4 ways employee home networks and smart devices change your threat model

Many employees at businesses worldwide have been forced to work from home because of COVID-19 related social distancing mandates. The security of employee home networks, and of the devices connected to them, are becoming increasingly important considerations for organizations that need to continue to support a large remote workforce for the foreseeable future.

Some one-in-four US organizations now plan on moving at least 20% of their on-site employees to permanent remote positions post-pandemic, a new Gartner survey of 316 CFOs and finance leaders showed. Seventy-four percent plan to do the same with about 5% of their workforce as part of cost-cutting measures. Many have deferred on-premises technology spending and are focusing instead on providing company-issued equipment to work-from-home employees.

The trend heightens the need for organizations to pay more attention to the security of home networks and of the smart-home products and other devices connected to them, analysts say. Home routers, printers, security systems, DVRs, gaming consoles and other smart devices can significantly change the threat model for the corporate network for the following reasons.

More malware infections

A recent study by BitSight found home networks were more than seven times likely than an office network to have five or more types of distinct malware. Twenty-five percent of smart-home products, PCs, printers, cameras and other devices on home networks were directly accessible over the internet; 45% of companies had a device accessing its network from a home network with malware on it.

This issue is exacerbated by the fact that many remote workers still use their own computers for work. A recent Morphisec survey showed that 49% of employees still use a personal laptop while working remotely. That number dropped little from the 57% using personal laptops in 2020. 

Easily accessible management interfaces

“Home networks are fundamentally different than corporate networks, and thus have risks that, while they can be present on a corporate network, are rarer there,” says Daniel Kennedy, an analyst with the 451 Group. He points to home routers and IoT devices with easily accessible management interfaces because of default or weak passwords. “The router is likely exposing services, whether intentionally or unintentionally [that are not] usually allowed by a corporate firewall,” he says.

Weaker WiFi protection

Similarly, the home WiFi network may not be protected as effectively as a corporate network against dangerous behavior by other users on the network. “Most of your office coworkers are likely not playing downloaded games after they finish the day’s work, but employees’ children are,” Kennedy points out.  While it is still more of a theoretical risk, there are also general privacy or confidentiality concerns with the presence of virtual assistants such as Alexa and Google Home on home networks. Such devices can unintentionally pick up speech and business communications that an employee might be engaged in while working from home, Kennedy says.

Increased scale and attack surface

The risks are not all entirely new. Organizations that have supported remote workers have had to deal with some of these issues for years. What’s different is the scale. “A significant percentage of enterprises are predicting increased scale of work from home on a permanent basis,” Kennedy notes. “The question becomes, what does security look like if a significant portion of employees are not accessing corporate services from a company owned network campus?”

Here Kennedy and other security experts offer four tips on mitigating risks to enterprise security from home networks and smart-home devices:

1. Trust nothing; verify everything Treat home networks and devices as untrusted, because they are inherently more vulnerable than a corporate environment. Implement controls for ensuring all access requests from a home network to enterprise systems and data are fully authenticated each time.

“This is when trust models have to be reevaluated,” says Richard Stiennon, principal analyst at IT-Harvest. What was once a carefully contained corporate network now includes everything on each employee’s home network. “Vulnerabilities in home security cameras, smart light switches, smart TVs and tablets belonging to the teenagers are now part of corporate IT’s purview,” he notes.

Access decisions need to be based on more than just someone having the right credentials. Both the device and the user need to be security vetted each time an access request is made. When access is granted, it should be on a least privilege basis and even then only to systems and data the user legitimately requires for work.

Their activity must be constantly monitored and the network response to their activity must be dynamic, Stiennon says. “This is what zero trust is,” he notes. “Do you really want your VP of finance’s smart refrigerator to be responsible for a breach?”

Organizations should deploy multi-factor authentication (MFA) wherever possible says Pete Lindstrom, an analyst with IDC. Although not a silver bullet, MFA can reduce a lot of the risk associated with working from home. Generally, the focus should be on expanding your security controls from the network and closer to your applications, your data and your users, Lindstrom says.

2. Identify the security gaps The security implications of supporting a handful of work-from-home employees is quite different from supporting anytime, anywhere computing at scale. IT environments that extend network connectivity to employee homes are potentially exposing enterprises servers, application resources, and data to new vulnerabilities and risks Lindstrom says.

The best place to begin addressing these risks is to know what questions to ask. “First, do you have all the appropriate security tools on the corporate system to minimize infections?” says Mat Newfield, CISO of Unisys. “Do you have your remote access properly configured and monitored to ensure the corporate system you sent home does not act as a bridge between your company’s network and the employees home network?”

There seems to be room for improvement in this area. According to the Morphisec study, only 52% of the computers used by work-from-home employees connected via a corporate VPN and only 41% of the connections went through a firewall. 

Find out if the people working from home have been given the proper tools and training to ensure their home network adheres to the same security rigors as their work network.  Do they have the necessary guidance to ensure they know what to do if a problem crops up? Don’t forget to determine if you have proper monitoring in place to be able to quickly detect issues through your remote access environment says Newfield.

Visibility is another issue. Certain network based security controls, operating at the edge of the network, cannot fully capture telemetry on employee activity on home networks or be able to act on it. “How is this telemetry captured and where do the security controls move to becomes the question; endpoints, the cloud, or other points of presence?” Kennedy says.

The SANS Institute has a couple of other recommendations. Figure out in advance if you want people reporting security incidents when working from home. If you do, to whom should they be reporting it, how and when?

3. Protect employee endpoints Ensure that any device that is being used to access the enterprise from a home network is protected against potential security threats from vulnerable smart-home products and other connected devices on the network. Make sure your endpoint threat detection and response controls are properly configured and that your VPN connectivity is strong, Lindstrom says.

“Many of the home systems we see are vulnerable to exploitation because they are not properly patched,” Newfield from Unisys says. Many home video game systems, for instance, have running exploits on them that can actively scan environments looking for vulnerable hosts to attack. Organizations that fail to harden their devices against these kinds of threats run the risk of becoming victims to them. “What tools and techniques companies deploy on the devices they are sending home with their employees will directly affect the potential for a corporate cybersecurity incident through that employee’s home network,” Newfield says.

Ensure also that any personally owned and unmanaged device accessing your network from home has adequate security protections as well. For example, show work-at-home employees using their home PCs how to add a new user non-sysadmin account to their home PCs, says John Pescatore, director of emerging security trends at the SANS Institute.

“This will at least segregate files for some protection against ransomware impact, as well as keep browser histories separate and limit privileges,” Pescatore says. Cloud based backup should be offered to all employees working from home too as a precaution against home network vulnerabilities, he notes. “At a minimum make sure they turn on auto update on everything on their home PCs — Windows, browsers, Adobe, Zoom, etc.”

4. Educate your employees  Often employees working from home are unaware of the potential risks of having vulnerable smart-products and other buggy devices on the same network they are using to log into the corporate environment. “It is easy to remember to patch a personal computer if you have set up the machine to notify you when patches are available, but what if you have not,” Newfield asks. “Do you have a regular cadence on verifying and patching your home IoT devices? Have you ever logged into your internet router and verified it is patched and hardened as much as possible?” Users working from home need to be made aware of the increased risks that home networks pose to their organizations and trained on how to mitigate them.

“Provide focused awareness and education around the rise in phishing attacks,” targeted at home users says Pescatore. “If you used to yell across the office to a co-worker to check on the actions some email is requesting, call that same person on a cell phone now.”