Joseph Carson:
Welcome to the 401 Access Tonight podcast. My name is Joseph Carson, chief security scientist at Thycotic, and cohost of the show. This podcast is all about making cybersecurity easy, usable, and fun. Come back every two weeks to listen in and learn about what's the latest news, or even submit your own questions via the community.
Hey Mike, welcome to the next episode of 401 Access Tonight. I'm really looking forward to this one, because it's really, in the Estonia one of the topics that's been happening recently is that as of just last weekend our emergency situation from the government has ended, and now everyone has started returning back to somewhat, actually accelerated back to normality. There was no phased approach, it was just all of a sudden, slam dunk, everyone's back to the office.
Mike Gruen:
Oh, that's interesting, because we're doing a much more phased approach here, where even it's by county. So my county is following a different, because we're on a border, we're following different rules than the rest of the state because we're following DC's, because we're closer to DC. And it's an interesting, so we're doing this very phased, it's across the state in a very bizarre way. I think it makes a lot of sense when you think about it, but so yeah, we're taking a much more phased approach, which is interesting.
Joseph Carson:
So inconsistencies, great. That's what we need. No one follows the same path. So, but yeah, it can raise a lot of concerns. There's a lot of things we have to think about. One that we talked about before was, as people are leaving the office and taking those devices away and are working remotely and working from home, and we've seen a lot of increase in types of attacks has happened using, taking advantage of, I think one of the biggest things that I saw is around remote access, that as a lot of people were taking devices that remote access was being protected from the firewall side of things, and now those devices, as they went outside the firewall, those RDP ports were now actually internet facing. Then you saw a lot of attempted brute force attacks had been able to try and get access to those RDP sessions.
So there's a lot of those risks that were introduced. And now, as we're starting to see, at least in Europe, we're seeing a lot of people now slowly returning, there's a lot of things that organizations need to think about is the health and safety, is that, are they able to provide clean facilities? Are they able to wash them down and disinfect them overnight? Are they able to keep some of those offices which are cram packed with call centers, are they able to keep the space between employees? I know that in a lot of places as well, the food shared locations are not possible as well. So that creates a lot of how do you, how long are the days?
And even so in New Zealand that they are doing the phased approach where it's actually a four day week, where then you have the flexibility of having which days people are in the office and you mix it around a bit. So it's interesting as moving back, but in our view, is one of the things is that as those devices have been out in the open, they've been in people's homes, they've been connecting to other networks. And now as they're returning to the office, who knows what those devices are bringing back?
Mike Gruen:
Right. And then I think one of the things on that is because people, at least from our perspective, what we're looking at is people may be working for a week, the same people in the office for about a week, and then going back and returning to home and a different crew of people coming in for about a week so that we can make sure that we don't have overcapacity. So now it's not just, they're coming back, it's a one time scan. It's, what are we going to do with people whose devices are are on again, off again, on again, off again, and making sure that it's going to be secure and that those devices are ready to rejoin the network every time?
Joseph Carson:
That's interesting. It's shift work but actually...
Mike Gruen:
Week by week, but it's the best way to do so that we can do contact tracing, right? We want to have the same group of people in for a week. We don't want to have to think about all of the, who was in that day. The same days that this person was in, it'll make it a lot easier, which I think also brings up a whole bunch of privacy concerns that I think we're also going to get into in a little bit, but with regard to tracking people and stuff like that, but just from the laptop perspective or computer perspective, the coming and going I think is going to be a challenge for a lot of organizations.
Joseph Carson:
Yeah. That's been actually the biggest topic in at least UK and Europe in the last couple of weeks, is the contact tracing apps and the privacy issues and the decision around having centralized databases versus decentralized databases where it's been calculated and done on the devices where you'll have those databases of just basically references being downloaded. And then you can determine, have you been in contact with anyone who's tested positive? So for me, I'm a bit in favor on the decentralized approach, because it means that the long activity of that database becomes irrelevant. And those centralized approaches, at least the question is how long will those centralized databases be retained for? And it looks like most countries will decide to keep them indefinitely.
So there's a lot of controversies, but I agree that as you mentioned, as you're doing this phased approaches of people coming in in different shifts and different groups, that at least you can minimize the footprint in the office. And at the same time who's been when, and who's been in contact with who, so at least makes contact tracing much more predictable, much more easier.
