Analyst Chat
Analyst Chat #73: Cybersecurity Vulnerabilities of Remote Work
Shikha Porwal and Matthias Reinwarth have a coffee conversation over the security risks of working remotely. They talk through the vulnerabilities of a home network, and touch base with the pandemic related end point security threats, employee behavior and finally, Zero trust.
Welcome to the KuppingerCole analyst chat. I'm your host. My name is Mathias Reinwarth. I'm a lead advisor and senior analyst at KuppingerCole analysts. My guest today is Shikha Porwal. She is an advisor with KuppingerCole usually working out of Frankfort Germany. Hi Shikha.
Hi Matthias. Thank you so much for having me
Great to have you. And when I say that you are usually working out of Franklin, you are doing what many of our colleagues do, because on the one hand, we are really a, an organization that is really international and spread around the world. So we have John working from Seattle and we have Graham working from Brisbane and Paul will be with me next week. He's working out of London. Um, where are you right now? Right
Now? I'm, I'm in the middle east. I'm working from Byron as all of us. A lot of us have now moved, uh, for a long time to work from home. And so I'm here right now in the middle east, enjoying the hot sun, right?
So you are working from home and this is the third episode in a series of episodes that are circling around the topic of cyber security and the cyber security threat landscape in a working from home scenario. So that fits nicely in there. So happy to have you for this episode, Annie and I, we did the first two episodes in the series, so let's dig a bit deeper into that topic. So when we were talking about home network, that could be any type of network. It's not necessarily home. It could be something like a shared office or an office space in general, but it could be also the usual home network. So we're talking about security about the cyber security threat landscape. So what would be the vulnerabilities of a home network?
Well, Mathias, when we talk about, uh, the vulnerabilities of home network, especially during the pandemic that there are countless of them and the reason being, uh, we are connecting a lot of our personal, as well as other devices to the enterprise network. Now, the enterprise network being your company's network, or for example, a school's network or that of a hospital. So in that sense, these devices do not have proper firewalls or do not have any antivirus services or probably they do have that, but it's not updated and they're using default passwords that can easily be compromised. So in that sense, when we talk about vulnerabilities from home network, it is basically sort of a lot of devices that are now outside the hardened or the defined perimeter of the security. So we have like a security per meter, but now there are many other, uh, items or end points that get added to this it ecosystem, but that actually outside the security perimeter. So when we go into details of vulnerabilities, they're just endless, there could be a lot of different technologies and applications that have been downloaded, which do not have adequate safeguards or do not have proper instructions from the ID team. And a lot of boards are risky that a lot of services that are exposed on the internet facing assets and unpatched VPNs. So due to the increase of endpoints that are many vulnerabilities, that for example, that the ones I mentioned have, have come up
Right, and many security experts including us already have claimed before that, that actually, um, is no longer this well-defined perimeter for an organization. And I think the pandemic has clearly shown that this is really true and it has dramatically shown that organizations and people need to adapt to that very quickly. Um, are there any, any figures that you see from the experience, um, and from research that proves that attacks have increased in overtime? Um, Annie mentioned some of those already, but when it comes to people really working from home using, I don't know, remote services, is there anything that you would like to point out where really there is proof for this trend of, um, vulnerabilities being also exploited?
Yes. Yes. There's so many researchers and so many, uh, uh, trends that we have seen. And the research that we did because of the whole bring your own device environment that has come up during the pandemic. One of the example is, uh, what we see as an attack or breach of the remote desktop protocols, um, as a technology, which is also one of the biggest endpoint security vendors actually saw that the number of attacks per day, via RDP draws from 65,000 a day in December of 2019 to 1100 thousand per day by may of 2020. So this is just one example of showing how, just because the shift has been from normal everyday work in my mental, uh, home environment, the shift has caused so much vulnerability, even in 2020, a study of the us health care organization found out that 49% of the devices, laptops, or other devices to the employers and the healthcare work had risky ports and services exposed to a lot of other endpoint vulnerabilities. And when we talk of healthcare data, this is really like a goal in mind for cybercriminals to use it against the organization or the government or the country. So in that sense, increased use of VPNs in many ways. Many studies have shown has increased security challenges for all of us,
Right? While VPNs are not the easiest thing to use and are not really convenient and come with more or less bad user experience, that it's really something that offers room for improvement and offers room for security improvement. We've been talking about the traditional end point device though. That would be the, the laptop, the home computer that would be maybe some tablet or such type of things. If you think of other devices, IOT devices, um, do they also contribute to the increase in cyber attacks? Are there other devices we should look at?
