A year ago, we would step into the office each morning, swipe our badge at reception. We'd pass the security cameras, and sit down at our desks beside our colleagues. The safety-savvy IT department -- home to complex security technologies, bottomless coffee cups and handy tips -- was mere steps away. Today, we skip the commute and the morning chit chat and fire up our computers from our kitchens or living rooms. In so doing, we up-end years of well-honed corporate security practices. And we face the trickery of phishing and ruthlessness of ransomware while still battling the fog of sleep.
Even worse, our home networks are generally less equipped to meet the demands of constant connection to the office, with its flow of proprietary information, customer secrets and sensitive data. The protection we rely on at home comes in the form of antivirus and maybe a VPN. These security tools, though, are added on top of a network typically consisting of a mix of old and new hardware jumbled together. Home infrastructure staggered last year under the sudden load increase as government-imposed lockdowns prompted a surge in network traffic, with peaks in April and November. On top of the new demands of working from home, people started spending more of their free time online too.
After a tumultuous 2020 and the chaos unleashed by COVID-19, enterprises in 2021 are now starting to realize that they must close the considerable cybersecurity gaps of living room-based hardware. Some fixes, though, are only possible in the long term, such as improved industry-wide regulation. Some quicker fixes do exist. For example, ISPs are discovering they could implement security solutions directly in customers' routers. Even that, though, won’t address the problem overnight.
Unpatched Home Routers
A quest for a solution must start by examining the most serious problems. In 2020, home router security has got even worse than people imagined. Most of the routers are either powered by Linux or had no updates in the previous year, and many are afflicted by hundreds of vulnerabilities. Such routers are common in people's homes.
And now they have to protect employees when they connect to the company’s infrastructure from home. The same network also hosts other home devices, such as other laptops and PCs, smartphones, consoles, smart TVs and security cameras.
Misconfiguration Is a Hacker’s Best Friend
A work-computer may be more secure than a personal one, but it still resides in a dangerous neighbourhood. Attackers often use lateral movement inside a network to pivot to other devices after compromising more exposed hardware.
As if the security problems in people's homes weren't enough, misconfigurations at the company level present another rash of threats. In many situations, an enterprise security policy is confusing and scattered. Thus, allowing unsecure remote desktop sessions (RDP) or permitting users to run macros, one of the hackers' main tools.
Malicious actors gain entry through endpoint misconfigurations. Issues related to accounts, password storage and password management are among the most common problems; but internet settings come a close second.
The most significant issue employees face is phishing. People working in their pyjamas might not be as acutely aware of the threats lurking in their email client. When the pandemic hit, malicious campaigns proliferated, particularly phishing and business email compromise attacks. More worrisome, most employees, are not sure what a phishing attack is.
Even Garage Doors Can Present a Risk
Many of these issues don't require massive cybersecurity investments. Organizations could solve them with employee training, helping them spot phishing emails and teaching about the perils of a modern smart home. The most common vulnerability, by far, is a denial of service, which attackers use to disrupt a particular service or functionality. Buffer overflow vulnerabilities are also common, affecting a quarter of monitored IoT devices, along with memory corruption and privilege escalation.
Since most homes are now full of these smart devices, they harbour various vulnerabilities. The only way to find, and possibly mitigate them is via endpoint risk analytics and a powerful security solution to lord over the home network. There’s no silver bullet. But using the right tools in the right place can help restore security to the level of the old days of subway rides, badge swipes and morning chit chat at the office.
To do even better than that, companies must remember, even in this era of social distancing and face masks, that people are their main asset. Employees that are competently educated on security matters are the closest to bullet-proof that a company can come. Even if those employees work in their pyjamas.