
Security Think Tank: As offices reopen, address patching and ‘build drift’

With Covid-19 restrictions easing, offices are welcoming back remote workers this summer, bringing with them their notebooks and mobiles, and creating an endpoint management headache for CISOs. What do security teams need to account for to protect their returning office workers?

The start of home working at the beginning of lockdown caused several logistical and security problems with the roll-out of more VPN endpoints and additional security measures for home workers.

Although the expected full relaxation of Covid-19 restrictions has been pushed back from 21 June to 19 July in England, there has been a trickle of people going back into the office, either part or full time, which could turn into a flood if government recommendations to work from home if possible are rescinded. On the face of it, this should not cause a problem, but there may be a few things to watch out for.

Depending on VPN architecture and how tightly users’ laptops are locked down, there may be the risk of home-introduced malware, particularly for bring your own device (BYOD) users. This could have been introduced via USB devices shared with the family, or directly from the internet if there were no restrictions on users accessing it and installing software.

While antivirus should pick up known malware, it is possible that other unknown variants could lie dormant, only to emerge when the user returns to the office and connects to the internal network. Although this can happen intermittently with mobile users, a mass return to the office after many months could result in a peak in such events.

Typically, however, most companies use a “walled garden” approach for mobile laptops: a full-tunnel VPN that only allows connections to the internet via the company’s normal internet gateway. This means that remote laptop traffic is protected in the same way as if the laptop were being used in the office. The risk of user-installed software and the introduction of malware still exists, of course, if it is not controlled by restricting user permissions and by standard endpoint protection.

Over the past 15 months, there have been a lot of software updates, including Windows version updates weighing in at around 3GB. Users on poor internet connections, or where VPN bandwidth may have been restricted because of the increase in the number of users, may have cancelled or avoided these updates if the download caused a bottleneck and they couldn’t work.

This may cause a surge in updates when users return to the office, or it may already have allowed exploitation of unpatched vulnerabilities, the results of which only become apparent when users return to work and connect to the internal network.

One thing that is likely to have happened with people working away from the office for a long time is that the build of their laptops may have drifted from what it should be, for one reason or another. The extent of this depends on the remote access architecture and the levels of restrictions on users’ privileges and use of removable media.

Where this does happen, it may cause false positives from user behaviour anomaly detection systems for a short period before they retrain. This may have been experienced at the start of the first lockdown and, if so, is more likely to be repeated.

Generally, the issues that may occur with a mass move back to the office are things to be aware of and prepared for rather than showstoppers. They could be mitigated by a phased return, to avoid problems with many users at the same time, or by additional malware scans, build audits and security posture assessments carried out remotely on users’ laptops before permitting a return to the office.
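As an added example (not from the article or any product it mentions), the kind of remote build audit the last paragraph suggests: a laptop's current inventory snapshot is compared with the approved build baseline and the drift is classified into allow, update-first or remediate-first. The snapshot layout, the placeholder patch IDs, the sample software names and the seven-day signature-age threshold are all assumptions.

```python
from dataclasses import dataclass, field

def _ver(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

@dataclass(frozen=True)
class Snapshot:
    """One laptop's inventory (layout assumed): OS build number, installed
    patch IDs, software name -> version, age of endpoint-protection signatures."""
    os_build: int
    patches: frozenset
    software: dict
    av_signature_age_days: int

@dataclass
class DriftReport:
    missing_patches: set = field(default_factory=set)
    unapproved_software: dict = field(default_factory=dict)
    outdated_software: dict = field(default_factory=dict)
    os_build_behind: bool = False
    stale_av: bool = False

    def decision(self) -> str:
        # Unknown software or stale protection: scan and rebuild before it joins the LAN.
        if self.unapproved_software or self.stale_av:
            return "remediate"
        # Only patch lag: push the pending updates while still remote, then allow.
        if self.missing_patches or self.os_build_behind or self.outdated_software:
            return "update"
        return "allow"

def audit(baseline: Snapshot, current: Snapshot, max_av_age_days: int = 7) -> DriftReport:
    """Compare a returning laptop against the approved build and classify its drift."""
    r = DriftReport()
    r.missing_patches = set(baseline.patches - current.patches)
    r.os_build_behind = current.os_build < baseline.os_build
    r.stale_av = current.av_signature_age_days > max_av_age_days
    for name, version in current.software.items():
        if name not in baseline.software:
            r.unapproved_software[name] = version
        elif _ver(version) < _ver(baseline.software[name]):
            r.outdated_software[name] = version
    return r

# Constructed sample data: the approved build, and a laptop back after months away
# that skipped a large OS update and picked up software installed by the family.
BASELINE = Snapshot(102, frozenset({"PATCH-001", "PATCH-002", "PATCH-003"}),
                    {"vpn-client": "4.2.0", "office-suite": "16.1"}, 0)
RETURNING = Snapshot(100, frozenset({"PATCH-001"}),
                     {"vpn-client": "4.2.0", "office-suite": "16.0", "kids-game": "1.3"}, 21)
```

Running `audit(BASELINE, RETURNING).decision()` yields "remediate" for the sample laptop; a laptop that only lags on patches yields "update" and can be brought back after the updates are pushed.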
