Bench Talk

(Source: Song_about_summer/Shutterstock.com)

Many of my techno-friends are employed by large companies and—until recently—spent their working days ensconced in their corporate facilities. I also have sundry friends who are freelance consultants, covering things such as hardware design, software development, embedded systems, and security. Many of this latter group work out of home offices.

I’m a freelance consultant, but–rather than work out of my home–I rent an office in a complex downtown. One reason for this is that I don’t have space at home to establish a fully functioning office, but I also try to keep my professional and private lives separate.

Of course, all of this changed with a shelter-in-place order. Since that edict, I’ve been working from my kitchen table. Like many, I’m worried about the level of cybersecurity I have at home. Is what I have good enough? At least I’ve had some time to prepare since I’ve been working from home on occasion for the past couple of decades. By comparison, a lot of engineers who—until now—have predominantly worked in the office and relied on their corporate IT department to handle the security, now find themselves up to their armpits in security concerns.

And what about the IT folks themselves? At many companies, IT teams are scrambling because they’ve gone from having a small percentage of employees working occasionally (one or two days a week, or maybe a month) from home, to having almost 100 percent of their workforce toiling remotely.

Let’s explore some of the security options available that can help protect important information no matter where the office is set up.

A Base-Level Security Setup

Remembering that each situation is unique, let me start by describing my own setup. I have a tower computer in my office driving three 28" monitors. I also have a laptop computer at home driving a single 34" screen (Figure 1). Opinions vary on which is the most secure operating system (OS). Both of my machines run the Microsoft Windows OS. Some of my friends use Apple computers with macOS^®; others prefer Linux OS-based machines. Many believe machines equipped with macOS are inherently more secure, but some dispute this claim. Others informed me that Linux offers your best chance to establish a secure environment, however, they maintain you need some Linux expertise for the proper setup. Though each of the operating systems has its fans and critics, the listed operating systems can form the base of a secure home office environment.

Figure 1: The desk in the pleasure dome (my office) with my three 28” monitors. Observe the myriad boxes of cables and components under the desks. (Source: Author)

Being Held to Ransom

The thought that one of my machines might be affected by ransomware terrifies me. Ransomware is a type of malware. The name “malware” is itself a blend of words for “malicious software.” The most common form of ransomware attack is one in which the perpetrator manages to encrypt all of the data on your system and then threatens to perpetually block access to it unless a ransom is paid.

Should this happen to me, it would be problematic. My setup encrypts each file, so my system would see a change and upload an encrypted version of the ransomware to the cloud. It could then spread to my other system, if it were on at the time. Thus, once a week, I disconnect the computer I’m currently working on from the internet, run a full virus scan, then connect an external USB solid-state drive (SSD), back up my entire Dropbox folder, disconnect (“air gap”) the drive, and reconnect the main computer to the internet. Of course, there’s always the chance that I just backed up a copy of a sneaky, undetected virus to my SSD. But you can only do what you can do.

One point to be careful of–becoming overenthusiastic, thinking “more has to be better,” and installing multiple tools. The problem is that antivirus tools work at a low-level deep in the OS abstraction, interposing themselves between the OS and the rest of the system. Although some of these offerings play well together, other combinations see each other as viruses and start to fight it out between themselves (This usually “ends in tears,” as they say).

Virtual Private Networks (VPNs)

One thing that continues to surprise me is the number of techno-savvy people who fail to use a virtual private network (VPN). Another thing that surprises me: The number of techno-savvy people who do use VPNs and mistakenly assume themselves to be protected. If you are independent, or if your company doesn’t already provide a VPN solution, then a lot of VPN providers are out there to consider.

Here’s the idea: When you access the internet, you typically go through your internet service provider (ISP), which redirects you to where you are trying to go. The problem here is that your ISP can see (and log) everything you do online. Also, your connection to the ISP might itself be less than secure.

In the case of a VPN, the first thing you do is launch the VPN client on your computer. This establishes an encrypted communications link between your computer and the VPN host, which means that all your ISP sees passing before its eyes is encrypted gibberish. Of course, this does mean your VPN provider could potentially monitor (and log) your traffic, which is why they go to great lengths to convince you that they would never do such a thing.

A word of caution: If you are using Wi-Fi in a café or hotel or airport, you are potentially wide open to various attacks in the form of rogue access points, evil twin access points, connection hijacks, man-in-the-middle attacks, and so forth. Even if you are at home or in your office, if you are on Wi-Fi, you are vulnerable to attack, so try to use a wired connection wherever possible.

Conclusion

This brings us to the end of our security primer. To be honest, we’ve really only scratched the surface of home-based cybersecurity here. This is a humongous topic with myriad ramifications. As for this post, I welcome any comments, questions, and suggestions. In the meantime, take good care of yourself and keep safe and “CyberSecure.”