While the white-collar world was hastily relocating into the home office, IT departments were busy getting their hands on all remaining laptops, setting up VPN client software, and hoping that end-users would not require onsite technical support all too often.
Security? No time right now.
Much has been written about the increase in phishing attempts that capitalize on the current societal anxiety, often impersonating trusted organizations like the WHO. Such increases are, for example, measured by counting new domain registrations related to the coronavirus. These figures might not be entirely accurate, since quite a few of these domains might have a benign purpose: ordinary people who want to share their thoughts on the crisis. Nevertheless, they do show a recognizable trend.
Since in my day-to-day job I have insight into the security monitoring of several international companies, I was wondering whether I could confirm the increase in spam-related activity myself.
Turns out: No.
Some weeks ago I had discussed with an acquaintance from Proofpoint that isolation in the home office poses additional risks. Instead of asking the colleague “across the desk” whether a mail looked like a scam or not, people might “find out” themselves. Together with the additional stress that remote work creates for many who have never done it before, this led us to think that people would more easily follow links they should rather not click on.
So, I had a look into the email spam filters that some clients use. There was no visible increase in identified spam. The reason could of course be that these “novel” spam mails are not yet recognized by the filters. While I’m pretty sure that Proofpoint and others were quick to update their threat intelligence, the argument of an increased false-negative ratio is of course valid.
But spam filters were not the only thing I checked.
My field of expertise is Security Information and Event Management (SIEM) systems. These gather data from a huge range of systems and check for anomalies which in turn could indicate a security incident.
What I can say in general: I do not see an increase in security alerts across my clients, but this is not necessarily a good thing in this case.
Sure, indicators of compromise and early-warning data are continuously fed into SIEM systems: relevant threat intelligence databases integrate new data within hours or even minutes, such as malicious hashes, suspicious URLs and rogue IPs. Professional SIEM systems then pull this information in near real time. This means a good SIEM solution tends to be up to date basically 24/7.
If DNS records are collected in the company, we can check whether employees’ workstations try to connect to known malicious IPs or URLs. But even with a highly increased sensitivity for these monitoring rules, I could hardly find any relevant matches.
Does this mean that these companies are safe? Not so much.
The problem with remote work is not only that people might fall prey to phishing attacks, but also that enterprise security monitoring becomes patchy.
Why is that?
Well, every sane network department will set up VPN clients in such a way that only traffic relevant for the intranet is routed via the company’s intranet servers. All other websites that people visit from their home offices are routed directly to the internet. This means that if an employee navigates to intranet-homepage.local in the private IP range 10.0.0.0/8, the traffic will indeed be routed through the VPN to the company servers, and the activity will probably be visible in the security monitoring of the SIEM software. But if that employee then browses to news.google.com, the connection goes through the employee’s private router directly to the internet. A SIEM in the company intranet will not see that connection, unless every workstation’s event logs are forwarded to security monitoring. Due to the sheer amount of – mostly unnecessary – logs this is normally not done (i.e. usually logs are collected only from servers, which then carry metadata about client activity).
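The monitoring gap described above, worked through as an added example (not code from the original post or from any SIEM product): a split-tunnel client that only sends 10.0.0.0/8 through the VPN, a constructed IoC feed, and a constructed workstation connection log. The IoC match itself works, but the SIEM only ever sees the tunneled events unless endpoint logs are forwarded; the addresses, domains and user names are constructed and the flag name is an assumption.

```python
import ipaddress

# Assumption: split-tunnel VPN that routes only the corporate 10.0.0.0/8 range
# through the tunnel; everything else leaves via the home router.
VPN_ROUTES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed threat-intelligence feed (TEST-NET address, reserved .invalid domain).
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.invalid"}

# Constructed connection events as a workstation would record them.
EVENTS = [
    {"user": "reed", "domain": "intranet-homepage.local", "dst": "10.20.1.5"},
    {"user": "reed", "domain": "news.example.com", "dst": "198.51.100.7"},
    {"user": "morgan", "domain": "update-check.invalid", "dst": "203.0.113.45"},
    {"user": "morgan", "domain": "fileshare.local", "dst": "10.40.2.9"},
]


def routed_via_vpn(dst: str) -> bool:
    """True if the destination is in a range the VPN client sends through the tunnel."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in VPN_ROUTES)


def siem_visible(events, endpoint_logs_forwarded=False):
    """Events the corporate SIEM can see: everything if workstation logs are
    forwarded, otherwise only traffic that actually traverses the company network."""
    if endpoint_logs_forwarded:
        return list(events)
    return [e for e in events if routed_via_vpn(e["dst"])]


def ioc_hits(events):
    """Standard SIEM correlation: destination IP or domain against the IoC feed."""
    return [e for e in events if e["dst"] in IOC_IPS or e["domain"] in IOC_DOMAINS]


def missed_hits(events, endpoint_logs_forwarded=False):
    """IoC matches present in the workstation's traffic that never reach the SIEM."""
    seen = ioc_hits(siem_visible(events, endpoint_logs_forwarded))
    return [e for e in ioc_hits(events) if e not in seen]


if __name__ == "__main__":
    for e in missed_hits(EVENTS):
        print("missed by SIEM:", e["user"], e["domain"], e["dst"])
    print("missed with endpoint logs forwarded:", len(missed_hits(EVENTS, True)))
```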
Let me get this straight: While security departments across the globe are alert but cannot see attacks, the real risk is now sitting in the home office: Untrained and stressed users who are working – sometimes even with their private computers – behind consumer-grade routers that might have an OK firewall but certainly not as carefully tuned as the company’s perimeter firewall they would be using when working from the office.
If these routers do not have auto-updates enabled, their firmware will most likely be outdated and might be vulnerable to numerous exploits. And if something bad happens – let’s say malware gains a foothold on the system – security monitoring might not even notice it, because the malicious communication will be routed straight to the internet, bypassing security monitoring and IDS/IPS systems.
With adversaries becoming ever more proficient, dwell time – the time until an intruder is detected – also increases. CrowdStrike reported that in 2019 it took companies on average 95 days to find out they had been hacked. 95 days, that’s well over 3 months… let’s see what kind of news we will be seeing in August…
But you know what? Large-scale home office setups are not only a new challenge for security departments across the globe. They also decrease employees’ privacy.
Well, most employees will work with a VPN solution that provides secure access to intranet files. Guess what – whenever employees use such VPNs, login and logoff activities – and more – are logged by the VPN server software, and most likely also in a connected SIEM solution.
This allows employers to draw conclusions about employees’ actual working hours. Fair enough, such information might already have been gathered during the previous “normal office life”, and in any case people are supposed to work as many hours as they are being paid for.
What we can also infer from VPN logs is who is living with whom – provided that both observed persons work for the same company. Is Ms. Reed logging in from the same IP as Mr. Morgan, although the latter is supposed to live somewhere else? Why are Oliver and Thorsten working in the same house? Don’t tell their homophobic boss! Oh, and did you know that Mr. William, who is married to Ms. William, was accessing the network from Ms. Miller’s home and only logged off at 10pm? What was going on there?
Think this idea is far-fetched? Well, while creating new VPN-related security monitoring rules, I actually came across some of these cases by accident.
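Both inferences described above, worked through on constructed VPN gateway log lines as an added example (not from the original post and not any product’s log format; the field names, addresses and user names are assumptions). The “several accounts from one source address” check is an ordinary VPN monitoring rule; the keyed pseudonym shows what data minimization can and cannot do here.

```python
import hmac
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style VPN gateway lines; field names are an assumption.
LOG_LINES = """
2020-04-02T07:58:10Z vpn-gw1 user=reed event=login src=198.51.100.23
2020-04-02T08:04:51Z vpn-gw1 user=morgan event=login src=198.51.100.23
2020-04-02T08:15:00Z vpn-gw1 user=miller event=login src=203.0.113.7
2020-04-02T16:30:00Z vpn-gw1 user=reed event=logoff src=198.51.100.23
2020-04-02T17:45:12Z vpn-gw1 user=morgan event=logoff src=198.51.100.23
2020-04-02T22:01:40Z vpn-gw1 user=miller event=logoff src=203.0.113.7
""".strip().splitlines()


def parse(line: str) -> dict:
    """Split 'timestamp host key=value ...' into a record with a parsed timestamp."""
    ts, _gateway, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


RECORDS = [parse(line) for line in LOG_LINES]


def hours_online(records) -> dict:
    """Working-hours inference: summed login-to-logoff duration per user, in hours."""
    open_session, hours = {}, defaultdict(float)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["event"] == "login":
            open_session[r["user"]] = r["ts"]
        elif r["event"] == "logoff" and r["user"] in open_session:
            hours[r["user"]] += (r["ts"] - open_session.pop(r["user"])).total_seconds() / 3600
    return dict(hours)


def accounts_per_source(records, key: bytes = None) -> dict:
    """Co-location inference: sources from which more than one account logged in.
    With a key, the raw home address is replaced by a keyed pseudonym (HMAC-SHA256),
    so the rule still fires but the address itself is kept out of analyst-facing output.
    Note what this does NOT hide: that the two named accounts share a source."""
    seen = defaultdict(set)
    for r in records:
        src = r["src"]
        if key is not None:
            src = hmac.new(key, src.encode(), hashlib.sha256).hexdigest()[:16]
        seen[src].add(r["user"])
    return {src: sorted(users) for src, users in seen.items() if len(users) > 1}
```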
This crisis is not only a challenge from a healthcare standpoint, but also for IT security – and, less obviously, for our privacy.