24

I read an article in the latest InfoSecurity magazine (an infosec trade rag by Elsevier) saying that us security professionals aren't necessarily taking the correct steps to protect our own home office networks and computers. Now as a security consultant who operates out of my own home office, I ask you how you protect your home office? What should we be doing?

Using my own environment as an example, I go to great lengths to protect my clients' source code (I'm in app security). I also use WPA2 on the router and change the password every so often to try to avoid network sniffing. I have a firewall on each computer, though maybe I don't review the logs as often as I might... and I have backups both locally and offsite. And of course the hardware itself is insured.

So, what have I missed? What would you do? What wouldn't you do? Of course, policies aren't such a good solution because there's only one of me, and I'm not about to fire him ;-)

7 Answers7

19

I did a bit of an article on this in the Financial Times 3 or 4 years back but can't find more than the headline piece. Anyway, as I tend to practice what I preach, I have my home set up with networks separated by risk -

  • I have one wireless router with two networks which only connect to the Internet. A DMZ which just uses WEP in order for my kids to use their Nintendo DS's online and another which is for my local community free wireless
  • Another router hosts a secure WPA2 network (mostly for my Playstation 3)
  • For the wired networks, I have a low sensitivity network for the rest of the family - who connect using VMs I have built for them, and a higher sensitivity network for most of my research and non-client activity.
  • For security testing work for clients I have a higher security subnet which requires strong multifactor authentication

For platforms, I have always found the simplest is to use a hardened build for client testing, which can be broken down after testing and reporting is complete. The build has BIOS password and full disk encryption. All machines and servers on all my networks also have firewalls and antivirus and are patched up to date as per vendor guidance.

If you have a security guy working from home, you may find it difficult to audit the kit on site, which can be a problem in terms of managing the risk from them. You typically don't have many solutions here, as they have physical possession of the kit and are effectively unsupervised - understand how much you need to trust them, ensure your contract is appropriate and configure logging as appropriate.

I agree you do need physical security - not only on doors, safes and computer tethers, but also on paper documentation and archives/backups.

Backups and insurance are essential! I use encrypted backups on a site very unlikely to be within the blast radius if my house happens to have a plane land on it (could happen - I'm only a couple of miles off the approach to Edinburgh Airport)

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • 3
    +1 security for paper documents etc. A file cabinet's lock is not enough! :) – Steve Dec 20 '10 at 19:27
  • 3
    +1 for "practice what you preach". Now, when do you want one of us over for an audit? – Iszi Feb 07 '12 at 20:52
  • 1
    @Rory What kind of hardware are you using? Are you using off-the-shelf wireless routers? With the complexity of your network I'd be surprised that you're able to segregate everything so well. How did you setup a separate subnet that requires multi-factor authentication to access? Do you have multiple IP addresses from your ISP? – Bob Jul 10 '12 at 18:24
  • @Rory, Why not use a cloud database like Google Drive? Then you'd not only be safe from *small* plane crashes, but from really big ones as well. – Pacerier May 25 '15 at 06:55
  • @Iszi, No multiple-site (aka cloud) backup = audit fail. – Pacerier May 25 '15 at 06:56
  • Actually, since I wrote this I have now added cloud backup for my essential files :-) – Rory Alsop May 25 '15 at 20:36
  • Bob - a combination of off the shelf kit (some a bit hacked about) and slightly higher end stuff I have picked up over the years. This network is really simple compared with ones I have configured and managed in my earlier role as network Admin, so it's really not an issue – Rory Alsop May 25 '15 at 20:38
8

Source Code Security

Depending on your setup this may or may not be feasible, however:

  • I store all clients source code on removable media which is kept in a safe at all times not in use. This prevents physical theft of PCs exposing clients source code, as well as keeps remote attackers from having access to said source code.

  • When I am finished with an application release I destroy the physical copy (if I don't have it, it can't be stolen.)

Information Security/Integrity

  • Keep in mind that your home office isn't the only place you are responsible for security. The information you generate/deliver is just as (if not more) valuable to an attacker.

  • Implement chain of custody for vulnerability reports. This way there is documentation of everyone who has had access to the data, from the secretary for the development staff, to the CEO of your clients company. I hand deliver all reports when possible to reduce likelihood of compromise.

