How to secure the workplace in the era of hybrid work


The fortified-castle model has collapsed. The rise of the cloud and the generalization of teleworking have put an end to the cybersecurity approach that prevailed until then, in which it was enough to erect walls around information assets. So-called perimeter solutions such as antivirus, firewalls and VPNs no longer protect workstations once they access the information system from outside the company walls.

“The scope of the IS, which until now stopped at the office, extends to our homes,” observes Arnaud De Backer, Channel Manager at Keeper Security. The porosity between the personal and professional spheres is all the greater as he notes an increased return to BYOD (Bring Your Own Device), the practice of employees using their own digital tools. “Far from the office, employee behavior evolves,” adds Etienne Lafore, Cyber Security senior manager at WaveStone. “There is no longer any visual control, nobody looking over your shoulder. This can create a feeling of impunity and allow risky behavior.”

New ways of working, new threats

Remote access to IT not only increases the surface of exposure to risk but also creates new vulnerabilities. While the threats that traditionally weigh on the workstation remain primarily linked to email and web browsing, with phishing and malicious sites, new attack scenarios are emerging.

The generalization of multi-factor authentication (MFA) has thus given rise to MFA phishing. “In the case of two-factor authentication using a smartphone, the code sent by SMS is intercepted by the attacker,” explains Etienne Lafore. “In more advanced attacks, the authentication code is requested on the phone by an attacker.”

Another possible attack vector: the delegation of rights that cloud collaborative suites – Microsoft 365, Google Workspace – grant to third-party applications to access email or the calendar. A cybercriminal can take advantage of this to compromise a workstation and then move “laterally” within the information system.

EDR, ZTA, MDM and ZTE

To combat these new risks, Etienne Lafore is witnessing a shift in cybersecurity solutions from on-premise mode to the cloud. EDR (Endpoint Detection and Response) replaces traditional antivirus. “Similarly, the proxy is no longer local but in SaaS mode, to ensure filtering whether the workstation is located on the company’s premises or outside.”

Companies are also considering the possibility of removing the VPN to switch to a Zero Trust Access (ZTA) or SASE (Secure Access Service Edge) approach. “This involves constantly ensuring that access to the IS is only given to a workstation and a user identified according to the connection context, location, and the state of the security patches,” explains Etienne Lafore.

Likewise, security rules are no longer applied via Active Directory but by an MDM (Mobile Device Management) that ensures compliance with the cyber policy across the entire IT fleet. When deploying terminals, Zero Touch Enrollment (ZTE) spares employees a physical trip to the IT department to collect their workstation: a standard PC identifies itself and the corporate “master” image is pushed down to it automatically.
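The ZTA and MDM logic described in the two paragraphs above, as an added illustration that is not from the article or from any vendor named in it: an access broker that decides per request from the connection context (device enrolment and compliance reported by the MDM, patch age, MFA state, location) and, true to zero trust, gives no credit to the workstation being on the office network. The policy thresholds, country list and sample contexts are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy parameters (not from the article).
ALLOWED_COUNTRIES = {"FR", "DE", "ES"}
MAX_PATCH_AGE = timedelta(days=30)

@dataclass
class AccessContext:
    """Signals a ZTA / SASE broker evaluates on every request."""
    user: str
    mfa_verified: bool          # fresh MFA for this session
    device_id: str
    mdm_enrolled: bool          # device is known to the MDM
    mdm_compliant: bool         # MDM reports policy compliance (encryption, EDR running...)
    last_patch: date            # date of the last security update
    country: str                # geolocation of the connection
    on_corporate_network: bool  # deliberately NOT a trust signal below

@dataclass
class Decision:
    verdict: str                # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)

def decide(ctx: AccessContext, today: date) -> Decision:
    # Zero trust: being inside the office LAN grants nothing, so
    # ctx.on_corporate_network is never consulted.
    if not ctx.mdm_enrolled:
        return Decision("deny", ["unknown device: not enrolled in MDM"])
    reasons = []
    if not ctx.mdm_compliant:
        reasons.append("device fails MDM compliance policy")
    if today - ctx.last_patch > MAX_PATCH_AGE:
        reasons.append(f"security patches older than {MAX_PATCH_AGE.days} days")
    if reasons:
        return Decision("deny", reasons)
    if not ctx.mfa_verified:
        return Decision("step_up", ["fresh MFA required"])
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision("step_up", [f"unusual location {ctx.country}: re-authenticate"])
    return Decision("allow")

# Constructed sample contexts: same user, different situations.
TODAY = date(2024, 1, 31)
OFFICE_UNMANAGED = AccessContext("alice", True, "pc-17", False, False, date(2024, 1, 20), "FR", True)
HOME_LAPTOP = AccessContext("alice", True, "lt-042", True, True, date(2024, 1, 20), "FR", False)
HOTEL_ABROAD = AccessContext("alice", True, "lt-042", True, True, date(2024, 1, 20), "BR", False)
STALE_PATCHES = AccessContext("bob", True, "lt-099", True, True, date(2023, 11, 1), "FR", True)

if __name__ == "__main__":
    for name, ctx in [("office, unmanaged", OFFICE_UNMANAGED), ("home laptop", HOME_LAPTOP),
                      ("hotel abroad", HOTEL_ABROAD), ("stale patches", STALE_PATCHES)]:
        d = decide(ctx, TODAY)
        print(f"{name:18} {d.verdict:8} {'; '.join(d.reasons)}")
```

Note that the unmanaged PC sitting on the office LAN is denied while the enrolled laptop at home is allowed, which is exactly the inversion of the perimeter model the article describes.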

The best password? None

Preaching for his parish, Arnaud De Backer highlights the importance of using a password manager that will automatically generate unique and strong passwords and enforce the company’s security policy.

He recalls that more than 80% of data breaches are due to the compromise of passwords or identifiers. If they have leaked on the dark web, a monitoring tool like BreachWatch from Keeper Security immediately alerts the security manager.

And why not do without passwords altogether? The “passwordless” trend has been gaining ground in recent years. Microsoft and Google promote passkeys, which rely on a PIN code, a fingerprint sensor or even facial recognition. Windows Hello also uses biometrics.

Humans, the weak link

Finally, since humans remain the weak link in any cyber policy, awareness-raising actions among users are necessary. “Teleworking is not limited to the home,” recalls Etienne Lafore. “An employee can work from a train, an airport, a hotel. There are hygiene rules to follow to reduce the risk of data leaks.”

By placing employees in a realistic situation, fake phishing campaigns help raise awareness. Some companies make cybersecurity training mandatory for employees who click on a malicious attachment or link.
