Pain Points in the New Virtual Workspace
Posted by: Kyle Rohan
In the current age of technology, we are all very familiar with notifications from our computers, phones, smart devices, etc., all telling us we need to apply an update. Whether those prompts to update are followed or not, it depends on the person receiving it and whether they understand its importance. Security professionals know that update prompts inform us there is an issue or vulnerability that needs to be addressed. Not doing so can cause problems with our devices, or worse, open our system up to an exploit designed to take advantage of the vulnerability now present in the equipment or software. Now, many end-users don’t have a choice with corporate systems whether to patch or not, as the IT team usually forces it. The problem becomes, now that the users are at home, these corporate systems are being exposed to devices that are not being forced to patch.
Normally these vulnerabilities are not at top of mind daily since we have a vulnerability management system in place and your office security catches a majority of these attacks. Now that users are no longer contained within the office security perimeter, we can run into some issues. Whether this was an organic change your organization made over time or forced by some sort of event, we have to prepare for the changing work environment and know what types of risks our users will be facing.
Even though the work landscape is in a constant state of flux, older vulnerabilities are still the most common in this at-home environment. Attacks are still showing up via the usual suspects like Adobe, Java, and Microsoft Office products.
The misconfigurations, default passwords, and vulnerabilities you work with every day to resolve on internal systems, are no longer the primary points of interaction with corporate assets. We have to start thinking about what patches, configurations, and changes has our IT team implemented over the last couple of years to resolve significant vulnerabilities, as these same issues probably still exist in our employee’s home networks.
For instance, has everyone one of your employees patched their systems for BlueKeep? Are they still running Windows XP systems? Do my users even know how to patch? Do they use an Antivirus or firewall on their home systems? Have Ripple20 vulnerabilities been taken into consideration? These 19 vulnerabilities affect hundreds of millions of IoT Devices and allow an attacker to remotely gain a foothold. The devices in your corporate network may have been patched three weeks ago, but you don’t know about the home systems. They may be infected and are now attacking you and your corporate machines.
Something that you can do now to get a leg up on security in the environments of your end-users homes is to start talking to them. Like children, they will get their information from somewhere; it might as well be from you, a trusted source. Explain the importance of patching their home computers and smart devices. Talk about why firewalls are good, and explain that most routers have the option to enable one. Suppose we can help our end users get a better grasp of their home network hygiene and start or revamp security training. In that case, we can build a better security culture, helping us to remediate one of our most significant vulnerabilities, people. For more information about managing more pain points in your expanding environment as well as some lessons learned, check out our white paper, Managing an Expanded Open Security Perimeter: The New “Normal”.
About GuidePoint
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.
Contributing Authors
Kyle Rohan, Vice President of Engineering, GuidePoint Security