On-Demand: Cyber Action Plan--Computing Security
June 03, 2020
EisnerAmper and Lenovo discussed how endpoint devices (smart phones, laptops and such) now comprise a majority of a company’s network, along with key considerations companies with a remote workforce need to consider.
Rahul Mahna:Great. So, to just give us a little bit of a 30 second primer, can you tell everybody what you do today for Lenovo, and what are some of the insights that you are able to see in regards to security at the desktop level?
Nima Baiati:Sure. So my team is responsible for everything that we do from a device hardware security standpoint. So we look at the current threats and the emerging threats below the operating system against firmware, against bios, against really attacking that hardware platform, all the way across to the types of advanced solutions that we can deliver to our customers, whether that's around AI of the end point protection, through ownership of our ecosystem, our security ecosystem that we have. We've got a number of deep partnerships, both across Silicon Valley as well as in Israel in the security space. And so we spend a lot of time talking to customers. We spend a lot of time trying to break things, which is one of the fun parts of the job. And we spend a lot of time talking to the VC community and spending time in the startup scene, because they can help provide a bit of a leading indicator in terms of where the market's going, right? Kind of follow the money to see where the market's going.
Rahul Mahna:I think that's pretty awesome. And I'm really excited to have you here and to be able to chat about a lot of the things that our clients have been asking us over time. Just a quick note, if anybody has any questions, please use the Q&A little widget that's there. We'll try to get to some of them at the end of this session, and if not, Nima and I will follow up with you afterwards as well. So Nima, we all started working from home in a flash. Tell me, what did your team start seeing as we started working from home?
Nima Baiati:Sure. So being a security person coming from the software world, I've personally been working remote for about a decade now, and my team is all remote. I mean, I can't remember really the last time that I didn't have a team that wasn't remote, kind of globally dispersed. And I think one of the things that we immediately started saying and hearing from customers, was most organizations, if you look nationally across the US, prior to COVID-19 it was about 3.8, 3.9%, depending on what statistics you look at, of employees that were remote. Now, in some organizations that number is going to be significantly higher, right? I think I saw something from Pat Gelsinger, who's the CEO of VMware, and he said just over the weekend in an article I read, prior to COVID-19 about 20% of their workforce is remote.
And now he's anticipating the office worker, you know that person who's going in every day to this as a co-location, is going to be the exception rather than the norm. And this is all to say that, what we significantly saw was you typically had the smaller percentage of worker that was working remote, who knew how to work remote, who was comfortable working remote. So then all of a sudden, really almost overnight in some cases, you went from maybe 10%, 15% in some organizations, to close to a 100% working overnight in a remote fashion. What that does is, one, from an actual hardware standpoint, right, so do your employees have a comfortable home set up where they can productive, right? Do they have the right equipment that they need? Do they have the monitor?
For a couple of days, for all of us who travel or used to travel before all this happened, you can get by working on a laptop for a couple of days on a plane, in a hotel room, at a conference. I guess your everyday it gets a little uncomfortable. And so, those employees have the monitors at home. Do they have the docs? Do they have that equipment? From a security standpoint, we saw a tremendous uptick, and this is reflected by statistics if you look coming out of the SDI in North America since COVID hit, of cyber attacks. You see a lot of phishing attacks going after organizations, of saying, "Hey, we're the CDC, we're sending you information on what's happening. And this is how to protect yourself." Or even attacks against individuals, which targeted phishing attacks have always been a thing, and it's far more easier for me if I'm an attacker to steal your credentials, Rahul, than to try and break into the EisnerAmper network.
And so, one of the tactics that we saw really escalate here was, especially as we went into this lockdown with a lot of us being parents and not knowing what the situation was at school, and how schools were dealing with it, and, "How's my kid going to get his books?" Or this, or that? Was, attackers saying, "All right, I'm going to target some senior executives at this company," and because we all like to share things on social media and many of us overshare in what we should, it's pretty easy to find out what the names of somebody's kids are. It's pretty easy to find out where they live, and you can discern through some simple open source intelligence work, what school district that they go to. And then you can very easily then craft a PDF document, and include that in an email, and spoof an email address, and send it to an exec somewhere saying, "Hey, click on this email attachment to figure out how little Johnny or whoever can come and pick up his books at school."
