Lock IT Down: Beware these false security assumptions about work-from-home personal computers

Takeaway:
Secure work-from-home personal computers to protect the enterprise network

An increasing number of employees are building sophisticated computer networks in their homes, containing a mix of personal and company equipment. Many enterprises are allowing this practice—or even encouraging it—believing that work conducted at home on employee-purchased PCs or networking equipment will save them money.
However, security problems are created when users link personal systems to the corporate network, especially if enterprises fall prey to false assumptions about the associated risks. The following four anecdotes—culled from real-life incidents and feedback from Gartner clients—illustrate how enterprise data can be dangerously exposed by employees working from home on network-connected personal systems. We provide examples of the impact of these security exposures and offer recommendations on how to guard against them, including thin client alternatives (see Note 1).

Note 1: Thin client solutions
In addition to our recommendations offered with the four false assumptions, Gartner suggests that enterprises consider increasing their reliance on thin client computing solutions—including Web/SSL sessions and secure, encrypted Windows terminal services, which are delivered by products from vendors such as Citrix Systems and Tarantella. Thin client methods minimize the risk of data exposure on nonenterprise-owned systems.


False assumption No. 1: Strong encryption on our VPN is all we need for secure remote access
A major independent software vendor (ISV) had source code stolen through the home PC of one of its employees. Although the company had strong internal security policies, vigilance was abandoned because the VPN was assumed to be secure. Using simple user IDs and passwords, remote users were allowed to log in from home equipment that was not guaranteed to have antivirus and personal-firewall protection. Split tunneling also was allowed so that users could connect freely to the Internet while their VPN held a private connection open to the company network.

Tactical Guidelines

        Do not allow unmanaged and unsecured systems to connect to an enterprise's VPN. Strengthen the VPN with authentication tokens, and turn off split tunneling.

        Warn users about the risks of leaving unprotected personal and business data stored on PCs that they turn in for service. Encourage users to use system passwords and disk encryption.

        Alert users to the data exposure risks posed by downloading file-sharing and remote control programs on personal systems. For company-owned workstations, use a combination of policy control, configuration lockdown, and firewall filters to block the installation of such programs.

        Prohibit the use of home wireless LANs for work-connected systems or restrict such use to enterprise- or employee-purchased equipment that has been preconfigured by the enterprise. Home wireless LANs should be configured with at least 128-bit Wired Equivalent Privacy, and users should be required to log in with unique IDs from each of their systems.

        Do not allow LAN-to-LAN VPN tunnels to be created between enterprise and home networks.

        Consider implementing thin client computing solutions, which minimize the risk of data exposure on nonenterprise-owned systems.

The code theft occurred when a user's PC was infected by QAZ, a hacker tool that puts the user under surveillance. The hacker then identified the user's employer and entered the ISV's network through the user's or hacker's PC, because the method of identification was so simple.

Impact
Enterprises that allow unsecured systems to connect to VPNs using simple authentication mechanisms are vulnerable to highly damaging, hacker-perpetrated theft, espionage, and vandalism. Gartner analysts have heard variations of the story above from many clients.

Nevertheless, we continue to receive calls from some clients who mistakenly believe that their user connections are too obscure to be noticed among the millions of connections on the Internet. The Internet may be large, but it is also an extremely efficient medium in which hackers can scan as much as they want, quickly and inexpensively. In this example, the user lived in a city that was known to be the preferred "bedroom community" for commuting employees of the ISV. Knowing which geographic area to target made the hacking more efficient and rewarding.


False assumption No. 2: Corporate data is safe on home PCs
Many clients have reported stories from their help desks about home PC VPN users who requested to have all of their software and VPN services reinstalled because of home PC failures. Reinstallation is not the security risk; however, an alarming number of these requests came from users who sent their PCs (or at least their hard drives) back to the manufacturer, or to a retailer, for a swap-replacement under warranty (a popular service model).

In the cases reported to Gartner, very few of these users had backed up their systems, and none had used data encryption on their home PCs. This means that everything on their PCs, including company data, was completely exposed to the manufacturer or retailer that received the returned PC.

Impact
The value of the information on such returned PCs is probably far higher than any data a hacker could hope to obtain at random over the Internet, because it provides a complete picture of the individual—that is, his or her job and personal life. In general, service companies take no responsibility for information left on PCs returned for service.

Several enterprises asked their employees to try to retrieve the systems, with mixed results. Many enterprises and users don't know these risks, so when data is misused from a returned system, the source of the exposure is unlikely to be discovered.

Recommendation
Users must be warned about the exposure risks of leaving personal and business data on personal systems that are turned in for service. Enterprises may consider providing and servicing home PCs—preloaded with safeguards such as disk encryption—through a company-sponsored program. At the least, they should strongly encourage employees to use system passwords and disk encryption.