Mike Gruen:
Right. And one of the other things I think, because now you can't all be in the same ... Your desk might not be your desk anymore during this period of time where we're probably going to be doing hoteling and other things. So that's other considerations to have in mind, is not just limiting access but making sure people are spread across the office and not right next to each other. And so that also brings up some challenges and I think some concerns about your own personal security and privacy of stuff that now you basically don't leave stuff on your desk or in drawers. I think that the clean desk policies all of a sudden have a deeper meaning, because you don't know who's going to be at your desk. I guess I can't leave that sticky with my password on there anymore.
Joseph Carson:
Underneath the keyboard.
Mike Gruen:
Underneath the keyboard. It's okay. It just says password.
Joseph Carson:
But there was a big question raised as well, there's a lot of companies now who's now putting in, you may have had CCTV cameras or cameras at the front doors of offices, and some of those cameras would have been equipped with, for example, thermal reading. And a lot of those companies are now turning them on, now to try and determine which employees have high temperatures or not.
And it brings me back, I've been through… before, and I myself, I actually had H1N1. I was a victim of H1N1 years ago when I was returning back from Peru. But going back well before that, I was in Malaysia during SARS. And I remember I was in a bus, and the bus had no air conditioning, and it was like 40 degrees Celsius, so whatever that is, it's over a hundred in the US, in Fahrenheit. And you're boiling hot, you're sweating. And then all of a sudden they're taking the people off the bus. And they're saying, there's a big sign saying, we're now checking your temperature to see if you have a high temperature for SARS.
Mike Gruen:
Of course I do.
Joseph Carson:
And you see that, are you going, "Hold on. I just came in from a bus that felt like a sauna. It's hot, I'm sweaty, and humidity was just crazy." So you're actually in higher dry heat, and now they're going to take your temperature to see if you got a high temperature. I was just like, "You know what? I do have a high temperature. I don't know how accurate this is going to be." But as I was thinking about that and then thinking about it as companies are putting in temperatures, that there's a lot of things, temperature doesn't just mean that you might be positive for COVID. You might have many other things. So as companies do that, there's a big question that gets raised here, is that if you do test positive, or that if you do have another illness and your company is now becoming your primary doctor in some sense, does that mean your company is going to become responsible for not just health insurance, but also become also responsible for treatments, your health? How much responsible are they going to take on?
Mike Gruen:
Right. And then on the plus side, at least in the States, the liability issues I think in most States have been routed out as, it's not the company's problem if you get sick. You really have to prove that it was because of your company's policy put you in a position where you got sick before there's any liability issues on the company. But I still think people as a company, I care about all of the staff. So how do I make sure that everyone as a whole is protected, but at the same time protecting the individual and their privacy, their individual rights? And I think in addition to just the temperature ones, I think companies that don't have those are probably not going to run out and buy them. Maybe they will, maybe some can. I just looked into them, just curious how much they are. It seems like it would be cheaper just to hire a guy with the thing-
Joseph Carson:
With a monitor?
Mike Gruen:
With a monitor than to actually install this thing and hook it up to our door. But we have a guest system, right, where guests have to sign in. We might actually end up implementing a system where everybody has to use that system to sign in so that we know who came in that day, getting back to the like tracking. Or the system we use also said, hey, we're doing this beta test of a wellness check. My guess is the wellness check is going to be some questions, three, four questions, like have you had a fever? I don't know.
But again, it gets into that same invasive, I don't know that I ... How much do I want my company to know? And this is a SAS platform, so where's this data going and how long is it going to be retained for? I think it's all the same thing. So it goes, I think, even beyond the thermal scans. It's any type of wellness check coming in. I also think there's going to be way more attendance. I know we're looking at having people, we have a common area, it's a kitchen. And what we're going to have is someone who's, we're hiring a cleaner who's going to be cleaning it way more frequently than the once a day that it was getting cleaned before, and wiping down surfaces. And so I'm guessing that there's going to be more attendance in more places, making sure the men's room doesn't get overcrowded or all these different things. I think just generally speaking, you're going to be watched more. So I think-
Joseph Carson:
Yeah, observed and monitored and lots of metrics that relates to that.
Mike Gruen:
Exactly.
Joseph Carson:
It might even be, one thing that I did, I did a TEDx talk a number of years ago and it was all about the future of work. And the whole thing was, I did a lot of work in autonomous shipping projects and automation. And the whole purpose of those was to take people out of harmful jobs and locations. And it wasn't about eliminating jobs. It was about changing where those jobs are located. And for example, it meant that if you were the captain of a ship that you wouldn't be sitting on the bridge of the ship, you'd be sitting on the bridge of a simulation that could be in a office location, it could be at your home. You could be sitting with a bridge simulator working from your laptop at home. And the purpose was to make people not being disconnected for long periods of time on open sea, and harmful waters are, being exposed to even pirates, modern day pirates. And the whole idea is that going to the office might even not be considered as a situation where…
Mike Gruen:
A hostile work environment.
