The Mobile Workforce and Learning From Mistakes

Larry Pesce September 26, 2008

For those of you who haven’t heard already, friend of the show Michael Santarcangelo (The Security Catalyst) had his mobile home robbed while he’s on a US tour with his family, taking his security messages on the road. The thieves made off with his computing gear. I have to say that he’s been very upfront about his predicament so that we can all learn from his situation; he did lose some data, but for the most part his backup and disaster recovery plan went well. He’s deriving a great amount of inspiration for some more security training out of this as well. I have to applaud him on taking some lemons and making lemonade.
I have to admit that the incident has inspired me as well. It got me thinking about some possible issues with mobile workforces. I mean, we all (for the most part) do a pretty good job of securing our assets while they are in our corporate environment: whole disk encryption, AV, desktop and network firewalls… the list goes on. We also have those locked doors, a security guard, an alarm system and so forth.
But what happens when someone takes (with permission) that asset, such as a laptop, home to do some work in the evenings, work from home, or visit client sites? What do the employees have for protection? Do they have a network firewall, or do they plug directly in to their cable modem? Do they have a security guard (or a dog or alarm system, for that matter)? Typically no. Unsecured wireless? Yikes. All of the same things that we’ve thought about as challenges in the corporate environment, we have to think about “on the road”. I see these as potential security issues both for the data on the machine and for a possible connection to the corporate network.
Let’s set the scene. Intellectual property gets loaded on to a laptop with full disk encryption. The employee takes the laptop home to telecommute (which is a regular occurrence), connects the laptop to the home network and initiates the VPN connection (possibly with cached VPN credentials) to the corporate network. The employee decides to take a breath of fresh air with a trip to the local coffee shop for an invigorating mocha-chino. While away from home, a burglar (or attacker in this case) breaks in and has a few minutes to play on the VPN, and so forth. Without full disk encryption, this situation looks like a disaster to me.
So, you are asking, how does the attacker find where the “target” lives to break in? A little Google searching (and maybe even some Maltego action) could turn up a photo sharing service account for the “target”. Combine that with a Nokia N95 or iPhone with firmware 2.0 or later, and some nice, geotagged photos get uploaded (such as the one to the right, with output from a nice Firefox Greasemonkey script to pull map info from Google). Now you know where to search…
Protect your corporate assets on the move! It is hard to make unreasonable requirements of folks at home, so a little education needs to go a long way. Make those corporate assets as secure as possible, and design a policy framework that will appropriately guard against the high-risk areas: include screen saver locking with a short delay, workstation login timeouts, whole disk encryption, VPN activity timeouts and maybe even a good cable lock for good measure, amongst a myriad of other things.
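As an added example (not from the original post), here is a small Python check a defender can run on a photo’s Exif block before it is shared: it walks IFD0 for the GPS sub-IFD pointer (tag 0x8825) and decodes the latitude/longitude rationals, so geotagged images can be flagged or stripped. The Exif bytes are constructed inline as sample data rather than read from a real photo, and the parser assumes a well-formed block.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    fields = [struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i) for i in range(n)]
    return {tag: (typ, count, raw) for tag, typ, count, raw in fields}

def _dms(tiff, offset, endian):
    """Decode three RATIONALs (degrees, minutes, seconds) at offset into decimal degrees."""
    v = struct.unpack_from(endian + "IIIIII", tiff, offset)
    d, m, s = (v[i] / v[i + 1] for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def extract_gps(tiff):
    """Return (lat, lon) in signed decimal degrees if the Exif TIFF block carries GPS data, else None."""
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None  # no GPS sub-IFD: nothing location-revealing in Exif
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if not {1, 2, 3, 4} <= gps.keys():  # GPSLatitudeRef, GPSLatitude, GPSLongitudeRef, GPSLongitude
        return None
    (lat_off,), (lon_off,) = struct.unpack(endian + "I", gps[2][2]), struct.unpack(endian + "I", gps[4][2])
    lat = _dms(tiff, lat_off, endian) * (-1 if gps[1][2][:1] == b"S" else 1)
    lon = _dms(tiff, lon_off, endian) * (-1 if gps[3][2][:1] == b"W" else 1)
    return lat, lon

def build_sample_exif(with_gps=True):
    """Construct a minimal little-endian TIFF block (constructed sample data, not a real photo)."""
    e = "<"
    header = b"II" + struct.pack(e + "HI", 42, 8)  # byte order, magic 42, IFD0 at offset 8
    if not with_gps:  # IFD0 holds only a Model tag (0x0110) and no GPS pointer
        return header + struct.pack(e + "HHHI", 1, 0x0110, 2, 4) + b"N95\0" + struct.pack(e + "I", 0)
    ifd0 = struct.pack(e + "HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)                                          # GPS IFD at offset 26
    gps += struct.pack(e + "HHI", 1, 2, 2) + b"N\0\0\0"                    # GPSLatitudeRef
    gps += struct.pack(e + "HHII", 2, 5, 3, 80)                            # GPSLatitude -> rationals at 80
    gps += struct.pack(e + "HHI", 3, 2, 2) + b"W\0\0\0"                    # GPSLongitudeRef
    gps += struct.pack(e + "HHII", 4, 5, 3, 104) + struct.pack(e + "I", 0) # GPSLongitude -> rationals at 104
    lat = struct.pack(e + "IIIIII", 42, 1, 21, 1, 3600, 100)  # 42 deg 21' 36.00"
    lon = struct.pack(e + "IIIIII", 71, 1, 3, 1, 36, 1)       # 71 deg 3' 36"
    return header + ifd0 + gps + lat + lon
```

In a real JPEG this TIFF block sits inside the APP1 segment right after the `Exif\0\0` marker; pass that slice to `extract_gps`, and treat any non-`None` result as a photo to strip or hold back before upload.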
Educate staff about what they share on the internet; in most cases it would be in bad form to restrict what folks do in their spare time.
Best of luck securing your mobile workforce, and Michael, best of luck to you and your family recovering from your ordeal.
– Larry “haxorthematrix” Pesce
