Kirill Kasavchenko, Principal Security Technologist, CTO Office NETSCOUT
2020 has seen many organisations make rapid adjustments to their IT infrastructure in an effort to support the sudden increase in “home workers”, as COVID-19 has spread around the world. Now that the rush to upgrade VPN concentrators and increase unified communication licenses is over, it’s time to discuss what working from home will bring us in 2021. What are the longer-term implications of remote working from an IT security point of view? What can enterprise IT do to make employees more productive and secure?
The security risks of remote working
Many previously office-based employees haven't seen much change in how they interact with the applications and services they use day-to-day: they sit at home accessing the same SaaS applications. Under the hood, however, there is a big change. They now reach those applications directly from the home network, without traversing the layers of security implemented on their employer's corporate network.
To make matters worse, their devices may not be dedicated to business use, doubling up for personal email, social media and so on. And they share the same home Wi-Fi with a plethora of smart devices, many of which still have default passwords, and with other members of the household, who may take a more laissez-faire attitude to Internet hygiene than the business expects.
In most cases the increase in home working is not exposing businesses to a range of new, sophisticated and previously unseen security risks – it’s exposing them to a lot of well-known risks in a largely undefended environment, where they have next to no visibility and control.
Security at the price of visibility
To manage these risks across large numbers of home-workers, enterprise IT teams are looking to technologies such as CASB (Cloud Access Security Broker) and SASE (Secure Access Service Edge) to extend security monitoring and policy enforcement across their distributed user-base – and this trend will continue and likely accelerate through 2021. However, selecting and implementing these technologies is complex and there are still risks around performance and security that are difficult to manage without the right visibility.
Traditionally, enterprise IT teams could, metaphorically speaking, "see" their users' traffic, which allowed them to take responsibility for performance and security. That responsibility hasn't gone away, but in many cases home working has made the visibility that underpins it vanish. Some of it can be supplied by SaaS, cloud and CASB vendors as part of their service, but this is very limiting. For example, if users report performance problems with a specific service, or see unusual behaviour they think is suspicious, how far can the IT team rely on 'just' the data from that same service to investigate? With only that data it is difficult to have an informed discussion with the vendor about problems that may be occurring inside their environment.
To overcome this there is a growing need for network and security operations teams to get end-to-end visibility into the experience of home workers, so that they can have a meaningful, detailed and fact-based conversation with their SD-WAN, SASE and SaaS providers when there are issues. This need will continue to grow in 2021, as for many businesses a greater degree of home working is here to stay.
DDoS: home version
Another security risk associated with home working that has been overlooked in the past but has come sharply into focus this year, is the increased impact of DDoS attacks against both VPN concentrators and home workers themselves (well, actually their customer premises equipment [CPEs] and home routers). Attacking an enterprise VPN concentrator while everyone is at home seems to be a sweet spot for threat actors looking to disrupt business continuity, as many finance, HR, engineering etc., applications can only be accessed via an organisation’s VPN.
Launching DDoS attacks directly against home workers may also become a more common tactic in 2021. DDoS attacks targeting broadband subscribers are nothing new, with almost continuous low-level gaming-related attack activity on most networks. Imagine you are in the last round of the game, one step away from victory, and someone suggests kicking your competitor out of the game at a cost of five US dollars… If you think "what a tempting idea", please know that you are not alone….
Similar ideas might occur to threat actors going after large businesses. You might think that to launch a DDoS attack the attacker must first find the specific IP address of the target, and that would be true if they cared about collateral damage. Unfortunately, launching attacks against a larger population of subscribers, hundreds if not thousands of them simultaneously, is easy and has been happening for a while. Such attacks are commonly referred to as "carpet bombing", since they send traffic floods across ranges of hundreds or thousands of IP addresses. With this technique it is not necessary to know the exact IP address to attack, only which Internet Service Provider the victim uses, and then to attack it as a whole. A side effect that matters for defenders: because the flood is spread across many addresses, the volume arriving at any single subscriber can stay below a per-host detection threshold even while the aggregate reaching the prefix is enormous.
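To make that detection consequence concrete, here is an added example (not NETSCOUT's code or the author's) that runs a conventional per-destination threshold and a per-prefix aggregate over a constructed set of flow records. The addresses, byte counts, thresholds and the `min_targets` parameter are all made-up assumptions for illustration; the point is that a single-target flood trips the per-host check while a carpet-bombing flood of the same order only shows up once destinations are grouped by prefix.

```python
"""Spot a carpet-bombing DDoS by aggregating per prefix instead of per host.

Added example with constructed data; not NETSCOUT telemetry or tooling.
"""
from collections import defaultdict
from ipaddress import ip_network

MB = 1_000_000


def build_sample_flows():
    """Constructed one-minute window of (destination IP, bytes) flow records."""
    flows = []
    # Background traffic: a few subscribers with modest volumes.
    for i in range(1, 6):
        flows.append((f"192.0.2.{i}", 2 * MB))
    # Classic single-target attack: one subscriber drowned in traffic.
    flows.append(("198.51.100.7", 60 * MB))
    # Carpet bombing: 200 subscribers in 203.0.113.0/24 at 4 MB each (800 MB total).
    for i in range(1, 201):
        flows.append((f"203.0.113.{i}", 4 * MB))
    return flows


SAMPLE_FLOWS = build_sample_flows()


def per_host_alerts(flows, threshold_bytes):
    """Traditional detection: flag each destination whose volume exceeds a threshold."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return {dst for dst, total in totals.items() if total > threshold_bytes}


def carpet_bomb_alerts(flows, prefix_threshold_bytes, min_targets, prefixlen=24):
    """Aggregate destinations by prefix and alert when a prefix receives a large
    total that is spread across many distinct hosts (the carpet-bombing signature).

    `min_targets` (assumed parameter) keeps a single big flow to one host from
    being misreported as carpet bombing.
    """
    totals = defaultdict(int)
    targets = defaultdict(set)
    for dst, nbytes in flows:
        prefix = str(ip_network(f"{dst}/{prefixlen}", strict=False))
        totals[prefix] += nbytes
        targets[prefix].add(dst)
    return {
        prefix: {"bytes": totals[prefix], "targets": len(targets[prefix])}
        for prefix in totals
        if totals[prefix] > prefix_threshold_bytes and len(targets[prefix]) >= min_targets
    }


if __name__ == "__main__":
    # The 60 MB single-target flood is caught per host; the 800 MB carpet bomb is not.
    print("per-host alerts:", per_host_alerts(SAMPLE_FLOWS, 50 * MB))
    # Grouping by /24 surfaces the carpet bomb and leaves the single target alone.
    print("carpet-bombing alerts:", carpet_bomb_alerts(SAMPLE_FLOWS, 500 * MB, 50))
```

In practice the prefix threshold has to be baselined per ISP and per prefix size, since a busy /24 legitimately carries far more traffic than a quiet one; the aggregation step, not the specific numbers, is what lets a monitoring team see the attack at all.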
Speaking more broadly, threat actors have not yet fully exploited the expanding attack surface that home working creates. We have given a few examples here, but others are waiting to be weaponised and applied at scale. Ensuring both productivity and security is not going to be easy for enterprise IT organisations in 2021. There are interesting times ahead.