Authored by: Morey Haber, CTO & CISO at BeyondTrust
As many organisations enter phase II of reopening after the COVID-19 pandemic, many are still operating as if they were in full lockdown. In addition, some businesses have publicly stated that the new normal will allow employees to continue to work from home for as long as they want, even permanently. The reasons for the continued change range from variations in reopening policies to the liability of allowing employees to enter the office and the public transportation needed for them to arrive in urban areas. Organisations have therefore chosen to continue allowing remote working and now have a near permanent distributed workforce that was never seriously considered, or even allowed, B.C. (Before corona). The details of this new paradigm are worth discussing, as is understanding what information management changes are needed for all roles and personas within an organisation.
To begin, let's explain the technology change that matters most beyond allowing computers at home to connect to business resources. There have been many articles, blogs, and even marketing webinars covering the threats of home WiFi, unmanaged networks, and even Bring Your Own Device (BYOD). These are only part of the problem. The biggest issue for information technology is an old school threat for the expanding distributed workforce – physical security.
Arguably, if you have physical access to a device, it is only a matter of time, tools, and persistence before any, and all, security controls can be circumvented. If an insider threat has access to a laptop, or the device has been stolen from someone's residence, there is nothing stopping them from disassembling the device and removing critical components like a hard drive. While this may sound extreme, it is unlikely you would see someone disassembling their laptop in an office environment, or that they would have the tools in the office to tamper with the device. However, if they are at home, there is no one walking by their workspace and no additional physical office security controls to prevent this type of manipulation. It is just a fact. The physical security controls of an office are no longer valid, and the physical security controls that could protect the device itself from tampering no longer have the benefits of an office environment.
Therefore, information technology teams attempting to manage a distributed workforce need to reconsider their physical security controls. Many of them can be enhanced by electronic and mitigating configuration controls to ensure that the physical location of the device becomes less of a risk. Consider the following:
The BIOS (basic input & output system) is the firmware on a computer used to boot a system after it is turned on, and it manages data flow between the computer's operating system and attached devices. If the settings for the BIOS are altered, the device can be compromised by disabling critical security controls. It is therefore recommended that the BIOS have password protection enabled and, most importantly, that the password for each device be unique. Then, if one device is compromised, its BIOS password cannot be used to leverage other distributed assets.
Tamper Protection is a feature only available from specific vendors. It is typically enabled in the BIOS and has a software component that is loaded onto the operating system. The feature monitors the device for any evidence that the case has been opened or that physical components have been removed or changed. If it detects tampering, the software sends an alert to a management platform with the details of the event. This is a critical feature for remote workers, but unfortunately only select vendors have implemented it. As a potential workaround, consider running delta reports against hardware using your asset management systems to determine if any components have been changed, removed, or added. While this will not tell you if the case has been inappropriately opened, it will help determine if key components have been altered.
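The hardware delta report described above, written as an added example (not the author's or BeyondTrust's code): it assumes the asset management system can export a per-device component snapshot keyed by slot, and every asset tag, model and serial value below is constructed.

```python
"""Hardware inventory delta report for a remote asset: compares two
asset-management snapshots and flags components that were removed, added,
or changed (same slot, different serial or model). Snapshot format and
values are constructed for this example; the asset tag is a placeholder."""
from dataclasses import dataclass, field

# Slots whose change implies the chassis was opened (internal, non-hot-plug parts).
INTERNAL_PREFIXES = ("disk:", "memory:", "tpm:", "wifi:")

# Constructed baseline snapshot taken when the laptop was issued.
BASELINE = {"asset": "ASSET-TAG-PLACEHOLDER", "components": {
    "disk:nvme0":   {"model": "ExampleSSD 1TB", "serial": "SN-DISK-AAA"},
    "memory:slot0": {"model": "DDR4 16GB",      "serial": "SN-MEM-111"},
    "memory:slot1": {"model": "DDR4 16GB",      "serial": "SN-MEM-222"},
    "tpm:0":        {"model": "TPM 2.0",        "serial": "SN-TPM-999"},
}}

# Constructed later snapshot: disk swapped, one DIMM removed, USB storage added.
LATER = {"asset": "ASSET-TAG-PLACEHOLDER", "components": {
    "disk:nvme0":   {"model": "ExampleSSD 1TB", "serial": "SN-DISK-BBB"},
    "memory:slot0": {"model": "DDR4 16GB",      "serial": "SN-MEM-111"},
    "tpm:0":        {"model": "TPM 2.0",        "serial": "SN-TPM-999"},
    "usb:2":        {"model": "Mass storage",   "serial": "SN-USB-XYZ"},
}}

@dataclass
class Delta:
    added: dict = field(default_factory=dict)
    removed: dict = field(default_factory=dict)
    changed: dict = field(default_factory=dict)

    def internal_findings(self) -> list[str]:
        """Slots in any bucket that belong to internal components."""
        slots = list(self.added) + list(self.removed) + list(self.changed)
        return sorted(s for s in slots if s.startswith(INTERNAL_PREFIXES))

def hardware_delta(baseline: dict, current: dict) -> Delta:
    """Diff two snapshots of the same asset; raises if asset tags differ."""
    if baseline["asset"] != current["asset"]:
        raise ValueError("snapshots belong to different assets")
    base, cur = baseline["components"], current["components"]
    delta = Delta()
    for slot in base.keys() - cur.keys():
        delta.removed[slot] = base[slot]
    for slot in cur.keys() - base.keys():
        delta.added[slot] = cur[slot]
    for slot in base.keys() & cur.keys():
        if base[slot] != cur[slot]:  # same slot, different model or serial
            delta.changed[slot] = {"before": base[slot], "after": cur[slot]}
    return delta
```

Run `hardware_delta(BASELINE, LATER)` and then `internal_findings()` on the result to separate a peripheral plugged in at the desk from an internal part that could only change with the case open.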
A Security Cable is a physical device used to secure a device to a desk or table to prevent theft. It consists of a cable, a lock (combination or key), and a mounting clip that attaches to an asset using a standard size oval connector. They are typically used in high traffic areas or public locations but also have a place in homes that may represent a high risk due to location, shared space, or unknown personal traffic and access. If the device being used at home holds sensitive information, consider issuing security cables to users to prevent theft.
The main problem with a distributed workforce is the unknown location of corporate assets. For any device, consider enabling GPS (Global Positioning System) services to determine its location, verify where it is supposed to be, track the device if stolen, and ensure that it does not move into an unacceptable region (a country, for example). While this feature is standard on mobile devices like smartphones and tablets, many laptop vendors do not include such capabilities. You may need to use features in the operating system or an MDM solution to provide geolocation based on WiFi or network connection to determine a device's location and whether that location is appropriate. In addition, ensure your code of conduct and regional privacy laws allow for this type of monitoring and surveillance.
MDM (Mobile Device Management) solutions allow for the remote configuration, monitoring, and automated response to a device operating in the field. While these have typically been used for smartphones and tablets, next generation MDM solutions can manage Windows and macOS with equivalent functionality like geolocation and remote wipe. Consider expanding your MDM initiatives to the other assets within your distributed workforce so you can respond accordingly to physical threats.
If a threat actor has access to an asset operating within your distributed workforce, Disk Encryption is the best method to ensure that they cannot get access to sensitive data if the hard disk is removed. This is true for both insider and external threats: once the disk is removed and mounted on an external rig, it still cannot be accessed, since the encryption is "typically" paired with the original hardware. It is important to note that this is not always true; for some devices an administrator password or key is all that is needed to decrypt the disk and provide access. And, if the device is physically stolen, without a logon password, access is still denied.
Embedded Hard Disks are becoming more and more common to trim device costs and provide lightweight laptops and notebooks. This storage medium is not removable like a PCIe or SATA hard disk; rather, the microchips for SSD storage are physically soldered to the motherboard. This makes accessing the data externally very difficult and the storage medium itself non-removable. While this makes it more difficult to service a device due to a fault, it does add security by not allowing the storage device to be removed.
The Screws that hold a device together can range from Phillips to Torx. Some of the sizes are standard and some proprietary. As trivial as this sounds, if the threat actor does not have the tools to open a device, they are less likely to gain access. And, if the screws are sealed with glue or a bonding agent, they cannot be removed, which makes the device nearly disposable in case of a fault. This is true for any device that the user may need while working remotely, from a laptop to a hardware-based VPN. If the internals of a device represent a risk, and the risk, fault, and cost model warrants it, consider sealing the device from any access.
One of the settings within the BIOS is the Boot Device selection. As a security best practice, this should be configured to only boot from the internal hard disk and not from any external media like a USB device. An external bootable device can be used to circumvent other security controls and even overwrite the operating system. Therefore, control how the device can boot up and remember to use a BIOS password to secure this setting.
There is an adage that if a user has local Administrative Privileges, they can essentially access and do anything they would like on a device. This is true. Once you are an administrator locally, it is game over, and a threat actor can do anything they would like to settings, security, or the controls used to manage the asset. Therefore, for the distributed workforce, implement the concept of least privilege to support your physical controls and remove administrative rights wherever and whenever possible.
The Cloud is key for the distributed workforce. Assets and users are no longer operating within the confines of the office, the office network, and the physical and electronic security controls that have been established. This means simple items like receiving anti-virus updates, security patches, and other management tools that require on-premises (raised floor) access may no longer operate correctly. This is true even for the alerts we spoke about above if the implementation was solely on premises. Therefore, consider the cloud for distributed workforce management. Devices can connect to the Internet anytime to send events, receive updates, and process policies without the need for a VPN, and if a device is physically stolen and powered on by a threat actor, it can communicate its location and any alerts without the need for a user to even log in.
A distributed workforce forgoes physical security. Information technology teams have no control of who can tamper with a device when it is out of the office. This was true for road warriors before COVID-19 and now we must learn from these policies and apply them to all users working remotely to support our new normal and a distributed workforce. Things are not the same. We all recognise that, but these simple recommendations will help with the physical security changes we are all experiencing.