False assumption No. 3: Home PCs with personal firewalls and antivirus protection will be safe
Even with personal firewall and antivirus protection installed, the information stored on a PC can still fall into unscrupulous hands, such as with the swap-replacement example. Peer-to-peer tools can create an even bigger problem.

For example, the CEO of a northeast manufacturing company discovered, to his horror, that his nine-year-old niece had downloaded a popular music sharing, peer-to-peer (P2P) program onto his PC during a weekend visit. She wanted some music, and the installation took only a few minutes. She also chose the option to share "all files" on the PC—a new feature of P2P tools that enables users to swap documents, programs, and other files. The personal firewall and antivirus programs raised alerts at the beginning of the installation, but the niece selected Yes or Allow at these prompts, authorizing the download to continue—and making the P2P program an authorized application. So all personal and business data on the PC was completely exposed to the global P2P user group. The CEO discovered this fairly quickly and removed the software, but there was no way to determine if any files had already been copied from his system.

Remote-control products pose another example of this type of risk. End users can install them quickly and they work through firewalls. Although many remote-control products, such as GoToMyPC, use data encryption and passwords, users can install and run them without supervision. This makes unauthorized sessions a serious potential risk.

Impact
Given the ease with which file-sharing and remote-control products can be installed on end user systems, even managed workstations, enterprises face constant exposure through products and services that may not yet be known to the security team and, therefore, go undetected. Enterprises must remember that fully managed company workstations may also be affected by tools like P2P file sharing and personal remote control.

Recommendation
It is not possible to fully lock down personal systems, but users at least can be warned about the risks of exposing personal and business data on personal systems caused by downloading file-sharing and remote-control software. Company-owned workstations should use a combination of policy control, configuration lockdown, personal firewall, and central firewall filters to block installation of the better-known file-sharing and remote-control programs. Personal systems can be similarly protected; however, if the systems are not managed by the enterprise, there is no way to be sure such protections are in place.

Although it may seem like a logical solution, Gartner does not recommend that enterprises provide employees with basic antivirus, firewall, and security software for voluntary installation on nonenterprise systems. By doing so, enterprises take direct responsibility for the integrity of these systems. Rather than waste unrecoverable funds and increase liability trying to enhance the users' personal systems, enterprises should simply deny enterprise network connection from any system that does not conform to company standards. This places the onus on users to put their personal systems in order and keep them in compliance.

False assumption No. 4: Wireless LANs in the home won't expose enterprise data
The media continues to report stories regarding hacking into private business and public "hot spot" wireless LANs. Hacking tools are improving, and the level of care that most enterprises take to activate wireless security is low. Hacking into users' home wireless LANs is even easier, because no professional security employees are monitoring them. Home wireless LANs often are set up with little or no security, and home PCs usually have accessible storage, scanning, and printing devices.

Access to the Internet from the home wireless LAN is just the first step of the problem. An increasing number of under-$200 home-networking appliances are capable of "nailing up" an open, LAN-to-LAN tunnel between the home and enterprise networks. If this occurs, the home wireless LAN becomes a direct extension of the enterprise network, and anyone who gains access to the wireless LAN may be assumed by the network to be trusted.

Impact
Home wireless LANs face the same exposure risks as enterprise networks, but are far less likely to be configured and managed for proper security. Hackers can easily target wireless LANs in homes, condominiums, and apartments, and they can prioritize their efforts based on a victim's identity or neighborhood. The operating range of wireless LANs (usually more than 1,000 feet at degraded speeds) is large enough to expose networks in expensive homes on large suburban lots.

In addition, there are enough people now using wireless LANs to access the Internet through shared arrangements among homes—or casual "borrowing" of such connections—that telcos and cable companies are prohibiting this activity as theft of service. So even if an employee's wireless LAN is secure, the enterprise is at risk of legal liability for theft of service if it subsidizes the connection.

Recommendation
Many Gartner clients' IS organizations have chosen to prohibit the use of home wireless LANs, although such edicts can't be effectively policed or enforced. Some enterprises have begun to offer enterprise-supported equipment, but price is a barrier when hundreds or thousands of users are involved.

Nevertheless, enterprises must explicitly prohibit the use of wireless LANs for work-connected systems, or restrict such use to enterprise- or employee-purchased equipment that has been pre-configured by the enterprise. Do not allow LAN-to-LAN VPN tunnels to be created between enterprise and home networks. Home wireless LANs should be configured at least with 128-bit Wired Equivalent Privacy, and users should be required to log in with unique IDs from each of their systems.

Bottom Line
Enterprises shouldn't expect that their employees' personal equipment and networks conform to enterprise security and privacy standards. Enterprises that allow work to be done from network-connected personal equipment should expect security problems to arise, and should follow best practices to reduce their liability. Continuing training and awareness programs will help remind users of the risks of data exposure and the potential damage such exposure can cause to themselves and the enterprise. In addition, enterprises should consider implementing thin client computing solutions, which minimize the risk of data exposure on nonenterprise-owned systems.