Work From Home is now the new normal, and it has to weigh more heavily than before in the cybersecurity threat landscape and in security assessments.
Most companies were forced to stand up the supporting IT infrastructure as an immediate requirement, without going through the regular risk assessment that would normally be required before enabling their workers to Work From Home.
Internet of Things (IoT)
Any device is vulnerable to attack, and with the Internet of Things (IoT) the scale is overwhelming for security practitioners and has never been easier for adversaries.
Attacks leveraging IoT devices are growing exponentially: according to SonicWall, 32.7 million IoT attacks were detected during 2018.
IoT devices are prevalent in our homes, and their number keeps growing, often without our knowledge or awareness.
Almost every home has an internet router installed by the Internet Service Provider (ISP). In most cases it is installed and managed by the ISP, without the homeowner having knowledge of it or access to it. Commonly the provider uses the same admin password across all of its installations and ships old default firmware that is never updated or upgraded unless the ISP replaces the device after a hardware failure.
In 2017, IOActive found 7,000 vulnerable Linksys routers in use, and it was also reported that up to 100,000 additional routers could be exposed to the same vulnerabilities.
Most homes are now also adding cameras and other home automation such as light and power-plug control. The majority of these are connected to the cloud, and therefore to the public Internet.
In 2014, ESET reported 73,000 unprotected security cameras still using a default password.
New entertainment devices like TVs and speakers now have Internet services built in, such as YouTube, Netflix, Spotify, and TuneIn. All of them need to be connected to the Internet.
The list goes on: refrigerators, microwaves, coffee makers, washing machines. Anything with "smart" in front of its name is a device connected to the Internet.
Even our wall clock is connected to the Internet.
Use Your Own Device (UYOD)
Typically, when users are in the office, you have full security both in the infrastructure and on the endpoint.
The office network usually has layered security: different firewalls and segregated network segments. Some even have network admission control and network behavior intelligence.
All computers used by the users have full endpoint protection, including Endpoint Detection and Response (EDR). The IT team also makes sure that the OS version and the installed applications are the ones allowed and supported. The IT team can monitor the security posture of all the computers and enforce company policy to patch vulnerabilities.
Detection, prevention, and immediate response are also active in the network infrastructure inside the company.
When the IT team is hunting for, or enforcing a block rule based on, Indicators of Compromise (IoCs), it can easily search and correlate logs from firewalls, servers, and endpoints, because everything is inside the company's premises.
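As an added example of the search-and-correlate step described above (this is not code from the original post), the Python below matches an IoC list against firewall, DNS and EDR log lines and then groups the hits per internal host, so that a single endpoint touching an IoC in three different log sources stands out. It goes slightly beyond the text by handling three indicator types at once (IP, domain, file hash). The log formats, the IoC values (RFC 5737 test addresses, .invalid domains, a placeholder hash) and the hostnames are all constructed for illustration and are assumptions, not real data.

```python
"""Search firewall, DNS and endpoint log lines for indicators of compromise
(IoCs) and correlate the hits per internal host.

Added example, not code from the original article. Log formats, IoC values
and hostnames below are constructed (RFC 5737 test ranges, .invalid domains,
a placeholder hash); substitute your own log export and threat-feed data.
"""
import re
from collections import defaultdict

# Constructed IoC set, shaped like what an analyst receives from a threat feed.
IOCS = {
    "ip": {"203.0.113.10", "198.51.100.23"},
    "domain": {"updates.badcdn.invalid", "login-portal.invalid"},
    "sha256": {"deadbeef" * 8},  # placeholder hash, not a real sample
}

# Constructed log lines from three sources: firewall (fw), DNS resolver, EDR agent.
SAMPLE_LOGS = [
    "2020-04-01T09:12:03Z fw src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "2020-04-01T09:12:04Z dns client=10.0.0.5 query=updates.badcdn.invalid type=A",
    "2020-04-01T09:12:10Z edr host=LAPTOP-07 ip=10.0.0.5 proc=svchost.exe sha256=" + "deadbeef" * 8,
    "2020-04-01T09:15:00Z fw src=10.0.0.9 dst=93.184.216.34 dport=443 action=allow",
    "2020-04-01T09:16:41Z dns client=10.0.0.12 query=login-portal.invalid type=A",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# The field that names the internal endpoint differs per source (assumed formats).
INTERNAL_HOST_RE = re.compile(r"\b(?:src|client|ip)=(\d{1,3}(?:\.\d{1,3}){3})")


def extract_indicators(line):
    """Return the set of (type, value) indicator candidates found in one log line."""
    found = set()
    for ip in IPV4_RE.findall(line):
        found.add(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain", dom.lower()))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest.lower()))
    return found


def find_ioc_hits(lines, iocs):
    """Match every line against the IoC set and return one hit dict per match."""
    hits = []
    for line in lines:
        source = line.split()[1]  # second token names the log source (assumed layout)
        for kind, value in extract_indicators(line):
            if value in iocs.get(kind, ()):
                m = INTERNAL_HOST_RE.search(line)
                hits.append({
                    "source": source,
                    "type": kind,
                    "value": value,
                    "host": m.group(1) if m else None,
                    "line": line,
                })
    return hits


def correlate_by_host(hits):
    """Group hits by internal host so endpoints seen in several sources stand out."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append((hit["source"], hit["type"], hit["value"]))
    return dict(by_host)


if __name__ == "__main__":
    for host, matches in correlate_by_host(find_ioc_hits(SAMPLE_LOGS, IOCS)).items():
        sources = sorted({src for src, _, _ in matches})
        print(f"{host}: {len(matches)} IoC hit(s) across {sources}")
        for src, kind, value in matches:
            print(f"  [{src}] {kind} {value}")
```

In the constructed data, host 10.0.0.5 is the one worth an immediate response: it hits an IoC in the firewall, DNS and EDR logs within a few seconds. The join is only possible because all three log sources exist and share a common host key; once the endpoint sits behind a home router, the firewall and DNS columns simply disappear and the EDR hit has nothing to be correlated against.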
IoT devices inside the office are also actively blocked, and proper security isolation and controls are deployed wherever they do need to connect to the Internet.
When you extend access to the home and don't have the right strategy, starting with a policy that restricts which computers users may use (as I presume is the case for many companies), this becomes the new IT security challenge.
Home network infrastructure is impossible for the company to secure, as explained above, because of the many unaccounted-for and uncontrolled IoT devices at home.
Once you allow users to use their own (any) device, the risk compounds, as neither the infrastructure nor the endpoint is secured.
Home users are more vulnerable to all types of malware, spyware, and ransomware because the underlying infrastructure and endpoint security that defends the office network and the corporate endpoint is simply not present at home.
In the office, users are usually not allowed to browse to malicious websites, and in some companies access to personal email and other file-sharing services is blocked as well.
At home, everything is open. A phishing email in a personal mailbox is just a click away. Command-and-control connections leave the home network without any detection. Data exfiltration and keylogging are now also the new normal for adversaries.
Solutions and Recommendations
You have to go back to basics and recognize that your end users are your weakest link.
Advise your end users: don't reuse the same password for personal and corporate accounts, and watch out for phishing emails, not only in corporate mailboxes but most notably in personal ones.
Also provide 24/7 contact information that end users can call or message if they have questions or need to report a security incident.
You need to invest heavily in security awareness, educating end users and communicating what their responsibilities are when they connect to corporate resources such as email, VDI, and other SaaS applications from their own devices and from home.
Technologically, you can keep adding layers of security, such as extending Network Admission Control to home connections and allowing only company-supplied or authorized (known-good) endpoints to connect.
Two-factor authentication must be enforced on all logins.
Use only a VPN or other secured connections.
Ideally, create a policy that requires, and only allows, company-issued devices.
Where Use Your Own Device (UYOD) is allowed, ensure that EDR is installed on every endpoint connecting to the corporate network. If you can add vulnerability and patch management for those endpoints, it will help.
Update your future risk assessments and their coverage to include home users.
Update your disaster recovery and business continuity plans to include home users.
Update your cybersecurity liability insurance to include incidents involving home users.