Recent events have compelled companies to support staff members working from home. Some aspects of working from home have similarities to mobile remote staff. But there are distinct differences that need to be taken into account due to the elevated risks that working from home networks present. The risks are human and technological in nature. Let’s review some of each.
SECURING THE HOME NETWORK
Severe vulnerabilities exist in low-cost consumer routers. Therefore, it is necessary to examine the make and model of each staff member's home router and check for known vulnerabilities. If a severe vulnerability is found, either upgrade the router's operating system (firmware) or consider purchasing a low-cost router of known good security for the staff member. If the router has a wired DMZ connection, encourage the staff member to use the wired DMZ port for the connection to the home machine. If WiFi is to be used, ask the homeowner to set up a separate SSID specifically for the corporate laptop. Try to isolate the corporate laptop from TVs, mobile phones, gaming systems, and/or Alexa. Most of those devices are of unknown security posture and present a risk.
One of the larger risks of operating for long periods of time at a distance from the corporate office is the theft and misuse of credentials. Fortunately, two-factor authentication is relatively easy and cost effective to implement, and it significantly reduces the effectiveness of credential theft and phishing campaigns against web applications, VDI, VPN and even RDP.
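To make the second factor concrete, here is an added example (not code from the original article) of the server-side check a VPN, VDI or RDP gateway performs when it verifies a time-based one-time password (TOTP, RFC 6238): the code is derived from a shared secret and the current 30-second time step, neighbouring steps are accepted to absorb clock drift, the comparison is constant-time, and a code is never accepted twice. The secret and the optional `last_used` bookkeeping are assumptions about how the gateway stores enrolment state; the test vectors used below are the published RFC ones.

```python
"""Server-side verification of a TOTP second factor (RFC 6238 over RFC 4226 HOTP).

Added example: shows what a gateway checks after the password has been entered.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC the 8-byte big-endian counter,
    dynamically truncate to 31 bits, keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based OTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)

def verify_totp(secret: bytes, candidate: str, unix_time: Optional[int] = None,
                step: int = 30, digits: int = 6, skew: int = 1,
                last_used: Optional[int] = None) -> Optional[int]:
    """Return the time-step counter the code matched, or None if rejected.

    Accepts the current step and +/- `skew` steps to tolerate clock drift.
    `last_used` is the counter of the last accepted code for this user
    (assumed to be stored by the gateway); any counter at or before it is
    refused so that a captured code cannot be replayed within the window.
    """
    if unix_time is None:
        unix_time = int(time.time())
    # Reject malformed input before doing any crypto.
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if last_used is not None and counter <= last_used:
            continue
        # Constant-time compare so response timing does not reveal matching digits.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None

if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 6238 test secret, not a real one
    print(totp(SECRET, 59, digits=8))         # RFC 6238 Appendix B: 94287082
    print(verify_totp(SECRET, "94287082", unix_time=59, digits=8))
```

In a real deployment the gateway stores the returned counter as the user's new `last_used` value; the replay check is what turns "something you have" into a factor that a phished or shoulder-surfed code cannot satisfy a second time.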
HOURS OF ACCESS
There might not be a need to allow 24x7 access to all applications. Reduce the attack surface for brute-force password attacks and misuse of credentials by disabling access to applications when they are not needed. Access control can include limiting access hours for the VPN as well.
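As an added example (not from the original article) of what such a schedule looks like in practice, the following evaluates a per-application access window, including one for the VPN itself, in the staff member's own time zone. Anything not explicitly scheduled is denied, and overnight windows that cross midnight are handled as an edge case. The application names, the windows and the time-zone offsets are constructed values; in production the `staff_tz` argument would be a `zoneinfo.ZoneInfo` for the staff member's region so that daylight-saving changes are applied automatically.

```python
"""Hours-of-access policy for remote applications and the VPN.

Added example: a default-deny schedule evaluated at login time.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Window:
    days: FrozenSet[int]   # 0 = Monday ... 6 = Sunday, the day the window *starts*
    start: time
    end: time              # end <= start means the window runs past midnight

    def contains(self, local: datetime) -> bool:
        t = local.time()
        if self.start < self.end:                      # same-day window, e.g. 07:00-19:00
            return local.weekday() in self.days and self.start <= t < self.end
        # Overnight window, e.g. 22:00-06:00. Before midnight the current day
        # must be scheduled; after midnight the *previous* day must be.
        if t >= self.start:
            return local.weekday() in self.days
        previous_day = (local.weekday() - 1) % 7
        return t < self.end and previous_day in self.days

WEEKDAYS = frozenset(range(5))
ALL_DAYS = frozenset(range(7))

# Constructed policy for the example: application -> allowed windows.
POLICY: Dict[str, List[Window]] = {
    "vpn":        [Window(WEEKDAYS, time(6, 0), time(20, 0))],
    "erp":        [Window(WEEKDAYS, time(8, 0), time(18, 0))],
    "ops-portal": [Window(ALL_DAYS, time(22, 0), time(6, 0))],   # night-shift tool
}

def is_allowed(app: str, when_utc: datetime, staff_tz: tzinfo,
               policy: Dict[str, List[Window]] = POLICY) -> bool:
    """True if `app` may be used at the instant `when_utc` by staff in `staff_tz`."""
    if when_utc.tzinfo is None:
        raise ValueError("when_utc must be timezone-aware")
    windows = policy.get(app)
    if not windows:
        return False               # unknown application or no schedule: deny
    local = when_utc.astimezone(staff_tz)
    return any(w.contains(local) for w in windows)

if __name__ == "__main__":
    eastern = timezone(timedelta(hours=-5))   # constructed fixed offset for the demo
    now = datetime(2024, 3, 12, 14, 0, tzinfo=timezone.utc)   # Tuesday 09:00 local
    for app in ("vpn", "erp", "ops-portal", "payroll"):
        print(app, "allowed" if is_allowed(app, now, eastern) else "denied")
```

Because the decision is a pure function of (application, instant, time zone), it can sit in front of the VPN concentrator's authentication hook as well as in each web application, and the same unit tests cover both.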
CORPORATE VS. STAFF-OWNED MACHINES
Organizations should provide corporate machines to home staff wherever possible, because the full complement of security protections is available on corporate-owned machines. Companies that had the foresight to deploy laptops in their office environment have a distinct advantage here. Staff-owned machines should be a definite second preference, because they carry risks associated with malware; keylogger malware in particular presents a high risk to corporate systems. If staff-owned machines must be used, they must be checked for installed and correctly operating malware protection (i.e., anti-virus). Staff-owned machines must also be checked to ensure network bridging is turned off: bridging on a staff-owned laptop coupled with VPN client software presents the risk of network hijacking. To address these issues, corporate IT should make all of the security tools available for corporate machines available for installation on staff-owned machines. Care must be taken to ensure that the staff-owned machine has sufficient resources and capacity to support the corporate security tools.
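The checks listed for a staff-owned machine (anti-virus present and running, network bridging off, enough capacity for the corporate tooling) can be scripted as a pre-connection posture check. The following is an added example, not the article's or any vendor's code: a small Python wrapper collects the facts on Windows through PowerShell and a separate, testable `evaluate` function turns them into blocking findings. Assumptions: the machine runs Microsoft Defender (`Get-MpComputerStatus` reports only Defender, so a third-party product needs its own collector), the bridge driver is the `ms_bridge` binding component, and the 8 GB memory floor and 3-day signature-age limit are constructed policy values.

```python
"""Posture check for a staff-owned Windows machine before the VPN client connects.

Added example. Collection (PowerShell) is kept apart from evaluation (pure
Python) so the policy can be unit-tested without a Windows host.
"""
from __future__ import annotations
import json
import subprocess
from dataclasses import dataclass
from typing import List

@dataclass
class Facts:
    av_enabled: bool            # anti-virus product installed and enabled
    realtime_protection: bool   # on-access scanning actually running
    signature_age_days: int     # days since the last signature update
    bridge_enabled: bool        # any adapter bound to the network bridge driver
    total_ram_gb: float

MIN_RAM_GB = 8.0            # assumed requirement of the corporate agent set
MAX_SIGNATURE_AGE_DAYS = 3  # assumed freshness limit

def evaluate(f: Facts) -> List[str]:
    """Return the blocking findings; an empty list means the machine is compliant."""
    findings: List[str] = []
    if not f.av_enabled:
        findings.append("anti-virus is not installed or is disabled")
    elif not f.realtime_protection:
        findings.append("anti-virus real-time protection is off")
    if f.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"anti-virus signatures are {f.signature_age_days} days old")
    if f.bridge_enabled:
        findings.append("a network bridge is enabled (hijack risk together with the VPN client)")
    if f.total_ram_gb < MIN_RAM_GB:
        findings.append(f"only {f.total_ram_gb:.1f} GB RAM; corporate tools need {MIN_RAM_GB:.0f} GB")
    return findings

# PowerShell that emits the Facts fields as JSON. ms_bridge as the bridge
# driver's component id is an assumption noted in the lead-in.
PS_COLLECT = r"""
$mp = Get-MpComputerStatus
$bridge = Get-NetAdapterBinding -ComponentID ms_bridge -ErrorAction SilentlyContinue |
          Where-Object Enabled
$ram = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
[pscustomobject]@{
  av_enabled          = [bool]$mp.AntivirusEnabled
  realtime_protection = [bool]$mp.RealTimeProtectionEnabled
  signature_age_days  = [int]$mp.AntivirusSignatureAge
  bridge_enabled      = [bool]$bridge
  total_ram_gb        = [math]::Round($ram / 1GB, 1)
} | ConvertTo-Json
"""

def collect_windows_facts() -> Facts:
    """Run the collector on the local Windows machine and parse its JSON."""
    out = subprocess.run(["powershell", "-NoProfile", "-Command", PS_COLLECT],
                         capture_output=True, text=True, check=True).stdout
    return Facts(**json.loads(out))

if __name__ == "__main__":
    import sys
    facts = collect_windows_facts()
    problems = evaluate(facts)
    for p in problems:
        print("BLOCK:", p)
    sys.exit(1 if problems else 0)   # non-zero exit keeps the VPN client from connecting
```

The exit status is what a VPN client's pre-login hook or a device-compliance agent would consume; the findings themselves are the message shown to the staff member so they know what to fix before calling the help desk.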
STAFF AWARENESS
Finally, ensuring that home users are educated about and aware of security and financial risks helps to reduce the chance of breaches and financial losses. Educate staff members to avoid any financial transactions that are not properly authorized. Instruct staff that the company will never request arrangements that require a financial expenditure. Educate staff through enterprise security training programs. Ensure that staff have a copy of the company information security policy, and ensure that staff are fully informed of the proper password reset procedures.
With all of these controls in place, working from home can be as productive and secure as working in any other context. To summarize:
- Change the defaults on your router – Admin password, SSID, etc.
- Separate the traffic – Make a separate network (SSID) for non-trusted computers, gaming systems, guests, etc. BTW, your kid’s Minecraft server is untrusted. I trust my kids, I don’t trust their computers.
- Never trust a non-corporate-owned device. If you didn’t personally make it safe, it’s not safe.