Listen to learn what effects working from home can have on your data.
In this episode, Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) sits down with Michael Simpson (Principal Security Analyst, CISSP, CISA, QSA) to discuss:
"Due to the coronavirus and social distancing, a lot of companies needed to move their employees from the office and into their homes, but luckily they weren't just doing it without thinking about how that move would affect their data security and their sensitive data," says Michael Simpson.
Throughout this episode, Michael Simpson discusses tips on how to maintain and improve your security while more workers transition from the office to working from home. For example, "If you can minimize those network segments by having those devices come into a VPN that's controlled by the organization, this can help to simplify the scoping discussion."
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome to Security Slopes, coming at you from the beautiful Wasatch Mountains here in Utah.
We've got this podcast set up to help a lot of, especially SecurityMetrics customers who maybe are a little smaller, have less of a security staff, really security professionals speaking to people who may not necessarily be security professionals, trying to keep that information flowing so that you have the tools that you need, when you need them. Today, my guest is Michael Simpson. Mike, how are you doing?
Good. How are you, Jen?
I am doing so well. Even so, honestly, this coronavirus thing is getting everybody a little bit down. And I have found that for me, I think I mentioned in last week's podcast, I went and bought chickens because I get to be home now. I'm not traveling every week. And so last week, they were this big. And this week, they are this big.
And so one day very fun. One day soon, I'm gonna have eggs. But how was your weekend?
It was good. We have, also, because of coronavirus, plenty of time to spend with the kids.
So we have kids that are very large, but, they're a lot of fun. We've been enjoying time in the pool, time with the family. It's been good.
Nice. So your kids are not this big?
They're not this big. Okay.
No. Probably don't have feathers either.
I think before we get started, tell people a little bit about yourself professionally, like, what your background is and what you do for SecurityMetrics so they kinda know where you're coming from.
Yeah. So I have a background in IT. I worked mostly in higher education.
I worked for eleven years in the higher education space helping with database administration, system administration, network engineering, and then I switched over to security and compliance. So for SecurityMetrics, I'm a lead analyst, security assessor.
I work with the enterprise audit team. So our team handles all of our large enterprise assessments. They handle our higher education and government work. So we do mostly PCI assessments, also some HIPAA assessments. So helping customers protect the data that matters to them.
Fun fact. Mike is my team lead, and he's the person that I go to when I have questions about PCI, especially. If there's a compliance question where I'm like, I could go read all this or I could just say, hey, Mike. Can you just tell me?
And then Mike's the guy that tells me. So he's got a lot of experience and knowledge just right in his back pocket. So, one of the reasons that I wanted you on the show this week, specifically, was because you wrote a blog post for SecurityMetrics to help people out. There are a lot of people who are working from home now.
And, even though I kind of complain about it a little bit, I think a lot of us are the lucky ones. There are a lot of people who are out of work right now or who have to go to work and be around people and put themselves and their families at risk. So, I think recognizing that the work at home option is a pretty fortunate one, but then there's some security implications. So why don't you tell us a little bit about why you wrote that blog post?
Yeah. So starting about a week ago, most of the contacts that I was having with my customers were answering questions about how can we securely move our work out of our offices and into our employees' homes. Because, due to the coronavirus and the social distancing aspect, a lot of companies needed to get their employees out of the office and into the homes.
But luckily, they weren't just doing it without thinking about how that move would affect their data security and their data. So I was getting just call after call, customers asking me, you know, how can I do this? How will this affect my PCI assessment in the future?
So after several calls and several emails, I decided, you know, maybe it's a good time to write up a little post that can help give people a little bit of guidance. So when they're looking to do this transition, they have something to guide them and some mileposts and, I guess, warnings along the way so that as they're transitioning their CDE, if they're a PCI environment, a cardholder environment, or if they're health care and they're going to be doing more work from home, they can do it in a way that does not put their data more at risk than it would typically be if their employees were in the office.
