This post is an adaptation of a recent episode of the SecurityMetrics Podcast titled, How To Work From Home Securely with Host Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) and Guest Michael Simpson (Principal Security Analyst, CISSP, CISA, QSA).
Maintain security when employees work remotely
Helping employees work from home securely is important for all businesses, but with this post we especially want to support SMBs and those companies without large staff or in-house security professionals. Our mission is to keep the information flowing so you have the security tools you need, when you need them.
Due to the global COVID pandemic crisis and social distancing requirements, many companies needed to get their employees out of their offices and into homes quickly. Luckily, they weren’t doing it without thinking about how that move would affect their data security. We have been inundated with calls from clients asking, how can I do this? How will this affect my PCI DSS assessment in the future? How can we securely move our business out of our offices and into our employees’ homes?
What is a VPN?
Michael: Let’s say you brought a laptop home from the office. Your laptop may have software called a “VPN client.” That will create an encrypted connection between your device (laptop) and the corporate network.
So even though you bring your device home and you’re connected to your home WiFi, once you open up that VPN connection, it’s almost like it’s sucking your computer back into the office network. Even though you’re sitting at home, your computer is technically on the office network, through an encrypted tunnel. This allows you to have access to network shares or file folders that you’re normally only able to access in the office.
Jen: The IT department at your company likely uses many tools. If your job is not related to IT or security, you likely don’t even know that they have a lot of tools running in the background, for example, to watch for viruses, log access, monitor web activity, etc. These security controls are fairly common, but are invisible to users. The VPN allows these security controls to be applied in the same way as if you’re in the office. And because of this fact, VPNs need to be configured by IT professionals.
Should I use a free VPN?
Jen: So what about free or cheap VPNs out there that people can buy and just set up?
Michael: These free or cheap VPNs use the same technology, but have a different focus. The benefit of signing up with your own VPN service is that all the data you send out will be encrypted as it travels from you to wherever the VPN provider is. When your company sets up a corporate VPN for you, your data will still be encrypted, but will go through your home “office” (not through an off-site VPN provider).
With free or cheap VPN services, your data appears to be sent through the VPN provider’s systems, instead of your home office. Let’s say you are connecting to a Google or Amazon website. If someone were to gain access to that network traffic or look at the web server logs, it would look like the VPN provider system was connecting to the Google or Amazon site and not that your home computer was connecting to these sites.
When it comes to protecting PCI or HIPAA data, a free VPN service is not what we’re looking for.
Jen: There’s a reason why these VPNs are free. In these cases, providers will bundle up all of your personal information that flows across the VPN, and then sell it to companies. A free VPN is a bad idea if you’re trying to increase security.
What is VoIP?
Jen: And what about VoIP? A lot of people in their home offices are using a VoIP system, rather than analog phone lines. Old analog conference calls are almost a thing of the past. VoIP is a very common thing. Talk about that and how that can extend your environment.
Michael: VoIP stands for Voice over Internet Protocol. If an office has a newer phone system, it’s likely going to be a VoIP phone. VoIP takes the voice data that used to be sent as an analog signal over dedicated copper wires, and leverages a company’s IT infrastructure to send voice data through the same network used to send all the rest of their data from their computers. So VoIP takes analog traffic for the voice, digitizes it, and sends it over an IP network.
There are a lot of benefits to VoIP from a cost perspective. VoIP tends to be cheaper than analog and offers a lot of flexibility. Your office phone, desktop computer, or cell phone can ring simultaneously when a call is received. Call routing and call recording can be performed easily with VoIP systems. The downside to VoIP is that data is more accessible. So just like in a PCI-compliant environment, any system that transmits cardholder data is considered part of your CDE, and therefore part of your scope. This includes voice transmission. So if customers give you credit card data or other sensitive data on a phone line, if the voice data is then transmitted on an IP network, you need to make sure that the appropriate controls are in place to protect that communication.
Benefits to VoIP: If you can extend your corporate VoIP network to home offices, corporate IT staff will be able to maintain central security controls, and customers don’t need to know that their calls are being handled in someone’s home office. By transmitting VoIP traffic over the corporate VPN, the voice traffic is encrypted, so someone can’t intercept that data and gain access to the information you are receiving from your customers.
Jen: So VoIP offers consistency. Customers can call the same way they were before. It also offers more formality and more security; if you have VoIP security set up in the office, extending VoIP to a home office over a VPN connection is going to extend that same security.
Security risk reduction strategies for your home office
Jen: Not every business has the staff or the expertise to help remote workers set up a VPN, so how can these companies mitigate some of the work-from-home security risks without a VPN?
Michael: Unfortunately there’s not a silver bullet for data security at home. There are a lot of options, and your solution depends on your environment. What kind of data are you handling? What is that data being used for? How is it being processed?
One example of a solution I've seen comes from my online ticket sales clients. These businesses typically have agents answering phones and entering customer purchase data for ticket sales. To secure their customers’ credit card information, they have given their employees point-to-point encrypted terminals (P2PE) to use at home. The calls are routed to agents at home, but instead of entering data into a computer, they’re using an encrypted terminal PIN pad, which they get from their payment provider and which can be connected to any network, including a wireless network or a home network. And because this solution encrypts data before it’s sent out onto the network, and the decryption key for that data is only held by the provider on the backend, even if someone intercepts that data, it’s still protected.
