Michael Zinn of Micro Systems Management (msmctech.com) talks to The Anchor about cybersecurity and protecting sensitive data in a remote work environment. Michael is a systems engineer & certified forensic examiner who has done extensive high-level network security work for both commercial and national defense.
This is Ryan Boder with The Anchor. Today I’d like to welcome Michael Zinn with Microsystems Management Technology Consultants. He is a systems engineer and certified forensic examiner in Northern Ohio. He’s going to talk to us today about the work from home paradigm shift and how companies are starting to distribute their workforce, not only around the globe but outside of the business environment and into people’s personal homes where things might not be nearly as secured or locked down.
Welcome Michael, how are you doing today? Thank you, Ryan. I’m doing great. Thanks. How are you? Very good. Very good.
How do you get the data from the business into somebody’s house or into somebody’s work from home office securely and how do you make sure that it’s going to be kept safe in that environment?
When you have data that’s being accessed remotely, whether it’s G Suite, Office 365, Egnyte, Dropbox, Box, whatever it is, a lot of those collaboration and document storage services have tools that are built in to give you additional security measures, to be able to restrict who can access them, how they can be accessed, and how they can be consumed. But in many cases, only the paid versions give you those features, or only the paid versions give you specific advanced features. I was speaking with someone earlier this week who was using a cloud storage service. They’re a nonprofit and they’ve been using the free version. They wanted to be able to more granularly restrict who within the organization could have access to certain folders and certain files, be able to do that remotely, and be able to have an audit log of who is accessing those files and when. Basically they were told by the service provider, those are all features in our paid product, which you are not a subscriber to. If you’d like those features, it’s going to cost you this much per seat per month. And they hadn’t budgeted for that. They hadn’t planned for that. They just expected that the free version of that software was going to carry them through for their business model. Now they’re realizing that might not work.
Can you tell me what size companies you’re normally working with? Is this a problem that only exists for very large companies? Is this a problem that exists for smaller and medium sized businesses? Who needs the most help here, who needs to pay attention to this, or is it really just everybody across the board?
It really is everybody across the board. And here’s the reason that I would answer it that way. Criminals are not targeting a specific demographic in many cases. A lot of times criminals are casting a very wide net and they’re just looking for victims. Sometimes there are criminal groups out there that will make targeted attacks against a specific organization or a specific demographic for a particular purpose. But in many cases, if the motivation for the crime is illicit financial gain, then casting a wide net is oftentimes the strategy that’s employed. When that happens, if you’re a larger company, there probably are, as we would assume at least, more robust controls and organizational policies and oversight. Small businesses, a lot of times, tend to view that as unnecessary bureaucracy and red tape. I certainly can understand their frustration with that, but at the same time, there are benefits to having those policies and procedures in place and enforced.
You might say, well, I just need this program and it’s perfectly safe. I trust it and I’ve used it before in the past, I’m just going to install it on this work computer that I took home. And it’s no big deal. However, in your office, maybe you have additional security systems in place that are doing things like scanning that file as it comes in from the internet and goes across your network, before it reaches your computer. Maybe the IT department doesn’t allow you to install things on computers in the office, and they have a known good image and they say this is what we’re going to deploy to these machines. If you want something else installed, you have to request it. That gives them the ability to review it, to make sure that software is safe, to do scans, to make sure there’s nothing malicious that’s been added into it.
Frankly, that brings up the SolarWinds hack recently, where it was a legitimate piece of software, with companies all over the world using it. It was trusted, but there were malicious elements that got inserted into an update. As people were doing the updates, the malicious code entered their network. Because it was from a trusted vendor for a legitimate product that their department had approved, it slipped past a lot of those defenses in many cases. Even with that “bureaucracy”, you still have risk, but the name of the game is not to get risk down to zero. It’s how do we appropriately manage risk for our organization?
Okay. Yeah, that’s a good point because it’s probably impossible or incredibly expensive to get risk down to zero. So how much is worth doing for what your business is working with and what you’re willing to invest, or what you’re capable of investing, what kind of business are you actually running? I’m curious then, can you tell me anything about… I would assume, and I’m making an assumption here, but I would assume that in the past when attackers are casting a wide net, if they’re going after residential, if they’re going after people in their homes, they’re probably expecting that they’re going to find ways to get access to people’s personal information and potentially extort those people personally. I wonder, do you feel like there’s going to be a shift where they’re actually casting a wide net and trying to break into people’s homes for the specific reason that there might be somebody working from home and they might be able to get corporate confidential information if they’re able to find a vulnerability?