For sure. And I was super glad that you wrote it because I was getting the same phone calls, and it just shortcutted that whole I was like, yes. Thank you. Thank you.
And I was just able to share that with people. Now this is written from a PCI focus. For people who have other data, who are not in the PCI space, when we say PCI or cardholder data in the conversation, just think of it this way. You have information that you don't wanna get out, and whatever that data is, that's what you're protecting.
And the PCI standard actually offers a lot of really good ideas for how to protect that, whether it is cardholder data or other types of data. The security side of it can have a lot of correlation. So, yeah, starting with what I really liked about how you started this article: define the scope. And I think whether you're talking about remote work or whether you're talking about in offices, defining the scope of an environment is something a lot of people have some misconceptions about.
What are we protecting and how do we know for sure what that environment looks like? So maybe you could speak to that a little bit.
Yeah. So I think the key at the beginning is first identifying what it is that you're protecting.
So if PCI is kind of the aspect that you're focusing on, then, you know, you're protecting your cardholder information, which would be like the primary account number, your customer account information.
So once you define that information, then you need to figure out where that information is flowing, where it's being received, what systems are involved in the processing of that data, where that data is stored, if it's stored anywhere.
So you identify and this is gonna be the same regardless of what your critical information is. If you're not PCI, if you're health care, then that, you know, that information may be more broad.
Any personally identifiable information about your customers.
So once you identify what that data is, then I think the best way to start scoping your environment is to do a flow analysis.
Identify what are the different ways I can receive this data. And if this data is being sent to the homes of your employees, what are the ways that it's getting there? Is it coming through, you know, the Internet to their laptops or their desktops? Is it coming through the phone? So identify those flows. And then, once you identify how it's getting into whichever environment you're looking at, if we're specifically looking at the at-home work environment, once the data is received by that employee, what systems are they using to process that information?
You know, what computers or laptops are they using to enter that into different systems online. You know, maybe they're entering into your hosted systems that are back at the office or maybe have a cloud hosted environment. But you need to identify what all of these systems are, and what network segments those systems are connected to. And this is why in my blog, I mentioned a lot, using a VPN.
Because if you start bringing all of your employees' home networks into your environment, it becomes really difficult, if not impossible, to truly secure that because, you know, every employee you have probably has different equipment, different networking equipment at home, and who knows what types of devices are connected to that network that could potentially be a breach point or at least increase risk in the environment. Sure. So if you can minimize those network segments by having those devices come into a VPN that's controlled by the organization, then that can help to simplify the scoping discussion.
And then also, once you define that scope, you know, what systems are involved in the receipt and processing and transmission of that sensitive data, then we can start getting into how do we then secure those systems.
So I started off by promising this would be okay for people who are less technical, and then we just put in a lot of technical information. So let's maybe back up a little bit and define some things. So when we talk about the company network, people understand what that means. Right?
When you are actually in the office and you are connected to that network, you can get to different systems, different, like, shares maybe is a word that people know, that you cannot get if you're off of the network. Right? Mhmm. So that's probably where a lot of people are familiar with that.
So knowing the difference between being on the network and off the network, we know that because we've experienced it if we've worked with, like, taking a laptop from our work situation to our home situation. So the VPN then, can you maybe help people understand what a VPN is and how it extends that network into the home?
Yeah. Yeah. So a VPN is a virtual private network.
What it does is, let's say you brought a laptop home from the office. They gave you a laptop, and it has this software on it called the VPN client.
What that does is that will create an encrypted connection between your device, that laptop, and the corporate network back at the office. So even though you bring your device home and you're connected to your home Wi-Fi, once you open up that VPN connection, then it's almost like it's sucking your computer back into the office network. So even though, you know, you're sitting at home, your computer has been connected to the office network through this encrypted tunnel. And that way, that's what could allow you to have access to, like, those network shares or those file folders that you're able to access when you're in the office that you typically can't access if you're at home or at a Starbucks or at a hotel.
