While teleworking work/life balance are in conflict - a personal story

By Anonymous -

While teleworking work/life balance are in conflict - a personal story


The corona-virus pandemic has fundamentally changed the way many people and organizations operate. While many countries have started progress towards opening up and returning to normal, companies are faced with the decision of whether or not having a remote workforce makes sense for them. Working remotely might be a normal thing for some, but with the advent of the COVID-19 pandemic, a new, massive portion of the global workforce is being thrown into it without any training or past experience. 

As a security professional when thinking about working remotely I focused on the 3 main points: People, Process and Technology. Notice that people are first and technology is just an enabler to the business. A technology-first approach often leads to unhappy people, who break processes to be productive or at least work in a manner that's most desirable to them.

Major observations from the past couple months... Many organizations might not be as prepared for this as they thought and the adjustment period was hard on some than others.



People are the foundation of your organization. Without them the processes and technology will not function, so ensure that they are considered first. People need to be able to be connected to each other and communicate in order to be productive. The workforce needs to know how to do this securely without endangering the business. Awareness and training are critical for this item:

  • Why (Why is it important?)

  • What (What is the impact if it is not done?)

  • When/Where (When/Where is it appropriate and should be used?) 


When working remotely communication and even over-communication is critical. This can be in the forms of Instant Messages, Slack, MS Teams, emails, internal blogs or virtual Town Hall sessions to update your employees and other employees on what is happening and how it impacts them.  For me, each medium has its own pros and cons and the topic of the conversation should be considered when selecting a medium (i.e. major issues should be addressed via email, not Slack, etc). Without the “water cooler” moments, I look for new ways to interact with my peers like virtual Lunch-and-Learns, peer presentations (10-minute tech talks), morning coffee sessions or virtual happy hours.  Having non-work related chat environments where we can talk about topics like pets, food, travel or random hacks of the day has been important for keeping humanity. This is a great way for me to release stress and engage with others topics that make me feel connected to others. 


 My employer wellness benefits like employee assistance, virtual coaches, wellness programs, and other resources which I take full advantage of. If you don’t have these, find creative ways to with your peers or those in the community to do so. I am also a member of #TinkerTribe which is a group of professionals who have come together to share ideas and support each other. 


 If I had to give only one tip to try to make your life easier, it would be to set up a separate workspace at home, this allows you to mentally separate work and home life. Ideally, this location should be as distraction-free as possible to avoid pets, children and partners distracting and interrupting calls or video meetings. I would encourage you to have a dedicated space in the home that is ONLY used for work, so your brain is in the "work mode." Similar to how the bedroom should not have a computer or TV, so the brain knows "this is the room we sleep in." 


team

© Scott Adams http://dilbert.com/


The transition to working remotely, shouldn’t mean that established processes are no longer being followed. And it also doesn’t mean that you do all the same things just virtually. 


Things might need to be done differently and processes might need to be adjusted slightly. As a security professional, I would highlight any concerns and discuss with the business and management. For example, if written approval is needed for a document, creating an alternative process to ensure that the validation continues and is traceable (e.g DocuSign). Ensure people are aware where policies and procedures are stored and are accessible by sending reminders with internal links. Attackers will try to take advantage of this change, so ensure that there is sufficient and refreshed training in the required processes. This is also a great time for security awareness refreshers, especially those focused on phishing, malicious links and out of the ordinary processes. 


While working remotely, it is important to establish work hours and expectations of availability. Working from home makes getting into the “Work” mindset initially difficult, and distractions are often unending. If this is not the case for you, think about the situations about others on your team or who you might interact with. Be clear about deadlines of when work is supposed to be accomplished. 


Just because you are now closer to your work machines/home workspace, does not mean that you should be expected to work 24/7, this will only lead to burn out. Keeping traditional working hours, or as close to it.


Remember communication is key, continue to or schedule new Check-in times with your team, One-on-Ones, or daily Stand-Ups. I would encourage you and your team to enable video, it does give the warm feeling of human interaction. Encourage participation from your all meeting members as it’s much easier for the extroverts to dominate virtual meetings by talking over everyone due to the inherent technical limitations. 


Credit: https://www.hanselman.com


Thinking about working remotely as a security professional, all I can think about is how things can go wrong for the non-technical workforce trying to work from home, hotel or a local cafe (which things return to normal). 

Ensure that your team thinks about how to make connecting to company resources as simple as possible, whether using self-connecting VPN (Virtual Private Network) connections or using web-proxy solutions. Next, if this is going to be a process change for the workforce, create training videos, how-to’s and documentation that lays it out step-by-step. Consider updating awareness programs for the changing concerns of working remotely and providing your team with frequent reminders through helpful tips, tricks or new articles from outside sources. 

