this post was submitted on 22 Aug 2023
404 points (95.3% liked)

Work Reform

10044 readers
922 users here now

A place to discuss positive changes that can make work more equitable, and to vent about current practices. We are NOT against work; we just want the fruits of our labor to be recognized better.

Our Philosophies:

Our Goals

founded 1 year ago
MODERATORS
 

A new survey shows that the vast majority of senior executives say would've approached their return-to-work push "differently."

you are viewing a single comment's thread
view the rest of the comments
[–] couragethebravedog 16 points 1 year ago* (last edited 1 year ago) (6 children)

Security is definitely a legitimate argument for some companies. The average home network is nowhere near as secure as an enterprise network and BYOD is not nearly as secure as the systems setup and managed by your organization.

Edit: Everyone saying "use a VPN that's how you secure your home" needs to do more research. I have a comment below explaining how just using a VPN doesn't make you safe.

[–] [email protected] 20 points 1 year ago (2 children)

I doubt it. The home network does not need to be secure. That is why you have VPNs and other such technology.

[–] KnightontheSun 3 points 1 year ago (2 children)

Some networks are not accessible via vpn.

[–] ngdev 5 points 1 year ago (1 children)

In those cases it's justifiable to have to work in-person. I don't think we'd want closed networks (presumably for stuff like nuclear power) exposed to the open internet.

[–] ZoopZeZoop 6 points 1 year ago

True, but that won’t be most of the work force. There will always be exceptions for security/defense and some other areas. I suspect those areas already had a process for monitoring the comings and goings of staff and any off-site work. I also suspect the amount of off-site work was limited to begin with if it impacted security/defense.

[–] atx_aquarian 3 points 1 year ago* (last edited 1 year ago) (1 children)

Those networks are also not accessible from home networks, then. That is to say it's a valid point regarding each industry and company having different constraints, but it's not a concern over the security of home networks. If home/remote network security is ever the limiting concern, that can be mitigated by VPN.

[–] couragethebravedog -1 points 1 year ago

The issue of using a work device outside of the office is if you ever connect it to your home network off of the VPN, then there is a chance the device is compromised. A malicious actor could have targeted you because they want to gain access to your company and they saw on your LinkedIn that you work remotely. So they simply use some OSINT to find your address, run a geo search on shodan and wiggle to identify your homes IP, then use that as an entry point to compromise your router and wait for your device to connect to continue the attack. This may sound complicated or a lot of work but this is actually quite simple to do and takes only 10 - 15 minutes.

[–] couragethebravedog 0 points 1 year ago (1 children)

It's also about physical security, protecting access to your work laptop and protecting IP. That VPN is completely useless if someone can get into your home and access your device. It's way easier to get into someone's home than into a properly secured office.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago)

That's also why you encrypt your drives. The average enterprise figured out how to let somebody work from an airport long ago. It's really not a huge deal.

[–] malloc 6 points 1 year ago (1 children)

Ever hear of a VPN? This is pretty standard "security" for most Fortune 500s. Home network can be a Starbucks WiFi, but unless you have the decryption keys you are not going to be able to intercept the traffic tunneled through a VPN.

[–] couragethebravedog 3 points 1 year ago (1 children)

It's not just network security though, that was just one example I used. Another is protecting company IP. They could be working from home and a neighbor peek through the window and see what you're working on. Also that VPN isn't worth a damn if someone can get into your home and gain physical access to your device. Sure they could also break into an office, but offices usually have a security system with alarms, cameras, and sensors. They also usually have stronger doors and locks. Security is absolutely a valid reason to return to the office. I work in cybersecurity for the record and this is an actual reason being pushed for a return to the office.

[–] malloc 1 points 1 year ago

They could be working from home and a neighbor peek through the window and see what you’re working on.

This is a joke, right? RTO won’t stop this “attack” either. Since we are looking at extreme situations, what’s to stop an attacker from using a high powered scope and peek at an executives computer? In an office environment you have plenty of targets to choose from and exfiltrate information.

Also, this is easily defeated by privacy screens. So this is a non-issue.

Also that VPN isn’t worth a damn if someone can get into your home and gain physical access to your device

You are right. Which is why multiple layers of defense is needed. VPN is just one layer, albeit a very poor “security by obscuration”

Ways to combat this is have data encrypted at rest, and in transit. Modern computers/OS have the ability to encrypt all data at rest. If computer is stolen, attacker can’t do much without the decryption keys. Also, thin clients (VDIs) can be used to further reduce chance of compromise of physical device. Data does not leave the secure data center of the firm.

Also, having applications / endpoints secured by MFA will help in reducing possible infiltration.

The only attack vector I can think of that will defeat these measures is a person held with a gun pointed to their head but this is why having multiple persons to confirm an action will help reduce the impact of one person.

but offices usually have a security system with alarms, cameras, and sensors

All easily defeated and poor security measures with the right motivation.

usually have stronger doors and locks

This is poor security as well. Perhaps even security theater. Unless the doors are bank vault level lol

None of the points you have given are valid in this digital age. A forced RTO is pointless.

[–] [email protected] 4 points 1 year ago

Having implemented this sort of stuff for the mind if companies you probably think of when you're thinking of enterprise... You're making a mountain out of a molehill.

The use of a VPN to secure data in transit and the use of strong encryption on the device, endpoint protection and management features, along with good password security make it easy for any organisation not dealing with literal SECRET or TOP SECRET information to enable remote with.

[–] TipRing 4 points 1 year ago (1 children)

If you use vdi that runs on a corporate thin client security is basically a non-issue. Data never leaves the data center and so long as you harden the thin client it should be difficult to breach it.

[–] couragethebravedog 0 points 1 year ago (1 children)

It's also about physical security, protecting access to your work laptop and protecting IP. That VPN is completely useless if someone can get into your home and access your device. It's way easier to get into someone's home than into a properly secured office.

[–] TipRing 4 points 1 year ago

Right... that's why you would use a VDI. There's nothing local except a thin client that runs your citrix/vmware/whatever client. There's a reason that VDI is generally used for PCI-compliant business cases but VPN is not.

[–] mycroft 2 points 1 year ago (1 children)

Even the government has capitulated to the idea that devices themselves should be secure:

https://csrc.nist.gov/pubs/sp/800/207/final

If you can deal in government data on your laptop at a starbucks, we most certainly can work at home behind locked doors in our own offices with anything equivalent.

[–] couragethebravedog -1 points 1 year ago (1 children)

See my other comment. It's also about physical security, protecting access to your work laptop and protecting IP. That VPN is completely useless if someone can get into your home and access your device. It's way easier to get into someone's home than into a properly secured office.

[–] mycroft 1 points 1 year ago

No. Even that is incorrect.

You are 4 nodes deeper in OSS intel required, (isemployee->hasaccess?->homeaddress->break in)

I also know there are only 2 people with keys to my home, the hours of operation are limited, and there are no 3rd parties with unrestricted physical access (maintenance, physical security, janitorial services.)

The only difference in person provides is a record of access, cameras and access control systems etc.

My home also has this record of access and if requested can be provided. Most folks have egress cameras nowadays too.