Have you checked the security of your users’ home computers lately? Of course not. In a world where you struggle to keep up with critical servers, applications, and the like, there’s no way to reasonably evaluate the security of everyone’s home-based systems. That being said, the fact that you have employees and contractors using their own systems to access your network via VPN connections and webmail, as well as to work on sensitive business information on those systems, creates significant business risk. This issue goes beyond traditional BYOD-based security challenges because it is not only your employees or contractors using these systems: children, relatives, and perhaps even neighbors have full access to them too. These are risks that you may not have thought about, much less quantified. How is that going to look in the eyes of your auditors, leaders, and shareholders?
Let’s look at this from the perspective of a rogue neighbor hacking into an employee’s home network. All it takes is someone who’s bored and poking around, or who has outright malicious intent. Eleanor Roosevelt once said that no one can make you feel inferior without your consent. Looking at this from a computer security perspective, no one can get on your employee’s network without his or her “consent”. Sure, it’s not willing consent. Still, it’s consent brought about by ignorance. All it takes for your business information, or your entire network, to be compromised is a weak wireless configuration, a poorly constructed password, missing or outdated malware protection, or weak physical security controls.
Do you think everyone who has access to your network and sensitive information is thinking about these things, especially on their home computers? I can assure you they’re not. At least not all the time. Of course, they’ll sign off on this or that acceptable use policy, but in the grand scheme of things those terms mean nothing when the proper technical controls are not in place to set those users up for success and actually enforce the policies. To rub more salt into the wound, when a neighbor or some other external attacker gains access to a home computer that has a direct link to your business, odds are slim to none that your users, or anyone else – including yourself – will ever know that the system has been compromised and that your business assets have been, or will be, exploited.
Stop going through the motions of simply telling your users what to do and what not to do. Checking security boxes in the name of compliance is a surefire way to facilitate a breach. Give your users tangible steps – written in language they can understand – that they can take to truly lock down their home network environments. Talk about WPA2 pre-shared keys and how to set them up properly: WPA2 with AES/CCMP rather than WEP or TKIP, and a long passphrase that is not the router’s default, because a captured handshake lets an attacker guess the passphrase offline at leisure. Share the risks associated with Wi-Fi Protected Setup (WPS), which so many people have enabled on their wireless routers; its PIN method can be brute-forced from outside the house, so it should be turned off. Show them how to create reasonable passphrases for their computer systems, applications, and websites: several unrelated words are far stronger than one dictionary word with a digit tacked on. Explain why it’s so important to keep software patches up to date, especially patches for third-party products like Adobe Reader, Java, and the various web browsers that people use. Ditto for good malware protection and physical security.
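The two pieces of Wi-Fi advice above are easier to make concrete than to preach. The following Python is an added example, not code from the article or from Principle Logic: it derives a WPA2 pre-shared key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output), shows why a weak passphrase falls to an offline dictionary guess once a handshake has been captured, and generates a word-based passphrase with a stated entropy estimate. The function names, the tiny word list, and the candidate “dictionary” are all constructed for illustration; a real generator would draw from a full list such as the EFF long word list (7776 words).

```python
import hashlib
import math
import secrets

# --- WPA2-Personal key derivation (IEEE 802.11i, Annex H) ---
# PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# The SSID is the only "salt", so a common SSID plus a common passphrase
# is a precomputable pair for an attacker.
def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


# The standard only allows 8-63 printable ASCII characters (0x20-0x7E);
# anything else is rejected or silently mangled by real routers.
def validate_wpa_passphrase(passphrase: str) -> list:
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA/WPA2 passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII (0x20-0x7E) is allowed")
    return problems


# Offline guessing: with a captured 4-way handshake the attacker needs no
# further contact with the router; each guess is one PBKDF2 computation.
# Returns (matching passphrase or None, number of guesses made).
def offline_guess(ssid: str, target_psk: bytes, candidates: list):
    for count, candidate in enumerate(candidates, start=1):
        if wpa2_psk(candidate, ssid) == target_psk:
            return candidate, count
    return None, len(candidates)


# Constructed 16-word sample list (example only; use the EFF long list in
# practice so each word contributes log2(7776) ~ 12.9 bits instead of 4).
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pepper",
]


def generate_passphrase(words: int = 6, wordlist: list = WORDLIST) -> str:
    # secrets.choice is a CSPRNG; random.choice is not suitable here.
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words: int, wordlist_size: int) -> float:
    # Each uniformly chosen word adds log2(N) bits; order is not shuffled.
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    ssid = "IEEE"
    captured = wpa2_psk("password", ssid)  # pretend this came from a handshake
    hit, guesses = offline_guess(ssid, captured, ["letmein!", "12345678", "password"])
    print(f"weak passphrase recovered: {hit!r} after {guesses} guesses")
    strong = generate_passphrase()
    print(f"suggested passphrase: {strong}")
    print(f"validation problems: {validate_wpa_passphrase(strong)}")
    print(f"entropy with this toy list: {entropy_bits(6, len(WORDLIST)):.1f} bits")
    print(f"entropy with a 7776-word list: {entropy_bits(6, 7776):.1f} bits")
```

The derivation in wpa2_psk matches the published 802.11i test vector (passphrase “password”, SSID “IEEE”), so the block can be used to sanity-check any other PSK tool. The point to make to users is the asymmetry: 4096 PBKDF2 iterations cost the router nothing noticeable once, but a six-word passphrase from a real list pushes the attacker’s offline search into the region of 2^77 guesses, while “password” falls on the third try.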
Again, you face enough security challenges inside your four walls. Don’t let home computers and poor user decisions further undermine your information security program. Take some time to get your arms around this issue before something bad happens that you may or may not ever find out about. Ignorance is bliss, but it’s not a good security strategy.
About the Author
Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. Having over 26 years of experience in the industry and 20 years focusing on security, Kevin specializes in performing independent security assessments of Web applications and network systems. He has written 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
Source: SANS ISC SecNewsFeed @ March 2, 2017 at 03:06PM