Misc

  • One other little tidbit I like to do for the home office is to turn off SSID broadcasting on my wireless router. This single (and simple) task will deter most people from snooping around.
Purge
  • 1,996
  • 2
  • 14
  • 26
  • 1
    Snooping? You are just adding complexity to your own access by turning off the SSID. The network is still visible, just not to consumer-level people. – Steve Dec 20 '10 at 19:08
  • Yes it does add complexity to accessibility. It does so for every person, not just myself. That does not make my statement any less accurate. I am not discounting that it is still visible, nor am I saying that this should be the only method used to secure your network. – Purge Dec 20 '10 at 19:14
  • Sorry, I wasn't meaning that it's your only way of securing the network...what I essentially meant was: is it worth the added complexity? – Steve Dec 20 '10 at 19:23
  • I find it quite easy to connect to my router by defining the SSID I want to connect to. I've never had an issue doing so, so I personally don't find it very complex. That said, I can't answer your question, because every person/company has a different way of appraising worth. Me personally? Yes. – Purge Dec 20 '10 at 19:32
  • Fair enough... :) – Steve Dec 20 '10 at 19:45
  • 2
    The only argument there is that the people that aren't going to snoop b/c SSID broadcasting isn't turned on are probably the same ones that aren't a threat anyway and don't matter -- they can't even find your ssid. – Bradley Kreider Jan 07 '11 at 05:43
7

What about physical security?

  • Encrypted hard drives (across all drives on all systems)
  • Fireproof safe for backups, both onsite and off
  • Proper locks on doors
alecxe
  • 1,565
  • 5
  • 19
  • 34
Steve
  • 15,215
  • 3
  • 38
  • 66
  • 1
    @SteveSyfus - you can add edit notes in the notes section when it's something minor like adding parentheses. – orokusaki Dec 20 '10 at 22:11
  • @orokusaki: or indeed when it's something major. –  Dec 21 '10 at 10:47
  • 1
    @orokusaki yeah he can but small changes like 2 parenthesis doesnt let you save as an edit, too few changes, so the EDIT bit was probably to get over the minimum limit threshold –  Mar 21 '13 at 10:16
6
  1. Develop & practice annually your own security plan.

I see a lot of good information regarding intrusion detection, monitoring, etc, but nothing beats a full blown security plan which can be reviewed and practiced at your specified time. Would you know what to did if your USB HD crashed with your clients data, could you have their data available immediately? In your head your saying yes, but have you unplugged your HD, data's gone, phone rings, it's the client wanting the data sent to them ASAP. What if your local data was compromised, could you not only detect it, but react to it, and the on top of that, recover the data? What if you couldn't recover the data, what steps are in place with the clients to cover that?

  1. Hire a firm to run penetration tests on your environment.

I see a lot of speculation as to "what should I secure?", WEP, Data, etc. There's nothing worse then using the "shotgun approach" when it comes to security. Pretend for a second, you are your own client, what option would you want you to do? You can guess at what needs secured, or you can know for sure what needs secured. You can create 25 fake SSID's and all this talk above, but that's all for nothing if there is a vulnerability your NOT aware of and do NOT address. Even if your an expert in the field, this is your business and your income, there is no harm in having someone else "double check" your work!

I'll stop the novel now...my apologies.

badcode
  • 61
  • 1
5

There are two parts of data security.

  1. Keeping "them" out
  2. Detecting when you failed at that

For keeping them out, without knowing any specifics of your network, your steps seem reasonable. That's not an endorsement per se, you can always do more. Although there's a point where you move from reasonable security to paranoid (then progressing further you become the TSA).

For detecting where you failed at keeping "them" out you need some sort of host intrusion monitoring. You need something that can scan for evidence of breech and reliably report it to you. The reliably reporting it is the key. You need to balance the signal to noise ratio. Too many alerts and you'll start ignoring them. Too few and you won't detect the breech.

bahamat
  • 1,071
  • 8
  • 11
0

My WiFi hotspots (loaded with virus injections at http level) around the block will kill any attacker's PC, show him feasible pr0n so he'll lose attention (females too) and once he cames to my CCTV systems, I'll give the poor guy photos out to his GF.

