Ask HN: How Do You Maintain Security When Working Remotely?

63 points by heyalexej, about 10 years ago
How do you keep communications and your devices safe when working in a distributed team? Maybe from a coffee shop or a coworking space.

I never worked for a company that does that, so I was wondering what policies companies like Github & Co. have in place. What best practices besides two-factor authentication, VPNs, keeping an eye on open ports etc. exist and are used in the real world?

I hope the answers will be useful for people who work remotely.

14 comments

blumentopf, about 10 years ago
Can't speak for other OSes but OS X constantly phones home to Cupertino, sometimes not even using encryption, thus leaking data when you're booked into a public Wifi.

I literally spent weeks last year grepping the entire Mavericks base installation for hardcoded URLs, domain names and IP addresses and setting up entries in /etc/hosts and NAT rules to hardwire that stuff to 127.0.0.1. I also had to disable lots of LaunchServices/Agents to get the OS to shut up. Can put this up on Github if there is interest. It's only for Mavericks though, couldn't be bothered to upgrade to Yosemite as long as there are security updates for Mavericks.

Oh and another thing a lot of people don't know: the OS stores Wifi passwords in EFI boot variables. This is used for Internet Recovery. So if your device is stolen or just lent to someone else, consider your Wifi passwords compromised, regardless of whether the disk was encrypted.
WestCoastJustin, about 10 years ago
Having worked in an environment with people traveling all over the world to conferences, this has happened countless times, although it is much more likely something will be forgotten, or lost, rather than stolen when on the road. Nothing magical, and all common sense, just try to limit your exposure. Here is a quick list:

 - VPN (no split tunnel)
 - 2FA
 - loaner laptop pool (with base OS and their presentation)
 - do not take sensitive data off-site
 - encrypted hard disk
 - antivirus
 - screen locks after X minutes
 - let office know if something happens (lock out accounts)

Operate from the standpoint that this is going to happen. Work to limit your exposure. You really want to separate your work and personal life as much as possible, by using two computers, as your personal habits can have big impacts on your work. I know this is not really what you wanted re: working at Github, but I think most of this still applies. I think a lot of opsec applies to this too.
akampjes, about 10 years ago
At a previous job (security company) we had an extensive ~/.ssh/config and would forward anything back through a gateway to get at any internal data.

We were pretty much always connected to the gateway and would use the SSH SOCKS5 proxy feature to get back to any webapps in development and staging, code review etc.

To remove anyone from the system we would simply remove their keys/lock one account on the gateway.

Sometimes a bit annoying having to make sure your SSH connection is up all the time, but pretty simple to maintain.

Disks encrypted with Full Disk Encryption of course, so no worries when laptops get stolen.
lucaspiller, about 10 years ago
I don't particularly have any security measures other than a secure password, full disk encryption and locking the screen after a few minutes. If you are taking a device outside of the office (e.g. to take home to work over the weekend) you should be using those anyway.

Pretty much all the services (even internal systems for staff only) I interact with are available publicly and have HTTPS, so using a VPN isn't really going to change much. Most of the company's (big multinational) chats happen over Skype, which is known to be monitored by governments so... :)

We don't deal with sensitive data like financial records or personal data, so there isn't really much to compromise. It's probably easier just to guess someone's password if you want to get access to our systems as they are available publicly.
westi, about 10 years ago
The best approach here is multi-layered, with each layer providing another level of protection.

The best way to think about it is to start with the protection of the end-user device, then work on protecting the access from that device to your external network, internal network etc., and finally protection of 3rd party services you use as a company.

For the end-user device the important things are probably a secure password manager, full disk encryption, local firewall, antivirus, requiring a password to log in and locking the screen when you leave the machine.

We then move on to access to your external network (i.e. the user facing portion of your service, which probably includes admin only tools). A good way to protect this is by requiring strong password + two factor authentication + access from a whitelisted range of IPs. The whitelisted range of IPs is either your VPN network or your network of ssh server hosts used as SOCKS proxy hosts.

To protect your internal network I think the best practice is to require all access to be via a limited set of bastion hosts, again either over your VPN or over SSH.

Finally for all 3rd party services you should where possible require two factor auth be enabled and also educate your users on best practices around password strength etc.

Once you have all this set up the next layer is automated / human monitoring. This becomes easier if you require all elevated privilege access to happen via ssh socks proxies and bastion hosts because you can just implement monitoring of new / failed logins to those. You can then set up manual and automated rules to block users. For example, N failed logins block the source IP, login from an unexpected country manually disable the user's public key until you verify it was them, etc.

Overall the key idea is to help your users stay secure while still making it convenient for them to do their work.
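The monitoring layer westi describes (count failed logins per source and block the source after N of them, flag accepted logins from somewhere you do not expect and disable that key until the user confirms) as an added example that is not part of the thread: a POSIX shell/awk script run over a few constructed sshd log lines. The log lines, user names and addresses are made up, and a fixed allowlist of expected source prefixes stands in for the "unexpected country" check, which in practice needs a GeoIP lookup. The key fingerprint it prints for a suspicious login is only present when the bastion's sshd runs at LogLevel VERBOSE.

```shell
#!/bin/sh
# Added example (not from the thread): bastion login monitoring over
# constructed sshd log lines. Addresses, users and the allowlist are
# made up; in production the allowlist would be a GeoIP lookup.
set -eu

# Constructed sample: one expected user, one source hammering the bastion,
# one accepted login from a network we do not expect.
SAMPLE_LOG='Mar 12 09:01:02 bastion sshd[1201]: Accepted publickey for alice from 198.51.100.9 port 51022 ssh2: ED25519 SHA256:aaaa
Mar 12 09:02:10 bastion sshd[1202]: Failed publickey for bob from 203.0.113.7 port 40001 ssh2
Mar 12 09:02:11 bastion sshd[1203]: Failed publickey for bob from 203.0.113.7 port 40002 ssh2
Mar 12 09:02:12 bastion sshd[1204]: Failed publickey for root from 203.0.113.7 port 40003 ssh2
Mar 12 09:02:13 bastion sshd[1205]: Invalid user admin from 203.0.113.7 port 40004
Mar 12 09:05:00 bastion sshd[1206]: Accepted publickey for carol from 192.0.2.55 port 51023 ssh2: ED25519 SHA256:cccc
Mar 12 09:06:00 bastion sshd[1207]: Failed publickey for alice from 198.51.100.9 port 51024 ssh2'

# Source prefixes logins are expected from (assumed: office NAT and VPN pool).
EXPECTED_PREFIXES='198.51.100. 10.8.0.'

# block_candidates N: source IPs with at least N failed attempts, sorted,
# one per line. These are what the "N failures -> block the IP" rule acts on.
block_candidates() {
  printf '%s\n' "$SAMPLE_LOG" |
  awk -v n="$1" '
    /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= n) print ip }' | sort
}

# unexpected_logins: "user ip fingerprint" for every ACCEPTED login whose
# source is outside EXPECTED_PREFIXES. The fingerprint is the key to
# disable in authorized_keys until the user confirms it was them.
unexpected_logins() {
  printf '%s\n' "$SAMPLE_LOG" |
  awk -v allow="$EXPECTED_PREFIXES" '
    BEGIN { n = split(allow, pfx, " ") }
    /sshd\[[0-9]+\]: Accepted / {
      user = ""; ip = ""; fp = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "for")  user = $(i + 1)
        if ($i == "from") ip = $(i + 1)
        if ($i ~ /^SHA256:/) fp = $i
      }
      ok = 0
      for (j = 1; j <= n; j++) if (index(ip, pfx[j]) == 1) ok = 1
      if (!ok) print user, ip, fp
    }'
}

echo "block candidates (>= 3 failures):"
block_candidates 3
echo "accepted logins from unexpected sources:"
unexpected_logins
```

Run it against a real bastion by replacing the SAMPLE_LOG variable with a pipe from the auth log (journalctl -u ssh or /var/log/auth.log); the two awk programs are the only parts that need to know the sshd log format. The failure threshold deliberately counts "Invalid user" probes as well as rejected keys, since both come from the same scanners.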
chinathrow, about 10 years ago
Some others have provided their inputs, mine is just short: take your devices with you, all the time. Yes, that includes the quick toilet break at Starbucks.

I can't remember how many times I heard total strangers asking around "can you look after my stuff quickly?". You can do that for your beach towel, but not for your devices.
jjp, about 10 years ago
Don't forget a privacy filter for the screen. Amazing how much information you can glean just from shoulder surfing.
kolinko, about 10 years ago
I run a 2-3 person shop working on SAAS and iOS apps.

We don't use VPN, because most of the communication goes through HTTPS anyway (github, gmail). I just made sure that everyone has 2FA and strong passwords on key services.

Oh, and don't download user data to your machine.
chx, about 10 years ago
I found VPN configuration complicated, routers you have no control over sometimes have problems with VPN bypass, paid service doesn't let it through and so on. Instead I am using the SOCKS5 proxy in OpenSSH together with redsocks and iptables. For me this seems to be simpler and works everywhere. If you have a dedicated IP or your server runs SSLH then you can SSH to port 443 which is rarely if ever blocked.

Also, this allows for easy bastion hosts. While some tutorials still miss it, ssh has had -W for 5+ years now and it makes creating bastion hosts even easier than when you needed nc in there. Hire a cheap physical server, put OpenBSD on it, run OpenSSH and absolutely nothing else. Firewall off everything from the sensitive servers except this server and there you go. Of course the bastion host does not have any credentials on it, agent forwarding is your friend.

Put your SSH key on a Yubikey NEO, the NEO on your keychain and never ever ever part with it. Make it a habit not to have it plugged into your laptop for more than the few seconds when you actually log into a server. Stealing your laptop is pointless now.

If you work remotely then the exposure to social engineering is bigger as all chat facilities become an attack surface. Practice. Create a Skype account with a disturbingly similar screen name to your own Skype account and try to coax passwords out of your colleagues. If there are no static passwords to be had then you automatically win.

To me, full disk encryption was always of dubious value. You are sitting in a cafe, someone walks in and suddenly grabs the laptop and runs out the door. What good is your FDE? Instead, have nothing stored locally and work over SSH. Now at worst what the brazen attacker has is the files open in your IDE but can't open any other files since the connection dropped and the yubikey is still with you. Also, when at the border you are not facing any issues since there are no passwords to be revealed (I do not want to get into a legal debate with anyone whether I can be forced to reveal a password. It's easier to not have the issue.). Your laptop boots, runs etc. Just there's nothing interesting on it.

I like the Yubikey as 2FA better than having some sort of 2FA on my phone because the keychain and the Yubikey are a much lower profile target than a phone. You probably have your keychain affixed to your belt/pocket by a carabiner or similar solutions so ordinary pickpockets, casual coffee shop thieves won't easily walk away with it and honestly don't want it too much either -- phones and laptops are too easy a target. (I do not wear it on a neck chain when showering but you can since it's waterproof. Pick your level of paranoia freely.)
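The gateway setup akampjes describes (always-on SSH session, SOCKS5 proxy for internal web apps, offboarding by deleting one key on the gateway) and the -W bastion on port 443 chx describes, as an added example that is not from either comment: a client ~/.ssh/config, a minimal sshd_config for a bastion that runs nothing else, and a small lint that checks a bastion config for the handful of directives that matter. Host names, user names, key paths, the group name and the choice of port 443 are assumptions. Two details worth knowing: sshd and ssh use the first occurrence of a keyword, so the lint does the same; and with ProxyCommand -W or its built-in successor ProxyJump (OpenSSH 7.3+) the key on the laptop authenticates the inner host through the tunnel, so the bastion itself can refuse agent forwarding. Agent forwarding is only needed when you hop onward from a host you have already logged into.

```shell
#!/bin/sh
# Added example (not from the thread): client ssh_config for a bastion +
# SOCKS5 proxy, a minimal bastion sshd_config, and a lint for the latter.
# All host names, users, groups, ports and key paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Client side. Everything under *.internal.example.com rides through the
# bastion; the browser is pointed at 127.0.0.1:1080 (SOCKS5) for staging
# and code-review UIs, which is what the ssh -D feature provides.
# ssh_config does not allow trailing comments after a value, so comments
# sit on their own lines.
cat > "$WORK/ssh_config" <<'EOF'
# Assumed bastion name; port 443 survives most captive portals and
# corporate egress filters (the server runs sshd, or sslh, on 443).
Host bastion
    HostName bastion.example.com
    Port 443
    User deploy
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_work
    DynamicForward 127.0.0.1:1080
    ServerAliveInterval 30
    ServerAliveCountMax 3

# ProxyJump (OpenSSH 7.3+) is the built-in form of
# "ProxyCommand ssh -W %h:%p bastion": the inner host is authenticated
# end-to-end from the laptop, so no agent forwarding is needed.
Host *.internal.example.com
    ProxyJump bastion
    User deploy
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_work
    ForwardAgent no
EOF

# Bastion side: keys only, no root, TCP forwarding allowed (that is the
# bastion's whole job), everything else off. LogLevel VERBOSE records the
# fingerprint of the key used for each login, which per-key revocation needs.
cat > "$WORK/sshd_config.bastion" <<'EOF'
Port 443
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
AllowAgentForwarding no
PermitTunnel no
X11Forwarding no
AllowGroups bastion-users
LogLevel VERBOSE
EOF

# A config a bastion should never ship with, for contrast.
cat > "$WORK/sshd_config.weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF

# sshd_lint FILE: print every required directive whose effective value is
# wrong or missing; return 0 when clean, 1 otherwise. sshd uses the FIRST
# occurrence of a keyword, so the lint does too; keywords are
# case-insensitive and "#" lines are comments.
sshd_lint() {
  cfg=$1
  rc=0
  for want in 'PermitRootLogin no' 'PasswordAuthentication no' \
              'PubkeyAuthentication yes' 'AllowTcpForwarding yes' \
              'AllowAgentForwarding no' 'PermitTunnel no' \
              'X11Forwarding no' 'LogLevel VERBOSE'; do
    key=${want%% *}
    val=${want#* }
    got=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$cfg")
    if [ "$got" != "$val" ]; then
      printf '%s: want %s, got %s\n' "$key" "$val" "${got:-<unset>}"
      rc=1
    fi
  done
  return "$rc"
}

echo "bastion config:"
sshd_lint "$WORK/sshd_config.bastion" && echo "  clean"
echo "weak config:"
sshd_lint "$WORK/sshd_config.weak" || echo "  reject"
```

On a real client, ssh -G staging.internal.example.com prints the effective options after all Host blocks are merged, which is the quickest way to confirm ProxyJump and IdentityFile actually apply to the host you think they do. The lint only checks the directives a bastion needs; it does not parse Match blocks, so run it on the global section only.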
facepalm, about 10 years ago
Is anything special even required, as most services have their own encryption? Email, chat, git server... VPN seems only if you use Windows Filesharing? So sharing docs via some cloud service would get around that?
davidbanham, about 10 years ago
Full disk encryption, close the lid of the laptop when you wander away from it.

No need for a VPN if your connections to the email, chat and vcs servers are using TLS. If not, why not? It is the year 2015.
regularfry, about 10 years ago
VPN, client cert per device. SSH key per device. Full-disc encryption. 2fa. Single sign-on.

That's about it.
detaro, about 10 years ago
disk encryption, totally locked down VPN (forcing everything over VPN with 2FA, if you're not in the VPN your packets are going nowhere), some even forbid USB drives.
jcoffland, about 10 years ago
OpenVPN