And so we saw almost a 300% uptick across the country in cyber attacks, leveraging this uncertainty around COVID-19. What we've seen now, as we've gone through the last couple of months, and especially as we're talking to a lot of customers, is there is this idea that everybody's going to be remote and what's going to happen to productivity and collaboration? Which is really interesting to me looking at it from a technology standpoint, because so much of what we do in technology is about collaboration and making people's lives easier, and yet there is this mindset of the Henry Ford era of getting everybody into a factory, a modern day factory which is the office, and have them work in that regard.
And a lot of companies and a lot of customers that we've spoken to have said, "Hey, productivity hasn't really gone down." I mean, the reality is, maybe it's an uncomfortable reality, that you've got the 80/20 rule. 20% of the workforce, 20% of our employees are the top performers and they're going to deliver. And so those people, you can put them on an Island with Morse code and they're still going to deliver. And so productivity really hasn't gone down, and now I can reduce my office footprint, so I can reduce CAPEX, and I can find really the best talent anywhere that's not restricted to a 40-mile radius of San Jose, or Manhattan, but I can really go and get the best SEO optimization person in the world that I can find, or I can go and get the best cybersecurity person in the world that I can find, and leverage that talent.
Rahul Mahna:I think we're seeing the same thing, we're echoing it. A lot of our offices, people identify themselves that they're an EisnerAmper New Yorker office, or EisnerAmper New Jersey office employee. But now we're really thinking, "We're an EisnerAmper employee. We could go sit in the Miami office or the California office. It doesn't matter where we sit, we just have to have the ability." But this brings me back, and I want to get a little granular, a little technical now. It's the security that's going to matter.
When you give so much of that ability to your employees, we're really picking up the mantra of secure the person. That's really where our mindset is right now, is our security team. So can you talk us through some of the little bit of the weeds? Like you mentioned the word bios, I don't think many people know what a bios is. When you get to a bios, then you get to a hard drive. How can you secure a bios? How can you secure a hard drive? How can you secure a computing device itself, whether it's a desktop? Give us some of your thoughts around those nits and gnats?
Nima Baiati:Sure. So I think the first thing is, we've got to really understand that the concept, or the way in which we look at security in my estimation, has changed. Where we traditionally viewed security as securing your network and your network is your perimeter, we still need to maintain a focus on the network. But really, the endpoint has become an extension of the network. And now me sitting in my house working, that's the corporate network now. And so, what are the controls that are in place on that device? So when we look at things like bios, below the operating system we've known, all of us in security, is a challenging place to apply security and gain visibility. We do a pretty good job at the operating system level and above. Below becomes pretty challenging because it's hard to get visibility, It's hard to get all those pieces working together.
And so, one of the things that we look at is how do we add resiliency to the bios? So the bios is that engine, for those of you who may not be familiar. It's that engine, it's that component that makes your device, makes your computer work. And so the moment that you push your power button on your device, the thing that's turning on is that bios, is that basic input-output system of that computer that's firing up everything else. And that bios has code that needs to run. It's a very basic code, it's low level code, but that code needs to run. And as an attacker, if I can inject into that code, if I can put a root kit into that code, I own you. Plain and simple. Because you've got God privileges at that level.
And so, one of the things that we've looked at and one of the things that we've done, for example, is something we call self healing bios, right? And so what we do is, when you power on that device, that bios that's being loaded is actually being compared to a golden image of the bios in a secured space, to make sure that what's being loaded matches that secured golden image. And if they do, then it allows the machine to continue booting.
And so that's one area of security that we need to look at. The other is, we look at the other end of the spectrum of working from home, is things like Wi-Fi security, right? So you're sitting at your house, and many of us again, because we're now working from home almost around the clock at this point because we can't really go anywhere else in some States, is, is the Wi-Fi network that you're on, that you have at your house, that before maybe you were jumping on every once in a while to do some work, and you're really leveraging to use social media and watch Netflix, and now you're passing all your corporate traffic to it through that. And by the way, you don't necessarily need to be on a corporate VPN.
