As COVID-19 weakens, Chief Security Officer Phil Richards and Head of Endpoint Security Product Management Chris Goettl chat cybersecurity strategies in the brave new post-COVID working world.
Shaped by the "new normal" of remote work and fueled by robust, hybrid security for both on-premises and cloud-based user experiences, their discussion reviews:
As COVID-19 weakens, Chief Security Officer Phil Richards and Head of Endpoint Security Product Management Chris Goettl chat cybersecurity strategies in the brave new post-COVID working world.
Shaped by the "new normal" of remote work and fueled by robust, hybrid security for both on-premises and cloud-based user experiences, their discussion reviews:
Ivanti Insights
Adrian: Hello, everyone. Welcome to this episode of Ivanti Insights. Gentlemen, I believe this is episode four. I'm Adrian, along with Phil and Chris. Now, we've gone through some personal highlights in previous episodes to get to know what makes Phil and Chris tick. So if you want to know that, go back to one of our earlier episodes. Today, why don't we dive right in?
Guys, so President Biden, he announced on March 2nd, there's going to be enough COVID vaccine available for all adults by the end of May. Maybe there is a little light at the end of the tunnel at last, in terms of this COVID world that we've been living in for a while. But of course there's always a but. But let's put our IT security caps on and boy, really no light at the end of the tunnel there. Really, we have a lot of pandemic-driven reasons to be concerned that will continue for the foreseeable future and even well beyond.
Guys, what's really the issue here when we talk about not just the current pandemic world, but even potentially the post-pandemic world, looking ahead?
Phil: Boy, I think that's a great question. There's a lot to unpack, I guess. What we've been experiencing over the past year, while we've been working from home, is a general amount of increased activity among criminals that are specifically pointing toward home-based workers. And there's a bunch of reasons too for that, I suppose.
One of the major reasons is because when we're at home, for whatever reason, we believe that we don't have to obey the rules at work that we had to obey at work. Maybe we go to websites that we hadn’t ought to and wouldn't go to, if we were in the office. Maybe we use some other devices that aren't entirely 100% reliable to log onto and look at our email that we wouldn't do if we were working from home.
Because of some of these lax behaviors, the criminals latch onto that. And then when the criminals latch on, their ability increases over time. And that's really what we're seeing right now.
Chris: Yeah. I think this is one of those things where the tactics that threat actors are using right now, haven't changed between last year. There's some minor changes. There's some more sophisticated attacks that have happened, but the general attacks that we're seeing are not widely different. They're just being more successful at it because they're taking advantage of the situation we're in.
These topics were being struggled with pre-COVID. Companies were having trouble struggling with vulnerability management. They were having trouble with managing users being phished. None of that has changed.
What has changed is it became even harder because everything is now off the network. Everything has shifted more towards personal devices than normal. And as Phil said, we've put all of this now into people's comfort zones. We're a year into this, and people have now gotten to the point where they're used to working in their office. They're used to working on their personal device and in a different way than they did. 13 months ago.
Phil: The other things, Chris, just to jump in. One of the other things that we're seeing a lot of is, as you mentioned, everybody is working from home. And one of the things that does is it expands your office network. Everybody's office network now includes whatever other devices might be residing at home. If you're logged in from your home, those other devices now participate in an office network, potentially.
Chris: So thinking about that, and I know Phil, this is one of those scary topics. BYOD and securing those devices. Do we allow them to access corporate applications, assets, data from their personal device? I think that's one of the questions that we have to come back to. And I still think it's hanging out there as one of those things that are still sometimes taboo.
Phil: Yeah.
Adrian: Sorry, Phil. I was going to say, yeah, I think that's a great question, Chris.
I did want to allude to and introduce to our listeners out there. So, we have some stats. When you guys talk about the lax behavior on the part of remote workers now, we have some data to back that up.
So we have a report that Ivanti just released in late February. It is called the 2021 Secure Consumer Cyber Report. It was more than 2,000 people working from home who were surveyed in both the United States and the United Kingdom, to understand how their habits may have changed in this pandemic world. I want to throw some stats out to you guys and have you react to that and we'll get into that whole BYOD environment too, Chris.