Risk reduction strategies include locating your risks; if you don’t have any control over the end point, then obviously that end point is a risk. It could have malware, viruses, or keyloggers. If you’re letting your workers use their home systems, you have no idea what state their systems are in. Some may be pristine, and maybe they do a really good job of home security. Others may be using a home computer that is used by their children and has who-knows-what installed on it. So if you can increase visibility into your risk surfaces, and then try to mitigate those risks, that would be your best approach.
Jen: Even if a company has done their annual risk assessment for their compliance mandate, moving employees to home offices is a big change. It is allowing people to work from home when they have previously not been allowed to work from home. This change requires a risk assessment. You shouldn’t say, “just go home and we’ll think about security later.” That’s going to cause companies some pretty serious security problems, especially if they run into breaches.
I think there’s a much higher probability that we’re going to have security problems during times of change and crisis. People are stressed out, and people don’t often make good decisions in that state because they don’t have time to think of all of the implications.
Take a breath and do a risk assessment with the guiding questions, “What are the changes and how does this affect the risks we face as a business? How do we mitigate risks faced by implementing an at-home workforce?” It’s more than worth the time it will take you.
Michael: And companies should realize that a risk assessment in this case would be a PCI DSS requirement. If there is a significant change in your environment, you are required to perform a risk assessment. If a customer is well-prepared, they’ll likely have a business continuity plan (BCP). But, even if they have a BCP, most plans probably don’t cover this kind of situation or include all of the risks that businesses are now facing.
Even though things are really stressful right now, it’s more important than ever to take the time to re-examine your environment and understand what it looks like now. Find the new risks you are facing. Look into the risks and see where they can be mitigated or avoided, and then understand what risks you're still going to have to carry.
When companies can’t or won’t secure at-home workers
Jen: What about employees who have been told to work at home with a “figure it out” mentality? Some employees are being asked to plug directly into a modem, but that can be difficult with roommates and not everyone has internet access at home. What can we tell people who are supposed to use their own systems to first of all, work, and second of all, consider security when they are not IT professionals?
Michael: When you’re relying on your own systems (or in the event that your company gives you the system but not the guidance), one of the best things you can do is patch your systems. You should also use strong passwords. Most of the time, it’s not some new technology that will cause a data breach. The attacks we are seeing are the same attacks that have been used for years. These are known exploits. If your system has a vulnerability that has not been patched, it can be exploited.
The two biggest mistakes work-from-home employees make are: using weak or overused passwords and not installing system patches.
Michael: Most of the paid services are really not that expensive. And it does provide you with some level of security that you wouldn’t otherwise have.
How to scope your environment when working from home
As you shift your card data environment (CDE), or sensitive healthcare information such as personally identifiable information (PII), into employees’ homes, you can take steps to do it in a way that does not put data at more risk than it would typically be if your employees were in the office.
We typically think from a payment card industry data security standard (PCI DSS) perspective, but for those businesses that work with other protected data and aren’t in the PCI space, these recommendations and requirements will help you too. Just apply the controls to any information that you don’t want to get out. The PCI data security standard has a lot of correlation with other data security mandates and is a great resource to help guide your efforts.
Jen: The “define the scope” step, whether you’re talking about remote work or in offices, is a step about which people often have misconceptions. How do we know exactly what we’re protecting and what our “environment” looks like?
Michael: I think accurate scoping is the key. First, identify what it is that you’re protecting. If you follow the PCI DSS, then you’re protecting cardholder information, which would be information like primary account numbers (PAN), sensitive authentication data, and other customer account information. If you’re in healthcare, then that information would be much more broad. Any personally identifiable information (PII) about your customers must be protected.
Once you identify what data needs to be protected, the best way to start scoping your environment is to do a data flow analysis.
In a data flow analysis you will identify where that information is flowing: how the data is being received, what systems are involved in its transmission and processing, and if and where it’s stored. Defining your information flow will be the same regardless of what your critical info is.
Identify the different ways you receive data. If data is being sent to the homes of your employees, how does it get there? Is it coming through the internet, to employee laptops and desktops? Is it coming through the phone?
After this data is received, we need to find out how it is being processed. What systems do employees use to enter data? Is it online? Maybe they’re entering the data directly into your hosted systems that are back at the office or out in a cloud-hosted environment.
Once you have identified what systems are involved in the receipt or transmission of this protected data, you then need to identify which network segments these systems are connected to. This is why in my previous blog about PCI DSS compliance at home, I mentioned using a VPN. If you start bringing all of your employees’ home networks into your business environment, it becomes really difficult, if not impossible, to secure data. Every employee has different equipment at home, and it’s hard to know what types of devices are connected to their network. It could potentially be a breach point, or at the least could increase risk in the environment.
So if you can minimize network segments by routing devices through a controlled, business VPN, you can help simplify the scoping discussion. Once you define your scope and understand what systems either receive, process, transmit, or store your sensitive data, you can start getting into how to secure those systems.
Jen: To help give context to some of these concepts for customers, let’s define “company network.” Being on your company network usually means you are actually in the office, your laptop is connected, and you can access different corporate systems, or different shares, that you would not be able to when you’re off of the network. Customers should understand the difference between being “on the network” and “off the network.” In that same vein, can you help people understand what a VPN is and how it extends the corporate network into the home?
Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for over 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.