I think that’s a logical progression. It wouldn’t surprise me at all if that became the case, or even is the case in some circumstances already. They’re going to go for where they can get in. From an attacker’s point of view, say you have an organization that’s well-funded, well-resourced, takes cyber security seriously, and has a lot of security in place in the organization. If the weakest place is a person, maybe the attacker calls a person in the IT department on the phone to try to get them to give up a password. Attackers will always go to the side and try to go around the security mechanisms rather than trying to go through the most well defended part of the wall. If people are working at home and company documents are stored on computers that are at home, and those home computers don’t have full disk encryption, and there’s little to no auditing on them, and maybe they don’t even have a password set on them and the user can install whatever software they want… Yeah, I think a logical and unavoidable consequence is that, yes, there are going to be companies that are ultimately going to have data breaches and have loss as a result of people at home being compromised.
What about removable storage devices? What about USB drives, thumb drives? What about people emailing files to themselves? What are the challenges that exist with getting data from one computer to another or from the company to somebody’s home via mechanisms like that?
That’s a great question. We’ll start with the removable media, talking about flash drives, and if you don’t mind, we can look at the email and then maybe some of the cloud storage too. Sure.
There are capabilities within Windows Server to allow you to restrict and say removable media can be read or written to only if BitLocker is enabled and the device is encrypted with BitLocker. That is an option. You can restrict it so that only devices for your organization can be used. An extra mobile device, even though it’s BitLocker encrypted, can’t be brought in.
Again, we’re talking about a Windows specific solution for Windows clients. If you give that to someone with a Mac, how are they going to open it? If someone is a Mac user and they’re going to save something to a flash drive, how are they encrypting it? Are they using an Apple solution to encrypt that drive, and then can a Windows client open that if you’re using Windows inside of the office? This all comes back to standardization and control, and how much administration and oversight the IT department has over the workforce and how they use technology resources.
I’ve found a number of times people say, okay, why don’t I have this adapter to make this other monitor work with my computer? What do people do? They go to Amazon. And then they look up, hey, I need HDMI to VGA or whatever it is, and find the adapter.
There’s a particular adapter I had ordered and it was USB to VGA. The really weird thing was when I plugged it in, it actually popped up a window and said, would you like to run this exe to install the drivers for that device? Well, wait a minute, where did this exe come from? And because it was a USB to VGA adapter, they actually partitioned it so part of it was a storage device and part of it was an adapter. I took a look at the exe and I threw it in VirusTotal, and it came back and said, no, that’s a malicious executable. I said, really? Where’d it come from? And they gave me the name of a company that’s different from the name of the company whose name is on the converter. And I’m like, that’s interesting! I did some digging and it turns out that there are multiple different brands on Amazon that make this same adapter. All had the exact same executable made by this third party. That third party is a Chinese company. You’ve got this Chinese company who’s making this driver update that VirusTotal says, yeah, it’s malicious. It’s being distributed across multiple different brands of video adapters that are all sold on Amazon. Of course, they all have the lowest price for that adapter. Yeah. You can’t even just go and order your own equipment and expect that you can trust that you can plug it into your computer, because USB devices can potentially install software on your computer. I just took it and threw it in the trash. I bought a $60 different adapter from an American company and you don’t have to install anything. The drivers are built into Windows and it just works. That is super interesting. I’m glad you told me that. The price difference was $10 versus $60. Yeah, well, there’s a different reason why they’re trying to get you to buy it.
You had mentioned next you would talk to us about encrypted email. What are the challenges that we face there? How do you recommend going about, or going forward with, encrypted email in a safe way or in a smart way?
For encrypted email there are really two types of encryption you’re dealing with. One is for the transport of the email itself. That’s commonly referred to as transport layer security (TLS). The servers are the ones that negotiate: I would like to use a secure connection… Yes, I support a secure connection. Here’s what I support. Okay, well I support this one. All right, we’re going to go ahead and establish a secure connection. That way, as the email is transferred from one point to the other, the data is protected while it’s in transit.
I feel like that’s pretty much a given too. You would be hard pressed to find a reasonable email service that’s not doing that today. Right?
Well, I wish that were the case. There are some email services that will actually indicate whether the email was sent using TLS or not. It is still surprising to see how many emails come in with a broken red padlock icon next to it, indicating that no, this email did not use TLS to be sent. Then you look at what the organization was that was sending it. Sometimes that’s even very shocking of who it is that’s using these services. You’re like, no, that shouldn’t be allowed.
Maybe that’s an opportunity to reach out and find a customer.
