A side effect of the Work From Home paradigm shift has been to drastically increase the size of your company’s network perimeter – with the potential for countless new security holes:
“The work-from-home (WFH) paradigm that has become the new normal in the age of coronavirus comes with exacerbated network security risk – as evidenced by a growing number of botnets and automated attacks that are taking advantage of known vulnerabilities in both consumer and corporate IT gear. The situation is forcing IT to adopt new strategies to gain visibility into their network environments.
According to Nate Warfield, senior security program manager at Microsoft, new vulnerabilities found in network and Internet-of-Things (IoT) equipment are being weaponized by cybercriminals within days of disclosure – and sometimes hours. And the attack surface continues to widen tremendously since most office jobs have been reconfigured into telecommuting positions.”
In the past, a lot of IT professionals have had this mindset: “What happens when the user walks out the office door is none of my concern.” That was never true, but it seemed like a harmless enough viewpoint and was certainly an easy way of looking at it. Anyone who has realized the gravity of the above excerpt will have changed their viewpoint by now.
“We’re talking old routers, unpatched routers, possibly hacked routers – but also Samsung Smart TVs and that IoT refrigerator that everybody thought was so cool. Yeah, that’s also on your corporate network now, because it’s connected to your home user’s network and therefore is now a possible proxy back into your corporate network.”
The Internet of Things (IoT) is like a genie. “I wish for my network coffee maker to synchronize with my WiFi toilet, so that the tank is at the most efficient water level for my regular, er – visit – an hour after my last cup.”
The problem: There are evil genies in some bottles. You get what you wish for, but in a way that you later severely regret. Before you know it, you’re spending the next 1000 years stuffed in a lamp with Gilbert Gottfried.
The issue, of course, is that consumer-grade devices and commodity hardware often lack security-by-design: default credentials that consumers don’t know to change, management interfaces exposed to the internet, and firmware vulnerabilities that are rarely, if ever, patched.
Using tools like the Shodan search engine, Warfield pointed out that it’s a trivial matter to uncover vulnerable devices, many of which are using basic HTTP authentication, no SSL encryption and no two-factor authentication.
“All of the IoT and home media devices are all things you can find on Shodan right now, with just a quick search,” he said.
Obviously, your company is not about to start regulating your home devices and network. They can’t, and they won’t. This is where the old prayer comes into play: “Give me the strength to change the things I can, the peace to accept the things I can’t, and the wisdom to know the difference.”
IT professionals in charge of corporate security can’t change the user’s home IoT or network – but they CAN change how the user is allowed to access corporate assets from home, and how the endpoints are monitored. I recommend the following three proactive steps for securing WFH users facing threats in their own homes:
1. Proper Access Control. Simple: Just because a user COULD connect to something from home – should they? If, for example, a user doesn’t need VPN access to the corporate network – don’t give it to them. User access should be set up according to the principle of least privilege.
2. Multifactor Authentication (MFA) on Everything. Wherever possible, access to corporate assets needs to be secured by MFA. Passwords alone are no longer enough to protect sensitive systems – a compromised home router or IoT device sitting on the same LAN can intercept or harvest credentials in ways the user will never notice, and MFA limits what an attacker can do with a stolen password.
3. Managed Detection and Response (MDR). Think about it: for businesses that have sent a lot of their office staff to WFH, all that money spent on office network security equipment may seem moot now. While that isn’t true, it is true that users are now located in networks far less protected than before. The answer to this is MDR:
Managed Detection and Response (MDR) is a managed cyber security service that detects malware and malicious activity in your network and assists in rapid incident response, eliminating those threats with targeted remediation actions. MDR typically combines a technology solution with outsourced security analysts who extend your technologies and team.
Using an MDR solution integrated with endpoint management tools on workstations, corporate security is able to extend a measure of protection to the computer itself in a way not covered by something like antivirus: looking for suspicious behavior or unusual network traffic on the machine – and taking action if any red flags are thrown, such as isolating the machine from the network until the threat has been assessed. I attended a virtual cybersecurity convention last week in which the VP of a major cyberinsurance firm flatly said they aren’t interested in covering any businesses not using MDR going forward – so expect this to grow in importance.
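To make the “unusual network traffic on the machine” idea concrete, here is a small added example (my own illustration, not code from the original post or from any MDR product) that runs two detections over a constructed endpoint connection log: a home-LAN host (the smart TV or fridge from the quote above) probing several ports on the laptop, and a process beaconing to a non-corporate host at a fixed interval. The log format, the corporate destination allowlist (TEST-NET addresses) and the thresholds are all assumptions chosen for the example; a real agent would feed it from a real telemetry source.

```python
"""Toy endpoint detection over a constructed connection log.

Added illustration only: not part of the original post and not any
vendor's MDR logic. Log format, allowlist and thresholds are assumed.
"""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the VPN concentrator / corporate SaaS endpoints are known.
# TEST-NET-3 addresses are used as hypothetical corporate destinations.
CORPORATE_DESTS = {"203.0.113.10", "203.0.113.20"}

# RFC 1918 space: on a WFH laptop this is the user's home LAN, not ours.
HOME_LAN_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Conn:
    ts: int          # seconds (constructed timestamps)
    direction: str   # "in" or "out"
    process: str     # local process that owns the socket
    remote_ip: str
    port: int        # local port for "in", remote port for "out"


def parse(line):
    """Constructed format: '<ts> <in|out> <process> <remote_ip> <port>'."""
    ts, direction, process, ip, port = line.split()
    return Conn(int(ts), direction, process, ip, int(port))


def is_home_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_LAN_NETS)


def detect(lines, probe_ports=3, beacon_min=6, jitter_ratio=0.1):
    """Return a list of (severity, message) findings for the given log lines."""
    conns = [parse(l) for l in lines if l.strip()]
    findings = []

    # Rule 1: a home-LAN device touching several local ports on the laptop.
    probers = defaultdict(set)
    for c in conns:
        if c.direction == "in" and is_home_lan(c.remote_ip):
            probers[c.remote_ip].add(c.port)
    for ip, ports in probers.items():
        if len(ports) >= probe_ports:
            findings.append(("high", f"home LAN host {ip} probed {len(ports)} local ports"))

    # Rule 2: outbound connections to a non-corporate, non-LAN host at a
    # steady interval (low jitter) look like C2 beaconing, not browsing.
    by_key = defaultdict(list)
    for c in conns:
        if (c.direction == "out" and c.remote_ip not in CORPORATE_DESTS
                and not is_home_lan(c.remote_ip)):
            by_key[(c.process, c.remote_ip, c.port)].append(c.ts)
    for (proc, ip, port), times in by_key.items():
        if len(times) < beacon_min:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < jitter_ratio:
            findings.append(("high", f"{proc} beacons to {ip}:{port} every ~{mean:.0f}s"))
    return findings


def response(findings):
    """Map findings to an action: isolate the host on any high-severity hit."""
    if any(sev == "high" for sev, _ in findings):
        return "isolate"   # drop all traffic except the management channel
    return "alert" if findings else "none"


# Constructed sample: normal browsing to corporate SaaS, a smart TV on the
# home LAN sweeping the laptop, and a fake updater beaconing to TEST-NET-2.
SAMPLE_LOG = [
    "1000 out chrome.exe 203.0.113.10 443",
    "1005 out chrome.exe 198.51.100.50 443",
    "1000 out updater.exe 198.51.100.7 8443",
    "1061 out updater.exe 198.51.100.7 8443",
    "1119 out updater.exe 198.51.100.7 8443",
    "1180 out updater.exe 198.51.100.7 8443",
    "1240 out updater.exe 198.51.100.7 8443",
    "1299 out updater.exe 198.51.100.7 8443",
    "1361 out updater.exe 198.51.100.7 8443",
    "1420 out updater.exe 198.51.100.7 8443",
    "1100 in svchost.exe 192.168.1.23 445",
    "1101 in sshd 192.168.1.23 22",
    "1102 in svchost.exe 192.168.1.23 3389",
    "1103 in vncserver 192.168.1.23 5900",
    "1200 in mdns 192.168.1.1 5353",
    "1700 out chrome.exe 198.51.100.50 443",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("action:", response(found))
```

Run as a script it prints both findings and `action: isolate`; the router’s single mDNS hit and the two irregular browser connections are correctly ignored. The point is not the thresholds but the shape of the thing: behaviour-based rules over endpoint telemetry, with an automated containment step, is what an MDR service adds on top of signature antivirus for a machine sitting on an untrusted home network.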