How to Securely Return to the Office
Many companies are preparing to ease employees back into the office, but there are major risks as devices return to the corporate network.
The Risks of Returning to the Office
With many states now opening up and restrictions being eased in others, companies are getting ready to ease employees back into the office. No doubt they are thinking carefully about sanitization of premises, reconfiguration of spaces, how to arrange workflows to lower the amount of human contact, and other essential aspects of the return to office life. What many don’t realize, however, is the danger posed as soon as user devices begin to operate within the firewall.
Those devices have been living in the wild for a year. Who knows what kind of exotic creatures they may have run into? A good number carry malware. If the bad guys penetrated a laptop, they may be quietly waiting for its return to home turf. Why take a low-percentage shot at bypassing corporate security from the outside when you can wait a few months and exploit systems from within?
Consider the fact that little or no planning was involved when Covid-19 restrictions forced staff to work from home. Companies had anywhere from a few hours to a couple of days to scramble before state mandates shuttered their premises. Once home, IT faced a mountain of help desk requests. In some cases, they were forced to accept the lesser of two evils: Rather than deny users access to the network, they permitted some to operate with consumer-level applications and operating systems. Windows 10 Pro laptops, for example, are not designed for the enterprise. But that was what the user had available.
Another Catch-22 surrounded administrative privileges. It’s one thing to restrict admin privileges when you are behind the firewall. But many home workers couldn’t download what they needed unless IT relaxed restrictions. Perhaps it was only to download a printer driver or a tool to enhance productivity. Whatever the reason, the sanctity of administrative privileges may have been compromised.
The bottom line is that the laptops of the work-from-home brigade could already be weaponized in preparation for the return to headquarters. Admin privileges granted for that printer driver installation may now be in the hands of the bad guys. Therefore, it is vital that organizations take steps to prepare themselves for the havoc that could manifest upon employee return.
What Steps to Take
As soon as a laptop is docked on the office network or tries to access the office WiFi, it needs to instantly be detected and identified. It is not enough to set up a scan at 10 am every morning to check for rogue or new devices accessing the network. If a user doesn’t log in till 10.30 am, almost 24 hours will have passed before IT is alerted about a questionable device.
By then, an attack may have been carried out or the bad guys could have entered and burrowed into some dark corner of the network where they can study company habits, finances, intellectual property (IP), and other assets unobserved. Instead of scans scheduled daily, then, the system must be able to detect laptop presence immediately.
What happens then? That device must be isolated so it cannot contaminate servers and other devices. It should be quarantined until fully scanned, patched, and all vulnerabilities and threats removed. Vulnerability and patch management systems, therefore, should be capable of accessing quarantined devices to clean them up in such a way as to not put the network at risk.
Patch scans should verify that all critical patches have been installed. If not, the device remains in quarantine until all high priority or security related patches are up to date. Additionally, a thorough security scan should check for any vulnerabilities. This should include checking for installed software that is really a backdoor, or applications installed by the user that have a backdoor hidden within. Check, too, for untrusted processes and software running on any device, as well as extra privileges granted to users during an emergency.
What Your Solution Should Do
Scanning and patching tools should be able to terminate rogue or suspicious processes automatically, or leave them running in a sandbox to collect evidence for investigation purposes. Remember that the SolarWinds attack could have infected just about any software. No device must be allowed to access the network until all such matters have been fully resolved.
Attention should also be paid to group memberships such as the local administrator group. The security system should be alert for new user being added to such groups, or administrative accounts being modified. It should be possible to suspend suspicious accounts until fully verified and approved.
One further aspect should be mentioned. It is likely that upon their return, more than a few users will be up in arms that their laptop can’t access the network. They correctly want to be productive immediately. A raft of quarantined devices could send emails flying and see help desk calls spike. It would be wise to prepare a bunch of loaner laptops to hand out to employees to enable them to hit the ground running.
How Syxsense Can Help Your Business
Syxsense fulfills all of the above duties. As well as being a comprehensive vulnerability scanner, it offers IT management and patch management on one console.
Additionally, the newly released Syxsense Cortex Covid Readiness Job protects corporate networks from devices that reconnect with unauthorized software installed, outstanding patch vulnerabilities, or open security vulnerabilities.
Syxsense Cortex recognizes device returning to the corporate network and immediately quarantines them from communicating to other network devices. While the device is isolated, Syxsense Secure maintains a direct connection and scans the device for vulnerabilities, alerts IT staff of issues, installs updates, modifies settings, removes risk factors, and then restores the secured device to connected status.