Yeah, exactly. Oftentimes it doesn’t have to do with the resources of the individual or the organization, but more so with the attitude of the organization. Is it an attitude of, I can do it myself, I know I can set it up and that’s good enough? Or is there maybe a little bit of an acknowledgement that this isn’t something that I’m an expert in and there are things that I may not be aware of, and I should work with an expert who maybe knows about these other things? Getting back to your question about email encryption… The other part of it is, if I were to send you an email and then someone were to break into your email account from a remote computer somewhere else in the world and download that email, they would be able to read it. If it was protected with TLS, then it was protected from when I sent it to when it was received.
For certain compliance purposes, some compliance standards may say that counts. Again, that’s encryption for data in transit, and this is the data at rest portion. Even if you have full disk encryption enabled on your laptop, where you receive the email, that’s great when your laptop is turned off; that email is secure. But when your laptop is turned on, it’s not encrypted. Because it’s on, it has to decrypt the drive and load everything for you. If a criminal is able to get into your laptop and steal those emails while it’s running, they have those emails, so they can read them and they can print them and they can forward them and do whatever else with them. How do we protect against something like that? And that is historically where you hear about S/MIME, you hear about things like PGP, and you have some of these web-based encrypted, secure email services that claim to do similar things and maybe, to varying degrees, do them well or not.
Maybe you have the ability to audit, or at least verify, that they’re doing what they say they’re doing to some extent or not. You’re trusting a third party at that point. That’s always made it difficult for normal traditional users to be able to send secure encrypted emails that are not just encrypted in transit, but where the message content and attachments are actually encrypted even when they are delivered to the recipient. So that even if a bad actor breaks into that remote computer and steals the emails from it, that email is still encrypted, and you would need some kind of key material or password or passphrase to be able to decrypt that email and read it. That requires users to understand how things like public key infrastructure (PKI) work and to manage private keys and public keys and digital signatures. Many times that’s a lot more than the average user is going to be comfortable with.
You’ve done a lot of work in the past that’s highly secure, highly sensitive. You’ve been in this space for a long time. Of the things that you are allowed to and comfortable talking about… What’s the most interesting cybersecurity related incident or situation that you’ve come across? That really kind of blew your mind and you said, wow, that’s unique! Or that’s something that people would like to hear about? What’s something really off the wall that’s happened, or that you’ve been involved with, around securing email, securing data, remote storage, removable storage, or any of these topics we’ve been talking about?
Years ago we had a commercial customer that had recently changed IT providers. There was a lot of documentation we simply didn’t have. They had a very small IT department with very limited resources. That said, they were a fairly large organization doing a large volume of work. We got a call late in the afternoon one day that the files on the main file server were changing their file extensions. Just all of them, sporadically, and as the file extensions were changing they couldn’t open anything. And I’m like, yeah, that’s unpleasant. That’s definitely ransomware. We started looking and, thankfully, one of the changes that they had allowed to be made shortly after they switched IT providers was replacing the firewall that they had. They had a firewall previously that really didn’t give them much visibility into the network. That had been replaced with a much newer, next generation firewall that let them do a number of things: see the applications that were creating the traffic within the network, where it was coming from, where it was going to, the employee that session was associated with, how much bandwidth each session was using, whether any of the traffic had tripped the intrusion prevention system. It actually had an intrusion prevention system, unlike the firewall before it! So there were a lot of nice features in there.
What we noticed was there was a service account for a printer that apparently was logged into a number of desktops inside the office. You sit there and scratch your head and go, why in the world is a printer logged into all these desktops? With Remote Desktop, no less! I’m like, well, I don’t know any printer that knows how to start an RDP connection, so that was a little disturbing. That’s automating your workforce right there, printers doing the job of your employees! Yeah. Precisely. So, we started looking at that, and because the right firewall was in place and because it was built out the way that it was, we were able to kind of pen the attackers in, where they weren’t able to move externally as much as they could have, and started cutting off what they were reaching back out to the internet to do.
Because obviously once they were in the network, they were still going out to the internet and doing other things online to have effects inside the network. So, we were able to kind of cut some of those things off and kind of build a wall around it, once we were confident that we had things isolated so it couldn’t spread more than it already had. Then we started doing some more physical, on-premise work, where we started actually moving equipment and moving resources, then moving cables around, and then really digging in and starting the remediation process and getting everything restored. We actually built out known good images and started re-imaging every device in the office and restoring files from known good backups. And that was a lengthy process! Because their backup posture was good, and because their edge security was greatly improved from what it had been, they were able to have everything back up and running in a relatively short amount of time, and really the biggest lesson for them that came away from that was that patch management wasn’t a joke. Installing Windows updates can be annoying. It can slow you down and be time-consuming, it can interrupt your work, but it’s really important to do. It’s really important to keep it up to date.
