Border control: cyber security when your staff are at home
Covid-19 is pushing companies to make changes in security that have been a long time coming.
Video conferencing became the key to keeping in touch as the lockdown got under way, but it was not long before weaknesses in the software and the way people use it were exposed. Zoombombing quickly became one of the more notorious exploits as uninvited guests crashed meetings.
You can look at zoombombing as being no more than an iteration of the old-fashioned griefing that has plagued online gaming, public chatrooms and pretty much every social technology ever invented. In this case, the zoombombers took advantage of the decision by many users to not use meeting passwords by default. If you could guess a valid meeting ID, you could join it. But it dented the reputation of a service that had suddenly been thrust into the spotlight.
Opinions still differ on whether Zoom is secure enough to use. A number of large organisations have banned its use for sensitive communications. Various healthcare trusts have told their staff to avoid it, generally because the privacy issues around Zoom’s integration with social-media platforms conflict with stringent legal safeguards.
A large number of companies are continuing with Zoom, although sometimes with modifications to procedures they see as offering the protection they want. For example, at the peak of the lockdown, Teledyne-e2v had 75 per cent of its workforce operating from home. Zoom has formed a substantial part of the mix of communications products the company uses.
Laurent Monge, vice president and general manager of Teledyne-e2v, says: “We have been conducting a thorough assessment of the Zoom app. The way we’ve been using it, with some add-ons, is providing safety according to our IT experts. We are using embedded passwords, so no one can connect without an invitation, for example. We believe we are using it in a safe manner.”
Though stories about Zoom security became as well-known as the company’s service itself, it might be the tip of the iceberg. There has been a sudden shift from an environment where most users are behind the firewall of the network to where pretty much every employee with a company computer is working at home on a Wi-Fi connection to a router supplied by their own internet service provider. They might not even have a company computer but instead run software on their own machines.
James Stickland, CEO of biometric-authentication specialist Veridium, says: “The Covid-19 crisis has forced a number of firms into taking dangerous shortcuts on security as well as falling foul of regulations such as GDPR, placing them at greater risk of fines and data breaches. This is an inevitable consequence of companies who have been pressured into adopting technology in order to stay afloat, without conducting the usual rigorous assessments.”
A major issue with the move to homeworking is that many of the assumptions made about security rely on the idea of maintaining good perimeter protection. Systems that watch for intrusion run inside the corporate core network; many of the protocols used across the network do not have the same level of encryption as those used to access systems over the internet. One easy way to extend the perimeter is to use a virtual private network (VPN), though many companies diverted some of their traffic to services that could dispense with it to avoid overloading the corporate backbone.
Kevin Cornish, senior vice president of design consulting services for surface transportation at civil engineering company Aecom, says in the early stages of the lockdown the VPN was used to serve up project-management files from internal servers. Some projects were already using a cloud version of Bentley’s ProjectWise, which does not rely on a VPN. “We accelerated that dramatically to move other projects up into the cloud.”
The core issue with the VPN is that, although it adds a layer of protection for messages passed over the channel, it perpetuates the perimeter-based model of security. Things outside the perimeter can be blocked, but once you are inside it is possible to access a wide range of services without any attempt to block the activity.
Working from home does not make people less trustworthy, even though there are plenty of managers who believe they need to ‘keep an eye’ on their workforce not just metaphorically but physically. The sudden rise in homeworking does, however, increase the chances of less-well-protected machines falling prey to spam that ranges from the inconvenient to the dangerous. If anyone thought cyber criminals might desist in the face of a healthcare crisis, they were wrong. The World Health Organization itself saw cyber attacks double as the pandemic spread, and a vaccine-testing facility said it had been targeted with ransomware.
At Cisco’s Security Operations Days in January, Jamey Heary, a distinguished security architect at the comms-equipment maker, described how so-called spear-phishing, messages designed to fool individuals or groups of staff in a target company, can so easily open up an entire corporate network.
In an environment where companies are looking for new suppliers and customers, often in completely different sectors if they are retooling for Covid-related products, they can far more easily fall prey to the phishing spam masquerading as requests for quotes, invoices and shipping updates. In addition, on home systems the standard anti-malware defences may not be in place. “That email got through; Bob clicked on it and now they’re inside, harvesting credentials the whole way and bringing the data out.”
Once an attack succeeds, the VPN stops offering protection and acts as a fast track to the core of the corporate network. Though the VPN has made homeworking feasible for organisations, it is in the front line of security technologies that seem likely to be displaced, perhaps even faster than the pre-lockdown trend suggested.
Gartner predicted last year that by 2023, more than half of enterprise users would have phased out their use of VPNs in favour of a different environment. The concept has a relatively new name: zero trust, coined by former Forrester analyst John Kindervag, who then moved to supplier Palo Alto Networks as field CTO. But the concepts date back 15 years to the Jericho Forum, set up by a group of security specialists working in major UK companies and led by David Lacey, then head of information security at Royal Mail.
The forum developed 11 commandments. In a speech at the RSA Conference on cyber security last year, Paul Simmonds, CEO of the Global Identity Foundation, who worked at AstraZeneca when the forum was set up, said it was a source of some irritation that they could not get the list down to ten.
The core idea behind the Jericho Forum’s recommendations, or commandments, was that the perimeter security was failing to protect corporate systems and data even then. Once an attacker had broken into the network, they could simply poke around until they were discovered or found something they could compromise or steal. The forum proposed moving all systems over to inherently secure protocols rather than having data moving around in plaintext form even within the confines of the office. Even stored on a server, sensitive data would need to be encrypted. Only if data had no value to an attacker would it be left unsecured. In effect, they would consider the corporate network to simply be an extension of the common internet.
Another tenet was the idea of basing access control not on a single set of login credentials but on a fine-grained approach that considered not just whether a user might have access but whether that user on that machine running that application or any other combination of attributes could have access. In the zero-trust environment, this idea has morphed into the concept of ubiquitous least-privilege access. Every request is handled using the lowest level of access possible: there is no ‘allow-all’ setting, no matter where it is, unless there is a very good reason for having it. Even a public website may operate a blocklist to help fend off denial-of-service attacks.
The trend is toward a system already common on social media. “We recommend you use multifactor authentication. We know because we have breach data: every single one of them has lost or stolen passwords. Every single one,” says Heary.
The difference between the multifactor authentication used on social media and that proposed for zero trust is that it does not just rely on combining a password with a biometric reading or one-time code entered on a separate, approved device. It may involve individual certificates for applications and data, the actual machine being used, locations and times.
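As an added illustration, not taken from the article or from any vendor it names, the Python below contrasts the perimeter rule (inside the VPN means allowed) with the per-request, attribute-based decision described in the two paragraphs above. The application name ProjectWise comes from the article; the policy rules, groups, countries, working hours and sample requests are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    action: str           # "read" or "write"
    country: str          # where the request originates
    at: datetime          # when it was made
    device_cert_ok: bool  # machine presented a valid per-device certificate
    device_managed: bool  # company-managed endpoint with anti-malware in place
    mfa: bool             # second factor verified for this session
    on_vpn: bool          # request arrived over the corporate VPN

def perimeter_decision(req):
    """Perimeter model: whatever reached the core network (e.g. via the VPN) is allowed."""
    return req.on_vpn

@dataclass(frozen=True)
class Rule:
    app: str
    actions: frozenset
    groups: frozenset
    countries: frozenset
    hours: tuple          # (start, end) hour window in which the rule applies
    managed_only: bool    # False means a personal machine is acceptable for this rule

# Constructed policy: the least privilege each combination needs, nothing more. No allow-all.
POLICY = (
    Rule("projectwise", frozenset({"read"}), frozenset({"engineering"}), frozenset({"GB", "FR"}), (6, 22), False),
    Rule("projectwise", frozenset({"read", "write"}), frozenset({"engineering"}), frozenset({"GB", "FR"}), (6, 22), True),
    Rule("payroll", frozenset({"read", "write"}), frozenset({"finance"}), frozenset({"GB"}), (8, 18), True),
)

def zero_trust_decision(req):
    """Default deny: a request is allowed only if every attribute fits one rule."""
    if not (req.device_cert_ok and req.mfa):
        return False, "device certificate and MFA are required for every request"
    for r in POLICY:
        if r.app != req.app or req.action not in r.actions or not (req.groups & r.groups):
            continue
        if req.country not in r.countries or not (r.hours[0] <= req.at.hour < r.hours[1]):
            continue
        if r.managed_only and not req.device_managed:
            continue
        return True, f"{req.user} may {req.action} {req.app} from this device, place and time"
    return False, "no rule grants this combination of user, device, app, location and time"

# Constructed samples: Bob at work, and someone using Bob's phished password from an unknown machine.
WORK = datetime(2020, 5, 4, 10, 30)
BOB = Request("bob", frozenset({"engineering"}), "projectwise", "write", "GB", WORK, True, True, True, True)
THIEF = Request("bob", frozenset({"engineering"}), "projectwise", "write", "RU", WORK, False, False, False, True)
```

Both requests pass the perimeter check because both arrived over the VPN; only the zero-trust check tells them apart, and it also trims Bob's own access to read-only when he is on an unmanaged home machine or outside working hours.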
Although interest in the concept of zero trust has, naturally, increased again, implementing it in real life is tough. The landscape has numerous vendors, many of them working on individual pieces of the overall problem. Heary says: “It took Google seven years to build BeyondCorp and that was dealing with just a small part of the system, which is cloud.”
Legacy systems represent a problem as many are not easily replaced. One option is to put dedicated firewalls in front of them with a far narrower, more readily defined set of rules than those that are needed in full corporate firewalls. Micro-VPNs can provide a level of protection for situations where it is impossible to convert the server protocols to secure versions.
In the meantime, organisations may find their security position gets worse before it gets better - and they have no quarantine period to rely on to fix the issues.