Does your home Wi-Fi have the default password on it or have you changed the password? Does it have the right certificates? Has the firmware on that device been updated? And beyond that, it's applying the same mentality, the same logic, to wireless security that we do in a corporate office setting to our home setting, of, "Is the device that I'm logging on to that says it's my Comcast device or my AT&T device or whatever it may be, is it actually that device? Or is it a rogue access point that's been set up?" Now I'm not arguing and saying that every employee in your organization runs the risk of a rogue access point, but maybe if it's somebody who's running R&D, and if I'm an attacker who's trying to get IP from your organization, I do a little bit of social engineering and I can figure out, "Okay, I'm going to go and camp out and set up a rogue access point outside of this VP of R&Ds house, and roll the dice and see if he or she is going to get on."
So it's those kinds of things, as well as making sure that things like end point protection are in place, right? Making sure that you're running some kind of advanced endpoint protection solution that's leveraging AI, that's leveraging contextual AI, where it's able to map data points that it's collecting, to be able to identify against both known and unknown malware and attacks.
Rahul Mahna:Wow. So let me take a breath here and try to bridge this. So we start at the bios, which is what your computer runs off of, and there's ways to secure that. You have an operating system, which we all list. For example, say we're running Windows, you can get patch management and you can get updates from Windows to secure your operating system. Then you can put on top of it a type of antivirus, where traditionally antiviruses would download updates, download the signatures. But now you're talking about an AI tool, which is an advanced form that will see different patterns and be able to adjust on the fly to different techniques for hacking. And then connectivity, Wi-Fi, where you're saying, "Hey, you don't have to be on the same Wi-Fi as your kids that are on gaming sites from China and there might be a threat that might breach its way to your work computer. You should maybe segment your Wi-Fi and offer a different type of security for your business activity."
Those make a lot of sense to me. What about, as you said again, back to securing the employee and the way we think about it, what about as people are going to start shifting? As you said, your office is your computer. It might be at home. Maybe it'll be in a WeWork type of space. How can we think about securing the computer itself, right? Because that computer might be at a family member's house, wherever you go. How do you protect the data that's on that hard disc itself? Is there any thoughts you have on the physical device and the hard drive itself?
Nima Baiati:Yeah, so that's a great point. I mean, at the end of the day, what's valuable is the data. I mean, I've worked at organizations where if an employee lost their computer, the company did not want the computer back. If that device was out of your possession, we don't want it back. It's cheaper and easier for us to write it off as OPEX and give you a new device than it is to take the chance of re-introducing something back into the network. So it does come down to the data. Now, to answer your first part of your question on the physical device, physical attacks are something that we look at on a regular basis, and we work across our chip partners in being able to bring to market new technologies that mitigate against some of those physical attacks.
And then there is also some proprietary things that we do when we look at the physical device itself. For example, when you're looking at a device, does that device have a physical tamper switch, right? If I'm looking to try and do a side channel attack onto your device, or I'm going to leverage some kind of physical means to get permissions onto your device, maybe I'm going to start off with or maybe I need to remove the back panel of that device, right? And a lot of modern devices, we no longer have removable batteries. Everything's kind of contained inside, and so you've got a back panel. So things like a physical switch. So when that back panel is removed, that device should brick itself, right? There's no conceivable reason why a typical user ever needs to remove the back panel of a device, right? It's only going to be really IT.
And so, that's one aspect of physical device protection. The other is, are you putting in place things like, depending on who your user is, a USB port permissions, right? Whether you're locking down USB ports, what type of read- write permissions you're giving on those USB ports. When it comes to data, it's kind of still crazy to me, but it's a challenge in a lot of organizations just doing the fundamental sometimes, right? And those fundamentals are really around encryption, right? Full disk encryption. Making sure that you've got, and you mentioned it, Rahul, right? Making sure that you've got the necessary patches rolled out onto your device. And of course, there's a way to roll out patches. You're not going to go and pull the trigger and roll out patches across a hundred percent of your fleet.