Of course, any device, any device that our home appliances that are many other, uh, devices of phone, for example, especially you, a lot of them who are doing remote schooling has resulted in higher risk of unintentionally downloading malicious software as well. So it just does not come to laptops or tablets, but also this cannot be extended for example, to printers also, which do not have up-to-date browsers plugins or PDF viewers, even the office tools might not be as per the security measures and the installation of a lot of these new applications to support work from home has resulted in a lot of vulnerabilities. And what happens is these points lead to a lot of data leakage, which has been more challenging to handle in 2020 in comparison to 2019. So this is, this is also come up in a lot of surveys where it professionals have stated that employees working remotely or other people using more IOT devices, it could be children, it could be, anyone has really increased the whole vulnerability to data leakage or incidents of data leakage.
Okay. Um, this is episode 70 something of this podcast and then a very, very early episode in, in, in March or April, I assume I did together with Martin Kuppinger our colleague. We talked about how we could, um, work towards getting more of an awareness in our, in our employees and how we could change the rules for using these devices to ensure a secure and safe use of home devices in a corporate environment. What has been the impact since then on employee behavior, on security policies, on the way that people use their home network for accessing corporate systems? Are there changes some visible?
Yeah, definitely. There's a lot of data in order to support this, uh, statement of yours Mathias, a lot, many corporate security policies in 2020 has put more emphasis on securing the employees work from home and environment. And even the NISD has acknowledged that the increase in IOT devices in a company's ID system brings more security challenges. A lot of data has shown for example, a report, uh, in the U S said that 23% of employees do not know what security settings or products are installed on the devices they're using for work. And I'm talking about almost 50% of the people who responded to these surveys actually have never even done work from home before. So if the, do not know if the security settings properly, they might not use the security functionalities to their full, full potential. And even another survey said that around 54% of the employees do seek workarounds.
If security policies prevent them from actually accomplishing their tasks. And here, I would say Mathias, even some of us have faced these kinds of challenges and that we are unable to accomplish a task. And for a second mind think of a workaround. So this is something I think all of us are familiar with that has even been warnings that say that there could be a risk of intentional insider threat, just because an employee resents, um, pandemic related layer, for example, which could be one of the biggest reasons to do so. So yes, um, in that sense, you can see a lot of employee behavior making or increasing the risk of, uh, security during the pandemic,
Right? But that would be really deliberately. So convening, um, some, some orders, some best practices, some security measures that are in place. There is on the other hand, the threat of people doing something, um, that they actually did not want to do and did not expect to do so I'm talking about phishing. So they click on a link without doing this with this disrespect ground, the malicious attack comes from the outside. So is there a rise there as well? Is this still the case now more than one year into the pandemic,
Of course, uh, fishing, especially targeted fishing has risen highly. I do not have the exact numbers on those, but we see a trend that all the malicious actors, or how to say cyber criminals are easily able to adapt to this new para-dime of work from home and increase in IOT devices. It's like a gold mine for them. But what happens is on the other hand, employees are under a lot of emotional stress. This could be due to the pandemic due to work from home or losing their jobs, but for X and Y reasons they're more susceptible to phishing and business, email compromise, and hence spirit fishing is one of the most prolific social engineering method, especially when you see in 2020. And this has been magnified, especially by the wealth of personal information available online, typically from social media. So yes, targeted fishing and fishing in general has increased a lot during the last one year,
Right? One measure that we at KuppingerCole have in place that our colleagues are really monitoring very closely. These types of males that come in that look very, very closely like a male that could be sent from the inside or actually sent from the outside. There, there are names from colleagues in there. And please click on that because your colleague AE wants to have you confirm this or read that document that is really going on. And our colleagues are on top of what the automatic mechanisms already provide when it comes to identifying malware within males and unusual links within males, they are adding another layer of, of human experience to say, okay, take care of, there is a new wave of a spare fishing males coming in. What else can a company do to prepare itself, to face such disruption?
Monte has such disruptions. I think this is a whole huge social experiment of moving into a remote work environments, but moving to cloud. And in general, you, uh, being able to work from home is something which already, uh, the market has realizing. And everyone at in an enterprise or an organization is realizing that it is increasing from day to day. And for that, although there is no clear single framework that out a few organizations that have tried to deal with cyber security concern and want to do that in the future. And I think the best way forward is to mitigate risk. Remote working arrangement has forced the forms to undergo a lot of cloud transformation and a lot of ID practices that exist has made a challenging to support employee productivity, because they also do not want to compromise on security, but I would say one such approach is the zero trust model, uh, which operates on the principle of never trust and always verify since zero trust model offers the more scalable access management infrastructure for managing network resources.
