The high number of Americans working from home continues to present opportunities for hackers to get creative with in-home attacks. As a result, hackers are becoming more and more successful at a phenomenon called “in-home local propagation.”
Most Americans thought that by fall of 2021, offices would be open and business as usual would have returned to most of the globe. Unfortunately, the Delta variant and an uneven rollout and uptake of vaccinations have delayed the reopening of many offices. Estimates vary, but the general consensus is that 20 to 25% of Americans are working from home in 2021. That number is expected to continue to grow.
At the same time, many workers admit to getting lazier in their security habits. They make mistakes like exchanging corporate data on personal email accounts. Not surprisingly, hackers have done what hackers do: they’ve figured out the best way to leverage the situation to their personal advantage.
Think Like a Hacker
Consider the situation as if you’re one of the bad guys. A household of people is on a shared network. Mom is at home, working for a large healthcare company on a standard-issue laptop, and she rarely uses her corporate VPN. Dad works in financial services and frequently toggles between his personal phone and tablet and the corporate PC, depending on where he is in the house or whether he’s taking meetings around town. The kids are back in school, but they carry a school-issued Chromebook for homework. A few gaming devices and other assorted phones and tablets are also in the home on the same network. This is a pretty typical American household in the year 2021.
How many endpoints do you count in the scenario above? If you’re the CISO or IT manager for the companies where this couple works, what are your fears?
When everyone is working in an office, security threats are limited to one organization. But now attackers are “jumping zones.” In shared workspaces, like the home described above, there are many endpoints belonging to multiple organizations. Every device accessing the home network represents an ingress avenue that could become a way for hackers to reach the larger targets: the healthcare company, the financial services business, or the kids’ schools. Every device is also a potential egress avenue, where an attack that starts at one of the bigger organizations can spill over to personal devices and compromise the kids’ information or the parents’ checking account.
How Hackers Do It
When employers sent staff home in early 2020, they were at the mercy of whatever connectivity equipment was already installed in those homes. Most home routers are consumer-grade and poorly configured.
The average person does not have the training or the inclination to make their home a fortress against digital threats. Home routers are not encrypted, and users often fail to do something as basic as changing the manufacturer’s default password. A home router keeps minimal logs, so detection and response are nearly impossible. Physical proximity and shared internet access make additional victims easy to reach.
What Hackers Have to Gain
Must be…the money? When there are more organizations and individuals involved in a ransomware attack, there are more people to pay up. It’s really that simple.
If a company has functioned as an egress avenue to seize an employee’s family photo library or their kids’ personal data, the company has additional reasons to pay. If the company has high-quality security and frequent backups for its corporate systems, it may not need to pay a standard ransom (double ransoms are a different story). But the company has to consider the damage to its relationship with its employees, or to its reputation, if it is implicated in an attack that becomes personal.
Employers are in a difficult position. They don’t typically have direct control over the network infrastructure of employees working from home. And most employees would reject the idea of anything that felt like more of their work life entering their personal space at this point.
So, as usual, the best option is more training. Companies need to teach their employees how to configure their home networks correctly, and provide funds for improving those networks if necessary. Employees should also be reminded regularly to use the corporate VPN. A training session about what is and is not safe to share on a personal device or via messaging services like Teams and Slack should be mandatory.
IT departments should make sure that they have a good system in place for updating software on all corporate endpoints remotely. They should also schedule regular detection and response activities across all endpoints.
Home-Based Cyber Attacks Are the “New Normal”
A heightened risk of home-based cyber attacks during the pandemic is the new normal. It is not likely to abate. Hackers thrive in environments of uncertainty, and the early 2020s are nothing if not uncertain.
Malware and ransomware will continue to proliferate. New and more enticing phishing messages will arrive with every new COVID or climate-change bogeyman. Despite their best intentions, people will click, and cyber attacks will happen. Employers and employees must be prepared to face these risks.
What is your company doing to stay secure while employees work from home? If you need help with employee training or with evaluating the safety of your endpoints, reach out to Asylas. Call us at 615-622-4591 or email firstname.lastname@example.org. Or complete our contact form.