Some organizations I've seen roll out patches 10% of the time, kind of see how it goes, and that's fine, right? But make sure that you have a patch management policy, patch management program in place where you're rolling out patches. Configuration management, right? Again, the basics of, you've got a device, does the user need admin rights on that box? In some cases they do. In some cases if you've got a developer who's are using a device for engineering, they're going to need admin rights. But maybe they only need admin rights some of the time. Or does somebody in marketing need access to a shared drive that R&D is using? Or somebody in R&D, do they need access to a shared drive that HR is using? So making sure that you've got the right types of privilege and access controls in place is also very important.
And then when we extend that out further, and you talked about endpoint protection, it's again looking at it holistically and saying, "Am I able to be able to detect both known malware, but at the same time unknown malware, unknown attacks." And that's really where we start. And the organizations and the customers that I've spoken with, the ones who are really starting to get their hands around that, are leveraging AI to do so, because we all know there's a massive shortage of skilled cyber security workers. The problem statement is huge. And so you've got to supplement that or compliment that with some level of automation.
Rahul Mahna: I think that's really well said. And what we're seeing universally across the board is, how do we protect the computing devices, secure the person in where we go? So you're at the front of a very large organization, developing computing devices. I'm starting to see trends as we are moving ahead, and we all agree that the paradigm is going to shift. So we've all been lugging around five pound laptops that went down to maybe a two pound laptop that you can get. Where do you think, in your opinion, where do we go in terms of devices? Is there going to be a change in devices that we carry? Can we all do it off our phones yet? How long are we going to be lugging these big devices around?
Nima Baiati:I think the reality is for many of us, we can do most of what we need to do on our phone. I mean, I would guess, Rahul, if I asked you, "Would you rather be without your phone or your laptop for a day?" You would probably say, "Well, I'd rather be without my laptop for a day."
Rahul Mahna:Yep, that's correct.
Nima Baiati:You can still survive and get by. You can still write an email, you can still view a PowerPoint file. Now, flip side to that is, if you actually need to do productive and do productivity, a laptop or that larger device is what you need, right? I'm not going to sit and try and create a PowerPoint presentation on my phone using the Microsoft Office app. That sounds mind-numbingly excruciating to me. So I think what we are going to see is the continued trend, and what we see of these more lightweight devices. But again, it's going to vary, right? If you've got engineers who are building code heavy applications, they're going to need something like a workstation, where we have a Lenovo or P series. If you've got somebody who's just building PowerPoint presentations every day and doing outlook emails, they may not need something like that. They can get by with a smaller, thinner device.
And so that's the continued trend that we see. I think we are still going to have this multi-device environment where I'm going to have a device that I'm going to have dedicated for work. I'm going to have my phone. I'm going to have most likely a personal device, a personal laptop, for things that I want to do, and whether it's social media, or some people are gamers or whatever it may be, right? Whatever your flavor is. So I think we are still going to have this need, at least towards the midterm, of phone plus at the least, phone plus a laptop, phone plus a workstation. Because productivity at the end of the day is far easier on a device with a keyboard, where you can see things and manipulate.
Rahul Mahna:I agree. I know that Lenovo is creating these all in one devices, where you're going to have a screen and a computer is tacked onto the back and it makes it very simple. And I know a lot of our clients are asking us, "What can we do?" And my hope is, is a little plug one days. Everywhere I go is a monitor and keyboard, and I could just snap my phone into the back of that monitor and I get my full operating system. So I'm only ever carrying that phone everywhere, and I just kind of snap in where I go. But that's a little plug hopefully you can take to R&D, that'd be great. So I'd like to quickly summarize things and then we'll try to get to a few questions and be respectful. I know we started a few minutes late, so I'll add a few minutes at the end. And again, if anybody has any questions please put them in QA.