Um, COVID-19 has pushed most of the forms to actually adopt a zero trust security model. However, when we talk about the migration towards zero trust model, there are a lot of challenges and a lot of, uh, forms of identifying identity and access management as one of the major challenges. So a lot of work to be done on the fundamentals. So to say the prerequisites of doodle trust by any enterprise that wants to adapt to it, but having a pet in meter less. So to say security architecture is something that zero trust can assure. And I feel that this model is something that can actually help the enterprise get rid of a lot of these risks and vulnerabilities or reduce them to a very minimum level.
Absolutely. And when you say that zero trust relies very much on, um, on a well-executed identity and access management, I think that is very true. Of course, identity and access management is very close to my heart and to my experience of my professional life and these strong and reliable identities are at the core of zero trust because it does not mean that you don't not trust anything. That's not zero trust. It's you only trust in very basic, very, um, strong and reliable, um, aspects and that our device identities that our personal identities and that our service identities. So this triangle always make sure that there is a proper communication and you have something that you can verify all the time. That would be one approach to protect the systems. Also in this work from home scenario, because every connection is encrypted and every connection is trusted because verified, do you have any recommendations where our audience could have a look at when it comes to learning more about this topic of protecting their own organization? There's something at KuppingerCole dot com that you would recommend where to start? What would be a starting point here?
Well, the best way for our audience to find out about zero trust is actually go to our website and go to the research section just by typing zero trust. You will find a sea of resources that whose heading would actually lead you to what you're looking for. And you could actually get started on that. And it's just not based on theory, but also events and as well as trends related to security and zero trust. So it's a well thought through a resource section for our avid listeners and readers. Perfect.
Thank you very much. And, uh, as this is the third episode in a series of podcasts around this working from home cyber security landscape, we will pick up another topic next week, Paul Fisher, and I will do that and we will look at what you've mentioned already. We will look at privileged access management, you and Annie, um, provided the groundwork so that we can build upon that. And there will be surely more episodes around that working from home cybersecurity topic on top of that, um, for the time being, thank you very much, um, Shika for being my guest today. And I'm looking forward to having you as a guest very soon.
Thank you, Mathias. It was my pleasure. It's nice talking to
You and my pleasure and great to have you on board at KuppingerCole. So, bye.
Thank you. Bye-bye.
Hi Matthias. Thank you so much for having me
Great to have you. And when I say that you are usually working out of Franklin, you are doing what many of our colleagues do, because on the one hand, we are really a, an organization that is really international and spread around the world. So we have John working from Seattle and we have Graham working from Brisbane and Paul will be with me next week. He's working out of London. Um, where are you right now? Right
Now? I'm, I'm in the middle east. I'm working from Byron as all of us. A lot of us have now moved, uh, for a long time to work from home. And so I'm here right now in the middle east, enjoying the hot sun, right?
So you are working from home and this is the third episode in a series of episodes that are circling around the topic of cyber security and the cyber security threat landscape in a working from home scenario. So that fits nicely in there. So happy to have you for this episode, Annie and I, we did the first two episodes in the series, so let's dig a bit deeper into that topic. So when we were talking about home network, that could be any type of network. It's not necessarily home. It could be something like a shared office or an office space in general, but it could be also the usual home network. So we're talking about security about the cyber security threat landscape. So what would be the vulnerabilities of a home network?
Well, Mathias, when we talk about, uh, the vulnerabilities of home network, especially during the pandemic that there are countless of them and the reason being, uh, we are connecting a lot of our personal, as well as other devices to the enterprise network. Now, the enterprise network being your company's network, or for example, a school's network or that of a hospital. So in that sense, these devices do not have proper firewalls or do not have any antivirus services or probably they do have that, but it's not updated and they're using default passwords that can easily be compromised. So in that sense, when we talk about vulnerabilities from home network, it is basically sort of a lot of devices that are now outside the hardened or the defined perimeter of the security. So we have like a security per meter, but now there are many other, uh, items or end points that get added to this it ecosystem, but that actually outside the security perimeter. So when we go into details of vulnerabilities, they're just endless, there could be a lot of different technologies and applications that have been downloaded, which do not have adequate safeguards or do not have proper instructions from the ID team. And a lot of boards are risky that a lot of services that are exposed on the internet facing assets and unpatched VPNs. So due to the increase of endpoints that are many vulnerabilities, that for example, that the ones I mentioned have, have come up
Right, and many security experts including us already have claimed before that, that actually, um, is no longer this well-defined perimeter for an organization. And I think the pandemic has clearly shown that this is really true and it has dramatically shown that organizations and people need to adapt to that very quickly. Um, are there any, any figures that you see from the experience, um, and from research that proves that attacks have increased in overtime? Um, Annie mentioned some of those already, but when it comes to people really working from home using, I don't know, remote services, is there anything that you would like to point out where really there is proof for this trend of, um, vulnerabilities being also exploited?
