As COVID-19 quarantine restrictions ease, many companies are implementing plans for when their employees return to the workplace. And for good reason: Come September, the majority of senior technology executives expect more than half of their workers will be heading back to the office, according to a recent CNBC Technology Executive Council survey of senior technology executives.
While many variables are still to unfold between now and September, organizations that do scale up in-office work are focused on safety protocols, including social distancing, face masks, and temperature reading for employees. But they may be overlooking another risk: the devices heading back into corporate walls after months of operating on home networks.
"Many CISOs lost most of their ability to control what hardware devices were used by their remote employees," says Yossi Appleboum, CEO of hardware device security firm Sepio Systems and a former hardware security intelligence agent. "Many of these employees have connected uncontrolled peripheral devices to their corporate laptops. These peripherals are potentially cyberattack tools used by bad actors to gain access to secured organizations and, in most cases, cannot be seen by the installed endpoint security tools."
Unsurprisingly, device use and access across households dramatically increased over the past several months – as well as the opportunity for devices to be compromised due to open networks. The fact is, corporate-own devices on home networks simply could not be as tightly controlled by IT. And research shows home networks are much less secure.
Research from Bitsight, for example, recently revealed that home networks are 3.5 times more likely than corporate networks to have at least one malware family — and 7.5 times more likely to have five or more distinct types of malware. The survey also found 25% of devices on home networks, including PCs, network-attached printers, and smart home products, had one or more services exposed on the Internet.
"Routers and wireless access points are notorious for being compromised," says Jim Matthews, a security software engineer at JumpCloud. "The user's system may fall out of the specified configurations. It may not be able to be controlled remotely so will drift from supported and protected baselines."
Employee-Owned Devices Add to Security Uncertainty
The blending of both personal and work use on employee-owned hardware is also going to present a problem when people return to on-site work.
"Thousands of people, at the very least, are using their personal computers for work. These devices are probably not running the security solutions used by their company, or being actively monitored, and they might even have already been compromised by malware and other exploits," says Shivaun Albright, chief technologist, printing security, print hardware systems, at HP. "Then you've got the increased chance of staff mixing passwords between personal and professional accounts on their devices – it all adds up to increased security risks."
Other so-called smart devices in the home may also have led to hardware problems, Sepio's Appleboum says. The very interconnected nature of our lives, and the same technology used for both personal and professional reasons, further complicate things. Devices such as third-party cameras and speakers used and connected to company laptops during quarantine may have led to an exploit. And hackers, he says, are increasingly targeting other kinds of hardware that previously were considered unexploitable.
"The laptop is always the immediate suspect, so it's not a good attack practice to use it as your attack tool. Peripheral devices are mostly considered dumb devices that cannot cause any harm," Appleboum says. "But let's think about it for a second: What is the difference between an IoT device and a mouse or a keyboard? Both are small 'computers' with access to the secured network, data, and infrastructure. The blindness in the industry and the lack of tools are creating a great opportunity to the attackers."
He also says security managers should keep an eye out for employees who have grown comfortable using their own stuff and want to keep using it – even in office.
"We've seen that some employees, used to working with their home peripheral inventory, were bringing it with them to their office buildings," Appleboum says.
Scrub Hardware for a Secure Return
CISOs and other security managers should prioritize a plan for how to get a handle on the various vulnerabilities that devices could be introducing to the office environment, Appleboum advises.
"CISOs should come with a plan that 'cleans' their infrastructure of such devices by scanning for their existence and putting specific controls to prevent future installation of such devices," he says.
JumpCloud's Matthews suggests creating a quarantine network away from the production network and use that to triage devices to ensure they are patched, use only company-approved software, and are configured properly.
"If machines are infected or out of compliance, they can be remediated in a safe place without access to company confidential materials," he says.
And don't forget about in-office machines that have not been used during the quarantine period. They need attention, too.
"A lot can change in the months of remote working, so it's critical to get patches installed before they become a weakness in the corporate network," HP's Albright says. "Many office systems may have trust assumptions built in that devices on the network are secure. A screening oversight in a trusted environment could present a risk for the enterprise once returned to the office environment."
Jeffrey Coe, CISO and senior director at ON Semiconductor, says his firm has been handling hardware requests and upgrades for users with a combination of prebuilt and staged equipment, along with self-service instructions that employees can follow. It has been challenging, he says, but he is also looking at the future as an opportunity to refresh the company's hardware strategy.
"We are revisiting our procedures and technology around bring-your-own-device because this is now more akin to UAD, or use any device," Coe says. "And trends like zero trust are taking hold. In essence, our employees and partners should be able to use any device, and we've taken steps to support that."
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for information on conference information and to register.