SANS ISC InfoSec Forums

Cyber Security Awareness Month - Day 24 - Using work computers at home

The 4th week of the awareness promotion month starts with a topic close to every employee's personal experience: "Using work computers at home".

To put this in context, one needs to take the viewpoint of each of the different stakeholders in turn and weigh them against each other in order to reach a good balance.

The overruling bodies

Local laws, habits, employment legislation, tax regulations etc. have an impact on what the parties can and cannot do. E.g. where I live, work computers are often given as part of the employee's remuneration, and the employee is taxed on it (to a very small extent) as a benefit. Similarly, the applicable rules might well limit the amount of monitoring and other intrusions on the privacy of the users. And it will be much harder to argue in favor of extensive monitoring when the machine is (also) used at home and not just at work.

The bottom line is simple for the security professional: expect every jurisdiction you operate in to be (slightly) different in rules and regulations; seek advice from the local legal and HR teams before setting troublesome policies that would violate some of them.

The user

The user of a work computer at home should really try to see the machine as the property of the company (s)he works for. Sticking to the letter and/or spirit of the rules set forth is a start. But many security professionals get gray hair (or just tear it out) from users doing, or requesting permission to do, things they really should not be contemplating. So how do you know if your bright idea is one that will cause a facepalm if it is found out at the security department?

Before you ask or act, summarize your plan back to yourself (generalizing it a little bit) and add after it: "and I work for a _______".

E.g.

You'd be interested to surf to a website containing NSFW images. Before you do, you ask yourself:
"I'd like to surf to p*rn using my work computer, and I work for a wall street bank"

If it doesn't sound like a great idea: time to urgently reconsider.

Most places will introduce some measures like anti-virus software, limited user accounts, or even very strict security that allows little to nothing to be done with the machine. These are in most cases put in place to prevent the machine (and its precious data) from becoming infected with malware, or from being taken over by the bad guys. Do not work around or find a way to sidestep these measures: they are there "for your own good", really!

Do expect some things not to work all that simply. E.g. adding printers on a Windows system is a tricky business that requires rights beyond what a user at the office needs (where printer drivers are managed by the IT department). Expecting it to work "just" like on a machine you administer yourself, like your family computer, is only going to leave you frustrated in many cases.

Know that "mobility" is what you're doing when you use a work machine outside of the physical and logical confines of work. And the security models built into the software, operating systems included, are not all that compatible with mobility. The result is a lower level of protection while the machine is at home than when it is at the office, in many if not all cases. To mitigate this a user can make sure some essential security measures are in place on the home network, router and WiFi network, but it also requires more care from the user.

The boss

Your employees might be the best asset you have; they might be lazy or even sneaky. But in the end you trust them, or you would not have them at all. So your part of the deal is to make sure the users who are allowed to take machines home and use them there are given some guidance. It's also your task to make sure there is a balance between the organization's need to have its assets protected, allowing the employees to do some of their own stuff, and staying within the limits set by the rules and regulations you have to comply with.

The bottom line is twofold:

  • Set forth rules (yes: policies and procedures) to give that guidance.
  • Set a good example by complying with the rules yourself.

Expect your security and IT departments to need some changes and extra work to support the mobility you're demanding of them. The old measures they have in place often will not suffice as mobility needs and expectations increase.

HR

Work computers used by employees at home can be seen as

  • a benefit for the employee: it can indeed be a cost saver for the employee not to have to buy a family computer. But that also means the employee is likely to want to install that toddler's game on the business machine (imagine the sticky, food-covered fingers all over that keyboard and screen ...).

    Moreover, a computer's total cost for a business is significantly higher than that of a machine bought for home use. Hardware that doesn't change every week with the whim of fashion is more expensive in itself; software licenses for businesses are more expensive than for students and home users; and business machines need to be managed by support staff. To make it worse: the more freedom the users get, the more they damage the software on the machine and the more work the support staff has to keep it all together.
  • a benefit for the company: the employee works longer for the business by being able to work at home.
  • something IT support and security staff alike want to avoid as much as possible, as it gives them more work and doesn't fit their model of the world. Not only are they not yet ready to accept a world in which mobility is embraced, but the models and tools they have to use make it impossible for them to fully embrace it.
  • a status symbol
  • ...

Try to see both sides of the story, not just the advantages. Laptops are among the most fragile devices in the company (expected lifetime of just 2 years) and need loads of TLC in order to function properly.

The administrator/security team

Remember that mobility will not go away. Maybe your industry has some strict requirements, but even then mobility will only increase. Worst of all, your perimeter-heavy security model isn't very compatible with mobility.