Joseph Carson:
Yeah. Because even, it was about even talking about firefighters, removing firefighters from being directly in the fire, or firefighters would be controlling drones that would be then putting the fires out. Construction workers, you would be building buildings using automation, robotics. And this gets into, well, a lot of these positions in the frontline… even delivery mechanisms and retail shops, will you be interacting with humans or will not be replaced with robotics. Where you're now, here, even in the story, there's a lot of zero touch shopping experience. It's a bit like the Amazon, I think the Amazon stores, you just go in, you take your food, you pack it up and you walk out. But of course you're still paying for it. But it becomes much more automated.
So maybe there's a situation where we start seeing those things in the canteens where you're no longer being served by people, or there's no longer people cleaning them, and that these will go through some type of automation, robotics. I saw one where a pub in Spain was pulling pints of beer with a robotic arm. That might be what we see accelerate is, were my TEDx talk was more focused about people in dangerous locations and dangerous jobs and how they will be able to do those, but in a safer location. Someone said that, I think it was Rio Tinto are doing the mining trucks where now they're sitting remotely in an office controlling trucks, hundreds of miles away and ultimately not in those dangerous locations. And it might be that in places where there's high possibility that we might see it advancement innovations more in automation, robotics, where we're really able to continue to do what we're doing, but those high touchpoints will become less and less and reduced through contactless automation.
Mike Gruen:
Yeah. I was thinking about… is going to be one of those things, and what we're going to do around recognition so that it doesn't ... There's easy solutions and there's low tech solutions, but high tech solutions and innovations always seem to be the ones that get the most traction for whatever reason. And so, yeah, we're going to suddenly see the door swipes and key pads replaced with facial recognition and stuff like that.
Joseph Carson:
Even RFID chips in our hands that we'll be waving in order to get access and touchless payments. And that might be a way forward. And even that could be your method of contact tracing as well. Maybe we all get embedded with chips in the future and that becomes mandatory.
Mike Gruen:
Yeah. I feel like at this point, our phones are so ... Our phones are almost to that point where that's the thing that you use, that's what you use to pay. It's what you use to swipe and all that stuff. And so, but yeah, I imagine that at retail, for contact tracing, now is there some obligation to retain that information in a way that's available for law enforcement? Or not law enforcement, available for other purposes than just strictly the typical law enforcement reasons for contact tracing and stuff like that.
Joseph Carson:
I agree with the mobile, the mobile side of things is definitely our ... I will say that humans are almost an extent of the internet already, because we're sensors. We physically have the phone in our pocket, and that phone's measuring your steps, it's measuring your movements, temperature readings around you. That phone is literally, we are sensors and it's basically the sensor collection point. And then it shares it with other internet servers and APIs. But of course the problem with the phone is that you can give it to someone else. You can strap it to your dog in order for your dog to get your steps for you to show that you're healthy. And that becomes the challenge, is that how do you verify that the phone was in that same person's pocket?
I've seen a lot of cases around digital forensics getting into that craziness, where, "Don't touch the phone." You want to make sure that hasn't been ... But this gets in, of course that's why the chips would be more intrusive because it's something that you would have to move it out and back in, it wasn't based on those. But I agree that this really gets into point as well, what if when people's bringing those devices back in, and not just mobile phones but also their laptops, is those devices that may have RDP exposed, they might have shared drives accessing websites, installing software on those devices that are ... And potentially the moment that might be is that those devices might be infected. And as they return into the office and people have connected back in, and it might be waiting for that moment that when that device is connected to a corporate IP address range or sees other types of devices that you might be all of a sudden having some type of Trojan or malware or worm, that's basically going to filter through your networks.
What do you think that organizations should be doing to reduce ... Are they going to, just like the cleaning surfaces and measuring people, are we going to do the same with devices?
Mike Gruen:
Yeah. I think we, for our MDM, we have the ability to do a lot more than we had in the past on the end point, right? We can do it all remotely. And so I think our plan, the nice thing is we can do a lot of scanning prior to them even coming into the office, and so we can know what's going on. And I'm hoping, I think that that's going to be a trend that you can do it more ahead of time rather than waiting for the person to show up and then having to go through some scan process. I think back to my days of going into skiffs, and if you were trying to bring a DVD in or a CD with data on it, you just sat there in line waiting as they like scanned it. And who knows how long it's going to take?
