Question: How can I test the security of my home office employee’s router?
John Bock, Senior Research Scientist at Optiv: This can be a challenging question, because it depends on your user base and how creative your legal department wants to be. The technical answer is that enterprise vulnerability management products can scan home office routers, but before doing so, you must consider a few things, namely that employees in certain languages may agree to declare that they have the IP address to be scanned. They need to allow the organization to scan their routers and possibly cause outages.
This will provide the most accurate results and comprehensive visibility into the overall risk of the organization, especially if we now consider the home office as an extension of the corporate environment. But there are some dependencies on relying on employees to provide their home router IP addresses correctly. There are also potential shortcomings in terms of privacy issues and accidents, such as scanning addresses incorrectly. In any case, the entire work must start from the legal department.
If this method is impractical, you can only use typical user groups with different technical skill levels to complete the task, including individuals who may have never logged in to the home router management interface. Starting from the most basic process, you can ask users to check whether their IP address appears in a public database. A quick way is:
Now, most home users will have a non-static address from their provider, but it’s still worth knowing if there is a problem with the address they came from. If you can require employees to log in to their routers, then the highest priority is for them to update the firmware and verify that their firewall is enabled.
For technical users, this is not a big deal, but for some of your user groups, it may be a lot more demanding. There is no easy way to deal with this problem, but you can simplify the process by providing links to vendor documents about specific actions you want users to take and make the help desk available for support. Although the support team may not enjoy the increased load, in order to enable automatic updates and ensure that basic protection is in place, a one-time resource is worth it.
John Bock is a senior research scientist at Optiv. Prior to this, John was the vice president of threat research. Prior to this, he was the head of Optiv application security practices, providing application penetration testing and other software security services.
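The answer's main practical risk with the consent-based approach is that employees will report their home router address incorrectly and the scanner will end up probing the wrong host, a LAN address, an ISP carrier-grade NAT range, or a range the organization already covers. The script below is an added example (not from the column or from Optiv) that validates a batch of employee submissions before they enter a scan scope: it requires a recorded consent flag, parses each address, rejects non-public and corporate space, and deduplicates. The submission format, the field names, the corporate range and all sample addresses are constructed for illustration; RFC 5737 documentation addresses stand in for real public ones.

```python
import ipaddress

# Constructed sample submissions covering the mistakes the column warns about.
# Documentation ranges (RFC 5737) stand in for real public addresses here.
SUBMISSIONS = [
    {"employee": "alice", "ip": "203.0.113.45",   "consent": True},
    {"employee": "bob",   "ip": "192.168.1.1",    "consent": True},   # LAN side of the router
    {"employee": "carol", "ip": "100.64.12.7",    "consent": True},   # ISP carrier-grade NAT
    {"employee": "dave",  "ip": " 203.0.113.45",  "consent": True},   # same router as alice, stray space
    {"employee": "erin",  "ip": "198.51.100.300", "consent": True},   # typo, not an address
    {"employee": "frank", "ip": "198.51.100.9",   "consent": False},  # no consent recorded
    {"employee": "grace", "ip": "192.0.2.77",     "consent": True},   # already a corporate range
]

# Address space that can never be an employee's public router address
# (RFC 1918, CGNAT, loopback, link-local, multicast, reserved, plus IPv6 equivalents).
NOT_REACHABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]

# Ranges the organization already covers with its normal scanning (constructed value).
CORPORATE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def classify(entry):
    """Return (address, "ok") for a usable submission, or (None, reason) otherwise."""
    if not entry.get("consent"):
        return None, "no consent on record"
    try:
        addr = ipaddress.ip_address(entry["ip"].strip())
    except ValueError:
        return None, "not a valid IP address"
    # Version mismatches (IPv4 address vs IPv6 network) simply evaluate to False.
    if any(addr in net for net in NOT_REACHABLE):
        return None, "private, CGNAT or otherwise non-public address"
    if any(addr in net for net in CORPORATE_RANGES):
        return None, "inside a corporate range, already in scope"
    return addr, "ok"


def build_scope(submissions):
    """Split submissions into a deduplicated scan scope and a list of (employee, reason) rejections."""
    scope, rejected, seen = [], [], {}
    for entry in submissions:
        addr, reason = classify(entry)
        if addr is None:
            rejected.append((entry["employee"], reason))
        elif addr in seen:
            # Two employees behind one router: scan it once, but keep the second name for the audit trail.
            rejected.append((entry["employee"], f"duplicate of {seen[addr]}"))
        else:
            seen[addr] = entry["employee"]
            scope.append(str(addr))
    return scope, rejected


if __name__ == "__main__":
    ok, bad = build_scope(SUBMISSIONS)
    print("scan scope:", ok)
    for who, why in bad:
        print(f"rejected {who}: {why}")
```

The rejection list is as important as the scope: it is what the help desk hands back to employees so they can correct a typo or resubmit a consent form, and it is the record the legal department will want to see if a scan is ever questioned.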