But to just quickly summarize our very short talk, it's evolving. There's a lot of security issues that are going to happen in this new paradigm shift. The ripple has been created. It's never going to go back. We all can see that and know that now. How do we protect it from your perspective at the computing level? Think about all the different stages. So think about the bios, and how do you prevent and secure that basic core operating system of the machine? Think about the hard disk in your computers. How do you encrypt and secure the data that's being stored there? Think about the operating system and ensuring that it's patched and it's serviced with all the security, latest updates that there are. Think about the protection, the threat detection, and you should look at new tools, as you mentioned, which are more artificial intelligence based, and how those can help prevent things moving forward.
Finally, think about your connectivity and be thoughtful and mindful about what you're connecting to. Who you're connecting with. If you're connecting to free Wi-Fi's, those are big red flags. Think about that security, and what's connecting to you can have large impacts on not only your computer, your organization and where you connect. So I think those are really great points you made. Very thoughtful on how we can think about them. I'm going to try to grab a couple of quick questions here that I see as some interesting ones. So here's a good one here: What is a key logger, and are passwords easy to crack?
Nima Baiati:So key logger is a malicious application, or can be used in a malicious way, let me put it that way, that basically captures your keystrokes. So if I inject a key logger onto your device, as you're typing I'm capturing everything that you're typing. So I can capture your password, I can capture your username. I can capture really, again, everything that you're typing and clicking on I can capture. If you're sitting there typing a love letter to your boyfriend, I can capture the content of that. So that's what a key logger does. Key loggers can either be physical devices, something that I inject or place physically into the USB, or in most cases they can be an application that I drop onto your device. Sorry, the second part of the question, Rahul, was?
Rahul Mahna:No, I think it's one and the same. They want to know what's a key logger. And people use them typically to grab your passwords, is what I'm hearing you say. And then they use that for nefarious reasons. Another interesting one, and I'm just picking quirky ones here for you. Can my company know that I'm working on my computer if I'm on the VPN?
Nima Baiati:Yes. Yeah. Most organizations can, at least for performance metrics. Well, for one they'll be able to see logging, right? So they can see that you've logged into the corporate network. So they'll know that you logged into the corporate network at 7:00 AM, and then you logged off the VPN at 10:00 PM. The reality is in most situations, you don't need to be on a VPN in order to do what most of us need to do. You get into a privacy discussion as well, right? Because different states, different countries have different regulations and requirements around privacy. So maybe they can at the baseline, see, "Hey, somebody from this address logged in, and that address matches this corporate asset." But anything beyond that, you get into a pretty deep privacy and regulation discussion.
Rahul Mahna:Sure. But in general, they know. I guess VPN you're connecting to a firewall, so they have some type of tracking that they know what's going on. I think that's-
Nima Baiati:Yeah. Yeah, they've got logging. Yeah, they'll know somebody logged in from X, Y, Z IP address and that IP address matches this device.
Rahul Mahna:Something else. One other interesting question is, Windows Defender, is that the same as an artificial intelligence endpoint security?
Nima Baiati:Sure, which is now called ATP, or has advanced threat protection, has AI aspects built into it, yes. AI is an interesting topic or an interesting item in security because there are different flavors of AI. And so my guidance and recommendation is, really understand what use case you're trying to solve instead of chasing the shiny objects. And really from what I've seen work effectively in organizations from a security standpoint, is contextual AI. So AI is kind of like that term organic, right? There isn't really any governing body that says what is organic and what's not. Same thing with AI, right? AI can be something as simple as a basic statistical regression model running on the backend, and could be all the way to something as complex as taking a whole bunch of data points that to the naked eye don't mean anything, and then stringing those together to create a story. I would look at, personally, from my standpoint; I'd go towards leveraging the contextual piece, right? Find a solution that has contextual behavioral based AI.
Rahul Mahna:That makes a lot of sense as well. So I think we're at the end of our time. Unfortunately, I don't want to hold this any longer for as many of you who have given us that 30 minutes. This was meant to be a high-level conversation. If you have any thoughts or questions, again, please put them in the QA. If I haven't answered them, we will be sure to answer you directly. Nima, thanks so much for this opportunity.
Nima Baiati:Thank you.
Rahul Mahna:We hope you enjoyed this and hope you come back and share with us some new things in the future. And with that, Lexie, I'll give you the baton b