has been on MFA, mobile devices, and biometrics. Many technical advances have been made which also serve to increase usability and improve consumer experiences. There are a few reasons for this.

MFA

Multi-factor authentication is the number 1 method to reduce ATO (account takeover) fraud and prevent data breaches. We all know password authentication is weak and the easiest way in for malicious actors. MFA has been mandated by security policy in many organizations and government agencies for years. MFA is now also required in the consumer space by regulations. EU PSD2, for example, calls for Strong Customer Authentication (SCA = 2FA + risk-adaptive) for financial app customers.

Mobile devices

Smartphones are commonplace and studies show that consumers tend to protect them better than even their wallets. People have gotten used to using a phone as a 2nd-factor with SMS OTP, although that method has security problems. Phone + PIN is a reasonable 2nd-factor method. Mobile push notifications are also an accepted paradigm. Increasingly we see mobile apps for authenticating users, generally built using SDKs from authentication service providers. In some cases these SDKs allow for the use of security features such as Global Platform Secure Element (SE) and Trusted Execution Environment (TEE).

Mobile biometrics

Apple’s Touch ID and Face ID brought mobile biometrics into the mainstream. Samsung and other Android models also offer native capabilities. More advanced 3rd-party mobile biometric apps are available that add behavioral/passive and other modalities such as voice recognition. From the standpoint of False Acceptance Rate (FAR – the measure of how often an impostor can get unauthorized access) Apple reports an impressive one in a million for Face ID, and one in 50,000 for Touch ID. Though these numbers look great, mobile biometrics remain susceptible to presentation attacks despite vendor solutions using liveness detection methods.

High identity assurance solutions for mobile

Back in 2014, US NIST released SP 800-157, which provided guidelines for the Derived PIV credential. PIV cards are Smart Cards used by some US government and other agencies for in-person and electronic authentication. The process for obtaining a PIV card is rigorous, which allows it to be considered a high assurance credential. NIST SP 800-157 was designed to provide an alternate way of using PIV credentials with mobile devices. Rather than using card readers, a parallel (not a copy) set of credentials including keys and certificates could be issued to and installed on mobile devices. These implementations require the use of security mechanisms such as SE and TEE. The vendors listed below provide compliant solutions:

This Derived PIV Credential approach would also work well in the private sector. Many companies use Smart Cards or other hardware tokens for authentication today. Keys and certificates generated by enterprise PKI could likewise be issued in parallel to employees’ devices. Moreover, the ability to combine high assurance credentials on mobile with FIDO 2 opens many possibilities; for example, using Smart Card strength credentials stored on phones to authenticate to laptops, desktops, and web-based applications.

Recommendation

KuppingerCole believes that companies or other organizations that are looking to modernize IAM solutions in general and authentication services in particular should consider these options. High assurance mobile MFA solutions are suited for organizations that:

  1. Have high identity assurance level requirements, either by policy or regulation
  2. Have existing investments and expertise in PKI
  3. Issue mobile devices to their workforces
  4. Have existing UEM or EMM solutions in place

High assurance mobile MFA can be deployed alongside current Smart Card or hardware token (PKI) infrastructure, allowing for a controlled phased-in rollout. To maintain separation but preserve compatibility, a new intermediate CA (certificate authority) can be installed under the root to issue parallel keys and certificates for mobile devices. In this scenario, there is no need to “rip and replace”.
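As an added illustration of that “intermediate CA under the existing root” layout (example code, not from the original post or from any vendor named above): the following POSIX shell script uses the openssl command line to create a root, a dedicated mobile-credential intermediate constrained to pathlen:0, and a device certificate, then shows that a relying party which trusts only the root accepts the device certificate when the intermediate accompanies it and rejects it when it does not. All subject names are constructed placeholders, and the device key is generated on disk only for the demo; on a real handset it would be generated inside the SE or TEE and never leave it.

```shell
#!/bin/sh
# Added example, not from the original post or any vendor: an existing enterprise root CA
# gets a dedicated intermediate for mobile-issued credentials, which in turn issues a
# per-device certificate. Relying parties keep trusting only the root.
# All subject names below are constructed placeholders.
set -eu

# P-256 key generation flags shared by all three CSRs (intentionally left unquoted when used).
EC_KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

build_chain() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Root CA. In the scenario this already exists; it is created here only so the
    #    script is self-contained. Extensions come from an explicit file, not openssl.cnf.
    openssl req -new $EC_KEY -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/O=Example Corp/CN=Example Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -out "$dir/root.crt" \
        -days 3 -extfile "$dir/root.ext" >/dev/null 2>&1

    # 2. Intermediate CA for mobile derived credentials. pathlen:0 means it may issue only
    #    end-entity certificates, so a compromise of this CA cannot mint further sub-CAs.
    openssl req -new $EC_KEY -keyout "$dir/mobile-ca.key" -out "$dir/mobile-ca.csr" \
        -subj "/O=Example Corp/CN=Example Mobile Credential CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/mobile-ca.ext"
    openssl x509 -req -in "$dir/mobile-ca.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/mobile-ca.crt" -days 2 -extfile "$dir/mobile-ca.ext" >/dev/null 2>&1

    # 3. Device certificate. On a real handset the key pair is generated inside the SE/TEE;
    #    only the CSR leaves the device. Here the key lands on disk purely for the demo.
    openssl req -new $EC_KEY -keyout "$dir/device.key" -out "$dir/device.csr" \
        -subj "/O=Example Corp/OU=Mobile/CN=device-0001" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/device.ext"
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/mobile-ca.crt" -CAkey "$dir/mobile-ca.key" \
        -CAcreateserial -out "$dir/device.crt" -days 1 -extfile "$dir/device.ext" >/dev/null 2>&1
}

# What a relying party does: the trust anchor is the root only; the intermediate is
# presented alongside the device certificate, exactly as a TLS client would send it.
verify_device_cert() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/mobile-ca.crt" "$1/device.crt" >/dev/null 2>&1
}

# Negative control: without the intermediate the chain is incomplete and must be rejected.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/device.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    build_chain "$work"
    if verify_device_cert "$work"; then
        echo "device cert chains to the root via the mobile intermediate: OK"
    else
        echo "device cert verification FAILED"
    fi
    if verify_without_intermediate "$work"; then
        echo "unexpected: device cert verified without the intermediate"
    else
        echo "device cert without the intermediate is rejected, as intended"
    fi
    rm -rf "$work"
}

main
```

The point of the layout is visible in the two verify calls: nothing about the existing root or the Smart Card estate changes, and the only new trust decision an organization makes is signing one constrained intermediate. Revoking or retiring the mobile program later means revoking that one certificate.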

In the long run, high assurance mobile MFA solutions utilizing FIDO and WebAuthn protocols can increase usability, decrease costs associated with issuing and replacing Smart Cards or hard tokens, and promote interoperability between mobile and traditional computing devices, web apps, and web services.

For organizations that don’t currently have PKI-based IAM solutions, there is no need to build out CAs and issue certificates to mobiles. In this case, it would be more efficient to implement FIDO 2 authentication. A pure FIDO solution provides similar benefits, such as unique key pair generation on a per-application basis and standards-based communication protocols, without the weight of PKI. Many FIDO authenticators available today can provide strong authentication assurance, but only the processes and PKI described in the previous sections can provide high identity assurance.

The authentication market has a plethora of options today. The time is right to upgrade to strong MFA and risk-adaptive authentication. The challenges reside in understanding your business and regulatory environments and choosing the right mix of authenticators, risk analytics capabilities, and management tools.

For more information or assistance in evaluating high assurance mobile MFA solutions or other authentication services, see https://www.kuppingercole.com/advisory.