Find a good balance between:

  • The more you restrict your users, the more rebellious their nature will be.
  • The more rights your users have, the more they can do wrong.

Make sure the balance is approved by all stakeholders.

Users come and go; you will need to inform them of the rules, and of the goals behind those rules, in a short awareness session or introduction every so often. You can't expect the new colleague who just started today to already know and have read all the policies on their own.

Make sure to work with HR, the powers that be, legal, ... to get to know the stakes in every jurisdiction you operate in.

Staff members who are allowed to work from home are a special case in some operations, as their computer is hardly ever at the office and still needs proper support from a distance. Make sure you're equipped with the needed tools and have a proper solution for securing their home networks. This isn't a laptop playing the latest Disney movie in the back of the car; it's a work machine used to do work, accessing corporate data and, in most cases, holding access rights into the company.

Conclusion

What's allowed will be different for every organization. It's not even going to be static over time. Work computers that go home with employees are of course an added risk, but there are benefits too. Keep it balanced!

Also, stakeholders often have different viewpoints on the overall problem; try to place yourself in the other stakeholder's shoes and come to a balanced agreement.

--
Swa Frantzen -- Section 66

Challenges come from management asking "how do you know that people that are working from home aren't copying or stealing confidential information, or how do you know these people aren't sharing this type of information with friends and family?"
Anonymous
As a user I employ the method discussed in the companion article "Using Home Computers for Work". I run a Linux VM on the company's XP laptop that I do all my personal stuff in. Being Linux, it's much less likely that my activities will result in the installation of any malware, and it's doubly unlikely that any malware affecting the Linux VM will bleed into the XP host. My Linux home directory is encrypted, so my personal privacy is protected if ever I have to return the machine. I occasionally back up the VM image to another home machine so I have a safe copy in case I do have to surrender the laptop, or (more likely) if its XP gets to the point that patch + patch + patch + malware + patch + patch + malware + patch => re-image.

IT doesn't know anything about this; I don't know what they'd think, and I'm not asking; they don't have to support this. I don't do anything in the VM that I wouldn't feel right doing in the host OS, and I consider this an improvement over the default situation: Work stuff and home stuff are isolated and protected one from the other. Regardless of written policy (a risky way to start a sentence), I believe that although I may be a bit outside the pale, I'm miles ahead of the typical salesdroid who takes his work laptop home for personal use in terms of protecting company assets. As a bonus (as prime motivation, actually) I get to use my preferred OS at home.

I'm a systems & network engineer; I'm way ahead of what said salesdroid can do with regard to the above. I wonder, not facetiously, which class of user in general causes the most headaches for IT.

Hal

I am a consultant in business for myself. I use a Linux host and VMware Workstation to run a guest very much as you described. On top of this, I can run multiple guests for multiple clients, thus keeping them separated. I also run a fully encrypted disk, so both the Linux host as well as all the guests are protected from loss or theft -- as far as compromising the client proprietary data is concerned. I also make my backups to an encrypted disk; what good is an encrypted drive if the backups are plaintext? DUH! Amazing how many people overlook this point.
Moriah

There is another aspect that needs to be considered when an employee is using their work laptop on their home network: the other computers on that network. If they are infected, they will sooner or later infect the work computer. I have seen it happen.

The employer cannot tell the employee what to do with their personally owned equipment or even provide much in the way of support. However, they can create a culture where the employees always think about security on their home networks. And you can provide information, or sources of information, or even personal advice to assist the employee in making good decisions about their home network.

Teens seem to have the fewest cares about the security of their parent-provided computer and who is going to fix it if it gets infected.

KBR

KBR; You are certainly correct, but in a sense it goes without saying, since by definition these company-issued laptops are mobile and are expected to be connected to foreign networks of uncertain health. They will be connected at airports; they will be connected in hotels; they will be connected at conferences; they will be connected on visits to clients and vendors. Being connected at home is just another modus operandi in its raison d'être, at least insofar as it's being used for work.
Hal

Ken; I thought of that, but I have observed that people tend to trust their home computer systems, quite often to the point of being irrational. Also, telecommuters are often on their home networks far more than on any other, so there is much more opportunity for an infected machine to infect the work machine.

Home networks do have some things that other foreign networks do not have. We know who owns the home network and that person, quite often, is unversed in security. And we can have some influence over the owner of the home network even if we cannot, generally, tell them what to do.

Perhaps it does go without saying, but should we assume that? Making sure is better.

KBR
