Cyber Threats Rise at Home: An Interview With Tom Kellermann

A top cyber security leader speaks frankly about the risks of working from home, the importance of the cloud in securing home critical infrastructure, and how his job as a nightclub bouncer prepared him for a career as a go-to cyber risk specialist.

By Russ Banham, Contributor

As millions of people work from home to reduce the possibility of becoming infected with (and spreading) the coronavirus, they inadvertently increase the risk of a cyberattack targeting their company’s IT network and systems.

This threat is especially perilous since many C-level executives are now working in their home offices, sending and receiving confidential emails and texts via their smartphones and laptops. The problem? These work devices are connected over the internet to the same wireless system that also connects to their homes’ smart devices, which are particularly vulnerable to cyberattacks.

“The C-suite is no longer within the cyber defense walls set up at the corporate level,” says Tom Kellermann “TK”, former cybersecurity adviser to the Obama administration, now head of cybersecurity strategy for VMware Carbon Black—a next-generation endpoint cybersecurity provider in the cloud.

If hackers decided to launch a cyberattack against the “smart” IT infrastructure of a marginally cyber-protected home—gaining access to the smart garage door opener that wirelessly connects to the internet, for instance—a more insidious door may open to the corporate IT infrastructure.

“While the security of connecting the Internet of Things [IoT] devices in the home has been a cybersecurity concern for CISOs and CIOs for some time, the nature of remote telework by so many people during this difficult period of time vastly compounds the risk,” says Kellermann, who recently relocated from Boulder, CO to Washington, D.C.

Whereas hackers in the past might target a person’s home to steal credit card data and other personal information, they’re now looking for corporate trade data, proprietary information, and customer and employee data. In turn, this increases the need for people working from home, Kellermann says, to “virtually lock the doors and turn on the alarm.”

Island Hopping

Kellermann’s concerns should not be taken lightly. In 2008, he was one of the first cybersecurity experts appointed to a seat on the Commission on Cybersecurity, created to advise the president of the United States on the nation’s cyber risks and defenses. In the post, he served as an advisor to the International Cybersecurity Protection Alliance.

Prior to joining publicly traded VMware in 2018, Kellermann was the CEO of venture capital firm Strategic Cyber Ventures. Before that, he served as chief cybersecurity officer at Trend Micro, where he was responsible for the analysis of emerging cybersecurity threats and relevant defensive technology. In 2017, he was named a global fellow for cyber policy at the Wilson Center, the nation’s key nonpartisan policy forum for tackling global issues through independent research.

The son of a U.S. diplomat, Kellermann grew up in West Africa, Mauritania, and Guatemala. In college, he was a bouncer in a nightclub. He once told a journalist the job was similar to cybersecurity, as one has to look for behavioral anomalies in both roles.

Kellermann’s ability to scope out these anomalies has made him the go-to cyber risk specialist for many large enterprises and government agencies seeking advice on securing critical infrastructure. These days, he’s also being called upon to advise companies how to secure critical home infrastructure. In this regard, he’s particularly focused on “island hopping.”

The term describes an advanced cyberattack whereby hackers invade the target enterprise through a smaller company that provides services to the organization, such as a key supplier or a third-party contractor. Following a successful invasion, hackers hop from one “island” to the next, invading other companies in the network. In this case, our homes are just another island.

“Your ‘smart’ infrastructure, whether it’s your website, mobile apps, mail servers, and so on, are being purposely targeted by hackers not to steal from you but to attack your employer and its customers—the malware effectively pushed off your infrastructure,” says Kellermann.

Smarting From Smart Systems

This infrastructure, of course, is not what it was in 2003, the year that Wired announced the beginnings of “The Wi-Fi Revolution,” a transformation as groundbreaking as the internet itself, the magazine stated. Smart home technologies followed about a decade later, proliferating in number and types only in the past few years. Prior to 2013, there were no internet-connected smart devices or WiFi systems.

Today, smart thermostats, fridges, coffeemakers, and crockpots are connected to the same WiFi system as office laptops, smartphones, and home printers. Inside each smart home device is a miniature, multi-purpose computer—a circuit board that operates the device. This tiny computer has the same power and capabilities as a full desktop workstation from a dozen years ago, but is much easier to hack, as it was not designed with strong, configurable security in mind.

Added up, our smart homes are a cyberattack waiting to happen, one whose repercussions may resound throughout the enterprise network, causing financial losses and reputational damage.

To minimize this risk, Kellermann advises the development of a “cyber-threat hunt team,” designated to conduct penetration tests and monitor the endpoints within a home in search of defensive weaknesses. Once the hunt concludes, he recommends creating the virtual equivalent of a physical “panic room” providing safe shelter to its inhabitants.

“A traditional panic room is built when a homeowner recognizes the physical perimeter is subject to failure,” says Kellermann. “A cyber panic room is built for the same reason, in this case the recognition of the virtual perimeter’s vulnerability to failure. … With a virtual panic room, the means of suppressing an intruder is by actively hunting for them, unbeknownst to the adversary.”

He also touts the importance of the cloud in securing a home’s critical infrastructure. “The cloud provides intrinsic security—expanding telemetry and enforcement points, and increasing the speed of prevention and remediation,” he says. “It also enables IT staff to operationalize security, freeing up security resources to focus on the threat hunt.”

Smart Tactics in a Smart Home

IT security professionals, many of them working at home like the rest of us, can only do so much to reduce home-based cyber risks. Kellermann advises companies to establish strict policies and procedures governing employees’ home-based work. They include tactics like updating all software and apps on Tuesday nights, as this is when Silicon Valley pushes out all critical updates, Kellermann says.

“It’s also a smart idea to change the password on the routers to a sentence,” he says, noting that many routers come with a built-in default password. “You should be the only system administrator for your network and all devices connected to it.” In other words, just because your digital-native 10-year-old set up the system, she should not be the system administrator.

Since wireless internet routers come equipped with two networks, each at a different bandwidth, Kellermann advises that one network be used for work laptops and work smartphones, and the other for the home’s smart devices.

Other home IT security tips include deploying security software on all work and home devices, turning on firewalls and encryption tools, and using Firefox as a browser. Recent tests by the German Federal Office for Information Security indicate that Firefox is the most secure browser available today.

These varied tactics are especially important since many CIOs and CISOs, along with their teams of thousands of employees, are now working at home.

“In these days of the pandemic, CISOs and CIOs are forced to maintain business continuity and resiliency, but they and their staff are working remotely and practicing social distancing like everybody else,” says Kellermann. “They’re severely limited in their ability to do all they can to insulate home offices from a cyberattack.”

To mitigate this risk, we—everyone teleworking today—must rise to the challenge and secure the perimeter of our homes against a virtual invasion. The sooner, the better.

Russ Banham is a Pulitzer-nominated journalist and best-selling author.