Work-from-Home Security Advice

SANS has made freely available its “Work-from-Home Awareness Kit.”

When I think about how COVID-19’s security measures are affecting organizational networks, I see several interrelated problems:

One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and unprotected. They are more vulnerable to attack simply because they are less secure.

Two, sensitive organizational data will likely migrate outside of the network. Employees working from home are going to save data on their own computers, where they aren’t protected by the organization’s security systems. This makes the data more likely to be hacked and stolen.

Three, employees are more likely to access their organizational networks insecurely. If the organization is lucky, they will have already set up a VPN for remote access. If not, they’re either trying to get one quickly or not bothering at all. Handing people VPN software to install and use with zero training is a recipe for security mistakes, but not using a VPN is even worse.

Four, employees are being asked to use new and unfamiliar tools like Zoom to replace face-to-face meetings. Again, these hastily set-up systems are likely to be insecure.

Five, the general chaos of “doing things differently” is an opening for attack. Tricks like business email compromise, where an employee gets a fake email from a senior executive asking him to transfer money to some account, will be more successful when the employee can’t walk down the hall to confirm the email’s validity—and when everyone is distracted and so many other things are being done differently.

Worrying about network security seems almost quaint in the face of the massive health risks from COVID-19, but attacks on infrastructure can have effects far greater than the infrastructure itself. Stay safe, everyone, and help keep your networks safe as well.

Posted on March 19, 2020 at 6:49 AM • 23 Comments

Comments

JonKnowsNothing March 19, 2020 9:54 AM

Eons ago, in the dark ages of computers, when the first set of “fun viruses” started popping up on people’s CRTs with a falling rain of bricks, it was nigh on impossible to get people to run a “virus check” on those “big funny black wobbly thingies” or those “cute hard plastic coffee coasters” from a central PC checker, or, as things improved, from software directly installed on their systems.

One may fault the short-sightedness of people, managers and bosses, but it’s also been a complete failure of the computer industry. A failure the industry passes along to the victims of their faulty designs, and thus far, they have successfully been able to blame the “user”: ESO, RTFM.

The entire computer industry is designed for planned obsolescence. Once that number was 5 years, then 2 years, 18 months, 12 months and moving along to 6 months. Smartphones, replacing many old standard corporate systems, fail spectacularly on ever shorter timetables. The primary response is: ditch it and get a new one.

Our computer industry holds the entire blame for over complexity, lack of true integration and the “fix it in the next release” or “fix it in the next model update or rollout” mentality.

We can see the same sorts of issues falling like dominoes during the COVID-19 crisis. Only this time it’s not falling colored bricks on a CRT, it’s costing people their lives.

Not only are some areas facing financial and personal disasters, the very core structures of our global economy are shaking. Those same old STUXNET-infected controllers are still running.

There is zero indication that any major provider, or any subset segment, is changing tactics.

ht tps://en.wikipedia.org/wiki/Stuxnet

Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel.

(url fractured to prevent autorun)

Laurent March 19, 2020 10:27 AM

“… from their home computers. These systems are more likely to be out of date, unpatched, and unprotected. They are more vulnerable to attack simply because they are less secure.”

Bro have you ever seen a fleet of computers managed by the IT section of a big company? Logging into the VPN endangers my computer, not the company’s computers.

Clive Robinson March 19, 2020 10:29 AM

@ Bruce, All,

There is also the question of,

    Who is going to break the Internet?

Unfortunately the Internet is “a finite resource” at any one time…

Increasing the Internet’s bandwidth beyond a certain smallish capacity is not something you can do overnight even at the best of times. Significantly increasing the Internet bandwidth currently even if there is enough “dark fiber” will almost certainly require parts that are on a long supply chain that for one reason or another will currently be well below normal. In fact it may well be effectively broken for upwards of six weeks to six months if and only if we get our act together and stop “political pi55ing matches”.

As the US is more economically dependent on the Internet than any other Nation in the world, perhaps they should kind of take notice, even if it is just for selfish reasons of “looking after number one”.