Right. And a fun fact about that is that the security folk at your company, the IT folk at your company, they have a lot of tools that, like if you're just doing a job that is not related to IT or security, you might not even know that they have a lot of tools in the background where they're paying attention to, do you have a virus on your machine? They might know that because you've got some centralized management. Or, when did you log in? What did you access? Some of these security controls that are fairly common, that are kind of invisible to users who have no reason to know about them, the VPN allows those security controls to be applied in the same way as if you're in the office, which I think is kinda cool how that works.
So Yeah.
For sure.
Alright. So, I guess the takeaway from that part was people can't set up their own VPN back to the office. They need to have a client. They need to have it configured by their IT or security folks. Correct?
Correct. Mhmm.
Alright. So what about these VPNs out there that people can buy and just set up, or free VPNs? Is that a different thing?
Yeah. I mean, it's using the same technology, but it has a different focus. So if you sign up with a lot of these VPN services, the benefit that it offers you is all of your data is encrypted as it's going out, from you to whoever that VPN provider is. So instead of, like, if your work set up a VPN and you connected to it, when your computer communicated out to the Internet, it would do that through the home office.
If you connect to just some free VPN service, instead of being connected to the home office, you're now connected to their office or, you know, their network. So when you, you know let's say you go to Google and you're looking at things or you're on Amazon, instead of it looking like you're going straight from your home out to Google or to Amazon, it's going from your VPN provider out to Google or Amazon. So this is how some people, like, if they're traveling and they're in a place where maybe they can't get Netflix, if they set up their VPN to one of these VPN services that is in a location that does have access to Netflix, and they could steal Netflix because as far as Netflix is concerned, they're coming from that VPN provider.
Right.
So there are some benefits that are provided by those free VPN services. But when it comes to protecting your customer data, it's not really what we're looking for.
Right. Well, and then the other thing is that if it's a free VPN service, the reason they can make it free is they bundle up all of your personal information that flows across the VPN, and then they sell it to some companies. So it's like the opposite of what we want for security.
So... Yes. Free VPN is a bad idea if you're trying to increase your security.
Yes. Very little in life is actually free.
So right?
So we have talked about extending your existing secure environment using VPNs.
What about VoIP? A lot of people in their home offices are on VoIP, voice over IP, rather than the old, you know, analog lines.
Right. So I was watching, Mean Girls today, and they were all on these, conference calls with the old and I thought, wow.
I feel old because I really like this show, and yet we don't do that that way anymore.
VoIP is a very, very common thing. Talk a little bit about that and how that can extend your environment.
Yeah. So VoIP, for those who aren't familiar with that term, it's voice over IP. It's most new, you know, phone systems. Most offices now, when you have a phone, it's gonna be a VoIP phone. So what they've done is they've taken that voice data that is usually an analog signal going over, you know, dedicated copper wires, and they leverage their IT infrastructure and send that through the same network that they send all of the rest of their data from their computers.
So it's taking that analog traffic, for the voice, and it's digitizing that and sending it over an IP network.
There's a lot of benefits to VoIP.
From a cost perspective, it tends to be cheaper for a company to run a VoIP system, and there's a lot of flexibility.
With the VoIP system, it's really easy to have softphones that can be, you know, your office line can ring your desktop, your cell phone. It is really easy to do some of these things that on a traditional voice system may not have been possible.
The downside to that is that data is more accessible.
So just as, like, with in a PCI environment, any system that transmits cardholder data is part of your CDE or your card data environment, your scope, that would include voice transmission. So if people are giving you credit card data or other sensitive data that's coming across a phone line, if that's an IP network, you need to make sure that there are appropriate controls that are in place to protect that communication as well. So when you're looking at how do I protect an at-home worker or my customer data as it's going to these at-home work offices, you need to look not just at the computers that they're gonna be using to enter the data, but any way that they're receiving the data, which could include voice.
