56

I manage a cybersecurity team of 10 where I work. A major part of our job duties is providing application security consulting and in-house penetration testing for our many development teams.

Two months from now, I will be travelling to Las Vegas with my team to attend (in an official capacity, representing our company) the 2024 Black Hat conference. This conference is a red team / offensive security / penetration testing focused conference aimed at cybersecurity professionals in the application security domain. Attendees are expected to bring laptops to participate in the many hands-on labs that involve working with deliberately vulnerable machines / IT assets. There is a possibility that antimalware and firewall protection may need to be disabled to simulate real world conditions and allow malware to be tested properly.

My manager is asking us to bring personal (non-company-owned) machines to the conference, which I am reluctant to do due to the risk of compromise from malware. My machine is relatively pricey ($1000+) and also contains personal documents, in addition to being used for banking and other activities involving my PII.

The company-provided laptop cannot be used, as deliberate exposure to malware, even inside a virtual machine, is inherently risky and can endanger other IT assets of my company (e.g. after the conference, I join the company network with a compromised machine).

Examples of malware exposure:

  1. Ransomware samples
  2. Raw malware code with antivirus disabled

Question

  • How can I push back against my manager's ask professionally? I don't want to strain the work relationship.

  • If I bought a cheap, disposable laptop solely for the conference, would I be setting a bad precedent for my team / other employees of my company, given I am a manager?

Additional information

For a company laptop, our team uses Windows laptops for day-to-day work (email, documentation viewing, MS Teams etc.) and SSH into pen-testing servers running Kali Linux or Parrot. Our team is allowed to install security tools such as Kali Linux or Parrot OS locally on our work machines. We also have company licenses for VMware on local laptops, and if we were to install Kali / Parrot locally, segregation between guest and host OS would be maintained in NAT mode.

8
  • 45
    Who is the motivator for attending the conference (with its inherent risks)? In my personal view, that is the party that is responsible for providing the resources to make the conference beneficial. Just my two cents... Commented Jun 4, 2024 at 1:59
  • 22
    Are you attending this conference on your own interest / accord, or this is a part of your job? If this is part of your job, your company should provide for the necessary arrangements to meet the requirements - as simple as that. If they are not willing to provide for, and still want you to represent the company - I'm sorry, but you need a better manager / company to work for. Commented Jun 4, 2024 at 3:55
  • 70
    You must be happy your company is not in the vehicle construction business. They'd probably ask you to use your own car when doing crash-tests... Commented Jun 4, 2024 at 10:17
  • 14
    Given your other questions, I'm surprised you want to keep working for this company Commented Jun 4, 2024 at 12:18
  • 45
    I'm surprised your department doesn't already have burner laptops for your own testing usage, maybe that is the angle to pursue Commented Jun 4, 2024 at 12:40

10 Answers

256

I would refuse. Point blank.

The conversation should go something like this:

Me: Why don't you want to use a company laptop for this?

Manager: Because we don't want company laptops deliberately exposed to malware.

Me: Well, that's exactly the same reason I don't want to use my personal laptop.

The only reasonable solution is for the company to provide you with a laptop for this purpose - either by buying one themselves or reimbursing you for one. A company of any size is going to have a number of surplus laptops around that can be disabled from access to the company networks, not have any company software on, and can be scrubbed after the conference.

13
  • 100
    THIS is the correct answer! The laptops should be recently decommissioned and reimaged machines, used at the conference, and then handed directly to the IT team as "toxic" when returning. Don't even power them back on when you get back to the office. Commented Jun 4, 2024 at 20:13
  • 31
    THIS. It's not rocket science - just keep repeating "I will not be using my own laptop at the conference". Too many people overthink things like this. Commented Jun 5, 2024 at 16:34
  • 12
    I'd also avoid taking a company smartphone, or your personal one, into the conference. Commented Jun 5, 2024 at 18:19
  • 5
    My work is very particular about cyber security, and they have special laptops for business and conference travel outside the country that basically have to be handed over to IT to get wiped as soon as you return. Seems like that would be appropriate. They would also never allow work related activities to be done on a personal laptop. Commented Jun 6, 2024 at 16:35
  • 5
    @DJClayworth Anyone who wants to participate in any meaningful way? Or can you get much hacking done with just pen and paper? (I guess you would also need a few suitcases full of printouts of the source code of popular programs and disassembly of common OS kernels.) Commented Jun 7, 2024 at 8:01
51

The answer depends on what the primary reason you are attending the conference is.

Let me explain:

Scenario 1: You are primarily attending as a representative of your company and in a very much official capacity.

