I am a retired programmer and I have not worked in the field since 2012. At the time I left, my company (a large insurance company) had stopped the practice of letting employees log in remotely from their own computers at home. Most employees were issued a laptop that they were expected to ferry between home and work if they wanted to work from home. If you were regularly on call they gave you another laptop to keep at home. You were not the administrator of these computers, so you could not load software on them. While this was a huge pain in the ass, I recognized the utility of this policy. The company wanted to have control of every computer used to access their systems. I was under the impression that this was becoming the policy of much of corporate America, especially financial institutions.
Recently my niece got a job at a large investment bank in NYC (you would recognize the name). She says that everyone is expected to be able to log in from their own computer at home.
My first question is this: Is the practice of remote login from uncontrolled computers a serious security problem? Although I was a programmer, my understanding of viruses, VPNs and hacking is no greater than that of most educated people.
Secondly, is the situation my niece describes accurate?
I am a software developer for a Fortune 500 firm that serves the banking industry. We can access company networks only using company devices. I have a laptop that I use in the office and at home. When I am on call, I have to use a company-supplied phone to get pages and read emails. Both of these devices are administered by enterprise tech at my company.
I am not a security expert, but your niece’s situation seems less secure than the one I work under. I suppose the vulnerability could be mitigated somewhat by logging on to a secure VPN before accessing company systems, but the device itself seems vulnerable to me.
Yes. Allowing people to VPN to a company network using their own home computers is a big security risk.
A problem arose in the military not too long ago regarding this. We had to have Common Access Card (CAC) readers at home if we wanted to VPN to the network, to make it more secure (roll-eyes). The problem was people had key-loggers and certificate stealers installed that allowed hackers to pretend to be the user, even with PKI certificates.
Can’t believe places still do that. Actually, I can, since most places don’t know shit about cyber security.
To answer the first part - There are many, many, many different ways to remotely log into a system. If it is a bank, and folks are expected to log in from home, more than likely they will be logging into a secure portal, and that portal will have tons of security on it. It’s like using remote desktop to access a different computer - You’re only providing a way to get into that computer, so whatever is on your machine can’t affect the system, as no data is transferred from your machine to the remote machine. The access requirements would be a decent monitor to see it on, and an internet connection with decent speed.
As to whether it’s common practice - Again, it depends on the business. BYOD - Bring Your Own Device - was a big push for a while, but people saw the security risks for it. For some companies, it worked, for some, it didn’t. All it will take is for the CEO to be sent to a new Corporate Training, and they’ll come back with a whole new theory on how IT should go for the company. Next thing you know, everyone has RFID chips embedded in their wrist to access data and their machines.
I’m a freelance IT consultant. In the last ten years I’ve had all these:
laptop provided by the client,
laptop provided by the consulting firm,
incredibly ancient desktop provided by the client; due to requirement to write documents in both English and Spanish combined with idiotic policy making it impossible to set keyboard to Spanish (not even the “real IT” guys could do it, the systems read and applied the general configuration any time you logged in), laptops provided by ourselves (freelancers) or the consulting firm (internals);
BYOL but it was required to have a no-longer-supported OS; we needed to get pirate copies. When IT told two of us that we weren’t allowed to have dual-booting or have “unauthorized files”, we replied “if you want to be in charge of the computer, bloody well pay for it”.
BYOL with a package of required software provided by the client;
BYOL, no requirements, but because of WannaCry we were suddenly required to have our laptops checked. What a surprise, the freelancers were the one group whose laptops were eat-off-the-keyboard clean.
While there are security vulnerabilities in the way your niece’s company does it which are not present in the “company owns all devices” model, there are a lot more vulnerabilities that are shared by both models, such that the company might have decided that it wasn’t worth it to worry about those few extra ones.
In the WannaCry case I mentioned before, the IT guys were pulling their hair off over the amount of company-owned laptops being found in people’s desks or homes; many were obsolete. The most extreme case I heard of had 4 company laptops: the one he normally used, a slightly-older one kept in a drawer as “backup if the new one breaks or something”, a third one kept in a drawer to be used once a month (apparently dude didn’t know that his Magic Excel could be moved to another computer) and a 4th he kept at home so he wouldn’t have to lug the company laptop around.
