Just food for thought (it's an OPSEC thang!)


#1

So let’s say you work for some nondescript company. Now let’s say that your particular job requires you to work with “sensitive” information. Now add in the fact that this company you work for also has a few government contracts. This company also allows you to telecommute (for productivity reasons). Of course for you to telecommute, the company requires you to use their secure corporate VPN and company issued laptop. So today is your day to work from home and you’re all excited. You sit down at your desk and open up your company issued laptop. What’s the first thing you do before remoting in? Do you disconnect your other machines on your home LAN? Do you lock up your personal smartphone in another room separate from where you’re working? Do you cover up the webcam that’s permanently connected to the laptop? If you’re working in the same room that your smart TV is in, did you remember to disconnect that and/or unplug it as well (or any other “smart” devices)?

All of this might seem a little extreme, but you are working with other people’s sensitive data. Isn’t it worth the time and effort to protect that data?

Just puttin’ it out there. Please chime in if I missed something or you have your own thoughts on the subject.


#2

This question is really interesting, and without a doubt in this situation, you become a mouth-watering attack vector.

For me, I would handle this at a network level. I would create 2 entirely separate networks. One for all my incredibly insecure home full of IoT devices, and another for work. This can actually be handled pretty simply with a fairly inexpensive Cisco switch and VLANS.


#3

You and I know this (and probably most of the people on this forum), but then there’s the average user/telecommuter. Who then does the responsibility fall upon? Is it up to the IT Dept. to educate and train these people good opsec/security habits, or is up to the employee to learn this on their own. Typically, telecommuting is an option, and I think most company IT Dept. are going to assume that your home is for the most part safe.


#4

It’s really hard to say. I think that the responsible way to approach this is to just not allow it in the first place. The VPN is a good start, but it does nothing but give a tunnel into the corporate network when that users machine gets compromised.


#5

You’re right. It’s probably safe to assume (or probably not) that an employee who has access and works with “sensitive” data on a regular basis is most likely not allowed to “work from home”, but we’ve seen companies do some really dumb shit, and we both know what “assume” means…


#6

And data doesn’t necessarily have to be labeled “sensitive” in order to be sensitive.


#7

More often than not, sadly.

This is a good point.

This is a scary grey area. I really think that it falls on the IT team to train and educate the individual in proper information handling, and the responsibility of executing it falls on the employee as far as ethics go. Legally, however I have no idea how this would work out.


#8

Shit roles down hill…


#9

A follower in Twitter posted their setup: https://www.peerlyst.com/posts/opsec-is-more-than-a-checklist-for-me-its-a-way-of-life-netsecml

Now there’s one way to do it :slight_smile:


#10

Hey there :slight_smile:

Ok, I see a lot of network separation, and silos. That’s a good start. But then I see appliances as router, or physically connected networks, and that’s a shame. Firmware vulnerabilities are among the most searched and used on the net.
Why ? Because appliances / closed systems are hard to analyze, monitor and update. You basically put a black-box you know nothing about at the center of your system. If you think “a lot of people runs it, so it’s fine”, the recent CCleaner targeted malware attack, or the NSA intercept & patch switches before delivery, should have warned you never to trust a system you don’t have full access to.

Manageable switches and vlans are only a way to segregate a bit between multiple devices that all are considered at the same level. it’s mostly a convenience utility. Eg, usual phone, camera to monitor the baby, tablet and other non-secure devices.
If you want real security, that must be 2 physically separated networks.

About the firmware, it’s the same for your bios. Even if you do gold-images and checksum, you can never trust the AMT or any low-level that can hold an APT: disk firmware, bios, tpm…
I’d rather use a software encryption and lose a few cpu cycles (that are optimized by recent cpu extensions anyway) than a vendor-custom implementation, where I won’t be able to recover / reread my medium if the controller crash. So for my Linux hosts, Luks is my way to go.

For all the IoT/IoS (Internet of Shit) they shouldn’t even have access to internet. If you really need to, log all DNS queries, and http-proxy MitM with tls-bump all shitty stuff for later analysis.

If you can’t afford 2 internet connections, or want to do fail-over, ensure your secure connection is a VPN-Only between your trusted secure devices, and a dedicated server on the internet. Null-route anything else on the router and log it.

