In this age of quarantines and social distancing, many organizations are just beginning or expanding remote work capabilities. As always, whatever moves we make, the hackers are not far behind or are already there. Here are five things you need to consider in making sure your remote work capabilities are healthy and ready to go.
- Pick the solution that works best for your organization, or at least understand what you have. Discuss the remote work requirements with the departments using the solution and select the type of connection best suited to your needs, or understand the ones you already have available. Here is a high-level description of some common solutions:
  - Tunneling/Virtual Private Network (VPN): A tunnel (a secure channel created by encryption) is created between the user’s device and a gateway into the organization’s network. It requires installing VPN software on the user’s device, which is the communication mechanism between the user’s device and the organization’s resources. The software also takes care of authentication, access control and other security functions.
  - Application Portal: A portal is a server that houses the resources and applications used by the remote user. The portal appears much like a web browser to the remote user. The portal functions much like the VPN above; however, the software and data reside on the portal instead of on the user’s device.
  - Remote Desktop Access: Remote Desktop Access (RDA) allows the user to remotely control a computer located inside the office from their home device. This is delivered through an application or internet browser plug-in which connects directly to the office computer. Note that remote desktop access has a couple of disadvantages from a security perspective:
    - The communications may not pass through perimeter controls such as firewalls, intrusion detection and intrusion prevention, and
    - These are not single-location access points, and given the direct access to the office computer, that computer needs to be secured like a perimeter device, a function for which personal computers are not designed.
- Assume that the devices used in remote work (laptops, cell phones, etc.) and the networks used to connect to the organization will be compromised, and secure them accordingly. These devices will be in environments outside of the organization’s control: cars, which are vulnerable to ‘smash and grab’ attacks; home offices, which can be vulnerable to curious kids home from school; and airports, coffee shops and other public places, where devices can be lost or stolen and networks are unsecured. Some considerations for securing these devices:
  - Use network access controls to verify the security posture of the devices in case they haven’t been patched or have picked up a virus or malware from a malicious site.
  - Consider using a separate network for all external client devices instead of allowing them direct access to the network.
  - Ensure that hard drives and removable media, such as USB drives, are encrypted to prevent a lost or stolen device’s data from being easily obtained by the person who took it.
- Secure all the points in the connection. The points listed below are just a few to consider, and they are good high-level points to discuss or verify in your solution:
  - High on that list of importance is your remote access server. It is the gatekeeper between your organization’s network and the world, so it’s very important that it is up to date on patches, securely configured and managed only by approved administrators. If you’re thinking of having your remote access server run other functions, such as other services and applications, make sure you understand the risks, as having all the eggs in one basket increases the likelihood and impact of a compromise of any of those services.
  - User authentication has traditionally been a favorite target for attackers, as social engineering schemes have been, and continue to be, successful. Multi-factor authentication is a must here. Popular alternatives to the physical token use apps on the user’s phone to authenticate and have proven widely accepted by users.
  - Check the health of the user’s device before allowing it on the network. Make sure the device is patched, configured, and free of viruses and malware, and that mobile devices are not rooted or jailbroken, so that these devices cannot compromise your organization’s network.
  - Secure the data in transit by ensuring that strong encryption is required. A great reference for determining the acceptable types of encryption is FIPS-140.
- Plan to maintain your remote access solution. In addition to ensuring that the devices are secured and up to date when you implement the remote access solution, make sure that it is tied into your organization’s overall security program, including:
  - Vulnerability and patch program,
  - Penetration tests,
  - Risk assessments, and
  - Network monitoring.
- Train your users. In addition to your traditional security policy training, acceptable use policy and the like, many security training platforms have modules specifically designed to educate users on the risks of remote work and how they can help prevent the common scenarios. Make sure to include how users can report lost or stolen devices and other security incidents specifically within your organization.
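
The device health check and network access control points above can be expressed as a small admission gate. This is an added example, not code from the original article: the report field names, the 30-day patch threshold and the three outcomes (allow onto the separate remote-client network, quarantine for remediation, deny) are assumptions chosen for illustration.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not from the article

# Constructed sample reports, shaped as an endpoint agent might submit them.
SAMPLE_REPORTS = {
    "laptop-healthy": {"kind": "laptop", "last_patched": "2020-03-20",
                       "disk_encrypted": True, "malware_found": False},
    "laptop-stale": {"kind": "laptop", "last_patched": "2019-11-02",
                     "disk_encrypted": True, "malware_found": False},
    "phone-rooted": {"kind": "mobile", "last_patched": "2020-03-25",
                     "disk_encrypted": True, "malware_found": False,
                     "rooted_or_jailbroken": True},
    "laptop-partial": {"kind": "laptop", "last_patched": "2020-03-25"},
}

def evaluate_posture(report, today):
    """Return (decision, reasons). Missing or malformed fields fail closed."""
    block, fix = [], []  # block: refuse outright; fix: remediable findings
    try:
        age = (today - date.fromisoformat(report["last_patched"])).days
        if age < 0 or age > MAX_PATCH_AGE_DAYS:
            fix.append("patches out of date")
    except (KeyError, TypeError, ValueError):
        fix.append("patch status unknown")
    if report.get("disk_encrypted") is not True:
        fix.append("disk encryption not confirmed")
    if report.get("malware_found") is not False:
        block.append("malware scan not clean or missing")
    kind = report.get("kind")
    if kind not in ("laptop", "mobile"):
        block.append("unknown device type")
    elif kind == "mobile" and report.get("rooted_or_jailbroken") is not False:
        block.append("device rooted/jailbroken or status missing")
    if block:
        return "deny", block + fix
    if fix:
        return "quarantine", fix
    # Healthy devices still land on the separate external-client network.
    return "allow-remote-segment", []

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(name, evaluate_posture(report, date(2020, 4, 1)))
```

An absent field is treated the same as a failed check, so a device that reports nothing is never admitted by default.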
If you need help with a risk assessment, policy or training your employees on remote work, we can help! Contact us at support@bedelsecurity.com or 833-297-7681.
Additional Resources
Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment
Remote Employee Access
https://www.bedelsecurity.com/blog/remote-employee-access