Designing a company network to be secure isn’t that difficult: A firewall here; a DMZ there; some next-generation technologies liberally sprinkled around; and a set of policies to ensure that systems are built securely and operated securely. At which point, you kick back in your chair, and bask in the sea of green that are your security dashboards. Sorry, you’re not allowed to have it that easy, so here’s a pandemic for you to deal with; and by the way, all your staff will now be working from home for the foreseeable future.
If your company issues all its staff with devices allowing them to work remotely, then you can likely stop reading here: wherever in the world they are, the device is still under your management, so it stays patched and protected against malware. What if your company relies on staff or third parties using their own systems to connect to your network, however? Now you have a problem: those systems are now your perimeter, and if one of them is the Windows 7 laptop of Bob from Accounting, you could be rolling out the red carpet to cyber criminals.
Let’s be clear, this isn’t a new risk that has popped up. If you allow users to connect to your systems using their own computers, then you should have a risk in your register covering compromised remote endpoints being used to infiltrate company systems. What has changed is the likelihood of this risk as we’ve gone from some staff working remotely some of the time, to everyone working remotely all of the time. The bad guys have seen this too and are working hard to exploit it.
What are we dealing with?
Infosecurity Magazine report that Covid-19 has driven up phishing emails by 667% in less than a month, and personal email accounts are also being targeted, with The Register reporting that Google is blocking 100 million phishing emails per day. The pandemic and mass remote working have opened up a new avenue of attack: compromise the user's home PC, which sits outside the remit of the company and its corporate-grade security tools.
There are two main threats to the company's systems and data. The first is that the attacker uses the compromised home PC as a stepping stone: once the user connects to the company VPN, the attacker rides that connection into the internal network and goes after privileged access, for example by exploiting an unpatched Remote Desktop service with a vulnerability such as BlueKeep (CVE-2019-0708) or DejaBlue (CVE-2019-1181 and CVE-2019-1182). The second is that they never leave the user's computer at all: key loggers and screen recorders installed on the home PC capture credentials and company data as the user accesses them, on a device the company's security tooling cannot see.
If your company provides education and awareness around phishing emails and dangerous websites to staff when they are at work, do they know to apply the same level of caution to their internet activity at home? Do they understand that even if their own computer is up to date, they could still be compromised if another device on the same home network is insecure?
Furthermore, criminals are targeting insecure and unpatched devices on users' home networks, be they routers, Smart TVs or IoT devices (because that Internet-connected fridge was such a great idea!). A lack of security-by-design, a lack of updates (or auto-updates) and a lack of awareness among users mean these devices provide a way for attackers to get onto a home network without any user action or knowledge.
What’s the solution?
This is where you're likely to find yourself between a rock and a hard place. The best solution would be to give the user a company-issued device that is locked down and auto-updated, but this runs into issues of cost and potentially disrupted supply chains (although there is evidence that this is starting to ease). If you can do this, do it!
The other option is to look at using host policy compliance (posture checking) tools, if they are part of your company VPN solution, to mandate that the user's computer meets a minimum level of compliance before it is allowed to connect to the company VPN. As a minimum, this could require that the operating system is a supported version of Windows 8.1, Windows 10, macOS or Linux, and that anti-malware software is installed and active.
While this would work on a technical basis, you now run into a litany of potential HR issues, including:
- Does the company have a right to tell staff how they can use their home computers?
- Who’s responsible for bringing the computer into compliance if it is not configured correctly?
- If bringing the computer into compliance, who is responsible for the cost?
- If the company is telling staff how they should be using their computer, should they be paid for it?
In this case, consider turning on host policy compliance in a logging (report-only) mode first, so you understand the scale of non-compliance before taking further action. If the problem is small enough, some one-to-one conversations, and perhaps some helpdesk support, will get those users back into compliance. Where the problem is more widespread, a risk-based decision should be made on how to proceed. Finally, consider providing awareness materials targeted at your staff to help them understand why home security matters and what they need to do.
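To make the minimum baseline and the logging-versus-enforcing rollout concrete, here is an added illustration. It is not code from the original post and not any VPN vendor's host-checker API; it is a toy gateway-side policy evaluator that takes a posture self-report from the connecting endpoint, lists every baseline violation, and either records them (log mode) or denies the connection (enforce mode). The thresholds (Windows NT 6.3, i.e. Windows 8.1, as the floor; kernel 4.x for Linux; seven-day signature age) and the sample reports are assumptions chosen for the example.

```python
"""
Toy VPN host-posture policy evaluator (illustration only; not any vendor's
host-checker API). A gateway-side check receives a self-report from the
connecting endpoint and decides whether it meets the minimum baseline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed baseline: minimum OS versions per family (Windows 8.1 is NT 6.3,
# Windows 10 is NT 10.0; Windows 7 is NT 6.1 and fails). Adjust to taste.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "windows": (6, 3),
    "macos": (10, 14),
    "linux": (4, 0),   # assumption: kernel 4.x or newer
}
MAX_SIGNATURE_AGE_DAYS = 7   # assumption: definitions older than a week fail


@dataclass
class HostReport:
    user: str
    os_family: str
    os_version: str               # dotted string as reported, e.g. "6.1"
    av_installed: bool
    av_running: bool
    av_signature_age_days: Optional[int] = None   # None = unknown


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'10.0.19041' -> (10, 0, 19041); anything unparsable -> None."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def evaluate(report: HostReport) -> List[str]:
    """Return the list of baseline violations (empty means compliant).
    Missing or unreadable data is treated as a failure, never as a pass."""
    failures: List[str] = []
    family = report.os_family.lower()
    minimum = MIN_OS_VERSION.get(family)
    if minimum is None:
        failures.append(f"unsupported OS family '{report.os_family}'")
    else:
        version = parse_version(report.os_version)
        if version is None:
            failures.append(f"unreadable OS version '{report.os_version}'")
        elif version < minimum:
            failures.append(
                f"{family} {report.os_version} below minimum "
                + ".".join(map(str, minimum))
            )
    if not report.av_installed:
        failures.append("no anti-malware installed")
    elif not report.av_running:
        failures.append("anti-malware installed but not running")
    else:
        age = report.av_signature_age_days
        if age is None or age > MAX_SIGNATURE_AGE_DAYS:
            failures.append("anti-malware signatures stale or unknown")
    return failures


def decide(report: HostReport, mode: str) -> Dict[str, object]:
    """mode='log' records violations but admits everyone; mode='enforce'
    denies any host with a violation."""
    if mode not in ("log", "enforce"):
        raise ValueError("mode must be 'log' or 'enforce'")
    failures = evaluate(report)
    allow = (mode == "log") or not failures
    return {"user": report.user, "allow": allow, "failures": failures}


def summarize(reports: List[HostReport], mode: str) -> Dict[str, int]:
    """Counts a team can act on before switching from log to enforce."""
    decisions = [decide(r, mode) for r in reports]
    return {
        "total": len(decisions),
        "non_compliant": sum(1 for d in decisions if d["failures"]),
        "denied": sum(1 for d in decisions if not d["allow"]),
    }


# Constructed sample reports (not real data).
SAMPLE_REPORTS = [
    HostReport("bob", "Windows", "6.1", True, False, 45),       # Win7, AV off
    HostReport("alice", "Windows", "10.0.19041", True, True, 1),
    HostReport("carol", "macOS", "10.15.4", True, True, None),  # age unknown
    HostReport("dave", "Linux", "5.4.0", True, True, 2),
    HostReport("eve", "Windows", "unknown", False, False, None),
]

if __name__ == "__main__":
    for mode in ("log", "enforce"):
        print(mode, summarize(SAMPLE_REPORTS, mode))
        for r in SAMPLE_REPORTS:
            d = decide(r, mode)
            if d["failures"]:
                print(f"  {d['user']}: allow={d['allow']} {d['failures']}")
```

Run in log mode first: every host is admitted, but the summary tells you three of the five sample endpoints fail the baseline and exactly why, which is the number you need for the risk-based decision. Flipping the mode to enforce changes only the decision, not the evaluation, so the same policy and the same data carry through to the hard cut-over. Note that unknown or unreadable values (Eve's OS version, Carol's signature age) are deliberately counted as failures: a posture check that treats "could not determine" as a pass is trivially bypassed by a client that simply reports nothing.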