The risk of malware infection from employees’ home networks is real and should not be overlooked.
This is illustrated by the example of a small company that was infected by the Sircam virus a few years ago. It was easily done when an employee took his laptop home to continue working.
However, he also allowed his daughter to access her emails from the company laptop, which unfortunately included a message infected with Sircam, a particularly vicious computer worm that spreads via open networks. The employee's daughter was insufficiently aware of online security precautions and opened the attached files, which immediately infected the laptop with the virus.
When the employee returned to work the next day, he plugged his laptop into the company network, unaware of the virus, and so infected the corporate network with Sircam. This resulted in the network having to be disconnected so that each machine could be cleansed of the virus.
Fortunately, Sircam was removed before any damage occurred, but it still took time to determine what was happening, disinfect the network and ensure it would not happen again. This was in addition to employees not being able to access the network during this time.
Society as a whole is becoming much more aware of the dangers of bogus emails, but virus attacks that originate from home networks appear to be on the increase.
“It is something we are coming across more and more,” says Colin Tankard, CEO of Digital Pathways. “Devices are being exploited and [companies] find that something unusual is going on. It is only when they do a little bit more investigation that they realise somebody or something is monitoring what they are doing.”
Most home networks operate on an eggshell model, where the external security is reasonably robust, but once inside, hackers can easily compromise the entire system. Corporate networks, on the other hand, take on a “castle keep” mentality, whereby they have metaphorical strong walls and a moat to defend what is within the network, as well as constantly policing their environment. However, if hackers are able to bypass the external security, then their job becomes much easier.
These are rarely targeted events. Instead, it is lapses in security that allow malicious software to spread from home networks into the corporate environment. “For hackers to specifically go for [employees’] private email accounts and devices is not very common,” says David Jacoby, senior security researcher at Kaspersky Lab.
Nevertheless, companies are putting themselves at risk by exposing their networks to employees’ networks and devices. Malicious software can easily bypass a company's external network security by chance if it can exploit the vulnerabilities of home networks.
These vulnerabilities usually come in two forms:
- Employees taking work laptops home and connecting to their home network.
- Personal devices, such as smartphones, being taken into the office and connected to the company network or machines.
The risks are greater if employees have failed to change the default passwords of their network routers or the router has been reset to factory defaults and if security software is not updated regularly.
“We had an incident where the machine of the employee’s children had been exploited,” says Tankard. “The work machine was set up on the home network as ‘trusted’, so it was just another part of the network and the exploit occurred across the network.”
If the network had instead been set to ‘public’ – in that it was an open network accessible by several people/machines – the machine would have been much more secure.
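The trusted-versus-public setting described above can be audited on a company laptop. The script below is an added example, not something from the article or the people it quotes. It assumes the laptop runs Windows 8 or later, where "trusted" and "public" correspond to the Private and Public network categories (the article does not name the operating system), and that the firewall rule groups carry their English display names.

```powershell
# Added example: report (and optionally correct) networks marked as trusted.
# Run from an elevated prompt. Without -Fix the script only reports.
param([switch]$Fix)

$findings = @()

# 1. Any network other than the corporate domain should be categorised Public.
#    DomainAuthenticated is assigned by Windows itself and is left alone.
foreach ($net in Get-NetConnectionProfile) {
    if ($net.NetworkCategory -eq 'Private') {
        $findings += "Network '$($net.Name)' on $($net.InterfaceAlias) is Private (trusted)"
        if ($Fix) {
            Set-NetConnectionProfile -InterfaceIndex $net.InterfaceIndex -NetworkCategory Public
        }
    }
}

# 2. The Public firewall profile must be enabled and must not allow
#    unsolicited inbound traffic. ActiveStore includes Group Policy settings.
$public = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Name -eq 'Public' }
if ($public.Enabled -ne 'True' -or $public.DefaultInboundAction -eq 'Allow') {
    $findings += "Public firewall profile is disabled or allows inbound traffic by default"
    if ($Fix) {
        Set-NetFirewallProfile -Name Public -Enabled True -DefaultInboundAction Block
    }
}

# 3. File sharing and network discovery should not be reachable on Public networks.
foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
    $open = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            "$($_.Profile)" -match 'Public|Any'
        }
    if ($open) {
        $findings += "$(@($open).Count) inbound '$group' rule(s) are enabled for Public networks"
        if ($Fix) { $open | Disable-NetFirewallRule }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No trusted home networks or exposed sharing rules found.' }
```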
Security breaches cost companies time and money to resolve. The company network would be interrupted during the investigation, as professional investigators would need to determine the source of intrusion.
These investigations typically involve sealing the breach to prevent further intrusion, as well as firewall and system logs being examined for any unusual patterns. Of course, the true cost of a data breach may far exceed the investigation cost if sensitive data, such as customer details, are lost, leading to reputational damage.
There is a rising number of internet-enabled devices within our homes, and the security of these devices is not always as strong as it could be. Last year it was reported that a fridge formed part of a network of devices that were distributing spam.
Other devices connected to this 100,000-strong network included smart televisions and media storage devices. All of these devices had computer processors that allowed them to act as a web server and perform the sophisticated functions required to distribute spam emails.
This news report highlighted the inherent security vulnerabilities that lurk within our homes and the dangers to which companies are exposing themselves. “Think when you are connecting to your home network, particularly when you are using a company machine,” says Tankard. “Treat the network as being hostile, so you cannot be compromised through the network.”
As the internet of things becomes increasingly prevalent, these exploitations of home network security vulnerabilities will become more common. Recent studies have demonstrated that Wi-Fi-enabled baby monitors and CCTV systems can be hacked, allowing strangers to see and hear inside our homes. Potentially, this could even lead to hackers being able to spy on people as they enter login codes.
Last year, Jacoby hacked his home network and discovered that within 20 minutes he was able to gain full access privileges to several devices, including two network attached storage (NAS) drives and a smart television. With the permissions he gained, he would even have been able to upload a Trojan virus to the operating system of his NAS drives.
“Suppliers who create these devices need to do something, as the support lifecycle for them is only six to 12 months,” says Jacoby. “You get some updates for longer, but not security updates.”
Given how long most people own a television or other such devices, this lack of updates creates a worrying number of opportunities for their security to be exploited. Unfortunately, many people do not realise how big a problem this can be and most suppliers do not have the infrastructure to resolve the issue.
Given the security vulnerabilities that companies risk exposing their networks to, IT managers need to ensure company laptops remain secure by mandating that they are for appropriate business use only.
Locking the operating system
Locking the operating system, so that it prevents employees from installing their own software, is part of the solution. Internet filtering software, such as WebFilter by Blue Coat, can be installed to ensure employees are not visiting inappropriate and potentially dangerous websites.
“I have seen organisations have dual-boot areas of [company] machines,” says Tankard. “For personal use you can boot into one part of it, and then for business you log into the other part – obviously there is an internal firewall between the two.”
Although this takes longer to install compared with a single operating system, it ensures that the work-specific and personal-use sectors of the laptop remain separate and distinct.
One of the easiest ways a hacker can access a company’s server is through personal devices that employees have brought from home. For this reason, some companies refuse to allow staff to bring personal devices into the office. Other companies tackle this problem by disabling USB ports on all but a limited selection of machines.
An IT professional once told me of a school technician who found a pen drive in the computer laboratory. Assuming it belonged to one of the students and wanting to discover who it belonged to, the technician plugged it into his laptop, which had full administration rights for the whole of the school’s network. Unfortunately, the network was quickly compromised as the pen drive contained malicious content, but the technician quickly realised what was happening and was able to contain the breach before any damage was caused.
Enacting a policy banning personal devices in the workplace can be frustrating for staff, especially those who want to synchronise their company email and calendar with their personal accounts. However, this frustration is offset by the threat of hackers gaining access to sensitive information.
Another solution is to set up a separate guest network for employees to use with their personal devices. Although they will still be able to connect to the internet via this network, it will be separate from the rest of the network and will not give their devices access to the file servers.
As the internet of things brings an increasing number and variety of devices onto home networks, more and more security vulnerabilities are being discovered. This is exacerbated by poor security update provisions for many of these devices, and it is only by companies proactively protecting their systems by limiting their exposure to home networks that they can ensure their data remains secure.