By Zoltan Balazs and Leonardas Marozas
The recent world crisis has significantly changed how people work nowadays. In the past, only a small number of employees were able to work from home all week; others were allowed to work from home only once or twice per week (and many, not at all). This old way of working turned upside down in just weeks, and now wherever possible, people have started working from home.
Some were provided company devices like notebooks while others had to use their personal computers to work. Many notebook dealers reported record sales in recent weeks. This transition is a significant change in people’s lives and comes with major IT security implications.
Remote work was a dream come true for people who decided to freelance or did IT-related work that allowed such possibilities. With the COVID-19 pandemic putting the whole world in quarantine, it seems that this dream-come-true is not a dream at all for most—certainly not for industries tied up in specific infrastructure, regulations, or work natures. For example, in the banking sector, the infrastructure is designed to be distributed between regions and continents. But work from office is the de facto standard because of regulations and compliance associated with the financial sector. Parts of governmental sector businesses can be executed remotely; however, access to classified data cannot be easily transformed for work from home, with or without interruptions.
Nevertheless, home networks need an overhaul to be transformed into home offices with twists of corporate protection layers while still remaining flexible enough to keep other household members going on with their day-to-day activities, gaming, streaming media, and online shopping. This is where the challenge becomes especially tough—how to offer tight protection and, at the same time, stay flexible to each user’s security needs?
The problem: work from home vs. work from office
Despite existing functional differences between specific environments and needs that are driving architecture and infrastructure, work environments are set up in a way that is compliant with strict requirements.
The main goal when switching environments is continuous operation—to establish the workflow without interruptions for clients and without losing money. Some areas like education might move student holidays to create a buffer zone for teachers and lecturers to prepare their work environments enough to continue operation and teaching for upcoming months. But most industries and areas do not have the capabilities to create buffers or adequately prepare for significant changes to the work culture. It is no surprise that, with the focus on continuous operations, security might not be the top priority. A typical work-from-office architecture looks like the following:
During normal business activities, the office infrastructure is aimed at and optimized for protection, and strict corporate or governmental networks might even be oriented toward a whitelisting approach—allow the use and access of specific services, addresses, or endpoints, and forbid everything else. However, endpoint protection and protection against malware distribution, phishing websites, and spam are the bare minimum.
Incoming and outgoing emails are checked by email filters, and daily web browsing activity is filtered by a web proxy. Companies usually use these web proxies to filter out malicious and phishing websites. Some companies even deny access to non-malicious websites like social media sites, mainly in the name of less bandwidth and more productive working hours.
Fast and reliable connection for the average household is no longer a surprise but rather an everyday tool for work and entertainment. The features on top of this reliable high-speed network matter now. Does an average household use any means to protect the data, or do ISPs offer any solutions? Or are people still relying on various experimental, cutting-edge technology startups?
To some extent, ISP solutions sitting on a local area network perimeter do offer additional functionality and protection, such as browsing protection against visiting sites with malicious intents, remote access, or anti-DDoS protection. However, one aspect that is usually missing and plays an important role in current work-life scenarios is the identification of high risk, end-of-life devices that might be ticking cybersecurity time bombs in users’ homes. It is important to detect the weak parts in home networks and notify users, asking them to take action and solve the issue, and providing means of protection in the interim.
Whenever people work from home, there are two typical scenarios of how they can access company resources in recommended ways with the help of virtual private networks (VPN). One is called the full-tunnel VPN scenario; the other is the split-tunnel VPN.
In a full-tunnel VPN scenario, whenever the user connects to the enterprise network, all network connections go through the enterprise network. Whenever the user starts a new YouTube video or Netflix movie, all network packets traverse through the enterprise network. From a security point of view, this is great, because all web page visits are inspected and filtered by the web proxy. But from a network or performance point of view, sometimes this solution is not feasible. This traffic can easily overload the VPN servers, firewalls, and network equipment, which can lead to availability and connectivity issues at the enterprise.
In a split-tunnel VPN scenario, only packets where the destination is in the company are routed to the company network. In the wake of the coronavirus pandemic, many IT teams chose a split-tunnel VPN architecture to serve the rush of users who would be working from home. In many cases, companies had to switch from full-tunnel VPN to split tunnel due to infrastructure that is incapable of working under the extensive full-tunnel VPN load.
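As an added illustration (not code from the original article), the split-tunnel choice described above expressed with the Windows built-in VPN client cmdlets; the connection name "Corp", the server vpn.example.com and the corporate prefix 10.0.0.0/8 are assumed placeholders. The final command shows the check that matters for security: which interface owns the default route, and therefore whether general web traffic leaves through the home ISP or through the enterprise.

```powershell
# Added example: configure a Windows built-in VPN connection for split tunnelling.
# "Corp", vpn.example.com and 10.0.0.0/8 are placeholders, not values from the article.
$name = "Corp"
if (-not (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $name -ServerAddress "vpn.example.com" `
        -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling
}

# Only the corporate prefix is routed into the tunnel; everything else
# (YouTube, Netflix, personal browsing) stays on the home ISP connection.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix "10.0.0.0/8" -PassThru

# To return to full tunnel (all traffic inspected by the corporate web proxy,
# at the cost of VPN and firewall load), flip the switch instead:
# Set-VpnConnection -Name $name -SplitTunneling $false

# Check which interface owns the IPv4 default route. With split tunnelling it is
# the home NIC, so web traffic bypasses the corporate proxy and edge firewall.
Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NextHop, RouteMetric
```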
In the past, most devices were protected against malicious websites and phishing sites by three layers of protection: the email filter, the web filter, and endpoint protection tools. Now, many companies have to sacrifice security to get work done. As we saw in the past, some malware and phishing still got through even with three layers of protection, and now at some companies, it only has to get past two layers of protection.
Not to mention: Many users can do their daily job without connecting to a VPN at all. Most company email servers are already accessible without any VPN. As these users will not be connected to any VPN most of the time, there will be no web filter proxy to filter the outgoing web traffic.
Another significant risk is having a piece of work equipment transferred to a potentially unsecured environment and network. Corporate security of connected devices is limited to a physical office location, while users at home have a wide variety of devices connected to the network. There is a good chance that no smart toaster or vulnerable DVR exists in the office network, but home networks are usually polluted with unused, outdated, and no longer supported devices. According to our data, more than 45 percent of the internet of things (IoT) device base existing in home user networks is end-of-life and no longer supported by vendors. And this number is increasing. End-of-life devices on the home network that are listening and interacting on the internet are an unsecured entrance into users’ homes. In March, CUJO AI stopped almost 2 million attempts to scan, access, and brute-force devices on port 23 (the telnet protocol), which should never be open to the Internet.
The missing outbound firewall
But it is not just the web filter proxy that is now missing from the network path. Whenever users are not connected to the VPN or only use a split-tunnel VPN, HTTP and all other traffic skip the company firewall. Traditionally, most companies block outgoing SMB access (TCP port 445, commonly used by Windows File Sharing) at their edge firewalls. But employees working from home do not have that hardware firewall to block outgoing SMB communication. This gap can be exploited to leak encrypted Windows credentials. The attacker can use these to crack the Windows password or to authenticate to another Windows service in the enterprise (the SMBRelay attack). In other attack scenarios, attackers might use remote SMB shares to load their malicious DLL files as part of an exploit chain.
Companies can defend against these threats by using location-aware software firewalls and blocking all nonessential outbound protocols when the user is not in the company network environment. But many companies do not have the software or resources to manage these location-aware software firewall rules.
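One way to implement the location-aware rule described above, as an added example that is not part of the original article: Windows Defender Firewall already tracks location through its network profiles, so a rule scoped to the Private and Public profiles applies at home but not in the office (the Domain profile is active when the machine can reach its domain controller, whether on site or over a full-tunnel VPN). The rule name and the 10.0.0.1 check target are assumed placeholders.

```powershell
# Added example: block outbound SMB (TCP 445) only when the machine is off the
# corporate network, using the firewall's Private/Public profiles as the location signal.
# The rule name and the address used in the verification step are placeholders.
$ruleName = "Block outbound SMB off the corporate network"

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Profile Private,Public -Action Block -Enabled True `
        -Description "Prevents credential leakage and SMBRelay over untrusted networks"
}

# Show the profile the current connection was assigned to; the rule only bites
# when this is Private or Public, i.e. the user is not on the company network.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Confirm the port filter attached to the rule.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# Verification: from a home (Private/Public) network this should fail to connect,
# which is the desired outcome. 10.0.0.1 is a placeholder target.
Test-NetConnection -ComputerName 10.0.0.1 -Port 445 -InformationLevel Detailed
```

The same pattern extends to the other nonessential outbound protocols the text mentions by adding further rules with different `-RemotePort` values; central management of these rules is what most companies lack, not the mechanism itself.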
Diversifying protection: the biggest challenge of spring 2020
We’ve discussed several scenarios that are currently visible in the shifting landscape of home/office work culture. The fact is that there is no way for companies to ensure full protection for end-users at home on such short notice. Some can do better, some worse, but the rise in criminal activity, pandemic-related scam campaigns and general fear create ideal conditions for cybercrime to flourish. The work environment must be secure, and the home environment must be protected while at the same time providing freedom of choice for kids and people with different needs. The biggest challenge of spring 2020 lies in diversifying the means of protection. ISPs face one problem that grows with increased network usage: more attempts to compromise, attack, and exploit home internet users who are not fully aware of the dangers hidden in certain parts of the internet.
While working from home was a privilege or free choice for specific types of employers, it became a mandatory harsh reality in the last few weeks. Operations cannot be halted indefinitely, and some security-related problems are too difficult to solve for end-users that might not be tech-savvy or used to the changing conditions dictated by the COVID-19 pandemic.
About the authors
Zoltan Balazs is the Head of Vulnerability Research Lab at CUJO AI, an ethical hacker, and IT security researcher with more than 15 years of experience. Balazs has spoken at DEFCON, SAS, AusCERT, Shakacon, and many more.
Leonardas Marozas is the Manager of Vulnerability Research Lab at CUJO AI, a cybersecurity researcher, and research manager. He has a master’s degree in IT security and years of experience in academia and industry.