Lock IT Down: Beware these false security assumptions about work-from-home
Secure work-from-home personal computers to protect the enterprise
An increasing number of employees are building sophisticated computer networks
in their homes, containing a mix of personal and company equipment. Many
enterprises are allowing this practice—or even encouraging it—believing
that work conducted at home on employee-purchased PCs or networking equipment
will save them money.
However, security problems are created when users link personal systems
to the corporate network, especially if enterprises fall prey to false
assumptions about the associated risks. The following four anecdotes—culled
from real-life incidents and feedback from Gartner clients—illustrate
how enterprise data can be dangerously exposed by employees working from
home on network-connected personal systems. We provide examples of the
impact of these security exposures and offer recommendations on how to
guard against them, including thin client alternatives (see Note 1).
Note 1: Thin client solutions
In addition to our recommendations offered with the four false
assumptions, Gartner suggests that enterprises consider increasing their
reliance on thin client computing solutions—including Web/SSL sessions
and secure, encrypted Windows terminal services, which are delivered by
products from vendors such as Citrix Systems and Tarantella. Thin client
methods minimize the risk of data exposure on nonenterprise-owned
False assumption No. 1: Strong encryption on our
VPN is all we need for secure remote access
A major independent software vendor (ISV) had
source code stolen through the home PC of one of its employees. Although
the company had strong internal security policies, vigilance was abandoned
because the VPN was assumed to be secure. Using simple user IDs and passwords,
remote users were allowed to log in from home equipment that was not guaranteed
to have antivirus and personal-firewall protection. Split tunneling also
was allowed so that users could connect freely to the Internet while their
VPN held a private connection open to the company network.
Do not allow unmanaged and unsecured systems to connect to an enterprise's
VPN. Strengthen the VPN with authentication tokens, and turn off split
Warn users about the risks of leaving unprotected personal and business
data stored on PCs that they turn in for service. Encourage users to use
system passwords and disk encryption.
Alert users to the data exposure risks posed by downloading file-sharing
and remote control programs on personal systems. For company-owned workstations,
use a combination of policy control, configuration lockdown, and firewall
filters to block the installation of such programs.
Prohibit the use of home wireless LANs for work-connected systems or restrict
such use to enterprise- or employee-purchased equipment that has been
preconfigured by the enterprise. Home wireless LANs should be configured
with at least 128-bit Wired Equivalent Privacy, and users should be required
to log in with unique IDs from each of their systems.
Do not allow LAN-to-LAN VPN tunnels to be created between enterprise and
Consider implementing thin client computing solutions, which minimize the
risk of data exposure on nonenterprise-owned
The code theft occurred when a user's PC was infected by QAZ, a hacker
tool that puts the user under surveillance. The hacker then identified
the user's employer and entered the ISV's network through the user's or
hacker's PC, because the method of identification was so simple.
Enterprises that allow unsecured systems to connect to VPNs
using simple authentication mechanisms are vulnerable to highly damaging,
hacker-perpetrated theft, espionage, and vandalism. Gartner analysts have
heard variations of the story above from many clients.
Nevertheless, we continue to receive calls from some clients who mistakenly
believe that their user connections are too obscure to be noticed among
the millions of connections on the Internet. The Internet may be large,
but it is also an extremely efficient medium in which hackers can scan
as much as they want, quickly and inexpensively. In this example, the
user lived in a city that was known to be the preferred "bedroom
community" for commuting employees of the ISV. Knowing which geographic
area to target made the hacking more efficient and rewarding.
False assumption No. 2: Corporate data is safe on home PCs
Many clients have reported stories
from their help desks about home PC VPN users who requested to have all
of their software and VPN services reinstalled because of home PC failures.
Reinstallation is not the security risk; however, an alarming number of
these requests came from users who sent their PCs (or at least their hard
drives) back to the manufacturer, or to a retailer, for a swap-replacement
under warranty (a popular service model).
In the cases reported to Gartner, very few of these users had backed up
their systems, and none had used data encryption on their home PCs. This
means that everything on their PCs, including company data, was completely
exposed to the manufacturer or retailer that received the returned PC.
The value of the information on such returned PCs is probably far higher
than any data a hacker could hope to obtain at random over the Internet,
because it provides a complete picture of the individual—that is, his
or her job and personal life. In general, service companies take no responsibility
for information left on PCs returned for service.
Several enterprises asked their employees to try to retrieve the systems,
with mixed results. Many enterprises and users are unaware of these risks,
so when data is misused from a returned system, the source of the exposure
is unlikely to be discovered.
Users must be warned about the exposure risks of leaving personal and
business data on personal systems that are turned in for service. Enterprises
may consider providing and servicing home PCs—preloaded with safeguards
such as disk encryption—through a company-sponsored program. At the least,
they should strongly encourage employees to use system passwords and disk
False assumption No. 3: Home PCs with personal firewalls
and antivirus protection will be safe
Even with personal firewall and antivirus protection installed,
the information stored on a PC can still fall into unscrupulous hands,
such as with the swap-replacement example. Peer-to-peer tools can create
an even bigger problem.
