It was 1986 and I was newly arrived in the US to do some contracting for American Airlines. I couldn’t wait to get the large, heavy box open. Within a few minutes, I had everything connected and plugged in.
Switching it on, I also remember being slightly underwhelmed by the ‘C:\>_’ prompt sitting quietly on the screen. No Windows, no pre-installed applications, just Microsoft Disk Operating System (MS-DOS). Despite the lacking visual drama, MD-DOS was, of course, a key step in Bill Gates’ journey to his first millions.
In retrospect, my Personal Computer (PC) was never safer than in those days, sitting on my dining table in my small apartment in Tulsa. The success of the 1983 film WarGames introduced to the public the idea of remote exploitation of computers.
In response to this emerging security threat, the US passed the Federal Computer Fraud and Abuse Act in 1986, the first example of law designed for the age of the hacker.
Networking
With the introduction of the PC from the then giant of the industry, IBM, the corporate world had a de-facto technical standard. Competitors to this standard were an eclectic selection of devices - mostly from companies that no longer exist. Adoption was rapid and global.
The next logical step was to somehow connect these new resources together within a company. The concept of ‘local area networks’ (LAN) was born. Again, IBM tried to dominate with their Token Ring technology but in the end, it was the competing Ethernet standard that won out.
Next, we got the results of a Defence Advanced Research Projects Agency (DARPA) initiative, ARPANET, which evolved further to become what we know as the Internet. Now we had PCs connected within companies and companies connected to each other, what could possibly go wrong?
Remote threat
As we have now seen, the massive interconnectedness of the world has brought many advantages to societies equipped to benefit from it. The recent pandemic has also shown the ability for our society and economy to manage quite well with us largely confined to our homes.
Mobile phones, tablets, laptops and traditional PCs have enabled huge parts of the population to continue working and communicating with each other. But what of the special requirements for those working or educating children from home? In all that follows, the word ‘company’ could be replaced by ‘school’ as the entity that should take responsibility for creating as secure an environment as possible.
From a strictly security perspective, the pandemic has caused a number of headaches. Business networks were under bombardment from bad actors before the pandemic. Many had invested significant sums in perimeter defences, sophisticated firewalls, end point protection software and security operations teams monitoring networks for signs of intrusion. Still, the bad actors get in.
So imagine the disquiet in security teams now that much of the workforce is connecting from outside the office, beyond the carefully constructed security perimeter, sometimes on personal devices.
For some companies, this is nothing new: larger companies hit this bump in the road early. Executives wanted to use their latest iPad or smartphone to have full access to the corporate networks while on the move, thus bring your own device (BYOD) became a thing. Fortunately, most companies then adopted the attitude of providing the latest mobile devices to their workforce but centrally configuring and controlling them - in effect extending the corporate security umbrella as best they could to cover the mobile devices.
Mobile devices, by the nature of their form, factor and interface, are designed to be intuitive for the user. In part, this also involves distancing the user from the underlying system on the device. In contrast to traditional PCs and laptops, there are few third-party tools that draw back the curtain and provide deeper access to the system. In normal circumstances and use-cases of course, this is fine. However, this can make identifying when malware is present on such devices harder for the average user.
Bad actors
From the time that mobile phones exploded in popularity, there have been actors devising ways to track, monitor, infiltrate and control them. Almost all smartphones today are sealed so that the battery cannot be removed easily. This means that the device cannot be definitively ‘turned off’.
Most people are aware that their phone can easily be used to track their movements as they travel between network masts. Lots of us realise that many of the apps we use are harvesting information about us and our habits for use by marketers. Many people know that software exists that can activate the phone or tablet’s camera and microphone, secretly, to record and transmit audio and video.
Fewer people realise malware like this can be covertly installed on mobile devices, simply by opening an email. No attachment needs to be opened or other action taken by the recipient, just opening the email is enough.
The protection of mobile devices is so challenging that even the President of the United States is strongly discouraged from using a mobile device.
The situation with laptops and PCs is fortunately a little better. Myriad third-party tools shine light on all aspects of the internal and communication operations. This enables more control and a clearer understanding of exactly what is happening on the machine. For security, it is still better if the laptop is a corporate item, centrally configured and controlled. It should be locked down to prevent the user from inadvertently installing software that compromises the security mechanisms put in place.
All data should be encrypted. Commonly, this would be using Microsoft’s BitLocker to protect against theft of the device itself. This now makes the laptop or PC virtually as secure as if it was in the corporate office. Slightly more open to theft from a private residence but with BitLocker, the corporate ‘crown jewels’ should still be safe.
Secure communication
Next, there is the problem of secure communication. Many home routers, supplied by the major internet service providers, have vulnerabilities that could be remotely exploited.
Regular router software updates are issued by the manufacturers but the average home user does not apply them. Secure communication is best achieved by use of a virtual private network (VPN) and ideally one recommended by or controlled by the employer. A VPN will encrypt network traffic and close the last obvious gap in the homeworking security strategy.
Ideally, companies with homeworkers should also provide an IP-phone or ‘softphone’ capability so that the employee does not use their home telephone. A corporate mobile would do just as well.
Physical access to a device that is logged in to the corporate network by unknown individuals is also more likely at home than in the office. Although with lockdown rules properly observed, this risk is small. Corporate-managed devices should routinely lock after a few minutes of inactivity.
Visibly secure
For most people, security in all its forms seems an impediment - perhaps best illustrated at airports where security is quite intrusive. A common adage in security is that while bad actors need be ‘successful’ only once infiltrating our systems, the security must be ‘successful’ every time in identifying and preventing such intrusions. Unfortunately, that means security is frequently not invisible to those it must protect.
The advantages we have seen with people homeworking cannot be overstated. For most, it means no more tiring commute, improved energy with reduced stress levels. For a generation familiar with social networks, a similar work network environment has been taken in stride.
Companies may well view work differently in the future and reduce physical office space, saving overheads in the process. Living spaces will probably be designed in the future with dedicated workspaces included and homeworking becoming more the norm for many.
As this new era begins, we have a workforce that is becoming more knowledgeable and sophisticated around their personal online security and privacy. Institutions should now focus on better understanding what it involves to accommodate a geographically diverse online community securely. For now, the greater power and flexibility of laptops and PCs forms a more secure platform to support remote working and study.
