How secure is working from anywhere?

 
As the pandemic passes the year mark, and people have been working from home or wherever they can, the big question is: how are organizations dealing with the many new security issues brought about by supporting a remote workforce? What are the priorities for protecting the network and data? What are the best strategies for protecting this expanded attack surface and the loss of the traditional network perimeter? To find out, Nucleus Cyber/archTIS commissioned Cybersecurity Insiders to conduct a survey of security professionals. The report entitled “The 2021 State of Remote Work Security”, tells us what they found.

Perhaps, not surprisingly, the majority of those surveyed (86%) said they intended to continue supporting their remote workforce even after the pandemic is officially declared over. However, despite this large proportion, three-quarters of respondents noted that they still had serious concerns regarding the security risks of their remote workforce.

In addition, they found that the applications that organizations are most concerned with securing include, file sharing (68%), the web (47%), video conferencing (45%), and messaging (35%). More than half of organizations see remote work environments having an impact on their compliance posture (70%). GDPR tops the list of compliance mandates (51%). Organizations prioritize human-centric visibility into remote employee activity (34%), followed by next-generation antivirus and endpoint detection and response (23%), improved network analysis and next-gen firewalls (22%), and Zero Trust Network Access (19%).

Let’s have a look at their findings in more detail.

Network access (69%) tops the list of security concerns when it comes to securing remote employees. Bring Your Own Devices (BYOD) and personal devices (60%), applications (56%), and managed devices (51%) are also a concern for a majority of organizations.

The applications that organizations are most concerned with securing include file sharing (68%), the web (47%), video conferencing (45%), and messaging (35%). This is not surprising because these are fundamental business applications that all organizations rely on for a productive workforce.

Security breaches at the endpoints are a source of concern for many organizations as they look to secure their corporate assets. Therefore, it is no surprise that organizations are most concerned with exposure to malware or phishing risks (39%) followed by protection of data, especially when accessed by unmanaged endpoints (36%).

The biggest security concerns due to the shift in the numbers of remote workers include data leaking through endpoints (68%), users connecting with unmanaged devices (59%), and access from outside the perimeter (56%). This is followed by maintaining compliance with regulatory requirements (45%), remote access to core business apps (42%), and loss of visibility of user activity (42%).

Key security challenges cited include user awareness and training (57%), home/public WiFi network security (52%), and sensitive data leaving the perimeter (46%).

The main reasons that make remote work less secure are: users start to mix personal use and corporate use on their work laptops, increasing the risk of drive-by-downloads (61%); users are more susceptible to phishing attacks at home (50%); the organization no longer has visibility since most remote workers operate outside the corporate network (38%); and users that are furloughed pose an increased risk of data theft (25%).

Just about three-quarter of organizations see remote work environments having an impact on their compliance posture (70%). GDPR tops the list of compliance mandates (51%).

When organizations were asked about security controls, most are using a variety of security controls to protect remote work scenarios. A majority of respondents (80%) use antivirus/anti-malware. Other results for use were: firewalls (72%), virtual private networks (70%), multi-factor authentication (61%), endpoint detection and response (56%), and anti-phishing (54%), among others.

Respondents were asked to rank the importance of different cyber technologies to protect their organization from these threat vectors? The survey found that organizations prioritize human-centric visibility into remote employee activity (34%), followed by next-generation anti-virus and endpoint detection and response (23%), improved network analysis and next-gen firewalls (22%), and zero trust network access (19%).

This report is based on the results of a comprehensive online survey of 287 IT and cybersecurity professionals in the US, conducted in January 2021, to identify the latest enterprise adoption trends, challenges, gaps, and solution preferences for remote work security. The respondents range from technical executives to IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.

It's a really interesting report. I did find myself wondering what else organizations should be worrying about with their employees working from home. There’s always the problem of employees using risky apps that they might have downloaded and software that they may have unwillingly downloaded after visiting high-risk web sites. There’s also the issue of cloud-based attacks, with malware being delivered over cloud applications such as OneDrive for Business, SharePoint, and Google Drive.