But yeah, I'm curious to think about what other larger organizations that maybe ... We already were fairly like work from home friendly. We had a lot of this in place. And so I haven't had to think about it from that perspective for organizations that have really gone through this transformation, and now what are they going to do, and how are they going to make sure that things are secure? I can imagine for a lot of them, I assume a lot of them have the same MDMs capabilities and pushing out profiles and saying, hey, you know what, when they come back to the office, until we've run the scan we're going to have them join a separate network, this DMZ or guest network or whatever you want to call it, where we can perform all these scans. And then they get the clean bill of health and they're allowed to join the actual corporate network.
Joseph Carson:
Yeah, I think that's the smart approach. I was also thinking the same as that, the way I would have had the network segmented is you would have those guests networks should have the BYOD zone where the personal devices were, and then you'd have your operational network and your IT and UAT and dev and whatever. So having it segmented accordingly, and of course just for this period of time, even when you're doing these phased approaches of people coming in and going back out, you might actually just have them being connected to that BYOD or DMZ.
Mike Gruen:
Yeah. I was thinking either BYOD or guest network, rather than standing up yet another, do I really want to stand up yet another environment? I might as well, those other environments are just as hostile, so might as well. Yep.
Joseph Carson:
But it also means that there's a lot of companies out there that don't have those types of protections as well. So they might, those companies who are late to doing digital transformation or in this whole process, or have only done it, for example, for certain devices, but in this current situation I've seen people actually taking desktops out.
Mike Gruen:
Right. I've definitely seen that. And then I'm curious, what recommendations would you make for people? Because I think it's pretty easy to not get those separate networks configured properly. And you think that, oh, it's a separate network, but it turns out there's ways to get from point A to point B. Any recommendations you have?
Joseph Carson:
Definitely, one of the things is having it from… perspective is really having a good segregation, having it properly separated. A lot of mistakes, what happens is that ends up, you'll have one machine is configured for both, and that becomes a crossover. And that ends up, all of a sudden somebody has a VPN connection open and they end up being the gateway for all communication back and forward. So it's really important to make sure that you've got it properly segmented. Doing it from an access control perspective is that people have to, before you just allow any IP address or network device to connect to it, that it must go through some type of authentication, some type of access control, or be previously known beforehand. And so making sure that you're not all of a sudden just seeing a device all of a sudden connects into one port, and that's just misconfigured, and it's on the corporate network, and all of a sudden you've got that device being a crossover.
So it's always be careful as well, and even situations where I remember where people were going in between corporate network and into, for example, conference rooms. One of the things they would have been doing is connecting to that conference room network as well while they were still connected back into the wifi network, and all of a sudden now those devices are also creating a crossover as well. And the purpose of doing that was the guest network was not being filtered, they get access websites and they get, actually sometimes it's faster. So it comes down to making sure that you don't have those scenarios where devices, once you connect to one you're severed from another, you're not creating those moments of having the networks being joined from endpoints. It should be made sure that's done at the router's, at the proper access points, and you make sure that any device that's coming on is a previously known device. And if it's not, you throw it into the… until it goes through the proper controls.
Mike Gruen:
Yeah. I think for the physical network, the ports that you're plugging into, I think for a lot of organizations that's going to be the hardest part. Because depending on when you made that investment, you might have a bunch of dumb switches and not really the ability to have the fine grain controls. Even if you have smart switches back in the main area, you might have to turn off a whole set of desks, or you don't really have the fine grain control to say, this port, and when this machine by some authentication we know should join the rest of the network. And I think that that's probably going to be one of the bigger challenges that ... Wifi and wireless networks are fairly easy to do this with, but wired networks, especially the older ones ...
I think back to, I worked at a place where we had, we were a government contractor and we had two networks. We had the company network, and then we had one that was connected directly to our government agency that we were working with. And I can't tell you how many times people, of course the government agency one wouldn't let you get out to nearly as many sites as the company one. I can't tell you how many times people would just switch which port their computer was plugged into, in order to access the raw internet and similar to that conference room. And so I think that's going to be one of the bigger challenges of really around the wired networks.
Joseph Carson:
And if you were like some people, they bring their own basically switch and plug into both.
Mike Gruen
Right, exactly right.