I know there are some people that would also use things like the example of the SolarWinds hack and say, but see, because they did an update, they got hacked. That is so very much the exception to the rule. This isn’t about eliminating risk so it doesn’t exist at all. It’s about managing the risk to your organization for the threats that are most applicable to your organization. Not every risk applies equally to every company in the world. A company that only does business in the United States, or within whatever their country is, probably has fewer of certain categories of risks than other companies in the space that may work internationally with a lot of international travel, and maybe employees are using computers at hotels instead of company owned assets. There’s a lot of additional risks… It’s anywhere, right? They might be using coffee shops, they might be using hotels. If the printer is how the attacker gets in… You were talking about an example where the printer was in the office. I imagine that, with the cheap printers that people have at home and probably have never been patched, that’s probably a big risk right there! That’s the way into your house, through your home printer! Well, we’ve had a few clients that actually engaged us to reach out to their employees who are working from home and work with them to review the configuration of their modems and their firewalls in their homes, and make sure that they have current firmware, that they have things like Universal Plug and Play (UPnP) disabled, and really trying to lock those systems down and keep them secure.
Because those clients who are cognizant of the risks and are appreciative of them want to make sure that their workforce is as secure as it can be when they’re working remotely, and do it causing the least amount of pain to their staff who are working remotely at the same time. They want them to get their work done. They don’t want it to become more difficult, or extraordinarily more difficult, than it normally is. But at the same time they don’t want to give up the level of relative security they’re accustomed to in their work environments. Yeah. That’s one of the things, with our product, we always say that it has to be a seamless user experience. It has to be transparent encryption, because otherwise people just work around security tools. That’s one of the biggest challenges. You build the most secure user interface, the most secure product in the world, and if it’s not user-friendly, if it’s not easy, then people will work around it and it just doesn’t get used in the first place. So, yeah, that’s a big challenge.
You’re familiar with the Anchor platform. Are there situations in your experience where it would be a good solution for a customer problem that didn’t exist before?
Yeah, absolutely. For customers who traditionally had physical office space and everyone physically came into work every day, and they didn’t have remote workers and they really didn’t take laptops out of the office, and everything was done with something like BitLocker or Apple’s APMS to do the disk encryption, that’s great, but there’s still some risk there that could be mitigated by actually protecting the data instead of just the disk. Certainly if their workforce is going to be moved outside of the office, to a remote location like a home environment. Now there are a lot of companies out there that will use marketing terms and say things like zero trust, which a lot of companies use to mean we’re going to do two-step or multi-factor authentication for every authentication request. That’s great to safeguard access to a system, but that’s still not safeguarding the data itself.
A product like Anchor is really unique in that way because it’s not looking at the disk encryption. It’s not concerned about multifactor authentication in the traditional sense of multifactor authentication. Now Anchor uses this concept of boundaries, and rule sets that are applied to those boundaries, which is a completely different way to think of it. So, traditionally, and it’s funny to say “traditional” with multi-factor because for many organizations that’s still a very new concept and a very new service that they use. Even with multi-factor authentication you might go to log in to your email, you need a username and password, and then you either get emailed a code or sent a code as a text message, or it’s in an authentication app on your smartphone, or maybe it’s even a key fob, or in larger organizations, maybe a smart card. Maybe you have a soft certificate that’s installed on the machine. Fingerprint readers, those are all fairly common methods of multifactor authentication. Again, you’re safeguarding the entry into the system, but then once you’re in the system, if you download a document and save it to your computer, the MFA is protecting the access to the system, not the data. You took the data out of the system to which access was protected. So how is that data now protected? And in many cases it loses a lot of protection or, in some cases, all of the protection that it previously had. That’s where something like Anchor really shines and provides a capability that other solutions don’t provide. Because with Anchor, the protection is going to follow that file no matter where you’re taking it or how you’re consuming it.
This idea of boundaries, it’s not a one-time multi-factor authentication. Okay, at this point in time, I wanted access to a system where data was stored. I had to prove to the system that I am who I say I am, or that I have all the correct tokens to get in. Once you pass that series of verifications, then you’re in. With Anchor, you can set these boundaries such as, you need to be on this wireless network, within so many feet of this Bluetooth enabled device, coming from this public IP address. There are so many different boundaries that you can create and design. If you work with the Anchor team they can customize a lot of those settings and turn different features on to give you access to additional boundary rules that you can create and design. At that point, if you have a personnel change and someone transitions to another role and the new role doesn’t have access to those same files, or maybe someone’s being terminated and to secure data and make sure you don’t have intellectual property loss, you want to terminate that access immediately.
