
Are your networks and devices safe while you work from home?

Historically, most of our users have connected to our corporate network from the confines of our walls. 

They have connected to networks with cables or through wireless networks connected with enterprise-grade security. We’ve allowed remote and teleworkers to access our network, but this has been limited to a few employees with all the bells and whistles of security on their laptops. 

The world has now changed and we are asking our teams to work remotely from their homes. What impact does this have on our systems and security?

Firstly, we have pushed our perimeter outwards: our network now extends into people’s homes. We have enacted our business continuity plans and deployed an impressive number of machines into our users’ hands. We’ve finally gotten support from the executive to implement Multifactor Authentication (MFA) and have rolled out corporate endpoint security solutions to all these machines. We have enforced Active Directory authentication on all our machines to reduce the risk of unauthorised access to the device. We have technical and process controls in place. Our mail filter is up-to-date to protect against phishing and we have rolled out user awareness training in rapid time. 

Job done? Yes. Can we sit back and relax? Not quite. 

The part we’ve all forgotten is the third pillar of cybersecurity - people. 

HOW SECURE IS YOUR WFH SETUP?

The one consideration so many organisations have missed is the security of home users and their wireless networks.

How long do you think that WPA2 wireless password, which has not been changed for 2 years, is going to stand up to an attack from a bored kid, who is now on school holidays, or worse, a malicious attacker? 

What about that home router, exposed to the outside world by users who open it up to reach media servers and don’t know what a firewall does? When you think about it, when did you last update your router or change your Wi-Fi password?

Okay, so what, you can connect to my home network, big deal. Well, I am now on YOUR network. You have extended your network across the VPN to allow your staff to work. I can launch a piece of malware against their machines as I am now on the network. You may have deployed endpoint protection but it’s only Windows Defender relying on pattern files. 

Worse still, in the haste, some laptops were deployed without AV at all. Even with these tools in place, I can still compromise a machine running a vulnerable piece of software, such as the outdated Adobe or Java install the user needs to reach that legacy application on the network. I can now relay all my traffic through that staff member’s machine, which is sitting on your network. I am on your network and you have no idea.

From the comfort of my own couch, I am on your network by compromising your employees’ wireless network and then popping their machine. I can move about onto your network, grabbing SAM hashes with Mimikatz and LSAdump - I might have even gotten these from the compromised laptop after an admin logged in to the local machine. 

I then upload all the admin hashes to my NPK box, built with Terraform and running in AWS, which I can start within 30 seconds. I throw ten top-of-the-line NVIDIA Tesla V100 GPUs at it to crack these passwords in minutes. I now have your admin passwords and it only cost me some of my time and about $20 of AWS resources. 

I am on your network and have access to do what I want, where I want, and when I want. I can also connect to your Office365 tenancy and wreak havoc. I can pivot throughout your network and you won’t even know I’m there. 

All because of a bad WPA2 key.

HOW DOES 24X7X365 SOC MONITORING HELP?

Let’s rewind and imagine we had some form of 24x7x365 monitoring that tracked user behaviour and knew what normal looks like. Wouldn’t it be better if SMEs could afford this and didn’t have to pay for a million-dollar solution? 

DefenceShield Monitor is Triskele Labs’ 24x7x365, 100% Australian-based SOC. It combines User Behaviour Analytics (UBA) and Endpoint Detection and Response (EDR) in one package, all delivered via a single, easily deployed agent.  

We can’t force your users to have a strong Wi-Fi password, but we can certainly identify when something strange is happening on their laptop. We can see when someone is scanning your internal network for open services. We deploy a honeypot to catch malicious users while they are moving laterally around your network. Ultimately, we can see when machines have been compromised and attackers are seeking to gain a further foothold.

Using DefenceShield Assess, we go further and conduct ongoing and real-time vulnerability scanning to immediately identify when a user has installed a vulnerable application that’s going to allow them to be targeted and utilised to launch further attacks. This insight is second to none and allows you to take swift action before the bored kid sitting on his couch or that determined attacker has time to think. 

Before you start thinking this is an expensive solution, DefenceShield Monitor starts at $3,500 AUD per month and Assess starts at $2,500. All this for less than $100k to provide complete peace of mind.

Reach out to sal.unwin@triskelelabs.com or 0408604351 to discuss this further. We can deploy our SOC, remotely, within three days to have you up and running.