Then there are issues with patches to applications and even to the firmware in remote (edge) computers. Centralized IT will be informed when there’s a security update to a piece of software. It then has to find a way to get that update to all the edge computers in its PC fleet – even when those laptops may not be switched on. In addition, these days, malware attacks can be against the firmware in a computer. So, again that will need to be able to be patched remotely.

Having said that, it’s still interesting to see what people are concerned with. You can download a copy from here.

That new mainframe job

  

So, either it’s time for you to look for a new job, or you’re looking for new mainframe staff where you work. The question is this: what are the most important characteristics about the new job that you should be looking for, or that you should be offering?

The obvious answer, I guess, is salary. How much does the job pay? That’s usually the biggest criteria. If it doesn’t pay enough, or just more than you’re getting now, then there’s no point applying for it. However, research has found that a higher salary doesn’t make you happier – or not very much happier. The truth is that at the start of your career money is important because you need to pay for things. But once you get enough money to pay the rent/mortgage, food, clothes, holiday, and a bit to spare, then an increase brings less happiness than you might expect. And by the time that you need a pay rise to pay for your second yacht, the increase in pay brings almost no increase in happiness at all.

The second big thing that people like is a good job title. They like to be a senior something, or principal something. Vice-president of something is also pretty good. But really, in most companies, the person who is doing most of the work is the person who doesn’t really have a job title. They are the people who are keeping the company going – without whom, business wouldn’t be as successful as it is. In my experience, people with very long job titles tended to be the most ineffectual at their job. Following the Peter Principle, they had been promoted above their level of competence and were now transferred sideways into a role where they could do little harm. If people are impressed by job titles, they are probably not the sort of people you want working on your mainframe!

So, what should you be looking for in your new job, or what should be near the top of your advert? One answer is work-life balance. Being able to get home to see your child’s performance in the school play, or watch them playing in the school football team is very important for them. So, it’s important for you to be able to schedule your working day around those events. Find a job where you can take a couple of hours off in the afternoon and make up the time in the evening. You’ll be amazed at how much happier you and your family will be.

Training or CPDs are important. How often at conferences did you hear people say that they could only attend for one day because there was no money in the budget for an overnight stay, or to pay for them to attend for all three days. It’s true that there are lots of brilliant online training courses available, but there’s something extra you can get from attending in person for a training course – and I don’t mean the beer that gets drunk in the bar in the evening! Staying up-to-date with the latest mainframe technologies is a very important part of job satisfaction. And finding out what other mainframe sites are doing or planning to do is important too.

Health is important to a person’s happiness. You need to ensure that your new job values your (and your family’s health). So, if you do need some kind of treatment, it is accepted as part of what happens to people in your job.

And that leads on to culture. There was a time, many years ago, when the mainframe employees – operators, systems programmers, DBAs, etc – didn’t really know which company they worked for, they just knew that they worked in IT. For them, they could change to a similar job at a different company, and it would hardly make any difference to them. Hopefully that’s not the case anymore. A company’s culture can be hard to define in words – although most companies do document what they believe/hope their culture is – but employees know whether they like to work there and whether they’d recommend it to their friends. Or whether they simply work there because it pays them and it’s not too far away.

In fact, commute time is one of the biggest things for how happy people are with their job. And, of course, commute time is not just about the distance travelled. If you can get to work in 20 minutes or under, you have the perfect job for commute time. As your commute time increases, this reduces a person’s happiness with their job. This may change as more-and-more people work from home or work from anywhere because the commute into the office may only occur once a week or couple of times a month once the pandemic is over.

Increasingly, people are concerned about how ‘green’ they and the company they work for are. Is this new organization you’re looking to work for carbon neutral? Does it offer hybrid cars for staff to use? Does it have charging points in the car park for staff? And there are many other related questions that can be asked. If the company believes global warming is a myth, is this a company with much of a future. And it’s the same with your current company when you advertise a job. What’s it’s carbon footprint like?