There are only so many ways to do that with other products out there right now. So, if you have an employee who’s being terminated and as an employer you say, I want all of their access to cloud storage and cloud email turned off. Okay. Depending on who that cloud service provider is, it may happen immediately. It may happen within a period of 24 hours. Those are things that you have to kind of deal with. What are those capabilities? Where are the limitations? And what’s our plan for how to deal with that? How are we going to put that into our work process? Whereas with Anchor, if you say this account has been terminated, the keys for that user get revoked. At that point, if someone’s using a file and it’s open as part of the Anchor service, that file is checking in with Anchor saying, hey, has anything changed? And Anchor says, yeah, access to that file has been revoked, at which point that file closes and it’s encrypted at rest again, and the user can’t reopen it. It also wipes the temporary files that were used when the file was open. So it’s doing a fairly substantial amount of work in the background to make sure that only a currently authorized user has access, when they meet the defined required conditions for access to a particular file. When any of those requirements are no longer satisfied, that access is revoked. Which is really a game changer in terms of controlling access to data.
Yeah. I think you hit on a really good point there too when you talked about how companies are marketing the term zero trust, and we talk about zero trust as well, but from a marketing standpoint it’s an incredibly ambiguous term. Different companies mean different things when they say zero trust. Organizations like NIST are trying to kind of standardize that. They’re putting out publications that talk about, here’s what we mean by zero trust, but what it comes down to is making sure that every single time somebody tries to access a resource, you’re checking that they’re allowed to access that resource and denying access if they don’t meet all the conditions or meet all the rules or aren’t within the boundary to access it. That’s something that traditional encryption solutions don’t really have, because once you’ve decrypted the data it’s game over. You now have full control over the data. It’s something you can copy around and it’s no longer a protected file or protected resource. With a real zero trust solution, like Anchor, it’s something where we continually check. We check every single time the file is accessed, and then even while the file is being used, while it’s open, we continue to monitor and check. That’s really important from a zero trust perspective, to make sure that you’re not assuming that somebody who may have gained elevated privileges by taking on someone else’s role or identity is allowed to access the file. In addition to that, making sure that people don’t accidentally email a file to their personal email account or put it onto a thumb drive, like you mentioned, that they take home to work on it, and now it’s no longer protected.
Traditionally, organizations like NIST and other regulatory bodies oftentimes will make a recommendation, something along the lines of, if you’re going to allow remote access and use a VPN, do not use a split tunnel. Use a full scope, full tunnel VPN, meaning that when you’re connected to the corporate network, everything you’re doing has to go through the corporate network, and you can’t have this secure connection to the company over here and then this unsecure connection to the open internet over here, with your remote computer kind of being the bridge between the two, which potentially can introduce additional malicious code into the work environment. There’s a lot of infrastructure that goes around that to make that all work, and it still doesn’t address the encryption requirements. So, you can say, hey, we’re doing a full scope VPN and we’re making sure that we’re filtering everything. That’s kind of what you would have to do if you wanted to implement policies that are going to be like file control policies, where you say this file has this attribute about it, that it’s a sensitive corporate document and we don’t want it to cross the edge firewall. We’re not going to let it go out to the internet. There are some things that you can do with that. A lot of times it’s based on metadata attributes, like a filename and the words that are in the file name, or the type of file.
Maybe you say no PDFs are allowed to leave the network. Okay. If someone converts it to a Word document, can it leave the network now? You say, oh, well, we block any file that has these words in the name of the file. Okay. If the user knows that’s the mechanism you’re using and they change the name of the file, can it leave the network now? There’s a lot of administrative work involved in those traditional systems and they’re limited in scope many times. The systems that don’t have those limitations are, generally speaking, extremely expensive. Just in terms of acquisition, not to mention in terms of maintenance and administration. Whereas with a product like Anchor, it doesn’t care about that. It’s not looking at the edge firewall. It’s not looking at the type of VPN that’s being used or how traffic flows between different areas.
It is really that security is built into every data file. It’s really making sure that those boundaries are enforced, and when they’re not, it’ll tell you in the log files, it’ll show the administration team what’s going on, and for the end user that file gets closed and temporary files get securely erased. So that’s hugely different from what’s been done traditionally.
All right. Well, thank you Michael, for your time again. I really appreciate you taking the time to chat with me today. Once again, this is Ryan Boder at The Anchor, with Michael Zinn from Microsystems Management Technology Consultants. Thank you, Michael. Have a wonderful day!