Hackers often lurk inside networks for weeks or months. During this time they gather a lot of information about how the network works, what it looks like and even how it is secured. With people working from home, often on poorly maintained — scratch that — unmaintained networks, that job just became a lot easier. For the hackers. This is especially true if companies allow personally owned devices (including phones).
What is happening?
With work from home becoming the norm, hackers are using the poorly secured – or more accurately – not secured home networks as a launching pad. Compromise one computer on the home network (not picking on anyone), say a student who is doing hybrid learning, and that device can now try to infect the parents’ devices. Or start with one parent’s device and pivot to another device. You get the idea. Once the hacker finds a beachhead on any device in the home, the hacker can use that to attack other devices.
Why is this possible?
Think about the typical hardware in an employee’s home –
- Consumer grade
- Often never patched
- Lacking encryption
- Lacking high end security features of corporate devices
- No logging (think about your compliance requirement to figure out how you got hacked after a breach – good luck with that)
- No security operations center at home
You get the idea.
But we use company owned devices!
Okay, let’s say you do.
Does that mean there are zero personally owned devices on the network? Not likely. No Siri? Or Google Assistant? Or Alexa?
Let’s assume those personal devices are like most and are poorly patched. Now they are infected. Smart hackers lie in wait.
Microsoft (or anyone else) releases patches. Hackers reverse engineer them. You deploy patches. Whew!
Well, maybe. The hackers can reverse engineer the patches in 12 hours to at most 3 days. How quickly do you patch? GAME OVER, HACKERS WIN!
What about unrelated housemates or shared Internet connections?
That makes the problem worse. Now you have even more endpoints and even more ways to cross-infect systems.
But I use a VPN!
Okay, that MIGHT BE good. Do you force **ALL** Internet traffic across the VPN all the time? Do you allow the employee to use his or her computer to access the Internet without being connected to the VPN?
If the answer to the first question is no or the answer to the second question is yes, then the VPN gives you some limited protection. But that’s all.
There are some things you can do, but they are likely politically difficult.
If you DO NOT ALLOW employees to use personally owned devices, or you only allow an employee to use a local device to connect to a virtual desktop that you control, then that probably, maybe, improves security.
If you force ROBUST two-factor authentication ALL OF THE TIME AND EVERYWHERE, and you TRAIN your employees, REPEATEDLY, on what a two-factor attack looks like, that likely improves security.
But, it is not easy and you will expend some political capital getting your employees to do what you want them to do.
It is just not easy.
Credit: The Hacker News