The simple fact is there are two things that are going to have a significant increase on Internet traffic,

1, Poorly designed collaborative working applications.

2, First-time home workers, set up not in a “work” but a “home” environment.

Currently I do not know which will be worse.

Many of the collaborative apps that organisations are going to turn to were only ever designed for “LAN not WAN use”. That is, they need wide bandwidth and low latency…

But many “home workers” are not going to be alone. Schools, colleges, universities and other employers are going to send people home for the duration (my son has been told his higher education establishment is closed indefinitely and he will be contacted about “study at home”).

Realistically “home working” is not going to be in anything like a “work” environment. If people are stuck inside their homes for two weeks to four months, they will either go “stir crazy” or need entertainment.

In the last five years home entertainment has moved from the general broadcast “push model” to the individual “pull model” thus thousands if not millions of homes are going to be chewing up high bandwidth at the same time as “home working” is trying to happen.

It’s difficult to get a quart in a pint pot at the best of times but two or three quarts, not a chance, you need a gallon jug and those are just not around at the moment.

Clive Robinson March 19, 2020 10:43 AM

@ Bruce,

I notice the two new Tags:

1, COVID-19,
2, epidemiology

Let’s all hope they are not needed again.

La Abeja March 19, 2020 11:54 AM

One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and unprotected. They are more vulnerable to attack simply because they are less secure.

That’s not a home. That’s a business. Some people do run businesses out of their homes or home offices, but by the time you are responsible for the security of multiple networks and computers of your own, you are well and truly in business for yourself on a 1099 basis rather than a W-2, and you’re going to need to hire assistants or employees of your own.

That’s usually how it goes if you’re not working on site under a boss at a big city business park or corporate campus.

I’m not saying it’s for everyone, or even possible for everyone, but if you’re going to work on your own, you need to get the proper financial benefits of it, not the rank-and-file employee junk benefits, premium all-expenses-paid company health plan etc., which you wouldn’t be choosing to spend your own money on if you had the choice.

And no it’s not an option for me, or for targeted individuals like me. When we were shut out of the labor markets by Democrats, the Republicans turned around and made double sure we were shut out of trade, business, and commerce for life on NICS and other RINO watch lists.

George H.H. Mitchell March 19, 2020 1:00 PM

Clive, my feeling is the internet is well prepared for this level of demand — except, of course, for chronically underprovisioned home service. (It’s one reason I pay for business internet at home.)

me March 19, 2020 1:17 PM

Giving a VPN to normal people is not a problem.
I installed OpenVPN on other people’s PCs, but they could have done it alone.
-install (next, next, done)
-copy profile & credentials (copy-paste a directory)
Done

What is problematic is a friend who works at a bank and uses VNC; I hope the encrypted version at least…

At my work one person used his work notebook, another a personal one, both with OpenVPN.

Another friend is still waiting for a PC since he has been told he can’t use his home PC.

lurker March 19, 2020 2:08 PM

@JonKnowsNothing

The entire computer industry is designed for planned obsolescence. […] The primary response is: ditch it and get a new one.

Do I have excess optimism to hope the current disruptions to production and supply lines might supply a clue bat to some people to actually learn how to fix stuff? And yeah, that includes stuff that has been designed as unfixable, might provide a clue bat to the designers as well?

La Abeja March 19, 2020 2:17 PM

@George H. H. Mitchell

chronically underprovisioned home service. (It’s one reason I pay for business internet at home.)

So do they allow you to write it off from your taxes then?

Or is there a “net nanny” at the local ISP who blocks “file-sharing” and “management” ports and otherwise enforces “traffic shaping” as well as various other restrictions on your paid internet service?

How do you work around all that garbage if you have to work from home?

Your internet is 100% personal to the IRS but 100% business to the local ISP who “knows you best.”

SpaceLifeForm March 19, 2020 3:35 PM

@ Clive, Anders, MarkH, Myliit, All

It’s not just WFH or SFH (School From Home).

It’s BAH (Bored At Home)

Netflix is going to throttle in EU.

