02/23/2021 | News release | Distributed by Public on 02/23/2021 13:21
Let's give credit where credit is due. Few organizations were prepared last March when the number of employees working from home (WFH) surged from 9% to 77% in a matter of weeks due to the COVID-19 lockdowns. The transition to remote work was so sudden and unexpected that employers were forced to support employee-owned devices, whether or not they had strategies in place to do so. Tactical deployments of WFH tools and technologies were rolled out globally. The fact that so many of these deployments were initially successful is a testament to the dedication and ingenuity of an already overstressed IT workforce.
Now for the bad news. The legacy tools and technologies used for some of these deployments may have been riddled with critical vulnerabilities that are actively being exploited by threat groups. The underlying WFH infrastructure is immature in many instances and doesn't adequately protect employee privacy. Personal data on employee-owned devices is routinely exposed on corporate networks. And many organizations still lack bring-your-own-device (BYOD) acceptable use and security policies.
Overall, legacy approaches for supporting remote workers are often overly complex, expensive to maintain, and difficult to manage. It's time for a new, no-compromise approach that more ably meets BYOD and WFH security, productivity, and privacy standards.
For decades, organizations relied on virtual private networks (VPNs) to provide secure encrypted communications between remote endpoints and enterprise data centers. It should come as no surprise, then, that global VPN deployments surged by an unprecedented 27% in 2020, a trend chiefly fueled by the urgent need to support remote workers. Unfortunately, VPNs are not as secure as once believed, often possessing design flaws and structural vulnerabilities that can be exploited relatively easily by crafty adversaries.
On April 24, 2019, for example, Pulse Secure issued an out-of-cycle advisory reporting multiple critical vulnerabilities in its VPN products. These included flaws that enable attackers to obtain private keys and passwords (CVE-2019-11510) and to inject malicious code (CVE-2019-11539). Once systems are compromised, attackers can drop malware, conduct reconnaissance, and move laterally across the victim's network. Pulse Secure also released a set of software patches that the company urged customers to install immediately. Yet, a year later, the Cybersecurity and Infrastructure Security Agency (CISA) found it necessary to issue a new alert warning that 'unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors'.
Several of these unpatched servers belonged to Travelex, a British foreign exchange company headquartered in London. On December 31, 2019, the Sodinokibi cyber-crime group exploited the Pulse Secure vulnerabilities to mount a devastating ransomware attack that cost Travelex an estimated $2.3 million in bitcoin payments.
Of course, VPN security issues are not confined to Pulse Secure products alone. Similar flaws have been reported for Palo Alto Networks' GlobalProtect™ (CVE-2019-1579), Fortinet® FortiOS® (CVE-2018-13379), and Citrix® (CVE-2019-19781).
VPNs also pose vexing employee privacy issues that make them a poor fit for many use case scenarios. For example, if the VPN client is running on an employee's personal device, then the employer has full access to both the employee's work files and their personal information. Likewise, if an attacker obtains an employee's credentials by compromising the employer's VPN, they can easily drop malware on the employee's system and steal their personal data.
VPN clients perform many complex calculations, so they need hosts with enough memory and computing power to run them efficiently in near real time. That can cause major performance bottlenecks for workers with under-powered mobile phones and tablets.
Microsoft®, VMware®, Citrix, and others offer virtual desktop infrastructure (VDI) solutions hosted on physical servers in the customer's data center or on virtual servers hosted in the cloud. VDI solutions have the potential to provide secure containerized applications and workspaces to almost every kind of remote device. However, they are also costly, complex, and difficult to manage. The IT team must handle purchasing and deploying the virtual desktops, staffing a help desk, and monitoring, securing, and upgrading the infrastructure on an ongoing basis. The administrative overhead can be especially burdensome for small and mid-sized businesses contending with tight IT budgets and understaffed IT teams.
Like VPNs, VDI solutions are not immune to digital tampering or compromise. On November 23, 2020, for example, VMware issued an advisory on a critical command injection vulnerability affecting a group of VMware Workspace ONE® products. Tracked by CISA as CVE-2020-4006, the vulnerability allows a malicious actor with stolen admin credentials to 'execute commands with unrestricted privileges on the underlying operating system'. A month later, the U.S. National Security Agency (NSA) issued a Cybersecurity Advisory warning that Russian state-sponsored threat actors were actively exploiting the vulnerability. The agency urged network administrators at federal agencies to make updating the affected servers a top priority. Similar critical vulnerabilities have also been reported for Citrix appliances and for applications that use Apache web servers.
In addition to security challenges, VDI solutions also pose daunting privacy issues, especially in mobile BYOD scenarios. Nearly 60% of the IT experts responding to a Bitglass survey said their organization requires physical access to a mobile device before it can be used for work. Another 51% require the device's PIN. Others demand root access, passwords to cloud and backup accounts, and more. While necessary to monitor and manage security, this level of oversight is intrusive for employees and a clear threat to their personal privacy.
Although VPN and VDI can secure a network connection, the costs associated with licensing, hardware, software, infrastructure, and help desk support add up quickly. These legacy technologies also fail to effectively safeguard employee privacy or protect devices against new forms of malware and other cyber threats. It's time to consider a new approach.
BlackBerry® Digital Workplace is a robust, self-contained platform that provides employees, contractors, and partners with secure 'anywhere' access to behind-the-firewall resources with continuous threat protection using artificial intelligence.
From an IT perspective, the BlackBerry approach is a four-win proposition.
Learn how BlackBerry® BYOD solutions can help your organization optimize the security, productivity, and privacy of your remote workforce.
Baldeep Dogra serves as Director, Product Marketing at BlackBerry.