The Forcibly Converged Network
The convergence of home and corporate networks continues unabated. Converged workspaces are here to stay for the foreseeable future. Most converged networks that we assess are flat, like many corporate networks. However, the comparisons abruptly end there. Unlike corporate networks, converged networks lack common controls and typically lack monitoring of internal and wireless access. Similarly, firewalls in the home “office” are often limited to simple packet filters and are not well implemented beyond default configurations. More than anything, converged networks do not fare well when it comes to the security of non-corporate assets on adjacent networks.
One Hop Away from the Corporate Network
From the onset of the pandemic, non-corporate assets continue to pose risks to adjacent corporate networks. Consumer connected devices, thermostats, home assistants, and printers are often unmanaged. Adding virtual schooling to the mix has only increased the odds of corporate compromise. Attacks on remote learners could be leveraged to compromise accessible corporate provisioned devices – one hop away. A recent spate reported incidents of ransomware impacting the start of schools and the increased level of the malice of these attacks are telltale signs of impending corporate breaches
The Converged Network Threat Model
If they haven’t already, security stakeholders have expanded threat models of their organizations in response to converged networks on which their employees work. Widely known attacks against home routers and IoT place converged networks in jeopardy and, ultimately, corporate assets. CISOs and CIOs should be actively considering risks posed by a shared workspace that extends the corporate domain. Many inherent weaknesses corporations are sure to encounter in converged networks like malware (i.e., 3.5x more likely) and service and remote management exposure.
What Can Go Wrong?
In a real-world example from a recent engagement, we recently stumbled upon an asset management risk that warranted attention. The firm stood up infrastructure to commission images for its workforce at the outset of the pandemic. Those machines were never provisioned, and the infrastructure never decommissioned. Moreover, a scan of that network revealed the existence of the vulnerability. Stories like these confirm the need to reassess all access and assets. All threat models must be thoroughly fleshed out and refreshed.
Another example is detailed in Anton’s most recent post which outlines one possible attack scenario given this new shifting perimeter and to provide some defense guidance around these Tactics, Tools, and Procedures (TTPs).
Shifting Policy
Many organizations and businesses are reassessing their risk management practices, policies, and procedures in light of these converged workspaces. This new inflection point mandates a refresh of corporate security and awareness programs. As a result, businesses can minimize the impact on corporate assets and data compromise. Further, new guidelines should require controls like segmentation to limit the attacker’s reach due to compromises on the adjacent network. Visibility, to whatever degree possible, is equally important as converged networks are effectively blind spots. Ultimately, Data protection policy should be top of mind. Leaders are already rethinking their positions on data privacy with remote workers potentially processing data remotely. Lax data protection controls during the pandemic have led to widespread compromises, and industry leaders have taken notice.
What Else Can We Do?
The Forcibly Converged Network has its challenges. Every organization’s architecture is different; every home network and the devices communicating with the Internet are unique. Similarly, parental or guardian oversight of Internet usage varies per beliefs and household rules. Hence, updating security program documentation, adjusting threat models, and implementing monitoring technical controls (where possible) should be of paramount concern for all organizations to help limit potential threats.
As this problem is likely not one that can be completely addressed by a single blog post, we decided to hold a roundtable discussion on Wednesday, October 14th, 2020, at 12 pm ET with several Lares employees to bring their own unique parenting, security, and anecdotal perspectives to this problem.
Sign up for the free webinar here: https://attendee.gotowebinar.com/register/775648688884026384
Mark Arnold has a 15+ cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, and vulnerability research, nation-state attack methods and related activities (e.g. information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard’s Kennedy School.