Malware found on 45 percent of home office networks
New research by BitSight compared malware infections on home office networks versus corporate networks, and the results were unsettling for remote enterprise users.
Enterprise users are far more likely to have malware on their home office networks compared to corporate networks, according to new research by BitSight.
The security vendor Tuesday released a report, titled "Identifying Unique Risks of Work From Home Remote Office Networks," that determined 45% of companies had malware on their corporate-associated home networks, whereas only 13.3% of companies had malware on their corporate networks.
The vendor analyzed more than 41,000 organizations and studied what it called "work from home-remote office (WFH-RO) networks." BitSight researchers conducted the study by creating asset maps of WFH-RO IP addresses associated with each organization.
"It's unique in the fact that it's the first time we took a step out to take a look at affiliated networks and understood the security posture of those networks in comparison," said BitSight researcher Dan Dahlberg, who authored the report.
During March 2020, BitSight researchers found home office networks were 3.5 times more likely than corporate networks to have a malware infection present. TrickBot malware, which is often used in ransomware campaigns, was observed at least 3.75 times more frequently on home office networks, according to the report.
During the research, which was inspired by the recent surge of remote workers, well-known botnets were found to be prevalent as well. Mirai was observed at least 20 times more frequently on corporate-associated home networks than corporate networks.
"Worms like Mirai impact home networks more than corporate networks because of all the different IoT devices and consumer devices that Mirai was built to take advantage of and exploit," Dahlberg said.
Another reason Mirai was effective is that 10% of networks have an administrative interface exposed, said Stephen Boyer, BitSight co-founder and CTO.
"Mirai exploited defaults and things like that to log in and most users haven't changed their defaults," Boyer said.
Protecting home networks
While remote work was common prior to the pandemic, the sudden and sizeable increase created new risks.
"The attack surface has expanded because you have people working from home who've never worked home before, and it happened so quickly. By talking with customers, they said they went from thousands of remote workers to tens of thousands overnight," Boyer said. "The other area is that not everyone is issued a corporate device and not everyone is on a super well-protected and monitored device. Another part is it's persistent; you're not just connecting every now and then. The network you operate isn't administered by a professional group. And, there's a push as we say, from a better protected, higher hygiene network to [not] very ... protected, low hygiene network."
Companies that have had a security culture mindset of zero trust from the beginning are better prepared, Dahlberg said.
"Companies that put emphasis into the trust of a local network presume physical access will have risks. If you have a model device like that, these organizations will struggle more because all of the devices will now be outside that network and because of that, they may not have the same protection technology enforced on the workstation. Some employees don't have corporate devices to use and that protection," Dahlberg said.
Interest in zero trust has risen over the past few years as organizations search for better methods to secure corporate data.
"Zero trust is still relatively nascent," Boyer said. "A zero-trust area would help in this situation, but I don't think that many people are there so all these devices sitting on local area networks will have a different trust level. They may do file sharing, click on things or do things they wouldn't normally do to get their job done. Install applications they wouldn't usually install -- it starts to erode a layer of trust."
There are policies and practices enterprises can enact to increase trust, Dahlberg said.
"They can enhance the protection of the device itself as well as accessible networks for data, so if the device is in a network that is compromised or with other malware, the device itself can have a lower chance of being compromised. They need to ensure their endpoint workstations are protected to help build that defensive depth strategy," he said. "Education is also a big component -- educating employees on the new environment they are in and to understand the risks."
Part of that education is understanding which devices are operating on their remote or residential network.
"People need to understand better what basically needs to be done to maintain these devices. For example, everyone loves to click 'later' on that 'here's an update' alert, but don't do that. There's practices to reduce risks like applying those updates," Dahlberg said.
According to Boyer, 90% of all the malware BitSight sees across the globe is on non-corporate networks.
"So that's where we see, it wasn't just a huge shift because that's already what's going on," Boyer said. "We think long term this will be a structural shift as people are learning to work from home and become more effective at it. The fact is there's a market difference in protections for corporate and home networks and we need to get those closer together. It's a big scaling challenge."