To preserve bandwidth.

tfb March 19, 2020 3:40 PM

@JonKnowsNothing

It’s not the case that, for instance phone lifetimes are ever-decreasing. There was a time when they were, as a feature arms-race ran its course, but like most exponential curves it was actually S-shaped and it has substantially flattened off as is to be expected. The same has happened for digital cameras I know and PCs / laptops I strongly suspect.

SpaceLifeForm March 19, 2020 4:08 PM

@ Bruce

I believe this is worthy of being up top.

hxxps://www.wired.com/story/coronavirus-cyberattacks-ransomware-phishing/

Jonathan Wilson March 19, 2020 4:17 PM

A lot of businesses are providing work-from-home employees with PCs or laptops to use at home (configured to go through the company VPN out of the box, configured with security and encryption enabled to protect data, etc.).

In some cases it’s just the same PC/laptop they use at work but taken home and with some extra software installed for VPN and stuff.

SpaceLifeForm March 19, 2020 4:46 PM

@ Clive, Anders, MarkH, Myliit, All

Gee, what could possibly go wrong?

Are they really written? On a server?
Legally binding?

Papers Please.

hxxps://www.theregister.co.uk/AMP/2020/03/18/army_adopts_whatsapp_orders_coronavirus/

British Army adopts WhatsApp for formal orders as coronavirus isolation kicks in

The British Army has made a coronavirus-related tech U-turn after telling soldiers that commands issued over WhatsApp are now legally binding.

In written orders posted to a Ministry of Defence intranet site, an Army unit told its soldiers that from now on, orders delivered over WhatsApp are to be treated just as seriously as written instructions delivered through the usual chain of command.

The move is controversial because only last year, the Army’s top sergeant major stated WhatsApp is not an acceptable way to distribute formal military demands.

tfb March 19, 2020 5:13 PM

The issue-orders-over-whatsapp thing is going to work … well … once all the messenger products have had their security deliberately compromised by order of our glorious and enormously smart leaders.

John Smitch March 19, 2020 6:48 PM

@La Abeja

“Your internet is 100% personal to the IRS but 100% business to the local ISP who “knows you best.””

This is one of the reasons for using a VPN – to hide your traffic from the ISP.

SpaceLifeForm March 19, 2020 6:56 PM

@ Clive, Anders, MarkH, Myliit, All

Charter (Spectrum) you just can’t be this stupid when most can WFH.

hxxps://arstechnica.com/tech-policy/2020/03/amid-pandemic-charter-call-center-is-nightmare-breeding-ground-for-germs/

SpaceLifeForm March 19, 2020 10:10 PM

@ All

I think this sums up the best approach

“manage what is unavoidable instead of avoid what is unmanageable.” @tomfriedman

myliit March 20, 2020 6:50 AM

Might now be a good time for people to consider opening up their wifi to guest users, using the guest functionality of the router, if available. Ready access plus social distancing.

https://openwireless.org/

On the other hand, From SANS factsheet: “Allow only people that you trust: Do this by enabling strong security so that only people you trust can connect to your wireless network. Strong security will require a password for anyone to connect to your wireless network. It will encrypt their activity once they are connected.”

Zaphod March 20, 2020 4:14 PM

@Clive.

I don’t need to worry about you. I know you and yours will be perfectly fine. A bit of prep and know how!

Don’t worry about UK (at least) bandwidth over the core. Even yesterday evening peak was less than 30% of available bandwidth at most extreme. We got this covered. Can’t speak about mobile handsets to masts though.

Keep safe y’all

Zaphod

PLR March 22, 2020 11:06 AM

Bro have you ever seen a fleet of computers managed by the IT section of a big company? Logging into the VPN endangers my computer, not the company’s computers.

I agree. During my last stint at one firm I had a dedicated laptop exactly for docking into that cesspool of poor address planning, periodical switching loops, broadcast storms and intermittent port scanning by hell knows what.

Not even mentioning the amount of shiteware I’d never wish to see anywhere near on my home PC.
