The most recent Pwn2Own (Fall 2021 Pwn2Own Austin) includes more IoT entries than ever. This gives us an opportunity to probe today’s largest and newest enterprise attack surface: the home office.
The hybrid model for employee engagement, working from home most of the time, is no longer an interim model. According to research by Gallup published in May 2021, seven in ten white collar workers are working at home and the number isn’t shifting much. (See Seven in 10 U.S. White-Collar Workers Still Working Remotely, Gallup, for more information.) Employees prefer it, reporting greater job satisfaction – and achieving significantly higher productivity, according to managers. Many organisations plan to continue using remote workers, and those that have mandated return to office have found considerable push-back from employees.
Remote workers rely on home office equipment for their connection to the enterprise. That equipment is exceptionally diverse: no two homes have the same IT and IoT configuration. Our research has shown how vulnerable home networks are to attack. CISOs are now dealing with the radical extensions to the enterprise attack surface this new pattern of work is bringing. Organizations already provide their employees with PCs or smart devices for connectivity; but the context in which these devices run may be quite vulnerable. Many home IoT devices monitor the home environment continuously – smart thermostats, doorbells, TVs, lighting, and assistants (Alexa, Siri, and the like) – and report what they observe back to their corporate owners. Too often these devices have primitive security capabilities, allowing bad actors to take over these devices and coopt them. Recall the problem in 2019 with hackers taking over baby monitors? Simply adopting a longer password, and keeping up to date with software updates, can resolve many of these kinds of attacks. Some home users are willing and able to go it alone, taking care of everything they can as a normal part of running a household. Many do not.
The risk to enterprises is that as the home becomes the principal workplace, those minor annoyances in the home become a vulnerability to the enterprise. If 70 percent of the employees work from home, their cumulative IT overwhelms the physical infrastructure in the corporate data hub. Home users run multiple services concurrently, and the degree of segmentation within home networks is nil. Shadow cloud – cloud services that home users have but did not procure through corporate purchasing – present an attractive path for corporate data exfiltration. Corporate services can become hosts for cryptomining, and phishing attacks can introduce ransomware into the environment. IoT traffic is difficult to analyse for vulnerabilities. Few conventional cybersecurity firms cover both traditional IT and ICS traffic seamlessly. Yet malware can traverse flat networks of mixed technologies easily, evading conventional detection.
What steps can the CISO take to manage this heightened risk profile? Few employees would consent to having their homes constantly scanned for vulnerabilities. But most people want to be secure, so organisations should support that want. The help desk may help tighten up security and provide tools the users can run to keep things secure. Along with conventional awareness and training, organisations can offer classes on running a safe home. Some vendors offer products to improve cyber-resilience; the organisation might offer selected products at a discount to employees as a benefit. In some cases, measures that appear to improve security may do the opposite – such as third-party VPNs that grant unconditional access to all corporate resources. A stronger approach may be to upgrade corporate services to incorporate multi-factor authentication. That way, the employee must positively authenticate themselves prior to accessing a capability like email, for instance. Incidentally, this particular technique would align with a zero-trust strategy.
A more comprehensive approach may be to replace the corporate PC with a virtual machine, or a remote browser, through which the employee accesses corporate resources without ever bringing the information down to the local device at all. One benefit of this approach is if a device is lost, the corporation does not lose data, and restoring the user following a breach or a disaster means simply getting them a new VDI connection. This does nothing for security the home environment; rather, it isolated the device from the home environment – relying only on the network connection. Securing the network connection starts with using a strong (read: long) password and keeping current with security updates as they come along. But this measure tells the employee that their environment is unsafe and cannot be trusted. Better to say their environment can be strengthened.
This year’s Pwn2Own gives us a valuable look at today’s hottest attack surface. Armed with these new revelations, enterprises can take important steps to managing their risk profile. Cybersecurity is a social issue, with wide-ranging consequences. Education and technology, properly deployed, can improve corporate security, and boost employee satisfaction. Why not start today?
Let me know what you think @WilliamMalikTM.