[BreachExchange] COVID-19 offers a unique opportunity to pilot zero trust, rapidly and at scale

[Destry Winant]

https://www.csoonline.com/article/3533353/covid-19-offers-a-unique-opportunity-to-pilot-zero-trust-rapidly-and-at-scale.html#tk.rss_news

The COVID-19 pandemic has caused a forced work-from-home situation
that many organizations and businesses were likely not prepared for.
>From dealing with undersized VPN infrastructure, insufficient
bandwidth and not enough managed devices for employees to take home,
IT departments are scrambling to limit the impact on productivity and
enable access to corporate resources and applications their colleagues
need to perform their job duties.

Unfortunately, mounting pressure from management to set up remote
working capabilities as quickly as possible could result in IT teams
cutting corners and ignoring existing security policies and practices.
This could have major implications for business continuity in the long
run.

Imagine the disruption an attacker could cause by gaining access to
the company's private network through an exposed service or a remote
employee's personal device, then moving laterally and infecting
internal servers with ransomware at a time when the IT and security
teams are also working remotely and can't take a hands-on approach to
remediate the problem.

This is the type of scenario where one person's access could literally
wreck an entire infrastructure in no time.—Chase Cunningham

It would be extremely difficult to recover from such a situation,
Chase Cunningham, principal analyst serving security and risk
professionals at Forrester, tells CSO. "This is the type of scenario
where one person's access could literally wreck an entire
infrastructure in no time."


Attacking remote workers

In the past there have been many cases of companies exposing Remote
Desktop Protocol (RDP) services directly to the internet and those
services being hacked and used as entry points for cybercriminals.
Unfortunately, during the COVID-19 crisis, incidents involving
insecure configurations of services and firewalls are likely to
increase as people take shortcuts to enable remote access.

Last week, researchers from Bitdefender warned that TrickBot, a
credential-stealing Trojan, added a new module to its arsenal that
uses infected computers to launch RDP brute-force attacks. Companies
from the telecom, education and financial services sectors in the
United States and Hong Kong were on the target list seen by the
researchers. TrickBot also has modules for stealing OpenSSH and
OpenVPN credentials, which are typically used for remote access, and
is a known delivery platform for the sophisticated Ryuk ransomware.

Experts agree that these kinds of attacks will continue and intensify
as attackers jump at the opportunity to target the large number of
workers who are now accessing corporate resources from outside their
protected corporate network perimeters and potentially from their own,
less secure, devices.

Criminals will always respond to circumstances and develop techniques
that work and continue to get better, Kevin Curran, an IEEE senior
member and professor of cybersecurity at Ulster University, tells CSO.
We now have many situations where people have moved out from
environments where they were protected by the simple fact that there
were firewalls in place and warnings and procedures and they had to
have certain versions of operating systems or their software updated.
They are now using their personal laptops which, for all we know,
could be running Windows XP, he says.

Enter zero trust

One potential method of avoiding some of these security issues and
limiting the risk is to adopt a zero trust security model, where
access to business applications, including legacy, is done through a
secure web-based gateway following least-privilege principles with
support for multi-factor authentication (MFA) and device security
checks. Such systems are more scalable than VPNs without added
infrastructure costs, can easily integrate with existing single
sign-on (SSO) platforms, and allow for granular access control
policies that define who may access what from which device.

This is the future of the workspace and now they have an opportunity
to test that stuff out for free in lots of instances and continue to
grow from there. If it was me, I would be jumping on this as fast as I
could.—Chase Cunningham

The good news is that some vendors in this space in response to the
COVID-19 crisis are now offering extended free trials for their
products. Content delivery company Akamai is offering complimentary
60-day usage of its Enterprise Application Access (EAA) solution as
part of its Business Continuity Assistance Program. Cloudflare is
offering small businesses six months free use of its Cloudflare for
Teams product, which includes Cloudflare Access for zero-trust access
to internal apps and Cloudflare Gateway for DNS filtering and network
monitoring. Cisco's Duo Security also offers new customers free
licenses to its zero-trust and MFA platform. CSO is maintaining a list
of free work-from-home technology offerings from security vendors
during the crisis.

"All those [business] leaders that have been trying to justify the
reasons for remote work now have a reason to do it," Cunningham says.
"But the reality of it is VPNs are not going to work at this scale, so
they should be taking advantage of these [zero-trust access] offerings
and, if nothing else, use them for pilot purposes to try and figure
out where they're going to be. This is not just going to be something
that is done for the next couple of months. This is the future of the
workspace and now they have an opportunity to test that stuff out for
free in lots of instances and continue to grow from there. If it was
me, I would be jumping on this as fast as I could."

Zero-trust models gaining popularity

Many companies were considering switching to the zero-trust network
security model even before this crisis hit. A newly published survey
of IT managers across 100 small- and medium-size enterprises and
Fortune 500 companies found that 31% are considering it, 19% are in
the adoption phase, and 8% have already implemented it in their
organizations.

Work Transformation Is Crucial for Digital Transformation

Work transformation fosters human-machine collaboration, enables new
skills and supports a dynamic environment. With AI-enabled solutions,
workers are able to focus on higher-value activities....

Fully deploying zero-trust security across the entire corporate
network is not an easy task. It requires a phased approach that
involves pilot programs, gathering metrics, tweaking access policies,
making sure various products integrate seamlessly, making changes to
internal data flows and training employees. However, companies could
start now on the remote access side and then build from there.

"If you asked me a year ago 'Could you roll out a zero-trust network
if a pandemic hit and the company had to switch within a few weeks?' I
would have said: 'No, that's impossible'," Curran says. "To be honest,
these cloud-based systems seem to be the most seamless way to get to a
semi zero trust network in a rapid time. I wouldn't say these are true
zero-trust networks, but they do a damn good job."

"I would encourage companies to go down this route actually because,
in some ways, this is really privileged access management, which is
the starting point for building a zero-trust network," Curran says.
"You can build out the other things later. There are some policy
changes needed and a bit of training, but it's a good system [...] and
it is stronger than any VPN."

Advice for moving to zero trust

When developing their access policies, companies should make a clear
distinction between managed devices they give to their employees and
the unmanaged personal devices that some employees might use to access
the company's applications. Ideally, if they're faced with a BYOD
scenario, companies should ask their employees to install a mobile
device management (MDM) solution on their personal devices.

Cloud-based zero-trust access gateways generally perform some security
checks for connecting devices through the browser, like verifying the
patching state of their OS and other software, but that might not be
enough, especially if this forced work-at-home situation lasts for
months. The longer a device remains unmonitored, the higher the
chances of a compromise.

"Obviously, in a perfect world they would eventually get to an end
state where they have agents on the machine so they can actually do
something, but right now this is about putting the fire out or
controlling the fire rather than having the optimal state," Cunningham
says. "We're not ready for optimal. We're ready for 'keep people
working and keep the economy moving'."

It's likely though that companies that had at least some remote
workers before this forced work-from-home situation already use some
MDM solution. In that case, they would only have to talk to their MDM
vendor and buy additional licenses.

Legacy apps should be run in virtualized environments or containers
and should be segmented from the rest of the network so that if
they're compromised, attackers can't pivot and move laterally to
compromise the rest of the infrastructure.

"Back to the whole viral deal, it's a guarantee that there's going to
be some infection, but we don't want to have massive
infrastructure-wide infection because of something simple like an old
app that got hit," Cunningham says.