Yes. Yes. There's so many researchers and so many, uh, uh, trends that we have seen. And the research that we did because of the whole bring your own device environment that has come up during the pandemic. One of the example is, uh, what we see as an attack or breach of the remote desktop protocols, um, as a technology, which is also one of the biggest endpoint security vendors actually saw that the number of attacks per day, via RDP draws from 65,000 a day in December of 2019 to 1100 thousand per day by may of 2020. So this is just one example of showing how, just because the shift has been from normal everyday work in my mental, uh, home environment, the shift has caused so much vulnerability, even in 2020, a study of the us health care organization found out that 49% of the devices, laptops, or other devices to the employers and the healthcare work had risky ports and services exposed to a lot of other endpoint vulnerabilities. And when we talk of healthcare data, this is really like a goal in mind for cybercriminals to use it against the organization or the government or the country. So in that sense, increased use of VPNs in many ways. Many studies have shown has increased security challenges for all of us,
Right? While VPNs are not the easiest thing to use and are not really convenient and come with more or less bad user experience, that it's really something that offers room for improvement and offers room for security improvement. We've been talking about the traditional end point device though. That would be the, the laptop, the home computer that would be maybe some tablet or such type of things. If you think of other devices, IOT devices, um, do they also contribute to the increase in cyber attacks? Are there other devices we should look at?
Of course, any device, any device that our home appliances that are many other, uh, devices of phone, for example, especially you, a lot of them who are doing remote schooling has resulted in higher risk of unintentionally downloading malicious software as well. So it just does not come to laptops or tablets, but also this cannot be extended for example, to printers also, which do not have up-to-date browsers plugins or PDF viewers, even the office tools might not be as per the security measures and the installation of a lot of these new applications to support work from home has resulted in a lot of vulnerabilities. And what happens is these points lead to a lot of data leakage, which has been more challenging to handle in 2020 in comparison to 2019. So this is, this is also come up in a lot of surveys where it professionals have stated that employees working remotely or other people using more IOT devices, it could be children, it could be, anyone has really increased the whole vulnerability to data leakage or incidents of data leakage.
Okay. Um, this is episode 70 something of this podcast and then a very, very early episode in, in, in March or April, I assume I did together with Martin Kuppinger our colleague. We talked about how we could, um, work towards getting more of an awareness in our, in our employees and how we could change the rules for using these devices to ensure a secure and safe use of home devices in a corporate environment. What has been the impact since then on employee behavior, on security policies, on the way that people use their home network for accessing corporate systems? Are there changes some visible?
Yeah, definitely. There's a lot of data in order to support this, uh, statement of yours Mathias, a lot, many corporate security policies in 2020 has put more emphasis on securing the employees work from home and environment. And even the NISD has acknowledged that the increase in IOT devices in a company's ID system brings more security challenges. A lot of data has shown for example, a report, uh, in the U S said that 23% of employees do not know what security settings or products are installed on the devices they're using for work. And I'm talking about almost 50% of the people who responded to these surveys actually have never even done work from home before. So if the, do not know if the security settings properly, they might not use the security functionalities to their full, full potential. And even another survey said that around 54% of the employees do seek workarounds.
