[BreachExchange] Ghost Town Security: What Threats Lurk in Abandoned Offices?

Destry Winant destry at riskbasedsecurity.com
Wed May 5 10:54:07 EDT 2021


https://www.darkreading.com/edge/theedge/ghost-town-security-what-threats-lurk-in-abandoned-offices/b/d-id/1340866

Millions of office buildings and campuses were rapidly abandoned during the
pandemic. Now it's a year later. What happened in those office parks and
downtown ghost towns? What security dangers lurk there now, waiting to
ambush returning businesses?

Take a bow, ye in IT and infosec, for pulling off the biggest, baddest
save-the-world action in the heat of a pandemic. Because of you, businesses
keep running even when there isn't anyone in the building to keep the
lights on and the machines patched.

"Most CISOs were focused on getting people remote as quickly as possible
using a 'just-get-it-done' approach," says Andrew Turner, executive vice
president at Booz Allen Hamilton.

Among the new duties of leaping tall and varied obstacles was the need for
speed in shipping an unprecedented number of devices to just about as many
homes. Thinking on your feet was the only way to get things done on the fly.

"Some were even chartering flights and shipping laptops to offshore
locations around the world to support operations and critical call-center
functions," Turner says.

He ticked off many such budget-squeezing, logistic jamming, and
disease-defying feats, all of which ranked well above the normal call of
duty. Yet, despite racking up a staggering and unprecedented number of wins
in record time, "In the chaos, a lot of best practices likely fell through
the cracks," he says.

Oh, yes. He makes a fair point. And now it’s all coming back to haunt us.

Pregnant Pauses and Scary Deliveries

Many new issues are arising from those cracks now to threaten companies.
And how could they not? Those empty buildings remain abandoned a
year-and-counting later. No telling what has occurred in there in all this
time — or what new and awful challenges are brewing in there still.

"Companies that rely on 'air gaps' to protect sensitive networks or
machinery should be particularly concerned because the surest way to jump
the air gap is with physical access," says Michael Bahar, partner and
co-lead of global cybersecurity and data privacy at global law firm
Eversheds Sutherland.

"Also, insider threat is heightened by weakened physical access controls.
Employees who have the right to be in an office building may find their
ability to gain unauthorized access to equipment, systems, and information
far easier with fewer other people around," Bahar adds.

An abandoned building could present almost infinite opportunities for an
inside threat. Just finding an "unoccupied desk with an open Ethernet port
can easily become the initial entry point into a company's network," warns
Chris Hass, director of information security and research at Automox, an
endpoint management company.

Attackers and malevolent insiders could easily sweep the area for passwords
on sticky notes on desktops, sensitive information left on printers and
copiers, and other valuable oversights from a rushed exit. Heck,
maintenance crews, lease holders, and security guards could conceivably do
the same. Or they could just as easily become unwitting accomplices.

"In one of my previous employments, I once forgot my ID badge to access a
very sensitive remote location storing servers, domain controllers, and
databases," says Gavin Ashton, security strategist at Stealthbits, now part
of Netwrix. "I managed to get in with nothing more than a nice smile,
polite manners, and some techno-babble about what I was there to do, so I
was escorted down into the server room and left alone."

Social engineering works, Ashton adds, "and we cannot assume the space inside
four walls to be secure anymore."

Attackers with access to workspaces and devices could plant some nasty
surprises that won't kick in until much later.

"For example, an attacker can install hardware implants. Rather than
stealing hardware, it can be modified by installing a hardware keyboard
sniffer to capture credentials," explains Mario Santana, senior fellow,
threat analytics at Appgate. "Likewise, an attacker can hack into cameras
and microphones in boardrooms to capture sensitive conversations once
people come back to the office."

Company workers are beginning the trek back into these ghost towns. Back to
their seats in abandoned offices and workspaces. What security terrors will
your company face once the doors are thrown open again?

Hauntings and Hardware Horrors

Plenty of security issues have risen from the speed and scale of the
massive worker migrations to their homes.

"A year ago, changes had to be made and organizations had to make a choice
between handling remote work 'right' or handling it 'right now,'" says Rick
Vanover, senior director of product strategy at Veeam. "When solutions are
hurried, mistakes are made."

The challenge now is to mitigate problems as the tide of workers flows back
in the opposite direction. But in many ways, that may actually be trickier
to pull off.

For example, even a mature cybersecurity operation could struggle with
devices left online and untouched for long periods of time, Appgate's
Santana says. Some of the examples he cites are:

- Desktop patches get "stuck" and require a manual reboot.
- Encryption certificates expire, and no one notices.
- Data shares that were meant to be temporary are left enabled.

"There are a million other minor human interactions that we don't normally
notice but may be critical when it comes to cybersecurity," Santana warned.

And don't forget the stockpile of old devices previously scheduled for
wipes and disposal.

"This is like 'Pompeii,' except instead of buildings and people preserved
in ash, it is desktops, servers, and other computer devices that are
running on old versions of software," says Nick Edwards, VP of product
management at Menlo Security. "IT security professionals should assume the
worst when the lights go back on."

Add to that an incoming tsunami of devices that may be loaded with security
threats — some that need to be disposed of and some that will be connected
directly to the office network, too.

According to a November 2020 Blancco report, 97% of 600 global enterprises
surveyed purchased new IT equipment in the last year to equip an at-home
workforce.

"Now there's a redundancy of devices looming — some may be reused and
others may be recycled or disposed of otherwise. With so much tech
equipment in flux, companies will have to hone their data hygiene
practices, an issue that enterprises have not entirely tackled to date,"
says Fredrik Forslund, director of the International Data Sanitization
Consortium (IDSC) and VP of cloud and data center erasure solutions at
Blancco.

Security pros will have to race the workforce to these machines to ensure
they aren’t turned on before they’re checked for problems.

"Companies should also have a plan to test and update systems that have not
been touched during the pandemic. They should be isolated from the network
before being turned on to run diagnostics, make updates, and patch any
vulnerabilities," advises Camille Stewart, cybersecurity expert at Google.
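The failure modes Santana lists (stuck patches waiting on a reboot, expired certificates, "temporary" shares never removed) and Stewart's advice to isolate long-idle systems before they touch the network can be turned into a simple pre-reconnect triage. The script below is an added example, not code from the article or from any vendor quoted in it; the inventory records, hostnames, dates and the `quarantine`/`office-lan` labels are constructed for illustration, and the fields are assumed to come from whatever endpoint-management export a given shop has.

```python
"""Return-to-office readiness triage for endpoints left idle for months.

Added example (not from the article). Each device record is checked for the
conditions the article names; any finding routes the host to an isolated
network for diagnostics and patching before it rejoins the office LAN.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Share:
    name: str
    temporary: bool              # tagged "temporary" when it was created
    expires: Optional[datetime]  # planned removal date, None if never set


@dataclass(frozen=True)
class Device:
    hostname: str
    last_checkin: datetime       # last contact with the management agent
    pending_reboot: bool         # patches installed but not yet active
    cert_not_after: datetime     # expiry of the machine/device certificate
    shares: tuple                # Share records exported for this host


def triage_device(dev: Device, now: datetime, max_idle_days: int = 30,
                  cert_warn_days: int = 14) -> list:
    """Return the reasons this device must be isolated before reconnecting."""
    findings = []
    idle = now - dev.last_checkin
    if idle > timedelta(days=max_idle_days):
        findings.append(f"idle {idle.days}d: patch level unverified")
    if dev.pending_reboot:
        findings.append("pending reboot: patches installed but not active")
    if dev.cert_not_after <= now:
        findings.append("certificate expired")
    elif dev.cert_not_after - now <= timedelta(days=cert_warn_days):
        findings.append(f"certificate expires in {(dev.cert_not_after - now).days}d")
    for share in dev.shares:
        # A temporary share with no removal date, or one past it, is a leftover.
        if share.temporary and (share.expires is None or share.expires <= now):
            findings.append(f"temporary share '{share.name}' still enabled")
    return findings


def plan_reconnect(devices, now: datetime) -> dict:
    """Map hostname -> 'quarantine' (isolate, diagnose, patch) or 'office-lan'."""
    return {d.hostname: ("quarantine" if triage_device(d, now) else "office-lan")
            for d in devices}


# Constructed sample inventory (hostnames and dates are made up).
NOW = datetime(2021, 5, 5, tzinfo=timezone.utc)
INVENTORY = (
    Device("desk-0412", NOW - timedelta(days=400), True,
           NOW - timedelta(days=30),
           (Share("covid-handoff", True, NOW - timedelta(days=300)),)),
    Device("desk-0413", NOW - timedelta(days=2), False,
           NOW + timedelta(days=200), ()),
    Device("print-srv-1", NOW - timedelta(days=5), False,
           NOW + timedelta(days=10), (Share("scans", False, None),)),
)

if __name__ == "__main__":
    for dev in INVENTORY:
        for reason in triage_device(dev, NOW):
            print(f"{dev.hostname}: {reason}")
    print(plan_reconnect(INVENTORY, NOW))
```

Run it against a real export by building `Device` records from the management console's fields; the thresholds (`max_idle_days`, `cert_warn_days`) are arguments so they can be tightened for sensitive segments.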

Booby Traps and the Return of the Day Walkers

The usual lineup of security problems that existed pre-pandemic still
persist now. Plus, as expected, the bad guys continue to be super-crazy
creative and increase the level of sophistication in new attacks because
that's just how they roll.