Skip to main content

I'm hoping someone can ease my mind here and tell me if I'm being a paranoid weirdo, or if this is legitimately strange.

My wife works from home with a company issued laptop. She's a teacher and she's on Zoom with students for hours a day. We've never had any issues with our network over the last three years that she's been a virtual teacher.

There's a new tech support guy at her company who's issued new rules. She had a "tech check up" with him yesterday in which he said he's going to need:

Pictures of our cable modem and routers including serial numbers and MAC addresses.

Pictures of any hardware between the cable modem and routers, including serial numbers and MAC addresses.

Pictures of any hardware between router and company issued laptop, including serial numbers and MAC addresses. This is to include any other personal computers that may be on the same segment of the network.

Is this just good, preemptive tech support and I'm overthinking it?

My first thought was that I am not sending him the info on my own, personally owned cable modem, routers and hardware firewall, so he's getting photos of the old Spectrum equipment they dropped off that's been sitting in the closet for a decade, and we'll just tell him it's a VLAN all to itself(which it is). But after sleeping on it I thought that maybe I'm overreacting.

#CyberSecurity #WorkFromHome

#CyberSecurity #workfromhome
Peter Healy
Peter Healy  
I don't think that kind of information is necessary, especially information about other machines on the LAN that are not under management. I could see them asking for the subnet assignment for the local LAN to make sure it doesn't conflict with the issued laptops VPN connection or something but, serial numbers of your personal equipment? No way. The issued laptop needs an Internet connection, that's the only requirement and assumption remote IT support should be making in my book.
πŸ‘©β€πŸ’» Jess "GirlGerms" Dodson :ferdiverified: :donor:
πŸ‘©β€πŸ’» Jess "GirlGerms" Dodson :ferdiverified: :donor:  

OOF. I've just retooted this into the infosec.exchange instance, so you might see a few more folks chiming in.

100% no. There is absolutely no need, unless they're planning on paying for an upgrade of equipment - and even then, they should only need model numbers, not serials and MACs. I cannot imagine that their security logging is tracking that information and they're filtering based on that, especially if there is a VPN in use.

The idea that this person also wants serials and MACs of other personal devices - there is something dodgy going on here and it's raising serious red flags. This is a HUGE overreach. I would definitely be pushing back and taking it higher - chances are, some folks have already provided what he's asked for.

Tindra
Tindra  

@girlgerms you’ve already gotten good answers. Which is: NOPE

The one thing I’ll add: was this β€œthe IT guy said verbally” or β€œthe IT guy shared a real, approved policy”?

If the former, start by asking for the latter. If the latter? Uh, I’d start researching local labor laws. And possibly prospective employers.

@πŸ‘©β€πŸ’» Jess "GirlGerms" Dodson :ferdiverified: :donor:
Cat πŸˆβ€β¬›πŸ›°οΈβ€‹
Cat πŸˆβ€β¬›πŸ›°οΈβ€‹  
@TindrasGrove @girlgerms I'm straight up thinking like a bad guy -- that's literally my job. If a test target gave me what he's demanding there wouldn't need to be a test, the door is wide open and the silverware packed for carrying.
@πŸ‘©β€πŸ’» Jess "GirlGerms" Dodson :ferdiverified: :donor: @Tindra
silverwizard
silverwizard  
@A Concerned Scientist Are they using an invasive NAC type thing so the device has whitelisted MACs it can talk to or something? It feels very weird, and it's probably overzealous tech support ime
@A Concerned Scientist
⇧