Sensitive Data and your Work Computer
Author: Derek Burke, Technical Support Engineer, dburke@cubro.com
With the spread of the SARS-COV-2 virus, responsible for COVID-19, an unprecedented number of people have found themselves working remotely. This brings a lot of new challenges to bear, not the least of which is simply putting together a workspace in the home. Unfortunately, a remote worker’s considerations shouldn’t end at simply gathering the tools to work remotely. It is very important during this time to be conscious of security practices regarding your computing habits and home network.
I want to preface this article with a disclaimer of sorts. I understand that everyone is not well-versed in networking and security concepts and may not be “computer people.” It’s probably safe to say the vast majority working from home are not IT professionals and, certainly, not everyone is expected to be. However, in this increasingly interconnected world, with a growing dependence on technology, I believe that everyone will have to take some responsibility for understanding and practicing security concepts just as we take responsibility in reasonably securing our homes against physical intrusion. I also believe it is the responsibility of those of us who are technology professionals to educate and help those whose focus is in other areas of expertise. Fortunately, for anyone inclined to learn there are many resources available online that will help even complete beginners implement resilient defenses. A Detailed walkthrough for practically anything is usually only a YouTube search away.
The content of this article will focus on awareness of what may be exposing you to security threats in a home network environment as well as best practices of “security hygiene”, as well as threats arising from the current Coronavirus pandemic. The concepts here are not only useful for working from home but are worthy considerations for any technology user.
The first consideration concerns working with sensitive information and where it is stored. Working remotely introduces the risk that sensitive information is more exposed to possible threat vectors than if workers and work machines remained solely on premises. Perhaps your place of employment has provided you a work laptop but perhaps they haven’t. In the case of being provided a work system, odds are it is full of business sensitive information. You don’t have a to be a super-secret government agent to be handling sensitive material. Documents marked “For office use only” fit the definition as would customer records. I am a big proponent of separating work systems from those for personal use, if one is able. If you have a work supplied laptop (or other device) it should not be used for purposes unrelated to work. If you haven’t been supplied a work device and have the ability, you should dedicate another available machine to work and nothing else.
For more technically savvy users or those interested in exploring some new options, this could be accomplished with dual-booting between two operating systems, one for work and one for play, or even dedicating a virtual machine to work purposes, thus avoiding the need for new hardware. If you are interested in either of these options, a wealth of information can be found online, and it shouldn’t take more than an hour to get everything set up. The main goal here is to reduce your own liability. The less exposure any sensitive work information has, the less likely it is to be unintentionally accessed. Generally speaking, a company-provided system with only work specific data and apps should (and I’ll stress ‘should’) have a smaller attack surface than a personal machine (especially a multi-user one such as a family computer). Regardless, if data is exposed as a result of choices the company made in deploying their systems and not because of software or negligence of the employee, that falls on the company and not you.
When it comes to our computers, we need to make sure that the latest Operating System updates are being downloaded and installed. We have been seeing massive amounts of vulnerabilities surface in recent times. This critical SMBv3 vulnerability was just discovered and forced Microsoft to issue an out of band patch (Windows updates are usually released the second Tuesday of each month, known as Patch Tuesday); the unfortunate thing is, it seems this is becoming more commonplace. And no, Mac and Linux users, you are not an exception to this, the past few years have busted the myth that Mac and Linux systems don’t face these issues, so check for updates regularly. If your work system is a company-owned and provided one there is a good chance that software patches and system security are centrally managed by the organization. If you are a smaller business with little to no IT team though, this may not be the case.
One huge thing a home user can do to protect against malware, phishing, and other online dangers is to not use an administrator account for daily tasks. I can’t stress this enough, create a second account that does not have administrator privileges and use that for everyday computing tasks. Log in to the administrator account only when needed (making system changes, installing applications etc.) The minor inconvenience of switching accounts will pay dividends in protecting your system.
Lastly, consider comprehensive security suites such as those from F-Secure or Symantec. Typically, these are known as Anti-Virus programs though the former incorporate far more functionality such as defenses against ransomware and features to protect sensitive online transactions like banking. I personally don’t recommend using free third-party anti-virus solutions though, and if you are a Windows user then Windows Defender, already built-in to the OS, is quite good.
I would be remiss not to point out that third-party solutions have come under fire many time for selling users personal data such as this case here. Bypassing anti-virus is definitely possible for a determined attacker as in this example and some AV products have the potential to become the threat vector themselves, as discussed here. So please keep in mind the potential trade-offs; if you aren’t paying for the service you very well may be the product. Also, virus scanners are not a panacea and won’t necessarily save you from reckless behavior (opening random email links, downloading questionable software, visiting shady websites).
A broader point of concern is that, even if you maintain a separate system for work and personal use, either system is still sharing a potentially vulnerable network with numerous devices of questionable security, placing your work data (as well as personal data) at risk. In the next article, we will delve into securing your home router.