Many information security threats stem from vulnerabilities presented by outdated workstations, network devices, and mobile devices such as tablets and smartphones.
These objects are embedded with software, electronics, and sensors, enabling these devices to transmit, store, and exchange information over the internet and enterprise networks.
However, vendor support for these devices is limited: vendors constantly release upgraded models and drop support for older ones, release security patches slowly, lag on antivirus software updates, and fail to provide consistent application updates for systems and IoT devices.
Any weakness, such as the Central Processing Unit (CPU) flaws Meltdown and Spectre, allows malicious and determined attackers access to protected information stored in system kernel memory, resulting in the disclosure of sensitive information such as passwords, cryptographic keys, enterprise proprietary information, and sensitive email.
Increase of mobile workforce
The number of remote workers has increased exponentially due to COVID-19 safety measures taken by the federal government, state, territorial, and local governments, and corporations. Additionally, most of the workforce uses their home network to access organizational network infrastructure resources through a virtual private network (VPN). Using any unpatched organization-issued system, personal mobile device, or home computer may introduce vulnerabilities that attackers such as nation-state actors, lone wolves, or organized cybercriminals can exploit.
End-user and gateway vulnerabilities are the key catalysts for BYOD and remote-access vulnerabilities. The fundamental problem with VPNs is the trusted tunnel between the remote employee and the corporate network, which can be exploited through malware, ransomware, and remote access trojans (RATs). Additionally, VPN gateways are exposed to the entire internet and require continuous monitoring and timely security patching.
Poor Patching Practices and the Travelex Incident
Poor patching practices by organizations can also lead to vulnerabilities that are exploited. In December 2019, the UK-based organization Travelex paid a $2.3 million ransom to restore operations. However, the attack cost a further $30 million in operational impact due to inadequate patching of its VPN gateway.
There are many security and privacy issues to consider when using outdated devices that vendors no longer support.
If you cannot update the operating system for your personal computer or mobile device, it is time to buy a new one or get a company-issued device with adequate security controls.
However, the financial impact, regulatory violations, and damage to the organization's reputation could be severe. Hence, solid vulnerability management and risk mitigation strategies, including robust security awareness training and continuous patching, should be the de facto standard for securing the enterprise network and client systems.
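As an added example (not from the article), a small Python triage over a constructed asset inventory that applies the points above: it flags devices whose vendor support has ended, devices patched later than an assumed policy window (tighter for internet-facing VPN gateways), and unmanaged BYOD or home devices, then ranks them for the patch queue. The platform names, support dates, inventory, and the 30-day and 7-day windows are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed support table (not real vendor data): platform -> vendor end-of-support date.
END_OF_SUPPORT = {
    "laptop-os 11": date(2027, 12, 31),
    "phone-os 14": date(2024, 1, 15),
    "gateway-fw 6.2": date(2022, 3, 1),
}
MAX_PATCH_AGE = timedelta(days=30)         # assumed policy for endpoints
MAX_GATEWAY_PATCH_AGE = timedelta(days=7)  # assumed policy for internet-facing gateways

@dataclass
class Asset:
    name: str
    platform: str
    last_patched: date
    internet_facing: bool = False
    managed: bool = True  # False for BYOD phones and home computers

def assess(asset, today):
    """Return (severity, reason) findings for one asset."""
    findings = []
    eos = END_OF_SUPPORT.get(asset.platform)
    if eos is None:
        findings.append(("high", "platform not in support table; vendor status unknown"))
    elif eos <= today:
        findings.append(("critical", f"vendor support ended {eos}; replace or isolate"))
    limit = MAX_GATEWAY_PATCH_AGE if asset.internet_facing else MAX_PATCH_AGE
    age = today - asset.last_patched
    if age > limit:
        severity = "critical" if asset.internet_facing else "high"
        findings.append((severity, f"last patched {age.days} days ago; limit {limit.days}"))
    if not asset.managed and findings:
        findings.append(("high", "unmanaged device with open findings; restrict VPN access"))
    return findings

def triage(assets, today):
    """Rank assets so the patch queue starts with the riskiest (critical before high)."""
    rank = {"critical": 0, "high": 1}
    report = [(a.name, assess(a, today)) for a in assets]
    return sorted(report, key=lambda r: min((rank[s] for s, _ in r[1]), default=len(rank)))

# Constructed inventory snapshot used for the demonstration.
TODAY = date(2024, 5, 1)
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "gateway-fw 6.2", date(2024, 3, 1), internet_facing=True),
    Asset("laptop-042", "laptop-os 11", date(2024, 4, 20)),
    Asset("byod-phone-7", "phone-os 14", date(2023, 12, 1), managed=False),
]
```

Running `triage(SAMPLE_ASSETS, TODAY)` puts the unpatched, out-of-support VPN gateway first and the current laptop last.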
Dr. Daniel Harrison
Dr. Harrison holds a Doctor of Computer Science in Information Assurance and serves as a Chief Information Security Officer (CISO), Chief Privacy Officer, and Executive Board Advisor. Dr. Harrison is a US Army combat veteran with expertise in local government, industrial control systems, laboratory information systems, DoD information systems, and enterprise network security.
Dr. Harrison is a solution-oriented, transformational CISO with expertise across all information security facets. A cybersecurity expert with top US security clearances and a record of exemplary service building and leading multiple cybersecurity task forces across various US military branches, local government, and highly regulated industries. A change agent and servant leader who drives needed organizational transformations and turnarounds that optimize the security of mission-critical data, systems, and people and inspire individuals and teams to learn more, achieve more, and serve as a vessel for service excellence to others and the organization.