A recent study by Ivanti found that 66% of IT professionals have seen a rise in security issues due to the shift in remote working, with the majority coming from malicious emails, non-compliant employee behaviour, and software vulnerabilities.
To understand more about these security threats and others, we spoke to Ivanti ANZ sales engineering manager James Ley.
The company focuses on the security, stability, and visibility of all IT assets – helping customers understand what hardware and software they have, and how to secure it. That is more important than ever now that many people have had a taste of working from home, and many want to roll out a flexible working model long term.
“Now that users are capable and can be trusted to work from home, there will be a shift, but it comes with challenges,” says Ley.
The Ivanti survey also found that organisations name VPNs as an area of particular concern.
“As soon as a machine leaves a network, it's a black box. Unless the user connects to that VPN, an IT or security team has no visibility into the status. They don't know if it's getting antivirus updates. They don't know if it's getting patch updates. They don't know if all security software is running,” says Ley.
VPNs aren't the only tool in the arsenal for protecting people, processes, and devices. Many organisations use Microsoft System Center Configuration Manager (SCCM) for device management, but that becomes more of a challenge in remote environments.
“Some organisations that are more advanced, or more mature in their journey towards modern workplaces, are able to leverage modern services such as device management cloud-based security tools. These tools can provide some visibility into what's happening outside the network.
“For others, their tools are still on-premise, so they face more challenges in terms of being remote and not connected. Remote management has been more challenging for those that either don't have the budget or haven't started their cloud migration yet.”
While remote working existed before the pandemic, many organisations adopted it hastily to cover immediate operational needs. If flexible workplaces with remote working gain traction, organisations will need to start thinking about long-term goals and the security requirements that come with them.
“As we move to an environment where people are maybe spending one or two days in an office, organisations will need to balance user experience with security and the right controls,” says Ley.
“Cloud-first platforms that deliver the capability for those remote workforces are going to be a key part of that. We've had lots of conversations with customers about how you get a consistent level of service to your users - whether they are in an office, or whether they are remote.”
Remote working brings heightened security risks. Fileless malware is a good example of how a threat can breach a machine easily and then stay undetected for a long period of time.
Ley points to the Australian Cyber Security Centre (ACSC) Essential Eight guidelines, which include application control as one of the eight strategies. It recommends that organisations prevent the execution of unapproved or malicious programs, including executables (.exe), DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
“One of the things they recommend in the maturity scale is blocking tools that users shouldn't be using. Why would you ever want a user spawning PowerShell from a browser, or spawning PowerShell from an email or a Word document?” Ley asks.
When these tools are blocked from the start, it is far harder for fileless malware to begin an attack.
Additionally, users who don't need admin privileges on a machine shouldn't have them, because fileless malware can use those privileges to gain greater access and move laterally.
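The parent/child rule Ley describes (a browser, mail client or Office document should never be the thing that launches PowerShell or another script host) can be checked against process-creation telemetry. The following is an added example, not code from Ivanti or the ACSC; the event records are constructed, with field names modelled loosely on Sysmon Event ID 1, and the application and script-host lists are illustrative assumptions rather than a complete policy.

```python
"""Flag script hosts spawned from user-facing applications.

Added illustration (not Ivanti's or the ACSC's code). Each record is a
constructed process-creation event with a parent image path and a child
image path. The rule mirrors the interview: a browser, mail client or
Office application launching PowerShell, Windows Script Host or HTA is
exactly the chain application control should stop and detection should
surface.
"""
from __future__ import annotations

import ntpath

# Assumed list of user-facing applications that have no legitimate reason
# to launch a script host. Extend to match the estate's software inventory.
USER_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
             "chrome.exe", "msedge.exe", "firefox.exe"}

# Script hosts named in the Essential Eight application-control guidance.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def _basename(image: str) -> str:
    """Lower-cased file name from a Windows image path (ntpath handles '\\')."""
    return ntpath.basename(image).lower()


def is_suspicious_spawn(parent_image: str, image: str) -> bool:
    """True when a user-facing application launches a script host."""
    return _basename(parent_image) in USER_APPS and _basename(image) in SCRIPT_HOSTS


def find_suspicious(events: list[dict]) -> list[dict]:
    """Return only the events that match the parent/child rule."""
    return [e for e in events if is_suspicious_spawn(e["ParentImage"], e["Image"])]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",           # admin opening a shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\mshta.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe", # logon script via service
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", _basename(hit["ParentImage"]), "->", _basename(hit["Image"]))
```

Only the Word-to-PowerShell and Outlook-to-mshta chains are flagged; an administrator launching PowerShell from Explorer is left alone, which is the balance between user experience and control the interview calls for.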
“While advanced capabilities like endpoint detection and response and threat intelligence are great, many organisations I speak to don't have those basic hygiene practices like the Essential Eight in place.”
“It's all very well detecting an incident, isolating it, and figuring out how it got in. But wouldn't it be better to block it before an attacker gets a foothold?”
However, if an organisation is going to allow potentially risky tools, it should make sure it is patching regularly in order to reduce the risk of attack.
One reason patching cycles are slow is a lack of staff. Ley stresses that application whitelisting, privilege management and patching can all be management-heavy, which is why some operations teams may not be as quick to meet security requirements as security teams would like.
Automation, including automated whitelisting for any deployment, can mean lower overheads and a stronger security posture. Ley says that organisations can automate patching to make the process less admin-heavy.
“Patch automation might be as simple as scanning a network, downloading the required patches, and putting them on a file share ready to deploy. Or a scan could create a change process workflow ready for approval. Once approval is granted, the patches are rolled out.
“Organisations should consider how they integrate with other tools. We have the ability to integrate with vulnerability management tools, like Rapid7 or Tenable, pull threat information in, give you a direct feed of what's being scanned with those tools, and then push patches out.”
Ley concludes, “It's all about getting a strong security posture. I believe that organisations and the industry need to automate security to help out IT operations teams.”