If 2020 has been anything, it has been a stress test of the ability of organizations to adapt to rapid and disruptive change. Some organizations are waiting for a return to normal, while others have accepted the present state as the new normal. Regardless of which outcome you are experiencing, one thing is almost certain: the dynamic of teleworking has changed.
Once solely the domain of steely road warriors, teleworking opportunities have increased as communications technology has improved. In data released by the Bureau for Labor statistics for 2017-2018, around one-third of all workers from high-school age and up said that they could work from home, albeit many of them weren’t working from home in an official capacity. This might have been to catch up on something that didn’t get completed during regular working hours. A smaller percentage had a formal approval to work from home. Most people who telecommuted tended to be in the top 25% of wage-earners in the United States (Guyot & Sawhill, 2020).
I recall my first telework experience in 2001. At that time I was working as a field engineer and the IT department for a small company in the trade show business. When I was on the road, there was no one in the office to manage the network. I had to plug my data-less, not-very-smart phone into the laptop via a USB cable and use it as a modem to connect to a dialup Internet service. I was able to check my email at a blazing 56 kbps. Within the year, I had implemented VPN capability back at the office, and where WiFi was available (which in 2001 definitely wasn’t everywhere) I was able to remote in and do some of my admin duties. Fortunately we have had significant improvements in communications technology in the past two decades.
Everybody is a Teleworker Now
Enter COVID-19. Organizations had the capability for a number of employees to telework, but very few organizations were prepared for essentially their entire staffs to telework. The infrastructure wasn’t ready to support that kind of load. We all experienced the connectivity issues, which generally weren’t on the remote end. While there are occasional hiccups still, as of this writing, those issues have been more or less resolved.
What remains is the elephant in the room: the interconnectivity between unmanaged home networks and managed corporate networks. To be sure, there are security controls in place. Many VPN clients will perform some type of triage on the corporate asset that is VPNing into the enterprise before allowing the connection. This provides a minimum assurance that at least that device has some protection. What about the myriad of other devices that constitute the network that the trusted device is connecting from? One of the great things for the worker is that he or she can connect in from anywhere. One of the bad things for the IT department is that the worker can connect in from anywhere. How can we ensure that the trusted device hasn’t been compromised somewhere along the way? The triage process is one way. Hardening the device is another.
Improve Your Cybersecurity Posture
What can we, as tech workers, do to protect this tool of our livelihood? Foremost is practicing good cyber hygiene. There are countless articles that provide some form of guidance on that vast topic, but I want to focus on protecting your home network.
One of the first steps to take in improving your security posture is to get familiar with the latest version of the Center for Internet Security (CIS) Controls. There are twenty controls broken down into three categories: Basic, Foundational, and Organizational (Center for Internet Security). Some are more applicable to a home environment than others. We’ll focus on a few of those below.
Know What’s Out There
The first two controls called out in the CIS Controls are Inventory and Control Hardware Assets and Inventory and Control Software Assets. The first step in protecting your home network is knowing what’s on it. DSL/Cable modem. Check. Work laptop. Check. Smartphone. Check. Doorbell. What? Take inventory of everything that is pulling an IP address on your home network. There are great commercial tools to manage this task in an enterprise environment, but you’re a little more limited in a home environment. You could log into your DSL/Cable modem and document all the devices that it has assigned IP addresses to. This will give you a rough device count, but it really won’t tell you a whole lot about them. You need a better way to inventory.
One free tool is Spiceworks, which has the ability to inventory hardware, as well as view software, patches, and services that are on each device. Spiceworks is a Windows application, and as a side note, it installed Nmap and WinPCAP as optional components. It is able to inventory Windows systems via WMI, MacOS/Linux/Unix via SSH, and other devices via SNMP. By having login information, Spiceworks is able to do a deep-dive on the devices (Spiceworks). You may still have to manually inventory software on other devices, such as smartphones, tablets, and Internet of Things (IoT) devices, though.
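As a lightweight complement to the router's device list, here is an added example (not from the original article or from Spiceworks): it parses `ip neigh` output from a Linux machine on the home LAN and compares it with a hand-maintained inventory, flagging devices you have not accounted for. The sample output, MAC addresses and inventory entries are constructed for illustration.

```python
import re

# Constructed sample of `ip neigh` output from a Linux host on the home LAN.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:84:6a:11:22:33 REACHABLE
192.168.1.23 dev wlan0 lladdr A4:83:E7:AA:BB:CC STALE
192.168.1.40 dev wlan0 lladdr 7a:10:9f:01:02:03 REACHABLE
192.168.1.57 dev wlan0 lladdr 00:17:88:de:ad:01 DELAY
192.168.1.77 dev wlan0  FAILED
"""

# Hypothetical hand-maintained inventory (MAC -> description), constructed.
INVENTORY = {
    "3C:84:6A:11:22:33": "DSL/cable modem",
    "a4:83:e7:aa:bb:cc": "Work laptop",
    "b8:27:eb:44:55:66": "Smartphone",
}

NEIGH = re.compile(r"^(\S+)\s.*\blladdr\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_neigh(text):
    """Return {mac: ip}; unresolved (FAILED/INCOMPLETE) rows have no lladdr and are skipped."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            seen.setdefault(m.group(2).lower(), m.group(1))
    return seen

def is_randomized(mac):
    """True if the locally administered bit is set, as in per-network private MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(neigh_text, inventory):
    """Return (unknown devices, inventory entries not currently seen)."""
    seen = parse_neigh(neigh_text)
    known = {mac.lower(): desc for mac, desc in inventory.items()}
    unknown = sorted((ip, mac, is_randomized(mac))
                     for mac, ip in seen.items() if mac not in known)
    absent = sorted(desc for mac, desc in known.items() if mac not in seen)
    return unknown, absent

if __name__ == "__main__":
    unknown, absent = audit(SAMPLE_NEIGH, INVENTORY)
    for ip, mac, randomized in unknown:
        hint = "randomized MAC, identify on the device" if randomized else "check vendor prefix"
        print(f"UNKNOWN  {ip}  {mac}  ({hint})")
    for desc in absent:
        print(f"NOT SEEN {desc}")
```

The neighbour table only holds devices this machine has recently exchanged traffic with, so treat the result as a lower bound on what is connected. A device reported as unknown with a randomized MAC may be an inventoried phone or tablet using a private address, which is why the inventoried smartphone shows up as not seen in the sample.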
Manage Your Devices
The third control is Continuous Vulnerability Management. This is a techie way of saying that you need to make sure all your devices are running the latest updates. There is more to vulnerability management than just pushing patches, but that is outside the scope of this discussion. On a home network, this can be tedious because you might not have tools to automate updates like the IT department in the office has. Each device will have a different way you update it. The steps on a Windows 10 PC are different than an iPhone and are definitely different than a Ring doorbell. Unpatched, each of these can represent a threat to your home network.
What about devices that haven’t had updates in some number of years? There’s an old saying that “if it ain’t broke, don’t fix it”. Well, if a device isn’t supported by the manufacturer anymore, in a cyber context, it’s broke. You need to either implement some mitigation to compensate for it, or decommission it. A great example of why to do this is vulnerabilities in the Universal Plug and Play (UPnP) protocol. According to one researcher, a UPnP vulnerability named CallStranger could allow an attacker “able to exploit this flaw [to] use it to co-opt vulnerable devices for DDoS attacks, bypass data loss prevention security to sneak data out of networks, and possibly carry out port scanning to probe for exposed UPnP devices.” (Dunn, 2020).
Having devices on your network that have been compromised and potentially attacking other systems on the Internet is not only wasting your own bandwidth, it also makes you complicit (in a sense) in cyber crime. I had a friend who runs a small business who once shared with me that he thought the “bad guys” weren’t interested in the data on his network, to which I responded, maybe not, but they are interested in using your systems to attack other people. Just thinking your stuff is too insignificant to target doesn’t make you any less of a target.
Secure Your WiFi
The last control we’ll address is Control 15: Wireless Access Control. It’s very important that you secure your WiFi so that it can’t be used by others to do very bad things. Case in point: in 2015 a defense contractor was arrested on Ft. Carson, CO for possession of child pornography. He had been sitting in a parking lot using an open WiFi connection to hide his activities (U.S. Attorney’s Office, 2015). Imagine for a moment that instead of this having been an open WiFi connection on Ft. Carson that it was open WiFi at your house. The illegal activity would have appeared to have been coming from your network. This also could have been any of a number of other crimes. Don’t give others the opportunity to use your network for malicious or criminal actions.
Let’s expand on this idea for a moment as well. Do you allow guests at your home to use your wireless network? How do you know if their device is up-to-date and free of malicious code? You don’t. If you want to extend the courtesy of Internet access to your guests, consider setting up an isolated guest network. Many home routers support this capability, and it will keep your guests cordoned off from the rest of your network.
While you may not be a “cybersecurity expert”, there are things you can do to improve your cybersecurity posture. First, you have to know what you have. Then you have to manage those devices. Finally, secure your wireless network. These are just some of the things you can do to better secure your home network, which by extension provides better security for the enterprise network you’ll be VPNing into while teleworking.
Center for Internet Security. (n.d.). The 20 CIS Controls & Resources. Retrieved from Center for Internet Security: https://www.cisecurity.org/controls/cis-controls-list/
Dunn, J. E. (2020, June 10). Billions of devices affected by UPnP vulnerability. Retrieved from Naked Security by Sophos: https://nakedsecurity.sophos.com/2020/06/10/billions-of-devices-affected-by-upnp-vulnerability/
Guyot, K., & Sawhill, I. V. (2020, April 6). Telecommuting will likely continue long after the pandemic. Retrieved from Brookings Institution: https://www.brookings.edu/blog/up-front/2020/04/06/telecommuting-will-likely-continue-long-after-the-pandemic/
Spiceworks. (n.d.). Inventory. Retrieved from Spiceworks: https://www.spiceworks.com/free-pc-network-inventory-software/
U.S. Attorney’s Office. (2015, June 17). Colorado Springs Man in Car Viewing Child Pornography on Fort Carson Army Base Sentenced to Seven Years in Federal Prison. Retrieved from Federal Bureau of Investigation: https://www.fbi.gov/contact-us/field-offices/denver/news/press-releases/colorado-springs-man-in-car-viewing-child-pornography-on-fort-carson-army-base-sentenced-to-seven-years-in-federal-prison