
SANS ISC: Cyber Security Awareness Month - Day 25 - Using Home Computers for Work - Internet Security | DShield SANS ISC InfoSec Forums


Cyber Security Awareness Month - Day 25 - Using Home Computers for Work

Today's CSAM topic is Using Home Computers for Work.  I will share with you a simple practice I've been using for quite some time that provides me a couple key protections from myself while keeping me and my employer safe from mingling home equipment with the corporate equipment.

It is common for many people to have company-issued laptops, so the mileage may vary on my suggestion.  However, for those who do not use an issued laptop to access the company network and are left to using home equipment to accomplish work for your employer, I highly suggest using some sort of virtual machine software and utilizing all access to the corporate network through the inside of that machine.
 
My home setup for connecting to work consists of our family computer, an iMac (behind a firewall of course) with a VMware Fusion machine consisting of a basic XP installation that has been fully patched, updated anti-virus and any basic software required for connectivity to the company resources, i.e. VPN software, SSH clients, etc.  Once this VM has been set up, I save a snapshot of it.  When Patch Tuesday rolls by, I update everything and take another snapshot. Most anti-virus can be configured to update when it boots up, and at a minimum I update the image monthly, but sometimes more if I am ambitious.  When I need to use the home computer to connect to work, I fire up my VM and utilize the VM environment for all connectivity to work.  When I have completed my session for work, I power down the VM and roll back to my most recent snapshot.  This practice ensures that my computer will not propagate any malware or viruses that my family or I happen to carelessly add to the home computer.  It keeps my risks low and my productivity higher because I always have a fresh installation.
 
I am not a lawyer, nor do I play one on the Internet, but it could also be argued that since a concerted effort is maintained to keep work and home activities separate while using the same hardware, all legal privacy issues could be bound to only the VM files and not my entire computer. Again, consult your lawyer before believing this to be true.
 
I've only touched upon some of the connectivity risks associated with using home computers for work.  There are many more things to consider.  So please, share with us what you do to reduce or minimize any risks associated with using home computers for work.
 
--
Kevin Shortt
ISC Handler on Duty
 
Kevin Shortt

81 Posts
ISC Handler
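The snapshot, connect, power down and roll back routine described in the diary can be scripted so the rollback is never skipped. This is an added example, not part of the original diary: it assumes the `vmrun` command-line tool that ships with VMware Fusion is on the PATH, and the .vmx path and snapshot name passed to it are placeholders you supply.

```sh
#!/bin/sh
# Added example: wraps one work session around a known-good snapshot.
# Usage (hypothetical path and name): ./work-session.sh /full/path/work.vmx patched-baseline
VMRUN="${VMRUN:-vmrun}"   # assumption: vmrun from VMware Fusion

# True if the named snapshot exists for this VM.
# listSnapshots prints a "Total snapshots: N" header, then one name per line.
snapshot_exists() {
    "$VMRUN" -T fusion listSnapshots "$1" | tail -n +2 | grep -Fxq -- "$2"
}

# True while the VM is powered on. "vmrun list" prints the full .vmx path
# of every running VM, so pass the path exactly as vmrun reports it.
vm_running() {
    "$VMRUN" -T fusion list | grep -Fxq -- "$1"
}

# work_session VMX SNAPSHOT
# Returns 2 if the snapshot is missing, 1 if vmrun fails, 0 otherwise.
work_session() {
    ws_vmx=$1
    ws_snap=$2
    if ! snapshot_exists "$ws_vmx" "$ws_snap"; then
        echo "snapshot '$ws_snap' not found; refusing to start" >&2
        return 2
    fi
    # Discard anything left over from an earlier session before connecting.
    "$VMRUN" -T fusion revertToSnapshot "$ws_vmx" "$ws_snap" || return 1
    "$VMRUN" -T fusion start "$ws_vmx" gui || return 1
    # Wait until the guest has been powered down by the user.
    while vm_running "$ws_vmx"; do
        sleep "${POLL_SECONDS:-15}"
    done
    # Roll back so nothing from this session survives into the next one.
    "$VMRUN" -T fusion revertToSnapshot "$ws_vmx" "$ws_snap" || return 1
}

# Run a session only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    work_session "$1" "$2"
fi
```

The script refuses to start the VM when the named snapshot is missing, so a session never begins without a known-good state to return to.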
This setup will not stop some flavors of malware that may be on the host machine from affecting the work VM. The largest concern is a key logger. Reversing the roles of the host and guest, while certainly harder to pull off, is probably safer.
Ken

40 Posts
Surely dual booting would be a better measure - plus it then gets rid of the problem of distractions.
djsmiley2k

5 Posts
If you do allow users to access work systems from home machines, don't punish your users for attempting to be secure.

Don't do what my wife's employer did (still does) and actively discourage users from running the latest versions of browsers. For a very long time, they would not provide any support to users who had replaced IE7 with IE8, and actually warned users not to upgrade. They also would not provide any support to a user who chose any browser other than IE on a Windows machine.

Once into her work network, my wife would regularly be prompted to reenter her password multiple times to access different layers of the system. This was not prompting for a different ID and password to access more restricted areas, this was passing through the same ID, but requiring the user to reenter their same password each time they followed a link in some areas of the system. Using the same applications from work required one login, and never prompted for the password again. We once counted having to reenter her password five times during one 15 minute attempt to get something done. My wife's response -- change her password to something as simple as possible to avoid the pain of having to reenter something complex so many times to complete a basic task.
djsmiley2k
5 Posts
As inexpensive as "student" laptops are, any company who lets folks log on to internal resources from their own machines (even from a harder than normal to exploit, but still vulnerable, VM) deserves what they get.
djsmiley2k
1 Posts

Not all companies can afford to provide laptops to everyone yet they will certainly appreciate the extra work that gets done.

One solution I've found acceptable, in my assignment with a client, was to enable remote access to the desktop PC and use the VPN to access the desktop from home.

All software and accesses were preserved and information never really left the company "cyber grounds".

I also use a VM to connect to my office but it runs on a separate machine and I access it using RDP. A once powerful P4 or such with Linux will do fine and provide a WinXP or W7 environment.
djsmiley2k
17 Posts
For employees that work from home without a dedicated work laptop (and even some that do) we provide an encrypted workspace via our F5 Firepass SSL VPN. This removes all concerns about what the user has done or not done to their home PC... key loggers, trojans etc. and at the same time prevents any files from being copied from the production network to an untrusted home PC. While in the encrypted workspace, the user has access to a Citrix desktop that is limited to Office applications. An ISA server limits access available to internal web resources. If a user requires access to more sensitive resources we add them to a group in the ISA server and require them to authenticate using an OTP token also.

Just a note, I definitely don't want to come off as an advocate for the Firepass; it's a solution that provides the encrypted workspace and that's why we use it. It's had A LOT of problems otherwise though!
jtwaldo

17 Posts