Joseph Carson:
So they can get the most optimum they possibly can. So, I think there's a lot of things for companies definitely to think about. One is for health and safety of employees, and I know here in Estonia there's definitely been a bit of a mix where there hasn't been really a lot of direction after the emergency ended. And it's really given most people ... To be honest though, in Estonia most people, their normal nature, as I mentioned before, is their social distancing all the time anyway, even in the restaurants and parks and in general within communities. So again, at least people are more aware and more cautious around it. But definitely it's seen as a complete opposite to what it was just a few weeks ago.
So hopefully really organizations are really thinking about, well, for those who are maybe in high risk, that they can continue working from home and working remotely, making the offices as safety and as health focused as possible. But also taking the considerations of privacy and people's opt-in approach, and not ... Of course, we still have to think about what you mentioned earlier, in EU will still be a GDPR scenario, and GDPR still applies. There's exceptions in a emergency situation where the government can do exceptions, but now since our emergencies are ending, GDPR applies back again. So it really comes into really being considered around privacy and around opting in and consent of employees as well.
So I think comfort, health and safety, and also from a security perspective, is that security is also something we should also be considering minimizing as possible. And it might be for this temporary period, that if you have an existing guest or our BYOD networks set up, probably a good idea to use that for the meantime, until you do have an MDM solution, that you can scan those devices, you can pass those devices before bringing them into the network.
Mike Gruen:
That's a great idea. It's just to continue using what you may already have in place. I think the other part of it is to recognize the flexibility. we have a lot of people who, they have children, and so their schedules might not be the same schedule that would normally occur with kids not going back to school. So also designing for that flexibility and the recognition that people are still going to be coming and going, and it might be day in, day out, it might be a week at a time, who knows? And so having that in mind when you're planning it out, that it's not just a one time, okay, everybody's back. We're going to-
Joseph Carson:
Yeah, end it, come back quickly, yes.
Mike Gruen:
Yeah.
Joseph Carson:
It's definitely not going to be ... I completely agree. And here in Estonia as well, at schools, while there's still probably another couple of weeks left, they are not going back. They're still doing remote online schooling.
Mike Gruen:
Yeah, distance learning.
Joseph Carson:
And yeah, which means that, yeah, parents will have ... And you're not going to have babysitters. You're not going to have places to put them. So you're basically going to have to do that or balance it between family. So absolutely yes, organizations will have to be flexible in the how to be aware of definitely… in those situations. So we have to be a lot more conscious and flexible and make sure that people are able to focus. Because the last thing we want to be putting right now in this situation is mental health becomes a major challenge as well.
Mike Gruen:
Definitely.
Joseph Carson:
And this can put a lot of stress on people and we want to minimize that where possible. So we do have to make sure that we support the employees to make sure that their health and safety and comfort is utmost priority. And absolutely, as you said, might be that some people will have to continue working remotely for the foreseeable future.
Mike Gruen:
Right. And I'd also add that testing it ahead of time, making sure that it is as ready as possible before people are coming back, because you don't want to add more to that stress. You want it to be, okay, we know what we're doing. It's not like every day I come in and there's some new policy or what we did yesterday is different. We want it to be as smooth as possible and as tested as possible. And granted there's always going to be gotchas. I know when I have admin rights, it's tough to test every single thing as a normal user. But if you're doing proper segregation of privileges and the other things, you should be able to do all that testing. But sometimes there's some challenges there, but definitely want it to just be as smooth as possible.
Joseph Carson:
I completely agree. Testing, that's the key thing is testing. Don't just run into things without really considering the implications and having good measurements and good testing in place. So that's fantastic. I think this gives our audience a number of things to be thinking about as they're public facing this in the coming weeks. Different countries and different people around the world will probably be having different periods of time where this will be starting to occur. And there might be continuous changes coming. So hopefully this will be a good message, a good things for organizations and people and IT managers, and to really consider what things that they need to be considering as over time, employees will start returning to the office. So Mike, a pleasure as always.
Mike Gruen:
Always a pleasure.
Joseph Carson:
It's great to have you on the show, and really excited, hopefully this will give the listeners something to think about and some ideas that maybe they can even share on social. Contact us and say, share with us if you've got things that you think about that are important as people are returning to the office. So thank you. Awesome.
Mike Gruen:
Yep. Thank you. Always a pleasure.
Outro:
Learn how your team can get a free trial of Cybera for business by going to www.cybera.it/business. This podcast is also brought to you by Thycotic, the leader in privileged access management. To learn more, visit www.thycotic.com.