The risky new world of work

It’s fair to say that 2020 dramatically changed the workplace. Globally, governments mandated citizens to work from home, where possible. Large office blocks emptied as IT teams scrambled to implement technology and systems to support a predominantly remote workforce. As we start to look beyond COVID, organisations plan to permanently adopt these long-term hybrid and remote work models.

As organisations and employees adapt to new working practices, cyber criminals are looking to capitalise on the changes, says David Cummins, VP of EMEA, Tenable.

According to the World Economic Forum’s Global Risks Report 2021, the failure of cybersecurity measures is a key short-term risk facing organisations today. Last year saw a dramatic increase in cyber-attacks on government agencies and companies globally; many of them leveraged the COVID-19 crisis to infiltrate networks.

According to the study, attack volume doubled from the second half of 2019 to the first half of 2020. This year the trend has continued, including a number of large-scale cyber-attacks that have crippled organisations. In January, attackers targeted the Microsoft Exchange Servers of organisations globally; in July the MSP Kaseya was breached, with some reports estimating that hundreds of thousands of its customers were caught up in the attack. Headlines are dominated by similar successful threats and breaches.

Organisations must address the new and unmanaged cyber risks introduced by the new world of work to prevent further successful attacks.

How hybrid work introduces risks

Employees en masse are now accessing sensitive intellectual property and data outside the confines of the office. In addition, a hybrid worker could be in the corporate office one day and the next they’re connecting remotely via home routers, or even WiFi hotspots (referred to as the third workspace).

Enabling this move to a hybrid work model requires three significant shifts, all of which serve to atomise the attack surface:

  1. Dissolving traditional workplace perimeters and providing technology that enables employees to work from anywhere
  2. Moving business-critical functions to the cloud
  3. Rapidly expanding the software supply chain with new tools for collaboration, communication and productivity.

Given the challenges last year, many organisations were forced to adapt their working practices in a much shorter time frame than would be ideal, including the accelerated migration towards cloud-based applications and Software-as-a-Service (SaaS) models. These changes caused the corporate attack surface to explode.

When forced to choose between operability and security, organisations often prioritised the usability of IT. However, this rush to support the new work environment may have introduced new critical security risks, and many organisations are still struggling to understand and address them. Given that these moves are now permanent, the band-aid security solutions many organisations put in place last year now need to be replaced with scalable, long-term security strategies.

Anatomy of an attack

The first step to addressing the new risks is to understand what we’re facing.

When we look at how attacks play out, in the vast majority of cases bad actors go after the low-hanging fruit in networks: known but unpatched vulnerabilities. This view is echoed by the NCSC, alongside a number of international allies, which confirms that malicious cyber actors continue to target known vulnerabilities in perimeter-type devices.

Having exploited a vulnerability to gain a toe-hold into the organisation, attackers will pivot focus to Active Directory and the identity infrastructure to escalate privileges, and move laterally, with an aim to target further vulnerabilities, install malware and exfiltrate data.

Once an attacker gains control of Active Directory, they effectively have the “keys to the kingdom”, which they can use to access any device or system connected to the network. In addition, if Active Directory serves as the Identity Provider (IdP), compromising it could also affect your single sign-on (SSO) solution, giving attackers access to every additional account and application a user has been granted.

To combat this, organisations must take a multi-layered approach to cybersecurity, one that looks to prevent criminals gaining that toe-hold, locks them down if they do get inside, and looks for indicators of compromise to shut down attempts to exfiltrate data and eliminate bad actors from the infrastructure:

Prevent the toe-hold: While it might seem simplistic, basic cyber hygiene plays a critical role and acts as the first line of defence. Organisations need a modern, comprehensive strategy that quickly and accurately identifies vulnerabilities and misconfigurations in their dynamic infrastructures and that delivers clear guidance on how to prioritise and remediate any risks. Here are some steps to help:

  • Actively detect all assets and identify key processes across the entire attack surface wherever it resides, including any assets in cloud and container environments.
  • Identify all business-critical assets, applications and services, including who within the organisation ‘owns’ them.
  • Having identified what is critical to the business, focus efforts there first to find and fix known flaws. This prevents attackers daisy-chaining vulnerabilities, which would enable further exploitation.

Prevent the Pivot: The dissolution of traditional perimeters makes the configuration and management of user privileges and access more critical than ever before. However, when it comes to Active Directory and identity access management, this is where most organisations struggle. Here is a best practices checklist to help:

  • Make sure only authorised users are accessing data, and only the data they are authorised to access. Require multi-factor authentication and strong passwords (25 characters) on service accounts, and actively manage the groups they belong to. Enforce the principle of least privilege across all endpoints: block default administration, deny access from the built-in local administrator account and avoid built-in groups, which have too many permissions.
  • Clean up the domains in your network and limit the number of privileged users, administrative accounts and permissions in the network.
  • Use technology that continuously scans directories for security vulnerabilities and weak configurations. Monitor events in Active Directory for unauthorised behaviours that could indicate signs of attack. And finally, deploy software updates as soon as possible.

Monitor for deviations: While keeping bad actors out of the environment is the primary focus, it’s also important to plan how to identify and stop anyone who does get in. Here are some basic steps to consider:

  • Adaptive user risk profiles based on changing conditions, behaviours or locations allow the organisation to continuously monitor and verify every attempt to access corporate data before granting or revoking the request. For example, someone using a corporate-owned device within the office perimeter during working hours may be deemed a lower risk than someone connecting with their own device over an insecure WiFi hotspot at 2:00 am.
  • Employ network segmentation to prevent uncontrolled lateral movement.
  • Continuously monitor for indicators of compromise. For example, if a server in the basement that controls the air conditioning suddenly starts trying to connect to an external destination out of hours, this warrants immediate investigation.

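The two detections described above, as an added example that is not part of the original article: a simple adaptive risk score over constructed access events (device, network, time of day, MFA) mapped to allow/step-up/deny, and a check that flags an internal host with no history of external traffic when it starts talking out, escalating when this happens out of hours. Business hours, score weights, thresholds, the `10.` internal prefix and all sample events are assumptions chosen for illustration.

```python
from datetime import datetime, time

# Assumed business hours for the risk model (illustrative values).
WORK_START, WORK_END = time(8, 0), time(18, 0)

def in_work_hours(ts: datetime) -> bool:
    return WORK_START <= ts.time() < WORK_END

def score_access(event: dict) -> int:
    """Adaptive risk score for one access request; weights are illustrative."""
    score = 0
    if not event["managed_device"]:
        score += 3                      # personal or unknown device
    if event["network"] == "home":
        score += 1                      # home router rather than corporate LAN
    elif event["network"] != "office":
        score += 3                      # public hotspot or unknown network
    if not in_work_hours(event["time"]):
        score += 2                      # access outside working hours
    if not event["mfa"]:
        score += 2                      # no second factor presented
    return score

def decide(event: dict) -> str:
    """Map the score to a decision: allow, step-up (re-authenticate with MFA) or deny."""
    score = score_access(event)
    if score >= 6:
        return "deny"
    return "step-up" if score >= 3 else "allow"

def detect_unexpected_egress(flows: list, egress_baseline: set, internal_prefix: str = "10.") -> list:
    """Flag internal hosts outside the known-egress baseline that connect to external hosts."""
    alerts = []
    for f in flows:
        internal_src = f["src"].startswith(internal_prefix)
        external_dst = not f["dst"].startswith(internal_prefix)
        if internal_src and external_dst and f["src"] not in egress_baseline:
            severity = "high" if not in_work_hours(f["time"]) else "medium"
            alerts.append({"src": f["src"], "dst": f["dst"], "severity": severity})
    return alerts

# Constructed sample data, not real logs.
EVENTS = [
    {"user": "alice", "managed_device": True, "network": "office", "mfa": True, "time": datetime(2021, 9, 20, 10, 0)},
    {"user": "bob", "managed_device": False, "network": "hotspot", "mfa": True, "time": datetime(2021, 9, 21, 2, 0)},
    {"user": "carol", "managed_device": True, "network": "home", "mfa": False, "time": datetime(2021, 9, 21, 9, 30)},
]
EGRESS_BASELINE = {"10.0.7.8"}  # constructed: a mail relay that legitimately talks externally
FLOWS = [
    {"src": "10.0.5.20", "dst": "10.0.1.2", "time": datetime(2021, 9, 21, 3, 0)},       # HVAC server, internal only
    {"src": "10.0.5.20", "dst": "203.0.113.10", "time": datetime(2021, 9, 21, 3, 15)},  # HVAC server, external at 03:15
    {"src": "10.0.7.8", "dst": "198.51.100.4", "time": datetime(2021, 9, 21, 14, 0)},   # mail relay, expected egress
]
```

Running `decide` over the three events yields allow, deny and step-up respectively, and the egress check raises a single high-severity alert for the HVAC server.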
The new world of work has shattered the corporate network, forcing a move away from perimeter-based security architectures. Organisations need the ability to see the entirety of the attack surface, on-premises and in the cloud. In tandem, they need to determine where vulnerabilities exist and what the impact would be if they were exploited.

Improving cyber hygiene, having regular patching cycles, developing plans to address out-of-band patches and performing regular backups can all help to prepare your organisation for the next vulnerability that could impact your Active Directory environment. Administrators and defenders must be ready and stay vigilant, implementing policies to reduce their exposure and protect their core.

If cybersecurity strategies fail to keep pace with business changes, today’s risk could become tomorrow’s reality.

The author is David Cummins, VP of EMEA, Tenable.
