Surge in Remote Working: Coping with Vulnerability Management 

In the span of a couple months, the world as we knew it was turned upside-down. As scientists across the globe conduct experiments in search of the COVID-19 vaccine, the labour market has found itself within its own experiment. That is, the experiment of remote working on a massive scale 

In an effort to slow down the spread of the virus, millions of employees around the world are being told to write their emails, compile their spreadsheets, and hold their meetings from the confines of their dining room table or makeshift office space at home. Whilst in 2018 hardly 13% of companies encouraged remote working, this has since increased substantially to 45% in mid-March 2020. In the UK alone, the British Chambers of Commerce revealed that at least 54% of businesses have resorted to remote working “to maintain business continuity”. Admittedly, this trend has been growing steadily over the years. However, business security teams simply could not have anticipated its recent sharp spike, prompted by the pandemic. Undoubtedly, this sudden change, plus the added uncertainty of the pandemic itself, has created the ideal playground for bad actors. 

As people frantically search for answers, less attention is being paid to sources or credibility of information in circulation. This facilitates the notorious tactic of phishing as they are less likely to think twice before clicking a malicious link. Indeed, Barracuda Networks reported a 667% upsurge in phishing emails since the end of February. Such emails have varied from scammers offering to sell non-existent cures or face masks, to donation requests for fictitious charities. In other instances, authorities such as the World Health Organisation or local hospitals have been impersonatedIn one example, it was suggested that an individual had contracted the virus and needed to download a compromised document, before proceeding to an emergency clinic.  

Thesstrategies have not been restricted to emails either, but has expanded to popular messaging apps. In fact, AT&T Alien Labs recently discovered that webhooks were being employed to send convincing phishing messages through Slack. Just one mis-click and a business system could be jeopardised. Preventing this alone can leave many of the best security teams overwhelmed. 

On top of that, said Marco Rottigni, Chief Technical Security Officer at Qualys, with employees connecting to corporate networks from home almost simultaneously, IT departments will also have to manage the proliferation of access points forthwith available to hackers. Where they may have previously overseen security in one office block with stationary desktops, they are now having to supervise the transition to dispersed laptops.” This is a completely different challenge that necessitates more than a couple of days, or even weeks, to realise. The risks are further exacerbated when employees begin to interchange the use of their private and corporate devices. It is not so inconceivable either that parents may go insofar as loan their corporate laptops to their children in the evenings. From there, the child would only need to download the wrong game for malware to take root. Perhaps, the risk simply comes from a user neglecting to update their security software. The opportunities for complication abound.  

Truth be told, while increased security risks could be attributed to a heightened probability of human error, downloading the wrong attachment is not often serious enough to cause a company-wide incident. The recipe for disaster is when malware meets vulnerability; and it is clear that software and applications used by organisations have presented significant issues of their own. It has been estimated that ZOOM has accumulated more than 2.22 million monthly active users thus far in 2020, compared to 0.64 million during the same period last year. Yet, they too have experienced difficulties adjusting to the unexpected escalation in users and have failed to implement the necessary security measures. Indeed, the video conferencing app has admitted that it does not actually utilise any end-to-end encryption 

More recently, Microsoft released its April 2020 Patch Tuesday updates revealing 113 vulnerabilities, 19 of which were categorised as critical and 94 as important. That is in addition to the 405 security vulnerabilities Oracle disclosed this week as well. This puts a considerable amount of pressure on security teams to prioritise and apply all the necessary patches within the 24 or 72 hour window before hackers successfully take advantage of these loopholes,” highlights Rottigni. When VPN bandwidth and concentrators are already being stretched, adding the deployment of patches may no longer be a feasible option.  

Rather, we might wish to find a means of deploying patches that bypasses the use of VPN altogether. Fortunately, Qualys’ latest service VMDR® – Vulnerability Management, Detection and Response – could be that solution we desperately need as we enter this new Work-From-Home era. Moreover, it has the ability of collating on a single platform all data gathered across the digital landscape. It can identify, prioritise and tackle threats efficiently, if not instantaneously, and automate processes at scale. As Georges Bellefontaine, manager of vulnerability management at Toyota Financial Services, assertVMDR raises the maturity of our Vulnerability Management program to its next level. It allows additional monitoring of the infrastructure to identify vulnerabilities and weak asset hardening effectively, accurately and in real time to better prioritise needed remediation.” Moreover, Ryan Smith, vice president of product at Armor further affirms that “VMDR from Qualys also delivers unprecedented response capabilities including options for protecting remote users, which has become a top priority for CISOs in the current environment.” 

To give back to the community, Qualys has also enabled a standalone version of the cloud-based solution, Qualys Remote Protection, which is available for free for 60 days. It gives security teams instant and continuous visibility of remote computers so they can easily see missing patches for critical vulnerabilities and deploy them from the cloud. The patches are delivered securely and directly from vendors’ websites and content delivery networks to ensure there is little to no impact on external VPN bandwidth.  

To showcase the solution’s innovative approach to vulnerability management, Qualys is hosting an online event, VMDR Live, featuring an in-depth demo and Q&A on April 21, at 11 am PT (6 pm, GMT). Register at https://www.qualys.com/2020/vmdr-live/.

We may have gone into ‘hiding’ but cybercriminals have come out to play, leveraging our fear and ill-equipped security posture to execute their next hit. So what is your organisation going to do about it? 

 

M. Rottignoni

Marco Rottignoni is Chief Technical Security Officer, EMEA, at Qualys