Beware CISOs: attack vectors are coming from inside the house

A full staff working from home presents two challenges to chief information security officers. One, of course, is the need to securely connect home workers to the office. The other, which gets talked about a little less, is the need to secure an office computer from the home.  

During a webcast last week, Carbon Black provided one example of why securing company devices is needed: an uptick in users using their work machines for gaming during the COVID-19 crisis.

That in itself may seem harmless enough, but the same could easily be true of visits to scam websites playing on COVID fears or promising stimulus checks, Rick McElroy, head of security strategy at VMware Carbon Black, told SC Media. Users could be plugging work laptops into the same network as wildly unsecure connected devices.

“When you go to work you have this mindset of awareness around security – whether that’s knowing there are controls on the computer or just not clicking certain things,” McElroy said.

That’s in addition to the realities of sharing home computers across an entire household, and a workday that blurs into personal time outside the structure of an office.  People may be more likely to use a work computer for personal use during quarantine, he added.  

But as employees work beyond an office network, CISOs may lose a lot of the critical visibility into network traffic.  

“We’ll be able to see the really long tail of the things that snuck onto work laptops and find out what people were doing when they return to work with those laptops,” said VMware Carbon Black’s McElroy.

It is not just how people act that is a problem; it is the home itself. A CISO’s years of strict controls on what devices can go on an office network do not apply to the home network. A wayward employee may have installed internet-connected TVs, security systems, or lightbulbs long before any remote working mandate.  

“Before COVID, attacking someone’s home through [internet of things] was interesting. Now, it’s a real threat,” said Brad Ree, chief technology officer of ioXt Alliance, an industry group working on IoT standards.  

Internet-connected devices vary widely in security quality. They often make good footholds for attackers to enter a network and infect work computers.

“A couple of years ago, when I went to check on my kids’ internet usage, I noticed that a smart plug at my house had sent 1.8 gigabytes of data into the cloud,” admitted Ree. “As I was spying on my kids, someone was spying on me.”  

The solution to the home as an attack vector is, in part, to follow through on some of the things CISOs have been saying for years. If there was no perimeter pre-COVID, there is even less of one now. McElroy suggests moving to cloud-based security options to capture home workers in their natural habitat.  

Ree emphasizes that companies without virtual private networks in place need to start using them soon. And both suggest teaching home workers to segment home networks to keep devices, guests and home traffic separate from work traffic.  

“Just like Starbucks is untrusted,” Ree said, “people’s homes are untrusted.”

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