So the benefit is, if you can extend your corporate voice network to home and still have that central control, when people are calling your offices, they don't need to know that this is going to someone's home office. You know? They're still just calling the same number, and someone's answering the phone and helping them out. And you also, at that point too, would have more control over protecting that data, just making sure that that transmission over the phone is protected. The data is encrypted so that someone can't intercept that data and get the same information that you're collecting from your customer.
Right. So it offers some consistency.
People are calling the same way as they were before. A little bit more formality and more security. If you have the VoIP set up securely in your office, extending that to a home office is going to extend that security. So yeah. Yes. Great.
Let's see.
So some risk reduction strategies for your home office. Let's say you can't extend the CDE. Let's say VPN just isn't an option, or maybe people are a little bit... they don't have maybe the time or the expertise or the tooling to set up VPN and extend it. How can they still allow people to work from home?
But kind of mitigate some of the security risks.
Yeah. So, unfortunately, there's not a silver bullet for this. There are a lot of options, and it kind of depends on your environment. What is your data? What is that data being used for? How is it being processed?
One solution that I've seen a couple of my customers that do online ticket sales use, they have agents that'll answer phones and they'll enter, you know, customer purchase data for these ticket sales.
What they've done is they've implemented point to point encrypted terminals.
So the call will be routed to them, but instead of having them use a computer provided by the home office with this VPN connection, they're just using this encrypted terminal or PIN pad that they get from their payment provider, and that can be connected to any network. It can be connected to a wireless network or to their home network.
And because it is encrypting that data before it sends it out onto the network, and the decryption key for that data is only held by the provider on the back end, even if someone intercepts that data, it's still protected. So I think the risk reduction strategy is, you know, just look at what your risks are. If you don't have any control over the endpoint, then obviously that endpoint is a risk.
It could have malware on it. It could have viruses on it. There, you know, there could be, I just lost my train of audio. The things that keep track of what you're saying.
Key loggers?
Key logger. Could have a key logger on it. You know, so if you're letting your workers use their home systems, you really have no idea what state their systems are in. Some of them may be pristine, and maybe they do a really good job of home security.
Other users may not. You know, maybe their home computer is used by all of their kids, and who knows what they're doing on the computer and what has been installed on that computer. So if you can see that risk and then try to mitigate that risk by finding ways to circumvent those risks, that's kind of your best approach at that point.
So even if people have done their annual risk assessment for compliance with some, you know, standard or whatever, or just as a general practice, this is a big change. Allowing people to work from home when they have not worked from home requires a risk assessment. There's really no way to just say, hey. Just go home, and we'll think about it later, because that's going to cause companies some pretty serious problems in terms of security, especially if they run into breaches, which I think there's a much higher probability that we're going to have security problems right now than there has been.
People are stressed out, and people who are stressed don't often make, good decisions because we don't think of all of the implications.
So taking a breath and doing that risk assessment in relation to what are the changes and then how do we mitigate them, it's worth the time just to take a minute and do that.
For sure. And for those who need to be PCI compliant, they should realize that that is a PCI requirement: if there's a significant change in your environment, that a risk assessment be performed for that very reason. I think, you know, if a customer is well prepared, they'll have a BCP, you know, business continuity plan. But even companies that have a business continuity plan in place, a lot of them probably didn't cover this situation.
You know? So maybe they don't have all of the risks that they're now facing. Maybe they haven't really taken those into account and decided, you know, what can we do to mitigate these risks or avoid these risks? So that is something that, you know, now, even though it's a really hard time, a stressful time, a lot of companies are very busy, take the time to relook at your environment and how your environment is now, and what new risks you face. Look into, you know, what those risks are and which risks can be mitigated or avoided, and then what risks, you know, you're still going to have to carry.
So I've had a few friends, friends of my kids mostly, reach out to me and say, I've been told that I need to work from home, and I have to plug in directly to the modem. And I don't have a way to do that because someone else has already plugged directly into the modem, or the modem's in somebody else's room and they're not giving me physical access to it, or I don't have Internet at home. I'm gonna lose my job, and I don't... you know, this is a bad time to lose your job. People are worried.
