
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 24 - Using work computers at home

Published: 2010-10-24
Last Updated: 2010-10-26 22:29:36 UTC
by Swa Frantzen (Version: 2)

The 4th week of the awareness promotion month starts with a topic close to every employee's personal experience: "Using work computers at home".

To put this in context, one needs to be able to take the viewpoint of each of the different stakeholders and walk through them in turn, in order to strike a good balance between them all.

The overruling bodies

Local laws, habits, employment legislation, tax regulations etc. have an impact on what the parties can and cannot do. E.g. where I live, work computers are often given as part of the employee's remuneration, and the employee is taxed on it (to a very small extent) as a benefit. Similarly, the applicable rules might well limit the amount of monitoring and other intrusions on the privacy of the users. And it'll be much harder to argue in favor of extensive monitoring when the machine is (also) used at home and not just at work.

The bottom line is simple for the security professional: expect every jurisdiction you operate in to be (slightly) different in rules and regulations; seek advice from the local legal and HR teams before setting troublesome policies that would violate some of these.

The user

The user of a work computer at home should really try to see the machine as property of the company (s)he works for. Sticking to the letter and/or spirit of the rules set forth is a start. But many security professionals get gray hair (or just tear it out) from users doing, or requesting permission to do, things they really should not be contemplating. So how do you know whether your bright idea is one that will cause a facepalm if found out by the security department?

Before you ask or act, summarize your plan (generalizing it a little bit) back to yourself, and add after it "... and I work for a _______".

E.g.

You'd be interested in surfing to a website containing NSFW images. Before you do, you ask yourself:

"I'd like to surf to p*rn using my work computer, and I work for a Wall Street bank."

If that doesn't sound like a great idea: time to urgently reconsider.

Most places will introduce some measures like anti-virus software, limited user accounts, or even very strict security that allows little to nothing to be done with the machine. These are in most cases put in place to prevent the machine (and its precious data) from becoming infected with malware, or from being taken over by the bad guys. Do not work around or find a way to sidestep these measures: they are there "for your own good", really!

Do expect some things to not work all that simply. E.g. adding printers on a Windows system is a tricky business that requires rights beyond what a user at the office needs (where printer drivers are managed by the IT department). Expecting it to work "just" like on a machine you administer yourself, such as your family computer, is only going to leave you frustrated in many cases.

Know that "mobility" is what you're doing when you use a work machine outside of the physical and logical confines of work. And most of the security models used by the companies that create the software, such as the operating system, are not all that compatible with mobility. This results in a lower level of protection while the machine is at home than when it is at the office, in many if not all cases. To mitigate this, a user can make sure some essential security measures are in place on home networks/routers/WiFi networks, but it also requires more care from the user.

The boss

Your employees might be the best asset you have; they might also be lazy or even sneaky. But in the end you trust them, or you'd not have them at all. So your part of the deal is to make sure the users who are allowed to take machines home and use them there are given some guidance. It's also your task to make sure this is balanced between the organization's need to have the machine protected, allowing the employees to do some of their own stuff, and staying within the limits set by the rules and regulations you have to comply with.

The bottom line is twofold:

  • Set forth rules (yes: policies and procedures) to give the guidance.
  • Set a good example by complying with the rules yourself.

Expect your security and IT departments to need some changes and extra work to support the mobility you're demanding of them. The old measures they have in place often will not suffice as mobility needs and expectations increase.

HR

Work computers used by employees at home can be seen as

  • a benefit for the employee: it can indeed be a cost saver for the employee not to have to buy a family computer. But that also means the employee is likely to want to install that toddler's game on the business machine (imagine the sticky, food-covered fingers all over that keyboard and screen ...).

    Moreover, a computer's total cost for a business is significantly higher than that of a machine bought for home use. Hardware that doesn't change every week with the whim of fashion is more expensive in itself; software licenses for businesses are more expensive than for students and home users; and business machines need to be managed by support staff. To make it worse: the more freedom the users get, the more they damage the software on the machine and the more work the support staff has to keep it all together.
  • a benefit for the company: the employee works longer for the business by being able to work at home.
  • something IT support and security staff alike want to avoid as much as possible, as it gives them more work and doesn't fit in their model of the world. Not only are they not yet ready to accept a world that embraces mobility, but the models and tools they need to use make it impossible for them to fully embrace it.
  • a status symbol
  • ...

Try to see both sides of the story, and not just the advantages. Laptops are among the most fragile devices in the company (with an expected lifetime of just 2 years) and need loads of TLC in order to function properly.

The administrator/security team

Remember that mobility will not go away. Maybe your industry has some strict requirements, but even then mobility will only increase. Worst of all, your perimeter-heavy security model isn't very compatible with mobility.

Find a good balance between:

  • The more you restrict your users, the more rebellious their nature will be.
  • The more rights your users have, the more they can do wrong.

Make sure the balance is approved by all stakeholders.

Users come and go; you will need to inform them of the rules, and of the goals behind those rules, in a short awareness session/introduction every so often. You can't expect the new colleague who just started today to already know and have read all policies on their own.

Make sure to work with HR, the powers that be, legal, ... to get to know the stakes in every jurisdiction you operate in.

Staff members who are allowed to work from home are a special case in some operations, as their computer hardly ever is at the office and still needs proper support from a distance. Make sure you're equipped with the needed tools and have a proper solution for securing their home networks. This isn't a laptop that's playing the latest Disney movie in the back of the car; it's a work machine used to do work, accessing corporate data and, in most cases, having access rights into the company.

Conclusion

What's allowed will be different for every organization. It's not even going to be static over time. Work computers that go home with employees are of course an added risk, but there are benefits too. Keep it balanced!

Also, stakeholders often have different viewpoints on the overall problem; try to place yourself in the other stakeholders' shoes and come to a balanced agreement.

--
Swa Frantzen -- Section 66