If security policies prevent them from actually accomplishing their tasks. And here, I would say Mathias, even some of us have faced these kinds of challenges and that we are unable to accomplish a task. And for a second mind think of a workaround. So this is something I think all of us are familiar with that has even been warnings that say that there could be a risk of intentional insider threat, just because an employee resents, um, pandemic related layer, for example, which could be one of the biggest reasons to do so. So yes, um, in that sense, you can see a lot of employee behavior making or increasing the risk of, uh, security during the pandemic,
Right? But that would be really deliberately. So convening, um, some, some orders, some best practices, some security measures that are in place. There is on the other hand, the threat of people doing something, um, that they actually did not want to do and did not expect to do so I'm talking about phishing. So they click on a link without doing this with this disrespect ground, the malicious attack comes from the outside. So is there a rise there as well? Is this still the case now more than one year into the pandemic,
Of course, uh, fishing, especially targeted fishing has risen highly. I do not have the exact numbers on those, but we see a trend that all the malicious actors, or how to say cyber criminals are easily able to adapt to this new para-dime of work from home and increase in IOT devices. It's like a gold mine for them. But what happens is on the other hand, employees are under a lot of emotional stress. This could be due to the pandemic due to work from home or losing their jobs, but for X and Y reasons they're more susceptible to phishing and business, email compromise, and hence spirit fishing is one of the most prolific social engineering method, especially when you see in 2020. And this has been magnified, especially by the wealth of personal information available online, typically from social media. So yes, targeted fishing and fishing in general has increased a lot during the last one year,
Right? One measure that we at KuppingerCole have in place that our colleagues are really monitoring very closely. These types of males that come in that look very, very closely like a male that could be sent from the inside or actually sent from the outside. There, there are names from colleagues in there. And please click on that because your colleague AE wants to have you confirm this or read that document that is really going on. And our colleagues are on top of what the automatic mechanisms already provide when it comes to identifying malware within males and unusual links within males, they are adding another layer of, of human experience to say, okay, take care of, there is a new wave of a spare fishing males coming in. What else can a company do to prepare itself, to face such disruption?
Monte has such disruptions. I think this is a whole huge social experiment of moving into a remote work environments, but moving to cloud. And in general, you, uh, being able to work from home is something which already, uh, the market has realizing. And everyone at in an enterprise or an organization is realizing that it is increasing from day to day. And for that, although there is no clear single framework that out a few organizations that have tried to deal with cyber security concern and want to do that in the future. And I think the best way forward is to mitigate risk. Remote working arrangement has forced the forms to undergo a lot of cloud transformation and a lot of ID practices that exist has made a challenging to support employee productivity, because they also do not want to compromise on security, but I would say one such approach is the zero trust model, uh, which operates on the principle of never trust and always verify since zero trust model offers the more scalable access management infrastructure for managing network resources.
Um, COVID-19 has pushed most of the forms to actually adopt a zero trust security model. However, when we talk about the migration towards zero trust model, there are a lot of challenges and a lot of, uh, forms of identifying identity and access management as one of the major challenges. So a lot of work to be done on the fundamentals. So to say the prerequisites of doodle trust by any enterprise that wants to adapt to it, but having a pet in meter less. So to say security architecture is something that zero trust can assure. And I feel that this model is something that can actually help the enterprise get rid of a lot of these risks and vulnerabilities or reduce them to a very minimum level.
Absolutely. And when you say that zero trust relies very much on, um, on a well-executed identity and access management, I think that is very true. Of course, identity and access management is very close to my heart and to my experience of my professional life and these strong and reliable identities are at the core of zero trust because it does not mean that you don't not trust anything. That's not zero trust. It's you only trust in very basic, very, um, strong and reliable, um, aspects and that our device identities that our personal identities and that our service identities. So this triangle always make sure that there is a proper communication and you have something that you can verify all the time. That would be one approach to protect the systems. Also in this work from home scenario, because every connection is encrypted and every connection is trusted because verified, do you have any recommendations where our audience could have a look at when it comes to learning more about this topic of protecting their own organization? There's something at KuppingerCole dot com that you would recommend where to start? What would be a starting point here?
Well, the best way for our audience to find out about zero trust is actually go to our website and go to the research section just by typing zero trust. You will find a sea of resources that whose heading would actually lead you to what you're looking for. And you could actually get started on that. And it's just not based on theory, but also events and as well as trends related to security and zero trust. So it's a well thought through a resource section for our avid listeners and readers. Perfect.
Thank you very much. And, uh, as this is the third episode in a series of podcasts around this working from home cyber security landscape, we will pick up another topic next week, Paul Fisher, and I will do that and we will look at what you've mentioned already. We will look at privileged access management, you and Annie, um, provided the groundwork so that we can build upon that. And there will be surely more episodes around that working from home cybersecurity topic on top of that, um, for the time being, thank you very much, um, Shika for being my guest today. And I'm looking forward to having you as a guest very soon.
Thank you, Mathias. It was my pleasure. It's nice talking to
You and my pleasure and great to have you on board at KuppingerCole. So, bye.
Thank you. Bye-bye
Video Links
Stay Connected
Related Videos
How can we help you