Security Basics: RE: Home laptops on a corporate network

["Adam Rosen" <ajrosen () buffdata com>]

The reason is that the office has a lot of fee-for-service employees,
and they don't want to pay for a lab big enough for these people to come
in and do paperwork, so they want them to be able to use their own
laptops to get their work done.

Adam

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Yousef Syed
Sent: Tuesday, May 08, 2007 7:35 PM
To: security-basics () securityfocus com
Subject: Re: Home laptops on a corporate network

Just wondering...
But is it possible to setup a locked-down VMWare image for external
laptop users to use if they really-really need access your corporate
network. (a small subsection of the network inside its own DMZ
specifically designed to share data)


Personally, I can't think of a reason why an external laptop (or USB
drive for that matter) would need access to the internal corporate
network anyway. They can be provided with separate access to get onto
the internet from a segmented system that has no access to the Internal
system.

ys


On 08/05/07, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
wrote:
> On 2007-05-08 christopherkelley () hotmail com wrote:
> > I'd recommend NOT doing this. Especially if you are trying comply 
> > with HIPAA. Keep in mind that you will have little to no management 
> > capability over these personal laptops, which means you have no 
> > ability to verify patch level and AV update on these machines that 
> > may have EPHI on them. Not to mention the fact that these employees 
> > are probably taking them home and plugging them into their home 
> > networks, where they (or their kids) are running bearshare, 
> > gnutella, grokster, bitorrent, and surfing to unfiltered web sites. 
> > Not only does this mean that they are potentially exposing critical 
> > data in this manner, it also means they are bringing potentially 
> > infested computers into the soft chewy center of your network.
> >
> > Whenever you have an employee with a laptop, you create a liability 
> > to your network, allowing them to use personal laptops presents an 
> > even bigger liability. IMHO, this level of risk is unacceptable, 
> > especially from a HIPAA compliance standpoint.
> I wholeheartedly second that recommendation. Allowing corporate data 
> on private computers (or private computers on a corporate network) is 
> a bad, BAD practice. Never EVER do that. You really want to do the 
> exact
> opposite: establish a policy that *prohibit* employees from 
> transferring corporate data to private computers, and have it signed 
> by each employee.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches 
> becoming available."
> --Jason Coombs on Bugtraq


--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb