The Mobile Workforce and Learning From Mistakes

BurglarUes.jpgFor those of you who haven’t heard already, friend of the show, Michael Santarcangelo (The Security Catalyst) had his mobile home robbed while he’s on US tour with his family taking his security messages on the road. The thieves made off with his computing gear. I have to say that he’s been very upfront about his predicament so that we can all learn from his situation; He did lose some data, but for the most part his backup and disaster recovery plan went well. He’s deriving a great amount of inspiration for some more security training out of this as well. I have to applaud him on taking some lemons and making lemonade.
I have to admit that the incident has inspired me as well. It got me thinking about some possible issues with mobile workforces. I mean, we all (for the most part) do a pretty good job of securing our assets while they are in our corporate environment; Whole disk encryption, AV, Desktop and Network firewalls…the list goes on. We also have those locked doors, a security guard, alarm system and so forth.
IMG_0114.JPGBut what happens when someone takes (with permission) that asset, such as a laptop, home to do some work in the evenings, work from home, or visit client sites? What do the employees have for protection? Do they have a network firewall, or do they plug directly in to their cable modem? Do they have a security guard (dog or alarm system at that)? Typically no. Unsecured wireless? Yikes, all of the same things that we’ve thought about as challenges in the corporate environment, we have think think about “on the road” I see these as some potential issues for security for both data on the machine, as well as a possible connection to the corporate network.
Let’s set the scene. Intellectual property gets loaded on to a laptop with fill disk encryption. The employee takes the laptop home to telecommute (which is a regular occurrence), connects the laptop to the home network and initiates the VPN connection (with cached VPN credentials possibly) to the corporate network. the employee decides to take a breath of fresh air with a trip to the local coffee shop for an invigorating mocha-chino. While away form home, a burglar (or attacker in this case) breaks in and has a few minutes to play on the VPN, and so forth. Without full disk encryption, this situation looks like a disaster to me.
geotag.jpgSo, you are asking, how does the attacker find where the “target” lives to break in? A little Google searching (and maybe even some Maltego action), could turn up a photo sharing service account for the “target”. Combine that with a Nokia N95 or iPhone with firmware 2.0 or later, and some nice, geotagged photos get uploaded (such as the one to the right, with output from a nice Firefox greasemonkey script to pull map info from google). Now you know where to search…
Protect your corporate assets on the move! It is hard to make unreasonable requirements of folks at home, so a little education needs to go a long way. Make those corporate assets as secure as possible, and design a policy framework that will appropriateley guard against the high risk areas; include screen saver locking with a short delay, workstation login timeouts, whole disk encryption, VPN activity timeouts and maybe even a good cable lock for good measure, amongst a myriad of other things.
Educate staff about what they share on the internet; in most cases it would be in bad form to restrict what folks do in their spare time.
Best of luck securing your mobile workforce, and Michael, best of luck to you and your family recovering from your ordeal.
– Larry “haxorthematrix” Pesce

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.