In the rear-view mirror of history, the state of cybersecurity will not take top billing away from the COVID-19 pandemic. However, the one has been significantly affected by the other, and only time will tell what the full fallout will be. The first six months of 2020 saw significant developments across the cyber-threat landscape, and it’s important for future defense strategies to take a look at what’s already come to pass.
Most significantly, the work-from-home (WFH) mandate created a dramatic inversion of corporate networks almost overnight, which cyber-adversaries immediately started to use to their advantage. This led to the growth of exploit attempts against consumer-grade routers and internet-of-things (IoT) devices. In the first half of this year, exploit attempts against several consumer-grade routers and IoT devices were at the top of the list for intrusion-prevention system (IPS) detections. And then there were the malware botnets.
Mirai and Gh0st
Mirai had become the most active botnet by early May, presumably driven by attackers’ growing interest in targeting old and new vulnerabilities in consumer IoT products. This trend is important because it suggests that cybercriminals are looking to establish a beachhead in enterprise networks by exploiting devices that WFH employees might be using to connect to the enterprise network. In a way, the corporate network perimeter has extended to the home — and that is not a good thing.
Attackers also have been using Gh0st, an old malware and botnet family, for campaigns targeting WFH users and applications. Gh0st is a remote-access botnet that allows a bad actor to take full control of the infected system, log keystrokes, view live webcam and microphone feeds, download and upload files, and perform other activities.
Ramifications
The presence of vulnerable devices on home networks significantly expands the attack surface for organizations with a large number of remote workers. Therefore, organizations should evaluate options for achieving the same level of protection for WFH employees as they had in the office.
Because organizations are still primarily operating on a remote-work basis, it seems that remote work will play a significant role in business through 2020 and beyond. Whether companies are still under restrictions and are unable to send people back to the office, or they have created more flexible remote-work policies to better accommodate the needs of their employees, these businesses must ensure that their teleworker strategies can support and secure remote connectivity long-term.
As organizations transitioned to a WFH mandate, many were simply not aware of some of the weak spots and bottlenecks in their infrastructures. Businesses made changes and additions to their environments so quickly that it was impossible to understand the downstream effects. The costs are only now beginning to come to light in the form of interoperability challenges, data-privacy concerns, performance degradation and increased complexity. IT staff who were already daunted by managing the status quo now have even more to contend with in tools and services that were not built with integration and automation in mind.
Some organizations are deploying small firewalls directly into the homes of their “super users” to create a secure enclave, protecting an organization’s critical data from the home network. This use of a firewall directly in the home office can provide users with the same kind of wired and wireless connectivity they would have in the office, with the full protection of a corporate enterprise firewall, all managed remotely so the IT team has complete visibility over numerous network edges. This enables super users to conduct business as usual from their home office while ensuring the highest levels of protection, precisely because home networks are such a weak underbelly in this whole system. If organizations aren’t protecting against that threat vector, they are leaving themselves exposed, which is what CISOs are learning and is why they are adopting long-term solutions for remote workers.
Additionally, organizations are placing a significant emphasis on the concept of zero-trust network access. There are two reasons: first, they are using many VPN tunnels that need to understand and confirm who the users are; and second, they have users on many different types of devices that now have access to the corporate network.
Finally, there is a recognition of the need for more tightly integrated network and security functions, and the need to properly secure dynamic multi-cloud environments. Network infrastructure should allow for dynamic change and new technology integrations and must have integrated (and automated) security functions to increase efficiency and reduce complexity. This approach needs to extend from branch to edge, and data center to cloud, with a consistent policy and centralized visibility and management throughout.
Filling in the Gaps
The pandemic has changed how we work and how we secure our networks – possibly forever. Defenders must contend with not only more vulnerabilities across their networks, but more vulnerabilities that are actively being exploited in the wild. Organizations need solutions that enable business continuity, supporting employees as they work from alternate locations, while ensuring the highest level of security. Consider the ramifications and best practices noted above, and then take stock of what security gaps might need to be filled.
Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.