Jan 28, 2016 By Jean-Paul Bergeaux In Blog

Your security infrastructure doesn’t cover mobile use

For many workers, a laptop is essential to staying productive away from the office. They take their laptops when they travel and bring them home in the evenings and on weekends, perhaps to catch up on work or to be on call for emergencies. A new report by CYREN highlights how attackers use the habits of remote and mobile workers to circumvent the robust security infrastructure that larger organizations like Federal agencies have in place.

“Cybersecurity professionals report that as employees return to the office on Monday and log in to corporate networks, security alerts begin popping up. These professionals speculate that when employees take their laptops home over the weekend, they connect to the Internet through public or unsecured WiFi, and proceed to surf the web and download content …. It turns out that Fridays are the peak distribution days for malware and spam.”

Federal agencies design employee access over VPN to protect data, and rightly so. But that does not mean everything the remote laptop is used for will go through that VPN. Routing traffic for non-internal applications through the VPN adds an extra hop and the latency that comes with it, so users feel that the Internet is slow; nearly everyone will tell you “my home Internet is faster than work.” This leads users to disconnect the VPN for any work they can get done without internal servers, which can include browsing the web for legitimate work and personal purposes or downloading Email, especially personal mail. While the VPN is disconnected, none of that traffic passes through the agency’s web filtering, proxies or intrusion detection.

This is not only a problem from Friday through Sunday, but for any device that leaves the organization’s physical walls. When the device re-enters the internal network it can become “patient zero”, spreading infection and enabling lateral movement to sensitive data, as the security professionals reported back to CYREN.

So how do Federal agencies deal with this problem?

There are two ways to address this problem. The first is an endpoint security product that monitors for Indicators of Compromise (IoCs) and has Incident Response (IR) capability built in, rather than a legacy Anti-Virus (AV) product. There are several good products that do this, and your choice will probably depend on what your infrastructure already contains. Such next-gen endpoint products can also identify malware variants through “fuzzy hashing”, as products like CloudHash do: a file does not have to match a known sample byte for byte to be flagged as similar to it. These products will identify problems early, possibly before the endpoint connects to the network, and if not, quickly once it is connected.

The second way to address this problem is to force each returning endpoint through a health check by a next-gen Network Access Control (NAC). ForeScout is SwishData’s leading product here. When the endpoint reconnects, it can be scanned for missed patches and for files installed while it was away, and compared against new vulnerabilities and threats the infrastructure has learned about since the device left the network. Depending on the policy settings and the results of those scans, the device can be granted full access, refused access, or quarantined for further administrative action. Patient zero contained.
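To make the decision logic of that health check concrete, here is an added example (not code from the original post, nor from ForeScout or SwishData) that evaluates a constructed endpoint posture report against a policy and returns one of the three outcomes described above. The patch identifiers, product names, file hashes and dates are made up for illustration; a real NAC would collect the report from an agent or an authenticated scan rather than from inline data.

```python
"""Added example: a minimal NAC-style posture check for a returning endpoint.
Not the original post's code and not any vendor's product logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "full access"
    QUARANTINE = "quarantine for administrative action"
    DENY = "refuse access"


@dataclass
class Policy:
    required_patches: set      # patches every endpoint must carry
    ioc_hashes: set            # SHA-256 digests of known-bad files (IoCs)
    vulnerable_versions: dict  # product -> version learned to be vulnerable while devices were away
    max_days_away: int = 7     # longer than this and the device is held for a full rescan


@dataclass
class EndpointReport:
    host: str
    installed_patches: set
    file_hashes: dict          # path -> SHA-256 of files added since the last check-in
    software: dict             # product -> installed version
    last_seen: datetime        # last time NAC saw this device on the internal network


def evaluate(report, policy, now):
    """Return (Decision, findings). A confirmed IoC hit is decided first and wins
    over hygiene findings, because a compromised host must never reach the LAN."""
    findings = []
    ioc_hits = [p for p, digest in report.file_hashes.items() if digest in policy.ioc_hashes]
    if ioc_hits:
        findings.append("IoC match: " + ", ".join(sorted(ioc_hits)))
        return Decision.DENY, findings
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        findings.append("missing patches: " + ", ".join(missing))
    vulnerable = sorted(p for p, v in report.software.items()
                        if policy.vulnerable_versions.get(p) == v)
    if vulnerable:
        findings.append("vulnerable software: " + ", ".join(vulnerable))
    days_away = (now - report.last_seen).days
    if days_away > policy.max_days_away:
        findings.append(f"away {days_away} days, exceeds {policy.max_days_away}")
    if findings:
        return Decision.QUARANTINE, findings
    return Decision.ALLOW, ["posture OK"]


# Constructed sample data. Hashes are placeholders, not real malware digests.
NOW = datetime(2016, 2, 1, 8, 0)  # a Monday morning, when the laptops come back
POLICY = Policy(
    required_patches={"KB3000001", "KB3000002"},
    ioc_hashes={"deadbeef" * 8},
    vulnerable_versions={"ExampleReader": "11.0.9"},
)
CLEAN = EndpointReport("lt-001", {"KB3000001", "KB3000002"},
                       {"C:/Users/a/report.pdf": "cafebabe" * 8},
                       {"ExampleReader": "11.0.10"}, NOW - timedelta(days=3))
STALE = EndpointReport("lt-002", {"KB3000001"},
                       {"C:/Users/b/notes.txt": "0badf00d" * 8},
                       {"ExampleReader": "11.0.9"}, NOW - timedelta(days=10))
INFECTED = EndpointReport("lt-003", {"KB3000001", "KB3000002"},
                          {"C:/Users/c/AppData/Local/Temp/invoice.exe": "deadbeef" * 8},
                          {"ExampleReader": "11.0.10"}, NOW - timedelta(days=3))


def admission_decisions(reports, policy=POLICY, now=NOW):
    """Map each host to its access decision; what a NAC would hand to the switch/VLAN policy."""
    return {r.host: evaluate(r, policy, now)[0] for r in reports}


if __name__ == "__main__":
    for r in (CLEAN, STALE, INFECTED):
        decision, why = evaluate(r, POLICY, NOW)
        print(f"{r.host}: {decision.value} ({'; '.join(why)})")
```

The ordering is the point worth copying: an IoC hit is a confirmed compromise and gets an outright refusal, while missing patches, a newly learned vulnerable version or a long absence are hygiene problems that justify quarantine and remediation rather than a hard block.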

Defending the network from returning systems that have been infected “in the wild” is a real problem, but between the two solutions above, and the possibility of them working together through pre-defined integration points, it can be addressed. For more about how SwishData can help you with these problems and simplify your environment while making it more secure, contact us here.