security

state of cybersecurity in 2021

covid-19 changed the world and risks are evaluated differently: the top trio of most critical scenarios for companies are business interruption, pandemic outbreak (again or further) and, once more a top concern, cyber incidents

source: https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html

every 39 seconds a cyber attack happens, on average 2,244 times a day – you should be aware of this, and please don’t use common user accounts and passwords

source: https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds

protect private devices, utilize BYOD and enable your workforce, take care with data loss prevention against insiders as well as external attackers

source: https://pages.bitglass.com/cd-fy20q3-bringyourowndevice_lp.html?_ga=2.235220038.618124391.1595289181-1524125646.1582567517?&utm_source=blog&hsCtaTracking=cd233e49-f2ba-4af6-82ba-924b704c2fe9%7C4f956294-2451-4a11-bee2-609ab19d370c

NCSC warns of VPN vulnerabilities – get up to date and prepare for future demands, 60% of companies will eliminate VPN in favour of cloud by 2023

source: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities

source: https://www.gartner.com/teamsiteanalytics/servePDF?g=/imagesrv/media-products/pdf/Qi-An-Xin/Qi-An-Xin-1-1OKONUN2.pdf

cloud first – when your users aren’t inside your perimeter, why should the data be? prepare to migrate, as 80% of others will shut down their datacenter by 2025

source: https://blogs.gartner.com/david_cappuccio/2018/07/26/the-data-center-is-dead

new changes, new technologies – support your workforce and prevent credential related attacks with passwordless technologies #ZeroSignOn

source: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

all facts are also shown in the video below (german)

apple, security

iOS VPNonDemand gets “inactive”

recently we noticed the VPN wasn’t working – could it be the disabled connect on demand option? nope – the entire VPN configuration was inactive?!

a bit of history: apple introduced VPN on demand (VPoD) already in iOS 5, and it requires certificate authentication to be set up – at first it was just possible to define single domains, over the years it advanced to ignore, evaluate or disconnect for certain domains – along with iOS 7 apple introduced per-app VPN to connect specific apps – since iOS 13 it is even possible to tunnel just mail/calendar/contacts domains

we noticed that this just happens for VPoD configurations: even if only a single domain overlaps in an OnDemand rule, always the last pushed VPN configuration is the active one

even though all other obsolete profiles are removed, the VPN config stays in its current state, even if it is the last remaining configuration

you either manually enable the desired config or re-push the config via MDM to enable it remotely
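since an overlapping On Demand domain is what switches the active configuration, it helps to audit profiles for such overlaps before pushing them. the following is an added example, not code from the original post: it builds two constructed .mobileconfig payloads with the standard VPN payload keys (OnDemandRules, DNSDomainMatch, ActionParameters/Domains) and reports domains shared between them; the profile names and domains are made up.

```python
import plistlib

# constructed sample: a minimal configuration profile with one VPN payload
def make_profile(name, evaluate_domains, connect_domains):
    profile = {
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.vpn.managed",
            "UserDefinedName": name,
            "OnDemandEnabled": 1,
            "OnDemandRules": [
                {"Action": "EvaluateConnection",
                 "ActionParameters": [{"Domains": evaluate_domains,
                                       "DomainAction": "ConnectIfNeeded"}]},
                {"Action": "Connect", "DNSDomainMatch": connect_domains},
                {"Action": "Disconnect"},
            ],
        }],
    }
    return plistlib.dumps(profile)  # XML plist bytes, as in a .mobileconfig

def _norm(domain):
    # case-insensitive, and "*.example.com" counts as example.com
    return domain.lower().lstrip("*.")

def ondemand_domains(mobileconfig):
    """Return {vpn name: set of domains referenced by its On Demand rules}."""
    result = {}
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        domains = set()
        for rule in payload.get("OnDemandRules", []):
            domains.update(_norm(d) for d in rule.get("DNSDomainMatch", []))
            for params in rule.get("ActionParameters", []):
                domains.update(_norm(d) for d in params.get("Domains", []))
        result[payload["UserDefinedName"]] = domains
    return result

def find_overlaps(*profiles):
    """Pairs of VPN names whose On Demand domains intersect, plus the shared domains."""
    names = {}
    for p in profiles:
        names.update(ondemand_domains(p))
    items = sorted(names.items())
    return [(a, b, sorted(da & db))
            for i, (a, da) in enumerate(items)
            for b, db in items[i + 1:] if da & db]

if __name__ == "__main__":
    old = make_profile("corp-vpn-old", ["mail.example.com"], ["intranet.example.com"])
    new = make_profile("corp-vpn-new", ["Intranet.example.com"], ["git.example.com"])
    print(find_overlaps(old, new))
```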

technology

secure private cloud

secure your private data as well as enterprises do – accessing a synology nas for private use or small and medium-sized businesses

authentication

enable 2-step verification for admin and other sensitive accounts – read more @multi-factor authentication


dns

add some kind of dynamic dns service to access your changing public ip address, like dyndns, changeip, strato, etc.


certificate

a secure encrypted connection should be mandatory, at least since edward snowden leaked information about “security” agencies

  1. redirect traffic from http to encrypted https – be aware of public wifi, read more about ssl strip @attack vectors
  2. add a publicly trusted certificate to your system, letsencrypt.org provides free certificates – request one via the control panel of your synology


firewall

activate port forwarding for the vpn connection to your nas/vpn server


vpn

to access private data remotely, configure your device’s vpn settings or download an app, enter your external ip address or fully qualified domain name


additionally you can add higher security if you authenticate via a certificate from your device – read more @blog.centurio

profile

create a vpn profile in apple configurator with your account information and connection secret, then send it to your apple devices


we’re done


general, google, technology

android (almost) enterprise

…launched in 2015, renamed in 2017 from android for work, and now it’s time for enterprises to adopt android’s modern device management

google’s approach to manage devices, regardless of vendor, to better integrate android in the enterprise

device admin apis started deprecating some features: emm systems are unable to reset the device passcode on android 7.0 devices, google will deprecate further features in the android “p” release in 2018, and they will stop working with the major android release in 2019

not yet – we tested a lot of android’s features to get a noticeable footprint in the enterprise and realized use cases that bring value for customers, but unfortunately android enterprise can’t replace device admin yet, that’s why…

enrollment – apple’s devices can be centrally ordered, prepared and assigned to an emm system via dep (device enrollment program) – google’s pendant, zero touch enrollment, is currently just available for android 8.1 and pixel devices – samsung has its own knox mobile enrollment (kme), which depends on the installed knox version and is of course just available for samsung devices – a fully managed samsung device via android device owner needs at least knox version 2.8, otherwise you need to prepare all devices locally via qr code or nfc

certificate authentication is a basic requirement for a secure enterprise deployment, with an emm you’re able to enroll client certificates and distribute them via android enterprise to mobile devices – with current emm tools it’s furthermore possible to achieve seamless authentication with kerberos constrained delegation, and continuous synchronisation is provided even when a user changes his password

vpn – it started as a full device tunnel for windows notebooks, beginning with ios it was possible to configure dynamic vpn based on domain rules, even a vpn connection can secure a single app, and with android enterprise it is possible to set up the vpn just for work content – what’s missing? a simple “on demand” could stop an “always on” vpn from draining battery life, or prevent mistakes if someone forgot to “manually” enable it

reliability – an inconsistent experience was noticed – depending on the build version, huawei ignores that a device passcode is already set – lenovo yoga is missing android enterprise enrollment capability – when sending a (private) picture via (secure) mail, after login to the work container the attachment is lost in mail – honor devices completely ignore the passcode policy for the work container – converting phone numbers to links in gmail is just working sometimes @theverge

use cases could be realized with android enterprise, e.g. silent app and unattended certificate installation is possible for non-samsung devices, compared to device admin, but there’s space for improvement…