In this case - it is the responsibility of your company to provide you with the tools to do your job. Think of it like any other expense claim for a work-related trip: they pay your hotel fare, your travel costs, your meal costs etc. This is no different.

Now - you have some options:

  • Get it in writing that you will procure a laptop for the sole purpose of attending this conference and work will reimburse you for it - may need to get some specs or spending limits agreed.
  • Ask your company if there is an old Laptop in stock or from an employee who has recently left - ask to wipe it completely, so that it can be used for this purpose.
  • Present a quote to your company for the cost(s) for you to completely back-up your current laptop, wipe it, attend the conference, wipe it again and restore from backup and get them to agree to pay it.

Scenario 2: You are primarily attending as yourself, a professional in the field with only a tangential link to your company.

For example - if I want to go to a conference that I am interested in within my field of work, but my company is not particularly interested in me attending, I may still go. Work might approve the time off - but it is me that is going, not an employee.

Here - if this is more like what is happening - then it is your responsibility to get all the tools that you need for it. I would suggest getting a second-hand laptop from the likes of Trademe (NZ represent!) or the regional equivalent and being done with it.

In short - if you are going in an official work capacity, they should provide it or reimburse you; if you are going in more of a personal capacity, then it is on you.

10
  • 14
    The fact that the whole team is going and the manager is mandating laptop use clearly makes this scenario 1. Commented Jun 4, 2024 at 21:40
  • 30
    @DJClayworth - I was about 80 percent certain that this was the case, but I felt that giving the other perspective (that sometimes people attend functions not in an official capacity) led to a better answer. Commented Jun 4, 2024 at 21:41
  • 2
    That's a very reasonable point. Commented Jun 4, 2024 at 21:43
  • 3
    Knowing what types of viruses exist... I wouldn't bring my $1000+ dollar laptop to the Black Hat conference... A $100 dollar Chromebook running Kali Linux? Sure... but a $1000 dollar laptop? Nope. Not going to happen. Commented Jun 4, 2024 at 21:54
  • 27
    I personally wouldn't consider the third option viable. Wiping a laptop is not guaranteed to clear off all malware, especially not at a hacker conference where people will showcase the latest advancements in malicious software. There is already malware out there that can survive getting wiped by hiding inside the firmware of anything in your PC, ranging from hard drives and GPUs to the hidden management engine inside your CPU. Just blindly assuming that a malware infection is resolved by wiping and restoring from backup is not a smart bet when dealing with Black Hat. Commented Jun 5, 2024 at 8:56
24

Where I work, the standard solution would be to go to the IT department and borrow a spare laptop - probably an old one. That can be wiped and then reimaged with a minimal software install (e.g. Windows and Office). If you have any presentations to give, you can then copy them on. When you return, the laptop can be wiped again and re-used.

6
  • This is the correct answer. Get a machine that you can wipe and reinstall afterwards. Commented Jun 5, 2024 at 7:33
  • 8
    Afterwards, wipe it if you want, but do not reuse it. There are exploits which won't go away with a wipe. Commented Jun 5, 2024 at 12:02
  • @jcaron: Interesting. Do you have more info about it? Commented Jun 5, 2024 at 12:47
  • 1
    @EricDuminil See Nzall's comment on TheDemonLord's answer as a starting point. Commented Jun 5, 2024 at 12:51
  • 1
    @EricDuminil There are some really nasty viruses that will do things like re-flash your BIOS, or modify the firmware on your hard disk. Or maybe the firmware of your network card or graphics card. Commented Jun 5, 2024 at 19:30
10

"I do not own a laptop that would be usable for this purpose." seems to be the obvious answer. It's diplomatic, can't be argued with, and it's undoubtedly the truth.

In my case I don't own a laptop, period; I have a desktop and an Android tablet. Even if I owned a laptop, it wouldn't have Outlook or Word installed (they are expensive, and there are good free alternatives available). Even if for some weird reason I had a laptop with the right software installed, I'd never consider a personal system I maintain in my own rare free time secure enough to be usable for a Black Hat cybersecurity conference (!!). So no matter what, the statement above is the honest truth. You don't own a laptop that would be usable for that purpose.

If they then want you to go rent one, it would be reasonable to expect them to pay for it. If they won't, then they clearly don't feel it's that important.

If you're told to expense it, I'd check with accounting first to make sure the expense will be reimbursed, and what if any restrictions they have on what you can rent.

1
  • Note: Under the circumstances, I'd be just as worried about bringing any personal electronic devices (cellphone, tablet, heck smartwatch). If the company issues you a phone, they should be too. Commented Jun 6, 2024 at 20:17
8

Since you have indicated that you will be travelling with your team, the assumption is that it is work related. In which case your work needs to provide a machine. Understandably, existing work machines shouldn't be used for this purpose. Equally, you shouldn't be using your machine.

