Effect of Work at Home Policies on Device Activity at Enterprise Campus

New Challenges

With the rapid enforcement of shelter at home strategies around the globe, many companies scrambled to quickly implement policies and solutions to provide employees remote access to minimize loss of productivity while keeping their workforce healthy and secure. This massive shift to a remote workforce model resulted in cyber criminals exploiting both the employees themselves and the extended infrastructure that companies hurriedly put in place. There has been a whole new slew of phishing, email scams peddling masks and sanitizers, and numerous new suspicious domains by which malware is installed and propagated. There are video conferencing flaws resulting in snooping and attacks. In addition, there are privacy concerns on cell phone location tracking being used to identify and combat community spread. All of these are covered in great depth in many articles.

However, in midst of all this flux, we are seeing that enterprise campuses are now more insecure and vulnerable than ever and becoming one of the weakest links in overall organizational security structure. In this study we will cover the impact the work from home trend has on enterprise campuses. Anonymized data from WootCloud telemetry shows how the increased VPN and RDP access, lack of understanding of headless devices and status quo in monitoring campus network, is the perfect storm that is making enterprise campuses more vulnerable to attacks.

*Headless devices: Servers, Cameras, TVs, AV Conferencing, Cameras, MIoT, Sensors, APs, Switches
*User devices: Laptops, Watches, Smartphones, Computers (Dates and counts omitted on all graphs)

Observations  and Inferences from general enterprise campuses

Counts of User vs Headless devices before and after

Observations and Inferences:

1. User controlled device visibility reduced by over 60% in the campus network.
2. Most of this reduction is in employee and visitor brought unmanaged devices
3. Headless device visibility reduced only 20% in the same time period.
4. Headless devices now constitute a significant number of devices on campus.
5. Data and research from WootCloud indicates that due to lack of understanding, the headless devices are not well configured nor well protected and are thus under attack.

Headless devices are a now a significant number of devices in campus and are big threat as they are not typically audited, nor managed as assets, and they are not well understood or controlled.

Device count at enterprise campuses per connectivity per hours seen per day

Observations and Inferences:

1. Significant reduction in BT, BLE devices (75%).
2. Significant reduction in WiFi devices seen 8hrs or less (75%).
3. Count of WiFi devices seen 16hrs or more unchanged.
4. Count of Wired devices being seen 16hrs or more has increased over 50%.
5. WIFI BT,BLE devices and hours seen are indicators of employees and office workers on campus.
6. VPN traffic has increased significantly.
7. VPN devices in some enterprises remain always connected.
8. Data and research from WootCloud shows that the VPN endpoint logs are not usually collected, nor correlated with network data to establish device authenticity and compliance posture.

 VPN/RDP clients are communicating from unmonitored and less protected settings. Lack of insight into VPN traffic and lack of monitoring on installed endpoint protection agents can result in a breach.

Hours seen for Headless and User devices  on campus per day

Observations and Inferences:

1. Count of headless devices seen 16hrs or more is relatively unchanged after shelter at home.
2. Count of Headless devices seen less than 16hrs has reduced over 50% but a significant number of them are still visible post shelter at home.
3. Count of User devices seen 16hrs or more is at similar levels before and after.
4. Data and analysis by WootCloud shows that most headless devices are not recorded in any corporate asset management system.

Enterprises need to audit every device that is present on campus. Lacking the monitoring tools to provide full visibility into devices inside the campus exposes the network to attacks.

Examples of a few types of devices seen on campus per day

Observations and Inferences:

1. User operated devices like smart phones, cars, smart watches have reduced over 80% but some are still present around campuses.
2. An area of concern is around smart phones that stay on campus over 8 hours.
3. Corporate IoT devices such as TVs, Cameras, Printers, Signage, Set Top Boxes, Conferencing Device counts are relatively same before and after.
4. Data and research from WootCloud shows that corporate IoT is not well audited, and not maintained in asset management systems. IoT device specific traffic monitoring, protections and policies are not present.  These devices are also are not segmented out into macro and micro segments in most organizations.

Enterprises need to baseline devices entering the campus during this period. Identifying devices seen for extended hours on campus is paramount. Baselining during the time when BYOD noise is minimal presents the best opportunity to build strong policies.

