Back in March 2020, at the start of the first lockdown, companies scrambled to increase their remote access capacity as employees started working from home wherever possible. This increase in remote working, virtual collaboration and rapid deployment of new tools also increased the attack surface.
In particular, VPNs need special attention, such as two-factor authentication, because if compromised they give an attacker a tunnel into the heart of your environment. This is especially true where users authenticate with their normal domain logon: a single phished or reused domain password then opens both the VPN and everything behind it.
Just as important is the fact that many employees were not used to working remotely. It is harder to support home workers, and harder for them to ask the colleagues around them for help, so they are more likely to make mistakes or take shortcuts to get the job done.
Collaborating with parties outside your own organisation is another problem, particularly when they use different collaboration tools, or when hosting or joining webinars and virtual conferences. Can you trust the remote systems that want to execute code on your PCs, and how can you be confident sharing sensitive data when you do not know how the server you are connecting to is secured, or who else can connect to it?
Some virtual meeting tools can admit users who are not on the meeting invite, are outside your own domain, or dial in by phone, but this needs to be configured, and even then can you be sure you really know who they are?
Authentication of participants outside your own domain is one of the biggest issues for virtual events. Last November, a Dutch journalist managed to join a classified EU Defence video conference by guessing part of a PIN, showing the weakness of PIN-based access control, but also the value of video and webcams as an authentication measure.
If someone does get into a virtual meeting, they can record the discussion (using their own software) and take screenshots of anything that is shared. Webcams are often seen as a security risk, because they can be used by an attacker or can inadvertently reveal a sensitive document. However, they can also provide a means of visual authentication, so you can at least be sure who you are talking to.
No going back
As we move into 2021, it is clear that we will not go back to former working practices. Many companies have already announced that some or all of their staff will continue to work from home whatever happens, and offices are already being downsized. This could lead to a drive to reduce costs further through bring-your-own-device schemes with containerised endpoints on home workers' own PCs, and to a continued increase in two-factor authentication as defences are reinforced.
Attackers will, however, continue to exploit remote working, particularly where staff use their own devices and VPNs with poor access control. There may also be an increased risk of supply chain attacks involving webcams and USB headsets.
The market for collaboration tools will continue to grow and providers will add more features, but probably not much more security. One of the providers' major concerns is ease of use, so any security feature that impacts the user experience in any way is unlikely to get traction.
Unfortunately I do not anticipate much in the way of interoperability either, though some form of third-party gateway, or gateway service, between virtual conferencing tools may be a possibility. This could provide additional security controls at the boundary and better authentication, but may not be popular with the major providers.
I would also like to see an improvement in the current access control and guest management features, if only to make the existing ones easier to find.
Data loss prevention
What I think we will see is more sophisticated data loss prevention (DLP) products, some aimed at virtual conferencing. These would need to monitor what is shared inside virtual meeting applications, so they may be difficult to develop without the support of the providers.
There is also work being done to use artificial intelligence for knowledge management and automatic classification of knowledge, which could be used to inform DLP decisions. This in turn could result in more fine-grained classification and automatic labelling of files for DLP purposes, avoiding the false positive frustrations we get today, where a crude pattern match blocks a ticket number or invoice reference because it happens to look like sensitive data.
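As an added illustration (not code from the original article or from any product it mentions) of why validation matters for DLP false positives, the Python script below runs a naive "anything that looks like a card number" pattern beside a Luhn-validated one over a few constructed chat lines of the kind a meeting DLP hook might inspect. The Luhn check is a simple stand-in for the richer classification the article expects from AI tools; the sample lines, the label names and the function names are assumptions made for the example.

```python
"""Added example: naive versus validated DLP detection of payment card numbers.

Not from the article. Sample messages are constructed; the labels
"restricted", "review" and "internal" are assumed names for this example.
"""
import re
from typing import List, Tuple

# Candidate card-like number: 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of text shared in a meeting chat (not real data).
SAMPLE_SHARED_TEXT = [
    "Please bill card 4111 1111 1111 1111, expiry next year",  # passes Luhn
    "Ticket 1234567812345678 raised with IT support",          # 16 digits, fails Luhn
    "Meeting PIN is 482913, join link is in the invite",        # too short to look like a card
]


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn (mod 10) check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(text: str) -> List[str]:
    """Naive detector: every card-length digit run is reported."""
    return [m.group(0) for m in CARD_CANDIDATE.finditer(text)]


def find_card_numbers(text: str) -> List[str]:
    """Validated detector: only digit runs that pass the Luhn check are reported."""
    return [c for c in find_candidates(text) if luhn_valid(c)]


def classify(text: str) -> str:
    """Assign a DLP label: block only on a validated hit, review a near miss."""
    if find_card_numbers(text):
        return "restricted"
    if find_candidates(text):
        return "review"  # card-like but unverified: flag for a human, do not block
    return "internal"


def scan(messages: List[str]) -> List[Tuple[str, int, int, str]]:
    """Return (message, naive hits, validated hits, label) for each message."""
    return [
        (m, len(find_candidates(m)), len(find_card_numbers(m)), classify(m))
        for m in messages
    ]


if __name__ == "__main__":
    for message, naive, validated, label in scan(SAMPLE_SHARED_TEXT):
        print(f"{label:10} naive={naive} validated={validated}  {message}")
```

The naive pattern flags both the card number and the support ticket reference; the Luhn-validated detector flags only the card number and downgrades the ticket line to "review" rather than blocking it, which is the kind of false positive reduction the article hopes better classification will bring.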
With vaccinations starting, we should be experiencing normality, whatever that turns out to be, in the second half of 2021. This will probably consolidate much more home working than there was before the lockdown, even though many will return to the office, if only part-time.
We had become more dependent on remote working and collaboration tools even before the 2020 lockdown, which only accelerated that dependency. It will continue to grow, so we need to make sure it is all appropriately secured.