You need to talk to your boss and tell them that you don't like the idea of using your own machine as it could become compromised. And work could just buy a cheap machine that could be discarded after the event.

4

I'd get a cheap used laptop for the purpose. I've got an ancient 386 now running a lightweight Linux, for example, that I'd be willing to consider completely discarding if I didn't trust it. And a slightly newer rescued-from-trash machine also now running Linux, which I'd be slightly more reluctant to burn. You could probably get something of this sort for $150 or less, maybe free if you haunt reuse sites like Freecycle.

The company said use your own machine. In doing so they abdicated all opinion over which machine.

8
  • 1
    @infinitezero: Why not? Lightweight OS means less stuff running by default, which may mean greater security (fewer open ports/protocols). If you're not expecting folks to be attacking Windows machines, that too is an argument for, rather than against. Heck, load it up with Kali Linux and you're starting with one of the most respected security probing toolkits in existence... Commented Jun 5, 2024 at 0:22
  • 1
    But I'm expecting folks to attack Windows machines?? Commented Jun 5, 2024 at 4:46
  • 1
    I'll phrase it differently: the organizers might require a Windows OS, so this might not be an option. Commented Jun 5, 2024 at 4:57
  • 1
    Might be worth asking. As I said, Kali Linux is a standard security toolkit; at this sort of event I would expect it to be extremely common. Commented Jun 5, 2024 at 12:31
  • 6
    @infinitezero We're talking about Black Hat. No, they don't require their attendees to bring a Windows Laptop. Commented Jun 5, 2024 at 15:06
4

A carpenter does not need to bring his own hammer to work, it's provided by the boss.
A mason does not need to bring his own trowel to work, it's provided by the boss.
An IT professional does not need to bring his own computer to work, it's provided by the boss.

I'm always surprised that people treat a computer as something different from any other regular tool.

1
  • 2
    This answer is wrong (though I oddly "upvoted" it, because it is "useful" for discussion, despite being wrong). Some trades-people do provide their own tools. They may get compensated differently. The question-asker asked about just buying a laptop. If the question-asker feels suitably compensated for work overall, this might just be a slightly unpleasant drop in an overall excellent bucket, so it might not really feel exploitive overall. (I've done similar, buying a cheap laptop so I could better work for a place that hired me at 80% higher than my prior job.) Commented Jun 7, 2024 at 15:41
3

I would not take a personal laptop to a computer security conference. Period. Your personal laptop is your personal laptop, not the company's laptop. It's in their enlightened self-interest that this is so - you may (reasonably) refuse to let them see what is inside your personal laptop absent a search order.

You should ask for a corporate laptop that will be wiped upon your return. The cost of taking anything else is the (cost of remediating malware) * (probability that the laptop will be infected). My estimate of P(infection) is 100%. If the laptop is infected and you do not wipe it before connecting to the corporate network then the cost is ((2 days * burden_rate_for_IT) + cost_of_downtime) * (number_of_machines_in_network).

Managers think in terms of dollars, at least in the United States. So make your pitch in terms of dollars. I

1
  • Assuming the company is paying to attend the conference (plus the time it takes), the company should want to get maximum value out of that investment. Not having an appropriate laptop prevents getting value from the investment (skills, experience, engagement, etc.), and a cheap "disposable" machine would unlock much more than its cost from the existing investment. Plus it reflects poorly on the company too. TL;DR The company could spend 90% of the total and get 50% of the value - or spend 100% of the total and get 100% of the value. Commented Jun 7, 2024 at 11:32
0

I manage a cybersecurity team of 10 where I work. (...) to attend (in an official capacity, representing our company)

Since you mention that you are expected to use your own laptop I assume you have some kind of a BYOD arrangement. How do you work when you have to analyze malware or do other risky stuff as part of your job? You probably do it in an isolated sandbox.

If so, there are two solutions:

  • either you use this sandbox at BH
  • or you get from your job "transportable sandboxes", aka spare laptop

Since you manage this team your boss will either say "ok" if they do not understand what you are saying because you manage security, or say "ok" if they understand what you are doing (kind of CISO or something).

If they say "no", I would not do the malware exercise, because this is a liability for the company.

0

Your home insurance may not cover your laptop outside the home. As insurance policies differ, you would have to check with your insurance. For this reason alone, I would refuse if you don't have appropriate insurance to take kit out of the home. However, they may offer to pay the difference if you have to raise your home insurance to cover electrical items outside the home. If so, then they can pay for a laptop for the conference. Laptops are not expensive, and they should be able to be sourced for you.
