Mike Campfield, VP, GM International and Global Security Programs at ExtraHop, highlights some home truths surrounding the way networks have changed since the pandemic, and how they may continue to change going forward.
Offices all over the world have been empty for months now. Under quarantine, office staff have been largely turned into remote workforces and one might reasonably think that without them – offices have stayed dormant, waiting for their return.
Offices might be empty, but it doesn’t mean they’re quiet. At the end of March, ExtraHop analysed four petabytes of data from more than 15 million devices and workloads across cloud, data centre and remote site deployments. That data provides insights into how office networks are changing under quarantine.
Rise and fall
The first and most obvious insight here is the overall decline in use of devices. People have left the office and turned off or otherwise disconnected their devices. That’s why smartphone connections are down by 69% and laptop connections are down by 64%.
Use of digital assistants is also down by over 70%. That decline reflects this mass migration to remote working, but it doesn’t mean that people aren’t remoting into the office through Virtual Private Networks (VPNs) or getting their office desktop delivered to their home computers through Virtual Desktop Infrastructure (VDI). Many are relying on cloud infrastructure and services which don’t require a VPN to connect to.
What is perhaps more interesting is the enduring – and sometimes increased – activity of many devices. For example, VOIP phone connections are down by 7.5% and printers are down by only half a percentage point. Meanwhile, the presence of IP cameras has shot up by almost 50%.
The increase is understandable. As workforces have gone home, enterprises want to keep an eye on their offices and because of that, they’ve started to turn on their cameras to bolster their physical security.
But even though there might not be anyone in the office, the devices that are left on are still attackable.
The vulnerabilities in IP cameras are well known. When the Mirai botnet hit in 2018, it launched some of the most powerful DDoS attacks ever seen. Among its victims were Rutgers University, Deutsche Telekom and, by some accounts, the entire telecommunications infrastructure of the country of Liberia. It did so with a massive botnet mostly made up of hacked routers and IP cameras, which had been captured because the Mirai malware could guess their device credentials from a small set of commonly used default passwords.
Furthermore, critical vulnerabilities have recently been unearthed in Cisco VOIP phones. Cisco patched these vulnerabilities back in March, but a quarter of VOIP phones we scanned were still vulnerable.
How should enterprises respond?
Enterprises have largely shifted their security efforts to remote working. But that doesn’t mean the office – however empty – can be entirely neglected. Instead enterprises should accommodate this unique situation.
Firstly, enterprises have to look closely at the IoT devices they’re buying. The promises of the IoT can’t be easily refused, but given the widely reported state of their security they can’t be too heavily trusted on either.
If enterprises want to take advantage of the clear benefits of things like IP cameras and VOIP phones – they need to seriously inspect their security pre-purchase. IT departments should always configure these devices before deploying them, and not trust the default settings to provide proper security.
Secondly, remote working is at least part of the future of the enterprise. The current public health crisis has only accelerated that upward trajectory. As traditional enterprise endpoints and devices are used less, and employee-owned devices are used more – enterprises have to be smart about how they manage security and access for remote workers.
Remote workers need to know how to protect themselves and the enterprise while they use their own devices. They also need to know about the unique threats – such as phishing or insecure local networks – that face them while outside of the office and without the protection of enterprise controls.
Perhaps most importantly, enterprises need to retain visibility over both their remote workers and the office. The devices in the office are still vulnerable and attention must be devoted to the empty office as well as the remote workforce.
Perhaps the harder job is maintaining visibility over a remote workforce – enterprises have to do so without direct visibility over employee-managed devices. IT departments need to consider that remote workers’ home networks and personal devices are part of their expanded attack surface.
Enterprises have to be able to watch for odd IP addresses of connecting employees or failed login attempts which may indicate an attack attempt. For traffic inside the local network, IT teams should focus their attention on account activity and how users access sensitive data.
The data analysis by ExtraHop reflects a shift in the activity of the office network in this unprecedented moment in history. A survey from Hoxby, an international consultancy was carried out early in the quarantine period.
It showed that 59% of workers believe that remote working will stay in place for at least six months after quarantine ends. If the current situation holds, this data analysis may not just provide a picture of the present moment, but the future too.
