Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/9/2020
02:25 PM
Kelly Sheridan
Kelly Sheridan
Quick Hits
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Zoom, Microsoft & NTT Data Leaders Share Work-from-Home Security Tips

Tech leaders encourage organizations to maintain security awareness training and offer advice on how to protect their information.

Many organizations are scaling their remote employee base from a small percentage to nearly 100% and relying on technology to bring workers, clients, and partners together. As they do, tech leaders urge them to put security measures in place to protect corporate information. 

Video calls have been a "game changer," as have technologies such as session sharing and terminal services access, said Microsoft technology strategist Steve Ross in a panel on securing remote work. He joined Zoom CTO and CISO Gary Sorrentino, NTT Data CTO Shamlan Siddiqi, and NTT Data security offer leader Sushila Nair to discuss how companies can overcome new challenges.

"The biggest threat is companies rapidly enabling remote work and lowering security standards," Ross said. "Another big one would be corporate data [that] people are accessing on their own devices, devices that are not managed and protected according to a corporate standard."

Organizations are scrambling to secure remote staff when many haven't had time to plan for it, panelists agreed. Telling people to simply take their workstations home "might work in some cases," Ross explained, "but that almost makes me think of a scenario where an organization is lowering their security standards in order to remain effective and be able to do work."

While it's tempting to do just that, Ross noted it's important to maintain practices like security awareness training. He described one organization that had been sending fake phishing emails to employees but stopped during the pandemic because they felt people were already under a lot of stress. The problem with this decision, he explained, is that attackers aren't hitting pause.

"The people who want to compromise your systems and infiltrate your environment, lock down your data with ransomware … they're not taking the day off because of this pandemic," he said. "Now is not the time to drop your security posture — now is the time to ramp it up," he added.

One way to do this is by continuing to train employees in security practices and train support staff to help them, Sorrentino added. Employees are willing to learn and are open to doing things online. "Since people are already using videoconferencing and webinars, there is no better time to train the population on things that we understand that they need to understand," he said. Support staff can be trained to help them with things such as VPNs and multifactor authentication.

"If we could teach them the value of that in the corporate world, the value of that in the personal world just makes more sense to them," he said of enforcing good security habits.

Sorrentino was also asked about videoconferencing, which is under scrutiny as teams take their meetings online. He pointed to several Zoom controls employees can use to protect gatherings from outsiders. For starters, use a unique ID for every single meeting: "That's something we need to enforce, and we're starting to do that with the schools," he said.

He advised using a password for every meeting and making use of tools like Meeting Room, which lets a host "close the door" when all the intended participants have arrived. Locking the door ensures unwanted attendees don't drop in. Hosts can also limit controls, so the only person allowed to share content is the meeting host. The idea is to take basic commands and apply them to virtual meetings so people can meet the same way they do in person.

To plan for the future, Sorrentino advised taking a risk-based approach to security tools. "For a lot of these solutions, there's a limitation between security and functionality," he explained. Most companies will implement a one-size-fits-all solution, which may not work in today's landscape. Some employees will be working from home for longer than we think, he explained; some might do it permanently. As part of this approach, businesses should choose variable solutions based on what employees need and adjust based on scalability and functionality.

Check out the full webinar here.

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...