So, the report revealed that the employees are engaging in high-risk behavior, as you pointed out, even when they're given company-issued computers to use at home, or if they're using their own. Here's an example, 25% of those surveyed admitted to using their work email or password to access consumer websites and apps like DoorDash, Amazon. Even dating apps, match.com, eHarmony.
So, 25% are out there using their work credentials to access these consumer sites. React to that guys. Phil, let's start with you.
Phil: I wish I could be surprised about that. I guess the surprise is that it's only 25%. And maybe the word ‘admitted to’ is, hopefully.
Adrian: I would agree. Yeah. I think you have to assume it is a higher percentage. Yeah.
Phil: There's a lot of reasons why you don't want to do that. Obviously, the big reason is because your company credentials become available for thieves to steal on all these other websites. It's not that your company is necessarily going to be impacted, but all the other websites. The Amazons and the DoorDashs and all those other places where you're putting those credentials, they could potentially have those credentials compromised. And that means that your work credential might be compromised as well.
One of the things that you can do to try to help mitigate that is there's a great website put together by a Microsoft researcher called HaveIBeenPwned.com, and we'll put a link to that on the blog. That's a great place to go to determine if those credentials that you have seated around all these different places, if they're available on the dark web for criminals to be able to access.
Adrian: I'm sorry, give that to me again. Have I Been … What was that last word that you used?
Phil: P-O-W-N-E-D. That's what the cool kids in cybersecurity call it nowadays, when your credentials have been stolen.
Adrian: I am not the cybersecurity pro that you two are. That is the first that I've heard of that term, so I'm learning something already. Chris, so Phil says he's surprised it's 25%. If you were to spitball, what would you say that percentage in all likelihood may be?
Chris: I think that I agree with Phil, first of all, that it doesn't surprise me that it is a problem. It surprises me that the percentage is as low as it is, but I would expect that it had been a little bit higher as well.
Honestly, the number of people where they use the same password all the time, this is not anything new. This is the same tactic that threat actors have been using for a while. They're just able to capitalize on more because this situation has made us lose a level of control.
Personal life, but in talking to my wife and my kids, they all know that if they're going to get another account, like my son came to me asking if he could get a Discord account. I'm like, “Okay. This means you got to sign up for something. So, what does that mean?” And he rolled his eyes at me. He's 12, by the way. “So I've got to use a different password than all my other ones. I've got to have it be this long.” My wife walks over and she's, “Seriously, you are so anal about this. Why?” I'm like, “Do you not know me at all?” This is just my immediate family, but this is not any different than our average users.
The biggest problem we've got in cybersecurity is we've got a serious weakness within any of our infrastructures, and that is the end-user. We can't eliminate the end-user, though. We can't take them out of the equation. We have to focus on what the weakness in that user is, and it is their credentials.
Humans don't have the capacity to remember 50 different passwords that are all 13-plus characters with complexity. We just don't have that capacity. So, their first thing they're going to do is simplify. “Okay, I would use the same email, the same password as I do in dozens of other places.”
I've read other incidents before, and Phil you've probably seen the same. “Oh, hey, Amazon was breached. My account got compromised.” Actually, no, Amazon responded back. They're good to go. What happened was this little rinky-dink e-commerce site that you also used the same email address and password for did get compromised. But the threat actor knows human behavior is the same everywhere, and they use that to attack your Amazon account and your other accounts.
Phil: That human behavior is so well-known and so well-understood by the criminals that there are entire categories of attacks that basically depend on that behavior. There's a whole category of tech called credential spring … Stuffing, sorry. Credential stuffing. In that whole category, lots of different kinds of attacks in there, but it's all based on the fact that humans tend to use the same password over and over again.
Adrian: Okay. So, speaking of passwords, I joined Ivanti just a couple months ago as a result of the MobileIron acquisition. When I first came into Ivanti, when I was asked to set up my Ivanti credentials, the password … Boy, what's the right word that I'm looking for? The password requirements, that's what I was looking for, at Ivanti were much more stringent than anywhere else I've been, even at MobileIron. My password has to be 15 characters minimum at Ivanti. So, that guarantees I'm never going to use that to go shopping on Amazon or use it on Netflix or eHarmony.com or anything like that.
