The COVID-19 pandemic forced a hurried shift to remote work in 2020 and organizations had to prioritize employee productivity and remote access. While home and public networks, along with cloud-based applications kept everyone working, they also introduced a hidden threat. As lockdown restrictions lift and offices prepare to reopen, we must now address the risk posed by an influx of new and returning devices that have been operating with reduced IT oversight for an extended period of time.
Before the pandemic, a multitude of security tools on the corporate network would work around the clock to assess, monitor and remediate connected devices, thereby ensuring elevated levels of device and network hygiene. For employees that were in the office several days a week, there were millions of dollars of network security investments that protected their devices, kept them up to date and ensured a secure experience.
As we all started working remotely, this was replaced by consumer-grade routers with limited security controls on home and public networks, and an IT team fully reliant on a handful of endpoint agents (that can break or be disabled) to ensure device hygiene. Extended periods of remote work with infrequent IT oversight and limited network security controls causes device hygiene and security posture to deteriorate. Dubbed “device decay”, this exposes devices to vulnerabilities and threats, and translates into an increased attack surface for malicious actors to target.
Consider this – during this period of reduced IT oversight, more than 18,000 CVEs were discovered in 2020 alone, an average of 50 per day. The most exploited vulnerabilities in 2020 and early 2021 included those affecting VPN servers and collaboration software such as Microsoft Exchange or Microsoft Office – products that enable remote work. While patching isn’t rocket science, the mean time to remediate vulnerabilities is 60 days, and some often go unpatched indefinitely. 75% of cyberattacks in 2020 targeted vulnerabilities that were at least 2 years old and 60% of data breaches were attributed to missing OS patches.
As offices, public facilities and retail locations prepare to reopen after months of lockdown, devices with degraded security posture can pose a serious risk to enterprise networks and business operations. They provide an entry point for threat actors looking to infiltrate corporate networks, exfiltrate sensitive information or wreak havoc on day-to-day operations. This comes at a time of massive increase in cyberattacks, with the FBI alone handling more than 4000 cybercrime incidents per day, a 4x jump from pre-pandemic days.
Device decay manifests itself in different ways across different cohort of devices:
- Employee corporate devices that started with generally good security posture in pre-pandemic days and have degraded over time – broken agents, missing security patches, unauthorized applications and configuration drift.
- New devices, often consumer-grade laptops, that got added into the work ecosystem during the pandemic without gold master images and never had the same stringent levels of device hygiene.
- In-office or remote devices that were switched off because they weren’t needed during the work-from-home phase and haven’t been kept up to date with the latest security patches.
- Always-on IoT and OT devices such as physical security systems, conference room smart TVs and HVAC systems that have remained idled/unused and gone unattended by IT, with potential exposure to vulnerabilities discovered in multiple TCP/IP stacks used by hundreds of vendors and billions of devices (such as those disclosed in Project Memoria). These devices will take a long time to be patched, if they can be patched at all.
Organizations need to reevaluate their security policies to protect their networks and business operations from device hygiene decay. The following best practices can fortify enterprise network defenses to prepare for returning workers and their devices.
- Implement real-time inventory procedures. Managing risk starts with a continuous and accurate inventory process. You need to ensure you have full visibility and detailed insight into all devices on your network and you’re able to monitor their state and network interactions in real time. Be sure your system uses multiple visibility techniques to eliminate any blind spots and provides real-time discovery, identification and classification upon device connection instead of point-in-time scans that miss transient devices. Connect this visibility platform with your ITSM tools to keep your CMDB accurate and up to date.
- Assess and remediate all connecting devices. Set up a system to inspect all connecting devices, fix security issues and continuously monitor for potential device hygiene decay. While many users are still out of the office, use this time to get a head start. First check the idled and always-on in-office systems to ensure they have the latest software releases and security patches installed and running. Assess them for vulnerabilities disclosed while they remained dormant. As degraded and non-compliant devices return to the office, initiate remediation workflows in concert with your security and IT systems.
- Automate Zero Trust policy enforcement. Adapt your Zero Trust policies to include device hygiene and fix security issues such as broken security agents, unauthorized apps and missing patches before provisioning least privilege access. Segment and contain non-compliant, vulnerable and high-risk devices to limit their access until they’re remediated. Automating workflows can buffer your SecOps team from being overwhelmed and provide helpful alerts when employees and their degraded devices return to the office in waves.
- Continuously monitor and track progress. As devices start returning to the office, they are also expected to be away for extended periods. Continuously monitor all devices while they’re on your network, maintain visibility into their state while off-network, and reassess their hygiene after extended absence. Constant vigilance will allow you to adjust your approach based on the volumes and types of devices connecting to your network and the issues/risks that appear over time.
- Train/equip staff to help protect your network. Finally, you should ensure that these security measures are properly reflected in official company policies. All employees need to be aware of security protocols and the reasons they have been implemented to avoid internal friction. Employees should know the basics such as avoiding the use of unauthorized apps and keeping their devices up to date, so they can assist with combating device decay and help maintain high levels of device and network hygiene.
Managing device decay is not a one-time activity. In the new normal, hybrid work practices will be implemented differently by various organizations and will also vary by groups within companies. Some employees may work in the office a few days a week or month, others a few weeks per quarter and some may come in only a few times during the year. What will be constant across all these work practices is that devices will remain away from the office for extended periods before returning/re-connecting and will be prone to device decay during the away-period.
Forescout can help you implement security best practices as employees return and transient devices become the new normal. For more information, visit forescout.com/return-to-office.