If your organization has not implemented MFA, now might be a great time to consider it because it's harder for your security teams to validate legitimate users from not when everyone is external. 

Ensure that your organization’s crown jewels are protected and you can monitor to ensure its not slipping out the side door. I know I simplified it a lot, but it's a process and involves walking the business through identifying what is critical, thinking of ways to protect it and ensuring that the protection does not outweigh the risks or prohibit the business from functioning efficiently. 


If you need some guidance in this area, check out NIST also has provided guidance on Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security ( https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf )




Additional tips and tricks:

















Credit: https://open.buffer.com/integrating-work-family-21-tips-working-home-kids/


Carve out space and time away from distractions. Distractions come in all shapes and sizes: kids, food-sites/Amazon/eBay, sometimes even email for some of us. We remote workers have to exercise great discipline to ensure we're productive. We're grown-ups, and "shouldn't need supervision to be productive." However, we need to be honest with ourselves.


Set specific hours. Don't short work, duh... but don't work all the time either! Balance is important.


Take breaks like you would at work! Go outside and get some sunlight on your skin (helps absorb the vitamin D, which helps with happiness and cognitive power). Think about how you used to operate back in the office: didn’t you take a break maybe once an hour or so to get up and walk around? Perhaps you’d take 10 minutes now and then to research a purchase on Amazon, buy concert tickets or even just scroll through Twitter. THIS IS ALL FINE AND NORMAL. Take these mental health breaks when you need them; they’re critical to productivity and reducing burn-out. 


Meditation and breathing exercises help reduce stress and anxiety, and now it is so much easier to do at home than in the office. Use these opportunities to help ensure that you can focus on your mental health if needed. 


Take a walk in the morning before work. The view will change your perspective, and help unclog the brain.


Make sure your family (if applicable) knows when you are and are not working! Otherwise, you may find a great balance but your family always feels like you're working and tensions will escalate.


Self-motivate appropriately. Set goals for yourself, determine what benefits those goals will have, determine a path to achieve them, and go at it! When you fall down, get back up, remember the value you're going after, and run at it again!


Self-limit appropriately. Don't allow stress to overwhelm you. Manage and reduce stress (there are many papers on this on the Internet and books on this topic). A little stress can be motivating, but can quickly become debilitating and draining.


Be sure to schedule critical thinking, and even break times for yourself! One of the biggest caveats of working remotely is the fear that you’ll be judged as non-productive. This predominantly stems from the comfort of being in your own home, and it’s very normal. Just like you will block on time on your calendar at work for critical tasks or thinking time, continue to do so. 


And if you need a little extra support, take advantage of provided employee wellness programs, they are there to support you!


Want to join our substantial remote workforce? We’re hiring

Have complex security problems? We are happy to help resolve them, feel free to contact us.

Popular posts from this blog

New Old Bugs in the Linux Kernel

By Anonymous -
Image
  Introduction Dusting off a few new (old) vulns Have you ever been casually perusing the source code of the Linux kernel and thought to yourself "Wait a minute, that can’t be right"? That’s the position we found ourselves in when we found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments. Who you calling SCSI? The particular subsystem in question is the SCSI (Small Computer System Interface) data transport, which is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives. SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is basically SCSI over TCP. SCSI is still in use today, especially
Read more

Automated Struct Identification with Ghidra

By Anonymous -
Image
At GRIMM, we do a lot of vulnerability and binary analysis research. As such, we often seek to automate some of the analysis steps and ease the burden on the individual researcher. One task which can be very mundane and time consuming for certain types of programs (C++, firmware, etc), is identifying structures' fields and applying the structure types to the corresponding functions within the decompiler. Thus, this summer we gave one of our interns,  Alex Lin , the task of developing a Ghidra plugin to automatically identify a binary's structs and mark up the decompilation accordingly. Alex's writeup below describes the results of the project, GEARSHIFT, which automates struct identification of function parameters by symbolically interpreting Ghidra's P-Code to determine how each parameter is accessed. The Ghidra plugin described in this blog can be found in our GEARSHIFT repository . Background Ghidra is a binary reverse engineering tool developed by the National Sec
Read more

SOHO Device Exploitation

By Anonymous -
Image
Netgear R7000 SOHO Device Exploitation After a long day of hard research, it’s fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it’s time for some quick fun and a nice confidence boost, I like to analyze Small Office/Home Office (SOHO) devices. This blog describes one such session of auditing the Netgear R7000 router , analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. Initial Analysis The first step when analyzing a SOHO device is to obtain the firmware. Thankfully, Netgear’s support website hosts all of the firmwares for the R7000. The Netgear R7000 version 1.0.9.88 firmware used in this blog post can be downloaded from this web
Read more