Having company-owned computers doesn’t increase security if you don’t even know who the hell has them, don’t keep the software updated…
I have had similar experiences. For a while I was lugging 3 laptops through airport security, 2 from clients, 1 BYOL loaded with company-ware. That, multiple VPNs, remote desktops, and a couple of 2-factor fobs, I was secure!
In the past couple of years, my employer has gone to more and more applications that are available without logging in to the VPN. I work from home several hours per week, and I rarely use the VPN. All of our email, access to our CRM data, HR info, expense reporting, all is done through secure services that don’t use the VPN.
Yes, and that’s how it should be done. Web-based applications should be the norm as they allow access to critical apps without actually being on the network. Of course, this sometimes allows access to back-end databases that aren’t secured, as is shown by various government agencies and corporations having data breaches.
The problem at my work now is that authentication to applications is supposed to be via PIV card (smartcard) and allowing application access via the web from personal computers would require people to purchase PIV readers for their home computer, something that isn’t yet forced on them. So web applications are still password based, which sucks.
Some of our applications aren’t web-based (as in, accessed through a web browser), and they’re still available without the VPN.
We’re using the Microsoft Office 365 package now which gives email access, through the Outlook program running on my computer, and it connects to our mail server with no VPN. Many of us also use MS OneNote frequently, which also works not in a browser and securely without a VPN.
I don’t know the details of how it’s secured (and how my security-uptight employer was convinced to use it), but I do frequently have to give it a six-digit code that gets texted to my cell phone. It makes me do this several times a week.
Web-based applications won’t cut it for my job. At my current employer (a medium-sized semiconductor company) I can take my company laptop home, connect to the internal network via VPN, and pick up a VNC session that I always keep running on a Linux server.
At my previous employer (a very large semiconductor company) I could download the approved VPN client and anti-virus software from the corporate web site and connect using my own computer. Again to pick up a VNC session that was always running on a Linux box.
In both cases the VNC is configured such that I cannot access my local network while the VPN is active (it is a pain printing stuff).
Sometimes I wonder if having people hauling corporate laptops back and forth all the time is actually more secure than allowing VPN from a non-company computer. I have known a number of persons who have had their company laptops stolen from their cars.
I’ve known a number of persons who’ve been working on confidential information in view of whomever sat behind them in the train, the plane, the station or airport… one time I could have taken pictures of a competitor’s sales projections for the upcoming year all nice and pretty. Leaving a company laptop unsecured is idiotic; so is opening your forecast above the Atlantic ocean. There is so much one can do with technology, so little one can do with stupidity.
Don’t pretty much all companies use whole disk encryption on their laptops? From what I understand, it makes a stolen laptop (as long as it wasn’t unlocked/logged in when stolen) just a loss of property problem and not a security problem.
I work for a civilian federal agency, and we recently abandoned the use of thin-client laptops (i.e., no hard drive) for remote access. We now access remotely via home computer to log into a secure portal, using a plug-in PIV card reader supplied by the agency.
Agreed - on the face of it, the security of the situation the OP describes does depend a lot on how it is implemented - allowing end users to join their own machines to the company network would be generally bad (but I bet it’s not uncommon) - providing a virtualised portal (either a pure web solution, or a view of a controlled desktop a la Terminal Services) would be generally better… but…
The trouble with any of these solutions is that users find creative ways around the security.
Suppose you give the user a remote view of their desktop, but no file access and no rights to install software within the controlled desktop - simple enough (too simple) - but almost straight away, people will start feeling frustrated by:
- The available screen size
- The cursor lag and other latencies - often introduced largely by the quality of the user’s home internet
- The availability of specific software to work on their data (which is not actually their data)
And they’ll work around this by:
- Emailing files from their work desktop to their home email account in order to work on them locally (so now there are multiple copies/versions of the same file, out of control)
- Carrying important files on a thumb drive (so now there’s only one version, but it’s at high risk of loss)
- Opening above files on their own machines, potentially introducing malware which they will carry, or email back to their work desktop
There are solutions to all of this, but when you start to implement them, users may perceive this as additional reasons why the solution is unsatisfactory, which require their creativity to work around, rather than work within.
My law firm issues laptops, but also allows lawyers to log in to the company intranet from home computers. Any out-of-office login (on firm-owned or private computers) is through a VPN. We also have two-factor authentication for out-of-office logins using Duo Mobile (basically, we have to confirm that we are trying to log in using a smartphone app).