All laptops are at SSH tunnels for web proxy and remote access to chats (irc, jabber, thank you screen!). Basically, nothing besides that is needed. Also, I do not want to provide websites with any details about using different OS, screen resolutions etc, at least my workspace is always sitting in a virtual machine accessible via RDP over SSH and from the terminal.

P.S. I dislike the idea of having a single house apartament identified with multiple networks. Its like coming to a bar and paying to security instead of barista, or listening reggae and smoking while reinstalling OS at police dept. Instead, I broadcast lots of networks and fake IDs in order to detect possible attacks.

kagali-san
  • 171
  • 3
-2

It would be wise to hire a security guy for your security guy. The only problem with this is that you create another situation... The security guy's security guy's house could be compromised. If this happens, you run the risk of the compromiser getting access to your security guy's security details, which means that your security guy can be compromised, which means your company's security is compromised.

So, as you might imagine, it would be wise to hire a security guy for your security guy's security guy. The only problem with this is that you create another situation... The security guy's security guy's security guy's house could be compromised. If this happens, you run the risk of the compromiser getting access to your security guy's security guy's security details, which means that your security guy's security guy can be compromised, which means your security guy can be compromised, which means that your company's security is compromised.

So, as you might imagine, it would be wise to hire a security guy for your security guy's security guy's security guy. The only problem with this is that you create another situation... The security guy's security guy's security guy's security guy's house could be compromised. If this happens, you run the risk of the compromiser getting access to your security guy's security guy's security guy's security details, which means that your security guy's security guy's security guy can be compromised, which means your security guy's security guy can be compromised, which means that your security guy can be compromised, which means that your company's security is compromised.

If you repeat those steps until you experience a neural stack overflow, you'll be safe. If you don't find comfort at that point, you might look into tail call optimization by way of hiring an assistant who can hire assistants who can hire assistants, and so on.

orokusaki
  • 1,342
  • 2
  • 10
  • 13
  • Unless of course you are the security guy for your security guy. – Steve Dec 20 '10 at 21:43
  • 1
    @SteveSyfuhs - you have a good point. The theory isn't perfected, yet. – orokusaki Dec 20 '10 at 22:10
  • 4
    @Orokusaki - the answer is long winded and doesn't add much value. I think there is a point in there around where you place your trust, but you'll need to focus on that. – Rory Alsop Dec 21 '10 at 15:37
  • 1
    @Rory, I agree. Your security guy should be trustworthy, and reliable. Trustworthy to not do bad things, and reliable to know what the right thing to do is. And reliable enough to know the areas he's NOT an expert in (e.g. hardening OS), and rely on someone who is. (That said, I do find the sarcasm and potential infinite loop to be mildly amusing...) – AviD Dec 21 '10 at 16:27
  • 1
    The original question was what can a self-employed person working from a SOHO do, in addition to the steps he's already taken, to ensure his own IT security. At no point did he make mention of hiring someone to do his security for him, so This seems like quite the tangent. Albeit mildly amusing, IMHO it detracts from the question at hand. -1 – Purge Dec 21 '10 at 16:42
  • I LoL'ed .... :P – Chris Dale Dec 22 '10 at 12:05
  • As I read this, I started imagining encryption techniques, such as AES's "rounds". Circular indeed. – makerofthings7 Dec 10 '11 at 23:24
  • 1
    The solution is a lot simpler - get a dog. Of course, you'll then need someone to feed the dog while you're at work. So get married. Of course, you'll then need to support yourself, your spouse, and your dog. So stop wasting time on philosophy and get to work! – TildalWave May 04 '13 at 08:41
  • @TildalWave - if you actually think this answer was intended to be serious (it wasn't - it was a joke), you might need to seek some help. – orokusaki May 06 '13 at 13:25
  • @orokusaki - Honestly! I didn't expect _a few lines of obnoxious conventional wisdom_ to bite your ass that hard. You can't really think I was serious, can you? – TildalWave May 06 '13 at 14:00
  • @TildalWave - oh, sorry mate. I was just making sure. I think a few of the commenters thought it was a serious answer. – orokusaki May 06 '13 at 14:15