New Devices seen per OS, Type, Spectrum, Ownership and Control

Observations and Inferences:

1. Significant reduction seen in new devices (70%) .
2. New device volume spiked during the period of transitioning to shelter at home.
3. These new devices are seen across connectivity, and across headless, user devices.
4. Data and analysis by WootCloud shows that most enterprises do not monitor new devices connecting into campus network nor do they have automation/rules for their access rights and restrictions before auditing them.

It is critical to get visibility into new devices being seen, especially to identify those that are connecting to the campus network. Set up policies and access restrictions that ensure new devices cannot access the corporate network until sufficient context is developed.

External IP addresses accessed by headless and User controlled devices

Observations and Inferences:

1. Both headless and user devices do access external IP addresses .
2. It is not uncommon, nor abnormal for many headless and IoT to communicate to external IP addresses. Ex: Conferencing devices.
3. Data and analysis by WootCloud shows that most enterprises do not know where there headless devices are communicating and do not have policies, alerts if unexpected application protocols are used or if communication is happening with unexpected locations.

It is critical to understand the communication over internet for each type of user and headless devices. While certain communications over the internet are acceptable, it is absolutely a sign of a breach if certain types of devices and application protocols are observed over the internet.

Alert and Anomaly counts per day before and after

Observations and Inferences:

1. No significant changes seen in the alert counts seen.
2. However, data analysis by WootCloud shows that nature of alerts and the types of alerts seen has changed after the shelter at home. Alerts due to missed configurations, unencrypted login traffic are being seen more than before.

Monitor alerts, especially those related to headless devices.  Monitor authentication errors, lateral login failures, and DHCP errors. Keep your firewall and IPS/IDS signatures up to date and look for anomalies.

Guidance/Recommendations

IT and security teams are now working isolated from each other and thus network monitoring and  Incident response plans need to be reworked to where education is important, and visibility is critical. Developing strong context on every device is the key to successfully preventing security breaches. Where contextual information is unavailable, restrict access to the network until sufficient context is developed. Create dashboards for monitoring remote access connections, new devices and headless devices.  Baseline device activity inside campus, this is especially important as it will mitigate the resulting chaos associated with people returning to work.

Following are the recommendations:

• RDP and VPN usage is dramatically increased, with majority of employees connecting via VPN. Monitor for non-sanctioned devices that connect via VPN. Identify logins and locations of users to ensure that the logins are happening from expected locations. Monitor that all the remote devices connecting via VPN have current EDR, antivirus, patch and config management systems. A VPN connection is a door to your LAN and should only be open when it needs to be. Remote employees should be discouraged from connecting to the VPN all day.Prohibit the use of other VPNs and remote-control software while connected to your VPN.
• All communications between corporate network and external sources should be monitored, and strong policies should be in place to disallow such access based on device context and functionality. Audio video conferencing devices should be monitored for conferencing calls being made from inside enterprises. Monitor your OT and IoT processes more diligently, tracking parameters, their histories, and their frequencies. This could be an early indicator that something is not right within the systems.
• If your organizational policy usually stipulates that no one can access the web interface or management portal of IoT devices from outside of campus;  due to shelter at home policies, staff working from home may need to do so. False alarms for policy-violations may start showing up. However, during this time, no action needs to be taken due to the unusual situation. Better solution would be to administer them only via internal machines.
• New devices are being seen on campus after the shelter at home implementation, especially during the transition period. Monitor this attribute for identifying unauthorized devices on campus.
• Transition period and post shelter also shows changes to corporate infrastructure like new access points, network topology and gives indicators of new scripts running in the network. Monitor this attribute for identifying mistakes and unauthorized network infrastructure configurations.
• Special focus needs to be given to remote office or branch office monitoring and auditing. Identify every device during this period of low noise and use this opportunity to manage remote assets.
• Baseline your network now when the noise due to unmanaged user devices is at a minimum. Identify and understand devices that stay in your enterprises beyond normal working hours or 24/7 and audit them. Prune, fix and add the devices to your asset management.
• Monitor the airspace which includes BT, BLE devices and unconnected Wi-Fi devices. There may also be devices presenting themselves as access points in your campus. This gives an understanding of who and what enters your campus during this period.

To learn more in a zero touch, no obligation Demo or POC, please contact us.

Author: Srinivas Akella, Founder, Chief of Products and Technology, WootCloud Inc.
Data and Statistics: Dr. Shahab Sheikh-Bahaei, Director Data Science, WootCloud Inc.