With the world forced into a massive work-from-home experiment, cybersecurity expert Gus Evangelakos (Director of North American Field Engineering at XM Cyber) discusses with Digital Journal the need for an effective way to remotely assess the security of the millions of new endpoints being introduced to the workforce.
Digital Journal: How fast is remote working growing?
Gus Evangelakos: We have seen a lot of our customers deploying thousands of new laptops being pushed into the workforce to enable users to work remotely as a result of the coronavirus.
DJ: What are the key cybersecurity risks associated with home working?
Evangelakos: There are a few, but primarily it's the expanded attack surface, the focus on speed vs. security, and no control over who uses the devices. When you are in a situation where you need to support hundreds if not thousands of users working remotely, the focus on speed and getting things running is the priority. Mistakes will be made, just like you might forget to lock your door if you are running out of your house.
Specifically, you might be using outdated images to set up new laptops, not having enough time to patch them, or adding users to local admin accounts so they can make changes as they need. This is to help get things moving, but it is what will put your assets at risk. As these devices go outside your network, they also lose the protections in your perimeter, such as firewalls, DNS filtering, and proxies, that would often prevent attackers from coming in and also prevent users from visiting risky websites.
These solutions can be set up for remote workforces, but many customers do not have this enforcement, and when those devices are handed to family members that want to watch videos, install plugins for school, or play games, the potential of an attacker landing on that endpoint is much higher. With good endpoint security you might be able to stop some of these attacks, but oftentimes many will be successful. Once that malware is on that system and the VPN connection is established back to your network, the attacker now has the communication he needs and the credentials he can harvest to move laterally in your network.
DJ: Are there many coronavirus related cyber-scams?
Evangelakos: There are many scams targeting people who simply want to get more information. Because of the heightened alerts, attackers use that to their advantage. There are numerous articles and sites about the daily barrage of COVID-19 scams, from phishing and website infections to malware and others. Users must simply be made aware and taught not to visit sites or open files they do not recognize, and, if they want to find information, to look at the CDC and other reputable websites.
DJ: Are some technologies more vulnerable than others?
Evangelakos: Yes, endpoint devices are more vulnerable because these are what everyone who needs to access data or a service is using to do so. Attackers target endpoint devices for this reason and because the attack footprint is large. They can be targeted with malware, phishing, and scripts, and they have vulnerable software that can give attackers different ways to infect them and use them for their needs. Putting a focus on protecting and hardening your endpoints while your users are at home is important.
DJ: How can security be strengthened?
Evangelakos: Utilizing cloud-based next-gen endpoint security will help manage and protect those endpoints wherever they are. Additionally, having behavior-based protection enabled will protect better than basic AV. Review the policies you have to ensure you are not only detecting, but also preventing, behavior-based attacks. Another thing to consider is having visibility into your attack surface and how devices and user accounts can be used in your environment to target assets. Being able to proactively determine the attack paths to your assets will help you identify misconfiguration and IT hygiene issues in real time and remediate them before they can be exploited.
DJ: To what extent can the security process be automated?
Evangelakos: There are many things that can be automated, including something as basic as changing policies for your Endpoint Detection and Response (EDR) from detection to prevention. This will stop the malicious behaviors instead of just detecting them and relying on an analyst to review and then make a decision. Automating risk identification is also important. Platforms exist that help scan your attack surface continuously to identify vulnerabilities, user behaviors, and IT hygiene problems that can be exploited.
Automating these capabilities will allow users to react to changes quickly in order to close gaps as they are identified. This is crucial when constant changes are made within the environment. It is not easy to identify which changes will put your network at risk unless you have real-time visibility into how those changes affect business continuity. XM Cyber focuses on this matter specifically and has found that our customers are better equipped to identify risk in rapid-change scenarios and to do it continuously.