For example, the CEO of a northeast manufacturing company discovered,
to his horror, that his nine-year-old niece had downloaded a popular music
sharing, peer-to-peer (P2P) program onto his PC during a weekend visit.
She wanted some music, and the installation took only a few minutes. She
also chose the option to share "all files" on the PC—a new feature
of P2P tools that enables users to swap documents, programs, and other
files. The personal firewall and antivirus programs raised alerts at the
beginning of the installation, but the niece selected Yes or Allow at
these prompts, authorizing the download to continue—and making the P2P
program an authorized application. As a result, all personal and
business data on the PC was completely exposed
to the global P2P user group. The CEO discovered this fairly quickly
and removed the software, but there was no way to determine if any files
had already been copied from his system.
Remote-control products pose another example of this type of risk. End
users can install them quickly and they work through firewalls. Although
many remote-control products, such as GoToMyPC,
use data encryption and passwords, users can install and run them without
supervision. This makes unauthorized sessions a serious potential risk.
Given the ease with which file-sharing and remote-control
products can be installed on end user systems, even managed workstations,
enterprises face constant exposure through products and services that
may not yet be known to the security team and, therefore, go undetected.
Enterprises must remember that fully managed company workstations may
also be affected by tools like P2P file sharing and personal remote control.
It is not possible to fully lock down personal
systems, but users at least can be warned about the risks of exposing
personal and business data on personal systems caused by downloading file-sharing
and remote-control software. Company-owned workstations should use a combination
of policy control, configuration lockdown, personal firewall, and central
firewall filters to block installation of the better-known file-sharing
and remote-control programs. Personal systems can be similarly protected;
however, if the systems are not managed by the enterprise, there is no
way to be sure such protections are in place.
Although it may seem like a logical solution, Gartner does not recommend
that enterprises provide employees with basic antivirus, firewall, and
security software for voluntary installation on nonenterprise
systems. By doing so, enterprises take direct responsibility for the integrity
of these systems. Rather than waste unrecoverable funds and increase liability
trying to enhance the users' personal systems, enterprises should simply
deny enterprise network connection from any system that does not conform
to company standards. This places the onus on users to put their personal
systems in order and keep them in compliance
False assumption No. 4: Wireless LANs in the home won't
expose enterprise data
The media continues to report stories regarding
hacking into private business and public "hot spot" wireless
LANs. Hacking tools are improving, and the level of care that most enterprises
take to activate wireless security is low. Hacking into users' home wireless
LANs is even easier, because no professional security employees are monitoring
them. Home wireless LANs often are set up with little or no security,
and home PCs usually have accessible storage, scanning, and printing devices
Access to the Internet from the home wireless LAN is just the first step
of the problem. An increasing number of under-$200 home-networking appliances
are capable of "nailing up" an open, LAN-to-LAN tunnel between
the home and enterprise networks. If this occurs, the home wireless LAN
becomes a direct extension of the enterprise network, and anyone who gains
access to the wireless LAN may be assumed by the network to be trusted.
Home wireless LANs face the same exposure risks as enterprise networks,
but are far less likely to be configured and managed for proper security.
Hackers can easily target wireless LANs in homes, condominiums, and apartments,
and they can prioritize their efforts based on a victim's identity or
neighborhood. The operating range of wireless LANs (usually more than
1,000 feet at degraded speeds) is large enough to expose networks in expensive
homes on large suburban lots.
In addition, there are enough people now using wireless LANs to access
the Internet through shared arrangements among homes—or casual "borrowing"
of such connections—that telcos and cable companies
are prohibiting this activity as theft of service. So even if an employee's
wireless LAN is secure, the enterprise is at risk of legal liability for
theft of service if it subsidizes the connection.
Many Gartner clients' IS organizations have chosen to prohibit the
use of home wireless LANs, although such edicts can't be effectively policed
or enforced. Some enterprises have begun to offer enterprise-supported
equipment, but price is a barrier when hundreds or thousands of users
Nevertheless, enterprises must explicitly prohibit the use of wireless
LANs for work-connected systems, or restrict such use to enterprise- or
employee-purchased equipment that has been pre-configured by the enterprise.
Do not allow LAN-to-LAN VPN tunnels to be created between enterprise and
home networks. Home wireless LANs should be configured at least with 128-bit
Wired Equivalent Privacy, and users should be required to log in with
unique IDs from each of their systems.
Enterprises shouldn't expect that their employees' personal
equipment and networks conform to enterprise security and privacy standards.
Enterprises that allow work to be done from network-connected personal
equipment should expect security problems to arise, and should follow
best practices to reduce their liability. Continuing training and awareness
programs will help remind users of the risks of data exposure and the
potential damage such exposure can cause to themselves and the enterprise.
In addition, enterprises should consider implementing thin client computing
solutions, which minimize the risk of data exposure on nonenterprise-owned