Phil: That's a really good point, Adrian, and that's something that we should probably talk about. One of the things that we are trying to do is we recognize that passwords are hard to manage. They're difficult and we want to do it in such a way that people don't find them unwieldy.
One way to do that, and one of the things that [Mist 00:10:22] has recommended that we do is change our password complexity requirements so that we're not requiring capital letters and lowercase letters and numbers and funky characters and all that kind of stuff, but increase the length of the password.
So yeah, the password is 15 characters, but there's two things that are cool about it. Number one is you can use whole words. You can use whole sentences. You don't have to put numbers and capitals and all that kind of stuff in there. And number two is that credential, unless something happens where you need to change it, it's not going to roll over. It's not going to be required to change every 90 days or something like that.
So we're trying to do a couple of things. Since passwords are the weak point in our ability to maintain our systems actively, what we're trying to do is make it so that we have, number one, strong passwords and number two, passwords where the human factor isn't the weakness of the password, if that makes sense.
Chris: Yeah. I think that's the key Phil is, we've got to take the weakness out of the user, and that weakness is our inability to come up with complex passwords. I tried to explain that to my wife and my son is, “Hey, if all you do is pick three words that you could remember, they don't have to be related in any way. In fact, it's better if they're not. But three words that you can remember easily, that is something like that that's 15-plus characters is stronger than any completely random lowercase, uppercase with numbers and special characters, eight-character password you could ever come up with.”
That's the thing that we're going for is how many combinations of things does an attacker have to guess before they can replicate your password?
Phil: Right.
Chris: And the length is the key to that, right? But now let's take a step further. Phil, this is the thing that would make the IT guy and the security guy both happy, this Nirvana. What if you didn't have a password?
Phil: If we could make it so that we could secure an environment with something that provides good security without needing humans to remember a password, that absolutely is the Nirvana. It's the Nirvana for users and it's the Nirvana for security people.
Chris: Now, okay, that's from the security guy. I can guarantee you that Keith Lutz, he's going to come out and say right away, “If I could eliminate all of my users having to do password resets and handle tickets to reset passwords and get people access.” If I could reduce that volume, what would that do for his overall operation, right?
Phil: It would actually make that a lot better, a lot cleaner, a lot smoother. Because he spends probably 40 to 50% of his IT time resetting credentials.
Chris: Yep. Now, okay, let's talk to the third person in this equation, Adrian. Phil and I are biased. As our non-security biased member of this conversation, what if you never had to type in a password ever again?
Adrian: Nirvana hit the nail on the head, because even having to remember my Ivanti password along with how many others.
I'll admit, on my personal side, I will save stuff into Google or whatever browser I'm in when you have that opportunity to save it. And when I get to a site where for some reason it doesn't pull back up and I can't remember the password, it is absolute pain and aggravation at that point. So a zero sign-on world or a password-less world, absolute Nirvana from my end-user experience.
Chris: And that's what we're trying to strive for is we can't eliminate the user, but we can take the weakness out of the user. We can also make for a better experience as we do this. It's still two-factor. So one of the other things that came up out of the survey was around two-factor authentication.
Adrian: Yeah. Yeah, so let's have you react to this. Nearly half of all respondents in this, I'm going to make sure I get the title right again, in this Secure Consumer Cyber Report that Ivanti released in late February is that nearly half of respondents have not set up two-factor authentication for smart devices in their homes. Phil, what do you think about that? Or Chris? Go ahead.
Chris: Let me throw this one out right away. Phil, you and I have talked about this one a lot. What's the number one way that attackers are starting their attack in a ransomware attack? What's the number one way that they’re getting in?
Phil: They vacillate right now, but the number one way is either RDP or email. But remote desktop is usually the number one. And the number one reason why they're able to get into remote desktop is because users haven't set up two-factor authentication. They haven't in strong passwords in their environment.
