This is a sponsored story produced in collaboration with ExtraHop. The views and opinions expressed in this article are those of the authors, not the CyberWire, Inc.
Everything from IP phones to printers to treadmills in your office gym connects to a network somewhere—except now there’s nobody in the building to turn them off. A recent security report from ExtraHop found that most businesses remembered to shut down the exercise equipment when shuttering their doors in an attempt to slow the spread of COVID-19, but can the same be said for other connected devices?
IT ops teams’ lives became a lot more complicated as stay-at-home orders forced a tireless push to spin up a remote workforce overnight. As the dust now settles, they’re preparing for the inevitable challenges that accompany hasty work, including misconfigurations and potentially a surge in attacks.
As IT teams diverted their attention to enabling their remote workforce, keeping an eye on the empty office fell to the bottom of their list of priorities. But just because the doors are locked does not mean that the business is secure. According to a sample of anonymous ExtraHop customer device behavior from March 2020, many devices are still connected.
A note on data sourcing: Using anonymized, aggregate data from a global customer base, ExtraHop analyzed business-related device activity during a one-week period at the end of March 2020. This activity was then compared to the same cross-cut of devices from November 2019. ExtraHop analyzes 4 petabytes of data from over 15 million devices and workloads each day across cloud, data center, and remote site deployments. This intelligence is derived from that data set.
In March, ExtraHop observed just a 7.5 percent decline in IP phones connected to the network, meaning relatively few office IP phones have been disconnected.
Change in device connections from November 2019 to March 2020 - ExtraHop connected devices security report.
In April 2020, researchers at Tenable uncovered a critical vulnerability (CVE-2020-3161) impacting the web server on specific models of Cisco IP phones. If exploited, the vulnerability could enable an unauthenticated remote actor to execute code with root privileges or launch a denial-of-service (DoS) attack. According to reporting by ThreatPost, the vulnerability ranked 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. The Cisco vulnerability highlights the risk of leaving devices connected to the corporate network. If left unmonitored, these devices can open a back door for attack while security teams are otherwise occupied.
This is not an isolated incident. IoT security is still a relatively new consideration for many enterprises, many of which have not yet considered the security risks of placing IoT devices in their corporate environments—especially devices that seem entirely innocuous.
For example, printers have long been a target for hackers, and for good reason. A 2019 study by NCC Group uncovered 49 vulnerabilities in the drivers and software running on the top six enterprise printer brands. The vast majority of enterprise printers remain on and connected to the network, according to the ExtraHop report.
But back to the treadmills!
While no one should be surprised to see treadmill connections fall by 100 percent, their place in ExtraHop’s device list indicates a broader trend in IoT—the desire to connect anything and everything to the internet. While IoT makes our lives more convenient, it comes at a cost: an ever-growing attack surface and greater exposure to risk.
With many companies around the world continuing to work from home for the foreseeable future, IT teams may not be able to go into the office to disconnect the devices that were left on. Perhaps the greater challenge, however, lies at the intersection of connected devices and remote work.
Remote work will become more common as we emerge from the pandemic. Organizations will need to look for long-term solutions to enable their remote workforces. In some cases they may decide to send corporate devices to employees’ homes.
While remote software updates to these devices are theoretically possible, they’re complicated by the lack of direct access to the device on a trusted network (e.g., being able to obtain the firmware via TFTP for the install process). In many cases, individual employees will need to install updates or apply patches themselves. Unfortunately, many, if not most, employees lack the technical skills required. This means that critical updates may not be applied properly or in a timely manner, leaving network resources exposed.
While much remains uncertain, it’s increasingly clear that many of the changes in how people work—and the resources required to support remote work on a large scale—are here to stay for the foreseeable future. They may be here permanently. The transformation, while painful in its swiftness and scope, forced a change that many organizations have been exploring for some time.
A long-term transition to a more flexible workforce model will require security that can adapt to campus, branch, and remote work. Companies will have to find new ways to make services like VoIP available to employees in a secure and manageable way, without putting the burden of critical updates on individuals.
About the author: Ted Driggs is a customer-focused expert in enterprise cybersecurity solutions. Outside of his work in network detection and response product development for ExtraHop, he’s a maintainer on the Racer project for Rust.