Billions of people are working from home these days, whether due to the pandemic or because this has been their set-up all along. All depend on their home ISPs to do what they're supposed to: keep them connected to customers, suppliers, and colleagues around the clock.
But ISPs are not known for their security protections. Yes, many now say they're increasing their defenses against attacks, but can small to midsize businesses (SMBs) and remote workers bet their livelihoods on it?
"In a word, no," says Dark Cubed CEO Vince Crisler, once a chief information security officer at the White House. "We are seeing increased focus on security in advertising to small businesses and residential users from ISPs, but so far these are primarily minimalistic capabilities driven by marketing purposes instead of security."
But there's a reason why ISP security capabilities tend to remain minimal or sketchy.
"The typical Internet service provider is primarily focused on delivering reliable, predictable bandwidth to their customers," Crisler says. "They value connectivity and reliability above everything else. As such, if they need to make a trade-off decision between security and uptime, they will focus on uptime."
To be fair, demand for speed and reliable connections was crushing many home ISPs in the early days of the pandemic. For some, it remains a serious strain.
"In the early weeks of the pandemic, when people started using their residential connections at once, ISPs were faced with major outages as bandwidth oversubscription and increased botnet traffic created serious bottlenecks for people working at home," says Bogdan Botezatu, director of threat research and reporting at Bitdefender.
ISPs' often aging and inadequately protected home hardware presents many security vulnerabilities as well.
"Many home users rent network hardware from their ISP. These devices are exposed directly to the Internet but often lack basic security controls. For example, they rarely if ever receive updates and often leave services like Telnet open," says Art Sturdevant, VP of technical operations at Internet device search engine Censys. "And on devices that can be configured using a Web page, we often see self-signed certificates, a lack of TLS for login pages, and default credentials in use. These devices become targets for botnets and can become entry points for attackers to pivot into home networks."
An ISP's Rebuttal
Hold up, say ISPs, which point out that security issues do not rest solely on them. They're right. A lot depends on user behaviors, too. But even so, user expectations of ISP security tend to be high, which is driving ISPs to up their security game despite the challenges.
"Security is a multilevel issue," says Shrihari Pandit, president and CEO of Stealth Communications, an ISP based in New York City and focused on providing connectivity to businesses.
"Perhaps the best way to break this down is by the ISO [layers of communication]," says Pandit, offering the following explanations of typical ISP challenges and fixes:
Layer 1/Physical Layer: "Traffic is unencrypted between the ISP and customer on most ISPs. This is particularly an issue when providers are delivering service via wireless and fiber PON [passive optical network] technologies. These technologies 'broadcast' traffic to all subscribers. Bad actors can 'snoop' the airways or physically tap into the fiber PON network to pick up traffic of other subscribers."
Layer 2/Data link layer (Ethernet): "Like Layer 1, Layer 2 represents a communication path between the ISP and customer; traffic is typically unencrypted and prone to snooping. There have been advancements in this area to better improve security by using technologies such as MACsec. It can secure all traffic on an Ethernet network, including DHCP and ARP, as well as traffic from higher layer protocols, such as HTTP, SMTP, etc. The advantage of utilizing MACsec between the ISP and customer is that all traffic is automatically encrypted between the provider and customer. Encryption can be done at line-rate, low-latency compared to encrypting at Layer 3 or higher."
Layer 3/Transport Layer (Internet Protocol): "At the Internet Protocol layer, users and organizations may deploy IPsec to provide end-to-end encryption between two endpoints across the Internet, making it difficult for any potential bad actors on the ISP access network to decode traffic."
Marked security issues lurk in conflicts of interest as well – just maybe not the conflicts one would expect.
"The primary challenge with expecting ISPs to provide security is the idea that privacy and security are in conflict within their business model," Crisler says. "ISP customers expect to be able to use their Internet connections for whatever purpose they want without monitoring by their ISP. However, to provide security functionality, ISPs must pierce the veil of privacy."
Virtual private networks (VPNs) may be the better protector for both security and privacy. Or maybe not.
Is This the VPN You're Looking For?
Many users and organizations turn to VPNs to harden security on home ISPs – but they may not be the answer they were seeking.
"There are several challenges when leveraging VPNs while working from home," says Andrew Douglas, a risk and financial advisory managing director in Deloitte's cyber and strategic risk practice. "Not all VPNs carry all traffic, and not all security tools work well across VPN connections. For example, some security tools require regular connections, certain bandwidth, and appropriate configuration, or systems can miss updates and other controls."
Further, Douglas says, VPNs are themselves vulnerable, with a slew of recorded large-scale exploitation attempts and rising instances of employees giving away access credentials in phishing scams.
VPNs are also falling prey to other user behaviors.
"With entire corporations working from home and VPN appliances working overtime, many workers are averse to using the VPN because their bandwidth is limited and all of their work slows to a crawl," Censys' Sturdevant says.
Speeding up their work isn't the only reason workers and SMB owners turn off VPNs, which they often forget to turn back on. Multifactor authentication that counts device/user location as one of the factors – common among consumer financial institutions – also pushes workers to abandon VPNs.
"Banks will increasingly have to deal with location-mismatch data triggering fraud false positives, but it seems counterintuitive for them to push users away from VPNs," says Cameron Camp, security researcher at ESET.
Other security professionals say the use of VPNs to protect consumer financial information and transactions is itself a security issue.
"A VPN is not really a protection for accessing bank accounts because it just changes the exit point to the Internet from a client's ISP to VPN server ISP," says Kevin Reed, CISO at Acronis, a backup software, disaster recovery, and secure data access provider. "In my view, this actually creates more risk than it solves."
Employers with remote workers are turning to other VPN configurations in efforts to avoid users disabling them for work or private business.
"Various VPN configurations can be deployed based on circumstance and need," says Alex Artamonov, systems engineer and cybersecurity specialist at Infinitely Virtual. "Split-tunnel VPNs are common, in part because they can be on at all times and redirect defined traffic only over the VPN. In this example, any traffic for internal company servers would pass through the VPN, while browsing to a banking site would not. This approach avoids having to turn VPNs on and off."
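The split-tunnel behavior described above, as an added example that is not part of the original article: it decides per destination whether traffic enters the tunnel or leaves over the home ISP, and flags a route list that is effectively a full tunnel. All prefixes, addresses, and function names are constructed for illustration.

```python
import ipaddress

# Constructed policies: prefixes the VPN client routes into the tunnel.
SPLIT_TUNNEL = ["10.20.0.0/16", "192.168.50.0/24"]  # internal company ranges (made up)
FULL_TUNNEL = ["0.0.0.0/0"]                          # default route: everything

# Constructed destinations (public ones use documentation address ranges).
DESTINATIONS = {
    "intranet": "10.20.4.15",
    "file-server": "192.168.50.10",
    "bank": "203.0.113.25",
}


def egress(dest_ip, tunnel_prefixes):
    """Return 'vpn' if dest_ip falls in a tunnelled prefix, else 'isp'."""
    addr = ipaddress.ip_address(dest_ip)
    nets = (ipaddress.ip_network(p) for p in tunnel_prefixes)
    return "vpn" if any(addr in net for net in nets) else "isp"


def classify(destinations, tunnel_prefixes):
    """Map each named destination to the path its traffic takes."""
    return {name: egress(ip, tunnel_prefixes) for name, ip in destinations.items()}


def outside_tunnel(destinations, tunnel_prefixes):
    """Destinations that bypass the VPN, and so any controls applied behind it."""
    paths = classify(destinations, tunnel_prefixes)
    return sorted(name for name, path in paths.items() if path == "isp")


def audit(tunnel_prefixes, max_addresses=2**16):
    """Flag routes so broad that a 'split' policy behaves like a full tunnel."""
    findings = []
    for prefix in tunnel_prefixes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            findings.append((prefix, "default route: full tunnel"))
        elif net.num_addresses > max_addresses:
            findings.append((prefix, "very broad prefix"))
    return findings


if __name__ == "__main__":
    print(classify(DESTINATIONS, SPLIT_TUNNEL))
    print(outside_tunnel(DESTINATIONS, SPLIT_TUNNEL))
    print(audit(FULL_TUNNEL))
```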
The Final Score
In the final analysis, heightened awareness may be the best path to stronger protections for remote workers.
"My takeaway is that there's no simple answer to the question of remote security, since needs and network architectures vary so widely among companies of all sizes," says Artamonov. "The most important thing may be to correctly understand the challenge remote security presents."
While there is no simple answer, no one-size-fits-all security tactic or tool to deploy, there are some advances to consider from the lessons learned in the great work-from-home migration.
"The full tunnel VPN approach traditionally demands a large capital infrastructure investment to support all users to help manage for poor performance of certain high bandwidth applications," Deloitte's Douglas says. "As a result, full tunneling is becoming more legacy as companies look to reduce the potential for conflict between security and productivity."
Deloitte and other security pros think something else will replace VPNs soon.
"We think the Secure Access Service Edge (SASE) model is the future of remote work security," Douglas says. "Its ability to pull security services away from traditional on-prem limitations and traffic route bottlenecks, which allows cyber teams to enforce a unified security standard without sacrificing performance, is key."
SASE's "user experience and security visibility are consistent, no matter where users connect from – be it home, an office location, or a public Wi-Fi network," Douglas added.