Apr 5, 2020 12:02:52pm
m4t4d0r All-American
By Popular Demand - Secure Work From Home Recommendations
After several boardmail requests over the last week, here is a quick overview of my perspective about how to securely work from home in today's crazy times. The amount of cyber attacks going on around the world is unprecedented, mainly because some of the most-sensitive information is being passed over some of the least-secure networks, systems and applications. You'll never be able to overcome poor decisions made by your company's IT team, but you can at least do your part to protect what you do have control over.

Let's start with your internet connection. If you are using your ISP's router as a combined modem, router and WiFi access point you are probably already owned by the bad guys. You should NEVER trust those systems to serve as a security boundary between your home network and the ISP's raw internet connection. The best way to fix this is to turn whatever device is connected to your ISP's network (DSL, cable or fiber modem) into a simple internet gateway which publishes an IP address to another device. This will eliminate 90% of the problems that we often get called to clean up.

The worst situation we've seen due to using the ISP's hardware for a combined modem, router and access point was with an independent board member of a Fortune 100 technology company. The bad guys had targeted his router, then used it as a command and control node to take over every single piece of equipment on the guy's home network (including his personal laptop). Every email/board communication that he read on that home network, the bad guys read as well. We built a model for how much money the attackers could have made with the 'insider' information that was available to them from this attack foothold. They easily could have netted tens of millions of dollars without raising any alarms at the SEC or exchange authorities over the course of the 2 years we believe they had control over his home network.

This brings up another good point... I highly recommend that people working on sensitive projects NOT co-mingle their primary work devices with their personal/home/kids' devices. You want to have segmentation between the smart TVs, smart refrigerators, appliances, etc., and your work computer. So, you will want to have an access point which supports easy segmentation.

My recommendations for a solid router/access point:
- Netgear Orbi Pro: decent value for money and good system maintenance, easy-to-setup WiFi segmentation
- Asus BRT-AC828 router: for the geeky folks out there, a solid system at a good price, not as user-friendly as the Orbi Pro
- Zyxel: for someone who wants to really manage risks, and is willing to configure multiple systems and pay for long-term support for protection from sophisticated attacks, and is super geeky

The most important aspect of operating all of these: MAKE SURE YOU UPDATE THE FIRMWARE RELIGIOUSLY! You can have a great system, but if you don't maintain it, then your network will be owned. Not a matter of if, but when.

Now, you've got your network taken care of. Next, let's talk about your laptop. I'm on the record here as being an outright Apple hater, so you'll have to take this recommendation with this filter... but anyone who uses a Mac is a lost cause from a security perspective (unless you really have the technical chops to stay ahead of the bad guys). https://www.forbes.com/sites/daveywinder/2020/02/11/platform-wars-2020-apple-security-threats-outpace-microsoft-windows-for-first-time/#637331c07c5a When we are doing penetration tests, executives who use Macs are our absolute favorites to abuse to get access to business applications which provide us with material access to 'real' systems (like ERP, payroll, wire transfer, etc.). If you want to stay ahead of the bad guys with the least amount of effort, here's your best bet:
- Asus equipment (assuming you can choose your hardware, Asus is the last man standing against the Chinese Communist party): The new ASUS TUF A15 is freaking amazing value for money
- Windows 10 with ALL of the feature packs and updates, including assuring that your system's TPM (a dedicated encryption microprocessor) is updated with at least firmware version 2.2
- Assure that your user account is operating as a standard user (and not as admin)
- Only use Brave as your daily-driver browser. If your work requires you to use another browser for a particular application, then have the discipline to ONLY use that browser for that app and nothing else
- Make sure you've got a solid password manager installed separately from the one provided by your browser. Dashlane and LastPass are pretty much the best out there, but you can't use the free versions. Make sure you select the option to integrate your authentication with Yubikey to assure MFA before your vault is unlocked

If you are a small business owner and need help monitoring the integrity of your endpoints, my preferred endpoint detection and response partner is Binary Defense https://www.binarydefense.com/ If you need any help getting in touch with them, let me know and I can get you significant discounts.

Let's talk a little about how you work remotely. First, let's make something specifically clear... whatever you're sending over email is being read by at least 3 and sometimes as many as 10 other people along the line. Email has zero integrity and should only be used as a last resort for sharing sensitive information, files, etc. Every email you receive should be scrutinized and should not be trusted. If you work for a company which forces you to use email for sensitive/critical/material tasks, let your IT people know just how badly you need to change. If people want specific recommendations for what to use, send me a boardmail and I can help you find things that actually work to protect people and data from sophisticated attacks.

If you work in an organization that has you relying on Office 365 or G-Suite, and you only enter a username and password to access it, then your account is probably already owned. Every organization should be requiring multi-factor authentication for every interaction with cloud applications like Office 365 or Salesforce. And... if your employer has you use a smartphone app to serve as the MFA token, then let's talk about your mobile device.

Every single Apple device on planet earth is pre-compromised by the Chinese government (and 30 other governments). They have root access to every set of credentials stored on iPhones and have real-time access to every conversation flowing through iMessage. If you are using an Apple device, and you do sensitive work, you should do everything you can to get off of that device. We have had to clean up dozens of security incidents in the last year where the Chinese People's Liberation Army has exploited their root access to iOS devices to do really, really awful things to companies both big and small. Apple collaborates with some of the most despicable authoritarian governments to provide surveillance for them; the advertising campaigns they run about how they protect privacy are one of the most despicable falsehoods of the last decade in the technology world. The fine folks from Cupertino have made it so the only way to correct their pre-compromised configurations is to jailbreak their devices. Not cool.

If you have a choice in what device you use, get a Google Pixel (3a or later). When we are asked to do mobile penetration tests, we charge 3X for including a Pixel class device in the scope versus an iPhone X or later. iOS was about 7 years ahead of Android in the beginning, but Google came back with a vengeance and now it's the opposite. If you have a Pixel and only install applications from the Play Protect apps in the official Play Store, there are significant security advantages over iOS and App Store programs. The most important bit on Pixels, you can correct the pre-compromised configurations without jailbreaking the device. If you want details on this, please send me a boardmail and I'll send a step-by-step guide on how to maintain your privacy from both opportunistic as well as targeted mobile attacks. Now, you have to worry about how Google monetizes and shares your data, but at least they are honest about what they do and you have options within the Android platform to decide what you share and with whom. Apple provides no such option.

If you're stuck on Apple or have a Pixel, keeping that device up-to-date with security patches is critical. For Apple devices, you'll want an XS or later. For Android a Pixel 3a or later. Both of those platforms need to be updated within 21 days of the release of any security updates. If you ever have a device which cannot update to the latest version on a monthly basis, it's time to get a new device. In these days of economic uncertainty, if you cannot afford the latest Apple or Pixel devices, then I recommend an Android One device (Motorola One is my preference).

Now, about those video conferencing systems. Zoom, Teams, GoToMeeting, Webex... they are all essentially 'security best-efforts' platforms, without any real integrity. You should consider that all of those systems have easily-exploitable vulnerabilities which could be exploited without notifying the users. I tell people using those systems that speaking and working over them should be treated like working in a Starbucks where everyone can hear what you're talking about. Your voice can be recorded without your knowledge and consent.

Here's hoping that companies (the ones that have the resources) use this remote work time to shore up their systems so that they don't lose all of their critical intellectual property and customer data as people try to get work done remotely.