Basically, there’s a lot more to look for when searching for a new job or when recruiting than just salary and job title. So, it’s worth keeping an eye out for these other factors that can make you happy – and make your mainframe staff happy.

Find out more about iTech-Ed Ltd here.

Tell me about zERT

 

We’ve been talking about securing data at rest and data in transit for a long time. It’s just that data in transit is even more important these days as more-and-more information is transferred and the mainframe is an important network hub, and ensuring it is appropriately secure becomes ever more important.

With the introduction of the z14, we got the concept of pervasive encryption and the idea that all data could be encrypted no matter where it was. For data in transit, we’re probably familiar with TLS/SSL, SSH and IPSec cryptographic network security protocols, but how do you know their cryptographic status? That’s the question that z/OS® Encryption Readiness Technology (zERT) answers. And this blog is a very brief summary of what zERT can be used to do.

zERT’s raison d’être is to provide its users with intelligent network security discovery and reporting capabilities. And it does this by monitoring TCP and Enterprise Extender connections, and collecting and reporting on the cryptographic security attributes of IPv4 and IPv6 application traffic.

The data it collects is written to SMF in new SMF 119 subtype 11 and 12 records for analysis. There’s also a new real-time Network Management Interface (NMI) service for network management applications to retrieve zERT SMF records as they are generated.

SMF 119 subtype 11 records contain the full of detail of each session. Subtype 12 captures all unique session types between client/server pairs per interval. They both allow users to see what traffic is protected, and if so, what security protocol and version is used.

With client/server pairs, zERT can be used to track connections between each pair of client and server IP addresses, and information collected includes the port number, job, and userid.

Looking in more detail, we can see that the zERT summary records contain connection and throughput counters, including: the total number of connections; the number of partially protected connections (where encryption was not applied during the entire session); and the number of short (shorter than10 second) connections. It’s worth noting that short connections can be significant for TLS, because establishing the session is expensive in terms of CPU, making them an expensive way to run connections.

There are a couple of limitations to zERT. For example, no information is collected non-EE UDP traffic or traffic using other IP protocols. If you want to see a list of what these other protocols are, have a look at https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers. And zERT only collects cryptographic security attributes for TLS, SSL, SSH, and IPSec protocols, not any other cryptographic security protocols.

When zERT is used with recognized cryptographic protection, it can show which cryptographic protocol is being used, who the traffic belongs to, which cryptographic algorithms are used, the length of the cryptographic keys, and other important attributes of the cryptographic protection. This can be used to determine regulatory compliance and, importantly, for see whether any connections are currently using cryptographic protection that is not robust enough and needs to be increased. It can also provide information for auditors and compliance officers.

Of course, zERT does not collect or record the values of keys, initialization vectors, or any other secret values that are exchanged or negotiated during the session.

In terms of the performance impact of zERT, there are a few things to consider. It’s estimated that the performance impact on the TCP/IP stack is quite small, in terms of latency and CPU consumption. On the other hand, the zERT Network Analyzer can affect system CPU consumption because it is a data-intensive application. However, zERT Network Analyzer is a Java application, and it uses Db2 for z/OS as its data store, so, a lot of the processing is zIIP eligible. There’s also zERT aggregation, which can be used to reduce the volume of zERT-generated SMF data in situations where there are workloads with lots of short-lived connections.

zERT looks like a really useful tool from IBM. zERT Discovery collects and records cryptographic information, and zERT Aggregation groups attributes by security session. As a tool, it provides a way for users to get a grip on the overall quality of the cryptographic protection for their z/OS network. The security team can find out whether they have any security exposures. They can see whether any unapproved protection protocols are being used, or even whether there are some cases where no protection is being used on data in transit.

Find out more about iTech-Ed Ltd here.