All security related stuff must be self-hosted. My selection of self-hosted tools are :

  • System : Gentoo + catalyst. Remove all unused feature from tools and kernel (reduce surface attack).
  • Health : netdata + prometheus.
  • Logging : Linux Auditd + rsyslog + greylog + hindsight.
  • Communication : Matrix / Riot / Mail
  • File and data : OpenZFS + encryption + send/receive on external host (parents), Nextcloud for filesync and share.
  • Identity : LDAP + Kerberos (might consider migrate to FreeIPA). That’s also called GSS and well-managed by most enterprise-class application (at least, implemented by curl and ssh, so you can use the 2 most important ports: 22 and 443).
  • Analytics : piwik, superset
  • Web : mostly PHP-7.2 fpm + nginx tools + letsencrypt.
  • Perf analysis : opengrok + compiler explorer (+ usual unix tools).

I certainly forgot a lot of things to say there, but I’m running out of free-time… I’ll be back sooner or later :slight_smile:


#11

I do want to mention that there is a certain amount of balance between cost/convenience and privacy/security here.

This was all about somebody just wanting to work from home. I’m not sure that that warrants an entirely separate internet connection. It does however, in my opinion, warrant something like a managed switch and segregation through VLANs. I agree that using a VLAN isn’t the most secure, but I think it is more secure than you imply in your post.

As far as that goes, on the segment that is meant to be the secure segment, there is nothing but expensive enterprise equipment that is designed with security in mind. That being said it’s not like Sophos has never had a vulnerability but it’s not like he’s running a $40 netgear router.

All else aside, welcome to the forum :slight_smile:. Nice to see you again and thanks for the well thought out input and reply.


#12

Just to be clear. I’m approaching this debacle…er…scenario from the standpoint of your average user, using standard consumer hardware, having a standard consumer broadband connection. Your average telecommuter probably works from home on average 1-2 days a week. So unless he’s remoting in every day of the work week and only handles truly sensitive information, that would then warrant some kind of elaborate set-up and hardware, most likely provided by the employer. Having said that, I go back to my previous statement that data does not have to be labeled “sensitive” to be sensitive. Maybe those days working from home he/she is not working with sensitive material, but a true threat actor or APT will know that even though the target is NOT currently working with “sensitive” data from home, he does have access to it.

Precautions should be taken irrespective of the fact of the persons current home network situation. It’s simple situational awareness.


#13

Agreed. But at what point are precautions not enough. Depending on the individual working from home’s position at the company, he/she could be just opening a big ass hole for an attacker to get in.

From an attackers standpoint:

  1. Attack the infrastructure that likely has significant safeguards against typical attacks, or
  2. Attack the dude working in his underwear with a spearphishing attack and go through the tunnel to the inside of the network.

Almost nothing we can do here prevents from this sort of attack. No number of routers, or network segregation, or intrusion detection systems is going to stop any attacker if this single computer gets compromised.


#14

Agreed. If someone wants to hack you, you’re going to get hacked. As long as you show due diligence though, and have at least some idea of what’s at stake, you’re less likely to fall prey to such an attack. I would think that if an attacker can’t get to where he wants to in a reasonable amount of time, he’ll most likely move on to a different, more vulnerable target.


#15

Hey,

Thats my article, thought I would register to respond quickly:

  1. Its a home network that evolved while I was researching

  2. The physical networks are connected on two different NICs

  3. Its sophos NXG Firewall, community edition
    4)Fortinet Switch is managed

  4. My wife is Asian, two internet connections are a necessity for lag free relationships.

  5. Everything technically from QubesOS to the point I am connecting is in a secure tunnel. So not sure why half the points were brought up, but anyways.

  6. Non- of what I told you is really too relevant any more.

If they want your data, they send a $100 hooker around to spearphish you, if you dont respond, they will send her bf for $100 and then you ganna have wannacry ransomware.

Thats how it is now. I actually have stopped caring about layers 1-7 that much now.

Btw, my setup has since changed, this was pre- Meltdown and Spectre.

So now, my secure net are AI nodes on raspberry pis on their own vpn securenet. I cant trust intel and AMD anymore :frowning:

Incase ure asleep. Infosec has changed the last two years. Almost no one is focusing on layers 1-7 any more. Neural networks, AI and layer8 are where its at now.


#16

what happens now. Cause its faster and cheaper.

I honestly no longer care. The last thing I worry about now is my data getting leaked. Im worried about my mind retaining sanity than anything else.

The battlefield has changed dramatically. I am now more focused on those I work with than the hardware I put on my network.


#17

Thanks for your input. It’s definitely something to think about.


#18

How about using a Citrix farm where users login to a portal, run a small bit of software, and launch into a remote environment within your own protected network? I have seen this work successfully. You have a lot more control over the overall environment, outside of the software connecting back to you.