InfoSec News

Today's CSAM topic is Using Home Computers for Work. I will share with you a simple practice I've been using for quite some time that provides me a couple of key protections from myself while keeping me and my employer safe from mingling home equipment with the corporate equipment.
It is common for many people to have company-issued laptops, so the mileage may vary on my suggestion. However, for those who do not use an issued laptop to access the company network and are left to using home equipment to accomplish work for your employer, I highly suggest using some sort of virtual machine software and routing all access to the corporate network through the inside of that machine.

My home setup for connecting to work consists of our family computer, an iMac (behind a firewall, of course), with a VMware Fusion machine consisting of a basic XP installation that has been fully patched, has updated anti-virus, and has any basic software required for connectivity to the company resources, i.e. VPN software, SSH clients, etc. Once this VM has been set up, I save a snapshot of it. When Patch Tuesday rolls by, I update everything and take another snapshot. Most anti-virus can be configured to update when it boots up, and at a minimum I update the image monthly, but sometimes more if I am ambitious.
When I need to use the home computer to connect to work, I fire up my VM and use the VM environment for all connectivity to work. When I have completed my session for work, I power down the VM and roll back to my most recent snapshot. This practice ensures that my computer will not propagate any malware or viruses that my family or I happen to carelessly add to the home computer. It keeps my risks low and my productivity higher because I always have a fresh installation.

I am not a lawyer, nor do I play one on the Internet, but it could also be argued that since a concerted effort is maintained to keep work and home activities separate while using the same hardware, all legal privacy issues could be bound to only the VM files and not my entire computer. Again, consult your lawyer before believing this to be true.

I've only touched upon some of the connectivity risks associated with using home computers for work. There are many more things to consider. So please, share with us what you do to reduce or minimize any risks associated with using home computers for work.

--
Kevin Shortt
ISC Handler on Duty
~ (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
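The snapshot/revert cycle described in the diary above, scripted against VMware Fusion's vmrun command-line tool (the verbs used here, listSnapshots, revertToSnapshot, start, stop and snapshot, are standard vmrun commands). This is an added example and not part of the original diary: the vmrun location, the .vmx path and the "clean-YYYY-MM-DD" snapshot naming scheme are assumptions; override the first two with the VMRUN and VMX environment variables.

```shell
#!/bin/sh
# work-vm.sh: start|stop|patch
#   start - revert the VM to the newest "clean-*" snapshot and boot it
#   stop  - power the VM off and revert, discarding everything the session did
#   patch - boot from clean, let the user apply updates, then take a new
#           "clean-<date>" snapshot that becomes the baseline for next time
# Added example; vmrun path, VM path and naming scheme are assumptions.
set -eu

VMRUN="${VMRUN:-/Applications/VMware Fusion.app/Contents/Library/vmrun}"
VMX="${VMX:-${HOME:-.}/Virtual Machines.localized/Work-XP.vmwarevm/Work-XP.vmx}"
PREFIX="clean-"

# Read `vmrun listSnapshots` output on stdin and print the newest snapshot whose
# name starts with $PREFIX. Names embed an ISO date, so a lexical sort is
# chronological. Prints nothing and returns 1 when no clean snapshot exists.
pick_latest_clean() {
    grep "^${PREFIX}" | sort | tail -n 1 | grep .
}

# Build the snapshot name for a given YYYY-MM-DD date.
snapshot_name_for() {
    printf '%s%s\n' "$PREFIX" "$1"
}

latest_clean() {
    "$VMRUN" -T fusion listSnapshots "$VMX" | pick_latest_clean
}

cmd_start() {
    snap=$(latest_clean) || {
        echo "no ${PREFIX}* snapshot yet; run '$0 patch' first" >&2
        return 1
    }
    "$VMRUN" -T fusion revertToSnapshot "$VMX" "$snap"
    "$VMRUN" -T fusion start "$VMX"
}

cmd_stop() {
    # Guest may already be off; a failed soft stop is not fatal.
    "$VMRUN" -T fusion stop "$VMX" soft || true
    snap=$(latest_clean)
    "$VMRUN" -T fusion revertToSnapshot "$VMX" "$snap"
}

cmd_patch() {
    cmd_start
    printf 'Apply OS, anti-virus and VPN updates in the VM, shut it down, then press Enter: '
    read -r dummy
    "$VMRUN" -T fusion stop "$VMX" soft || true
    "$VMRUN" -T fusion snapshot "$VMX" "$(snapshot_name_for "$(date +%F)")"
}

case "${1:-}" in
    start) cmd_start ;;
    stop)  cmd_stop ;;
    patch) cmd_patch ;;
    "")    echo "usage: $0 start|stop|patch" >&2 ;;
    *)     echo "usage: $0 start|stop|patch" >&2; exit 2 ;;
esac
```

Old clean-* snapshots are deliberately left in place so that a bad patch cycle can be undone by reverting to the previous date; prune them with `vmrun -T fusion deleteSnapshot` once the new baseline has proven itself.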
 
State Street Corp., one of Computerworld's 2010 Top Green-IT Organizations, is working on a global virtualization effort that has thus far saved the firm $3.5 million, and cut CO2 emissions by 30,000 metric tons annually.
 
Goldman Sachs has suggested that Microsoft should spin off its consumer division. A good deal? Certainly for stockholders, but what about the business itself -- and users?
 
Computerworld's Top Green-IT Organizations were chosen from among nearly 100 applicants, each striving to find new ways to reduce energy consumption in their IT equipment and use technology to conserve energy.
 
Take Computerworld's Top Green-IT quiz and get some ideas from the Top Green-IT Organizations for making your company greener.
 
The survey methodology for Computerworld's Top Green-IT Organizations.
 
Pacific Gas & Electric, one of Computerworld's Top Green-IT Organizations, presets its printers to save ink and paper, and its servers run in a virtualized environment.
 
Technology vendors and data center suppliers who are reducing energy consumption by their IT equipment.
 
Environmental expert Jonathan Koomey describes technology's ability to create beneficial environmental effects that vastly outweigh the direct environmental impact of the electricity that it consumes.
 
Citigroup, one of Computerworld's 2010 Top Green-IT Organizations, will redesign its data center floor by relocating network switches to the server cabinet, reducing the purchase and use of copper, and cutting power consumption by as much as 50%.
 
Allstate Insurance, one of Computerworld's Top Green-IT Organizations, has eliminated 1,500 physical servers, and it built a LEED Gold-certified data center as part of a data center consolidation project.
 
The 4th week of the awareness promotion month starts with a topic close to every employee's personal experience: using work computers at home. Seek advice from the local legal and HR teams before setting policies; a poorly chosen policy may violate local rules.
The user
The user of a work computer at home should really try to see the machine as property of the company (s)he works for. Sticking to the letter and/or spirit of the rules set forth is a start. But many security professionals get gray hair (or just tear it out) from users doing, or requesting permission to do, things they really should not be contemplating. So how do you know if your bright idea is one that will create a face-slap if found out at the security dept.?
Before you ask or act, summarize your plan to yourself, generalizing it a little, and add after it: "and I work for a _______".
E.g.

You'd be interested to surf to a website containing NSFW images. Before you do, you ask yourself:

I'd like to surf to p*rn using my work computer, and I work for a Wall Street bank.
If it doesn't sound like a great idea: time to urgently reconsider.
Most places will introduce some measures like anti-virus software, limited user accounts, or even very strict security that will allow little to nothing to be done with the machine. These are in most cases put in place to prevent the machine (and its precious data) from becoming infected with malware, or from being taken over by the bad guys. Do not work around or find a way to sidestep these measures: they are there for your own good, really!
Do expect some things to not work all that simply. E.g. adding printers on a Windows system is a tricky business that requires rights beyond what a user at the office needs (where printer drivers are managed by the IT dept.). Expecting it to work just like on a machine you administer yourself, like your family computer, is only going to leave you frustrated in many cases.
Know that mobility is what you're doing when you use a work machine outside of the physical and logical confines of work. And the security models built into most operating systems and other software assume the machine sits in the office; they are not all that compatible with mobility. This results in a lower level of protection while the machine is at home than when it is at the office, in many if not all cases. To mitigate this, a user can make sure to have some essential security measures on the home network, router and WiFi, but it also requires more care from the user.
The boss
Your employees might be the best asset you have; they might be lazy or even sneaky. But in the end you trust them or you'd not have them at all. So your part of the deal is to make sure the users that are allowed to take machines home and use them there are given some guidance. It's also your task to make sure it's balanced between the needs of the organization to have it protected, allowing the employees to do some of their stuff, and staying within the limits set by the rules and regulations you have to comply with.
The bottom line is double:

Set forth rules -yes: policies and procedures- to give the guidance
Give the good example by complying to the rules yourself.

Expect your security and IT departments to need some changes and extra work to support the mobility you're demanding of them. The old measures they have in place often will not suffice as mobility needs and expectations increase.
HR
and business machines need to be managed by supporting staff. To make it worse: the more freedom the user gets, the more they damage the software on the machine and the more work the support staff has to keep it all together.
a benefit for the company: the employee works longer for the business by being able to work at home.
something IT support and security staff alike want to avoid as much as possible, as it gives them more work and doesn't fit in their model of the world. Not only are they not ready to accept a world where mobility is embraced, but the models and tools they need to use make it impossible for them to fully embrace it.
a status symbol
...

Try to see both sides of the story and not just the advantages. Laptops are among the most fragile devices in the company (expected lifetime of just 2 years) and need loads of TLC in order to function properly.
The administrator/security team
Remember mobility will not go away. Maybe your industry has some strict requirements, but even then mobility will only increase. Worst of all, your perimeter-heavy security model isn't very compatible with mobility.
Find a good balance between:

The more you restrict your users, the more rebellious their nature will be.
The more rights your users have the more they can do wrong

Make sure the balance is approved by all stakeholders.
Users come and go; you will need to inform them of the rules and the goals of those rules in a short awareness session/introduction every so often. You can't expect the new colleague who just started today to already know and have read all policies on their own.
Make sure to work with HR, the powers that be, legal, ... to get to know the stakes in every jurisdiction you operate in.
Staff members that are allowed to work from home are a special case in some operations, as their computer hardly ever is at the office and still needs proper support from a distance. Make sure you're equipped with the needed tools and have a proper solution for securing their home networks. This isn't a laptop that's playing the latest Disney movie in the back of the car; it's a work machine used to do work, accessing corporate data and having access rights into the company in most cases.
Conclusion
What's allowed will be different for every organization. It's not even going to be static over time. Work computers that go home with employees are of course an added risk, but there are benefits too. Keep it balanced!
Also stakeholders often have different viewpoints on the global problem, try to place yourself in the other stakeholder's shoes and come to a balanced agreement.
--

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
HP had a surprise for the tech world when it announced the immediate retail availability of its Windows 7 Slate 500 tablet computer. Although the iPhone revolution has all but erased the distinction between consumer and business when it comes to mobile devices, the marketing strategy for the Slate 500 tablet seems to be to target it as a 'business tablet.'
 
This week both Apple and HP made new computing platforms available. Both the MacBook Air and the HP Slate had been the subject of months of rumors and speculation, and now they're both here. A business professional in the market for a portable computing device could conceivably consider either, so let's look at how they compare.
 