Chris: And those credentials could be bought off of the dark web for nickels. I can buy a dozen of them for dirt cheap. And you could pretty much find they're always constantly farming these. So if I want to go and attack XYZ Company, I just go to the shopping center at the dark web and say, “Hey, find me a dozen credentials from company XYZ.” They purchase those and they start using those to try to get in through RDP.
So, two … I won't say simple projects, but two not rocket science-type projects here. Two-factor authentication, and eliminating that weakness in that user.
Phil: Yeah, those are really critical. You, Adrian, asked the question about why is it that people don't set up two-factor authentication, and oftentimes there's really two … I think there's two main reasons for it. Number one is ignorance. I think there's a lot of people that don't recognize or don't understand just how much additional security that really does provide to an environment. If they were aware of that, my feeling is a lot of people would go ahead and take the time.
But then number two, it really has to do with the time. And that is, we're just darn lazy. We as humans, if I don't have to set up another thing and I don't have to look at a bunch of digits and type them in or something like that, then I'm not going to. Between the lazy factor and the ignorance about how much it improves the security picture, I think that covers a lot of uses.
Adrian: Yeah. So we're down the home stretch here in terms of time, gentlemen. So one more stat I'm going to throw out you and then have you take us home. So nearly half of all US respondents in this study that Ivanti recently did say they were allowed to use a personal device, such as a laptop, smartphone, tablet, smartwatch, to access company applications and networks.
So, react to that and then lead into the fact that as we look at a post-pandemic world, there's still a lot more people than who are going to be worked from home. The remote workplace is here to stay. Isn't it?
Phil: Yeah, I think it really is. My first reaction, my first thought on this whole topic of bring your own device is that if you're going to, as a company, allow your employees to bring their own device to work, you need to require that they have a level of security on it.
You can enforce that at the VPN layer. So that way, they're simply not allowed to come in unless they have it. You can require it on mobile devices, like a mobile device management capability and some of those kinds of things. But you need to say, “If you're going to bring devices, you have a level of responsibility to make sure that those devices are clean and secure, because it's our corporate data that's really at risk.”
Chris: Yeah. From my side, I think this whole shift to remote work and the aftermath of all of this, where we're in this more, there are no boundaries. Everything's elastic. We're going to access what we need, when we need it, from the device that we have conveniently available to us. We have to get past some of these challenges. BYOD, are we going to embrace it or not? If we embrace it, we have to secure it. We're into this zero-trust world.
Now, we've been talking a lot about password security. There's really three key things. If you start to think about a larger zero-trust strategy, there is the access request itself. But to fulfill that access request, I've got to validate a few things. I've got to know and validate that user is somebody I can trust.
Most of these breaches, the attacker is masquerading as a user you expect. Because they've stolen that user's identity they're using, they're masquerading as that, how are you going to spot that? Even if you've got EDR in your environment, but if I see that EDR is there and I see that it's Adrian moving across these environments, do I question that? Maybe it's a system that Adrian shouldn't be on. That contextual awareness of what Adrian's asking for, why is he asking for it, even when and where he's asking for it from.
Now, we also have to have the hygiene of the device involved in that. We have to know that device is meeting good security requirements. Is that device one that we know and we own, or is it something that we don't control? If it's something we don't control, is it jailbroken? Is it running a security software of some kind? Mobile threat defense or antivirus, or any type of security controls like that that we can have in place and be able to understand is this device putting us at risk.
But if we can't do that, and if we can't govern the BYOD devices as well as the corporate owned devices, then we're still exposing ourselves to this level of risk that threat actors are just walking straight into the front door today with the breaches and ransomware attacks that are going on. It's very easy for them. We can see that by the number of attacks becoming successful, the number of ransoms being paid, the amount being paid. Those are all lagging indicators of the success that threat actors are having right now.
Adrian: Okay gentlemen, we've just about reached our limit on time. So, I appreciate you joining us again today. We'll do it again in two weeks. Folks, you can go to the ivanti.com website to find this 2021 Secure Consumer Cyber Report that we referenced today. So guys, hope you have a great weekend. And again, we'll reconvene in two weeks. Thanks for joining us, everyone. For Phil, for Chris, I'm Adrian, stay safe. Be secure and keep smiling.