Question: How can I test the security of my home-office employees' routers?
John Bock, senior research scientist, Optiv: This can be a challenging question because it depends on your user population and how creative your legal department wants to be. The technical answer is that enterprise vulnerability management products are capable of scanning home office routers, but before doing so you would have to account for several things — namely, some language employees could agree to stating they own their IP addresses to be scanned. They would need to give the organization permission to scan their routers and potentially cause disruptions.
This would provide the most accurate results and integrated visibility into the organization's overall risk, especially if we're now treating the home office as an extension of the enterprise environment. But there are some dependencies in relying on employees to correctly supply their home router IP addresses. There are also potential downsides in terms of privacy issues and mishaps, like scanning an address by mistake. No matter what, the entire effort would have to start with the legal department.
If that approach isn't practical, then you are left with what can be done with a typical user base that ranges across tech skill levels, including individuals who may have never logged into the management interface of their home routers. Starting with the most basic procedure, you can have users check to see whether their IP addresses are showing up in public databases. A quick way to do that would be:
- https://www.shodan.io — paste in your IP and search
- https://search.censys.io — paste in your IP and search
Now, most home users will have nonstatic addresses from their providers, but it's still worth knowing whether the addresses they are coming from is a problem. If you can ask employees to log in to their routers, then the highest priorities are having them update the firmware and validate their firewalls are enabled.
For technical users, this won't be a big deal, but it may be asking a lot for some of your user population. There's no simple way to handle this, but you can facilitate the process by offering links to vendor documentation on the specific actions you want a user to take and by making the help desk available for support. While the support team may not enjoy the increased load, it is worth the one-time resource hit in order to enable automatic updates along with ensuring basic protections are in place.