And so, for people who are... I'm gonna get a little ranty here. People who are told to go home and do their job and figure it out and take care of their own, get a modem, get these things that they have to have in order to do their jobs without help from their companies. First of all, that's negligent, I believe, on their company's part and lazy on the part of their IT department. I understand we're all stressed and we're all busy, but just sending people home and saying work from home and you have to do these things, without supplying them a way to do it, just kinda gets me worked up.
And so I tried to think of ways that I could help them so that they could at least come close to fulfilling these things when they had no ability to do it. And so, when they have the laptops from work that they're allowed to take home, that's great because then, you know, we're going to assume that the company has taken care of some basic security things. But if they're told to work from home, what are things that people can do using their own systems to try to increase their security, when they don't know IT or security?
Yeah. So I think part of it, you know, especially if you're using your own systems, make sure the system's patched. Or even in the event that you have a company that's saying, hey. Here's your system. Take it home and, you know, keep working. And they're not giving you that guidance. One of the best things you can do to protect yourself and to protect your customers is to patch your systems, use strong passwords.
A lot of the times, most of the breaches that we're seeing, they're not, you know, some weird, difficult technology that people are using. Their attacks have been used for years and years, and they're usually using known exploits. So this is, you know, if your system has a vulnerability that has not been patched, those are something that people are gonna use. Or if you're using weak passwords or even if you're using strong passwords that you use everywhere.
If you have a really strong password that you use on all of your accounts and one of your account providers is compromised... Yeah. Then that really strong password is not really strong anymore because it's out there. And there's lists of all of these compromised passwords.
It might be like when Disney+ first came out. Right afterwards, people were selling account lists. They had usernames and passwords that people could buy on the black market to get access to free Disney+. And it's not that these hackers broke into Disney+. They just looked at these lists online of compromised accounts, usernames and passwords, and they just started trying it and seeing which ones work. And because a lot of us don't wanna remember a whole bunch of passwords, there's a lot of people who reuse the same password over and over again on a lot of environments.
So that's gonna put you at more risk. So don't reuse your passwords. Have strong passwords. Patch your systems.
And that really will take you really far in a security, you know, in your effort to try to secure yourself.
Sure. And we talked about VPNs a little earlier and why free ones are a bad idea and why you should get your company to set one up for you. But if you have to work and you know the connection is sketchy, pay the three, four bucks a month and get something like a NordVPN or one of these paid VPNs. I can't... that's the only name I can remember right now.
But you can go online and you can look at recommendations, you know, get some reviews, reputation of these companies, and then choose a VPN that is a paid service, that has a good privacy policy that they will not log your information, and they will not resell it.
And that's a good way to keep the security of the information that you're putting in through your computer.
Yeah. And, like you mentioned, most of the paid services are really not that expensive.
No. Yeah. They're not too bad.
And it does provide you with some level of security that you wouldn't otherwise have.
Right. So, for people who want to know more, we have a... hang on. We have, if you're in the PCI world... so short. It's ridiculous.
We have this PCI compliance guide. Is two thousand nineteen our most recent guide?
Why do I have an old guide? I'm sorry. I don't have the most recent guide here for you. So we have a twenty twenty one, but I apparently did not grab that. But you can go online to SecurityMetrics. We'll put the links in the show notes. It's a free guide you can download.
We also have, if you're in the health care world, we have the HIPAA compliance guide. Super proud of this one because I put a lot into this. So, you should go and download the PDF if you're in the health care world. It's actually super helpful.
And now I sound really arrogant. But no. It was really it was a lot of work, and I had a lot of help with it. And I'm kinda proud of it.
But those are two places that you can find. There's also the blog, the SecurityMetrics blog. Search for Michael Simpson or, you know, again, we'll put the link in the show notes. And Mike, thank you so much for coming and joining me on this call today.
I really appreciate you taking the time.
It was my pleasure, Jen. Alright. Thank you.
Thanks. Bye bye.