When Your Home Is Your Office: Personal Networks and Devices Increase Attack Surface
The current COVID-19 situation and latest lockdowns have forced many organizations to adapt to keep business and operations running, especially with large numbers of personnel teleworking outside of the corporate network. We published an article in April on vulnerabilities and best practices related to videoconferencing, but there are new risks out there to be aware of, especially now that so many of us are relying on home networks and devices with their riskier information security profiles.
Opportunistic threat actors are using this shift to launch both targeted and widespread attacks, because privately owned resources are often not secured the way they would be inside an organization's managed infrastructure. With most organizations teleworking, maintaining business continuity often takes priority over proper security measures.
Non-corporate resources such as home networks, home computers and unplanned, unsecured remote work solutions have given threat actors a new attack surface: a broader and easier-to-compromise scope for targeted attacks against the most valuable target, access to corporate and sensitive data.
A new and critical vulnerability leads to a new attack surface
While some organizations provide corporate, secured and managed resources to their employees, others do not. As a result, threat actors have the perfect scenario for gaining access to corporate resources, which, when reached from outside the organizational network, are unprotected, unmanaged and unsecured.
As a practical example, one of the attack vectors that emerged during 2019 involved the Remote Desktop Protocol (RDP). Critical vulnerabilities affecting the protocol and some of its client-side products, combined with home users' lack of regular patching cycles for home devices, allowed threat actors to exploit unpatched, unprotected home systems.
Many organizations had not prepared for this eventuality. The measures needed to keep business and operations running were either more extensive than planned or adopted in a rush, without all the controls necessary for adequate information security.
The weak security controls on our home systems also encourage threat actors to target personal email addresses rather than professional ones. They leverage easily compromised home devices to go after personal profiles, using the same TTPs (tactics, techniques and procedures) they use against professional profiles, but in this case against additional vulnerabilities and with far fewer security controls than in a corporate environment.
Security controls such as 2FA (or MFA, multi-factor authentication) are now available for the services and platforms we use in both our personal and professional lives, including Gmail, Outlook Live and others. However, 2FA is not enough. It does not address the main concern: a current and ongoing global security vulnerability that is not technical in nature, and whose global implications and consequences for all of us are even more negative than those of the most critical flaw we have ever seen.
As we normally distinguish between work life and personal life, we should also do the same with what we use for each of them and be aware of their limitations in terms of information security constraints.
If bad actors are able to get into corporate networks and infrastructure that have layered perimeter security in place (firewall, IPS, IDS, endpoint security, permissions, etc.), they can even more readily exploit this new and broader attack scope, targeting systems and networks that run with simple default settings and a home antivirus engine. We can expect home and personal targets such as personal email addresses, home networks and home computers to be a major part of this new and forced attack surface.
What you can do
Some recommendations to be protected against this worldwide security issue include:
- Enable 2FA on the platforms you use in your personal life. This does not depend on budget and is publicly available.
- Meet at least the minimum security requirements for password complexity and expiration.
- Take security awareness training and apply it to your personal life, taking the same precautions at home as at work when opening an attachment or accessing a website.
- Apply OS updates and antivirus signature updates to your home devices as you would at work, because now your office is your home.
- Ask your organization to provide managed, secured corporate devices for teleworking where possible.
- Report any suspicious behavior or activity you notice, whether on your home or your corporate device, to your Service Desk as soon as possible, so that appropriate and timely mitigation and containment actions can be taken in case of a possible targeted attack against you or your organization.
- Lean on your organization's IT department for any doubts or questions you might have, so that you can act responsibly. Better safe than sorry.