We know that employees in the office need to be secure. We know that employees we see day to day need to have their information backed up and anti-virus solutions installed on their computers. However, for remote workers who are travelling from hotel to hotel and riding in taxis all day – are you ignoring their security needs?
If your remote workers are not secure, it means that your own NETWORK might not be secure.
Alan Wlasuk is CEO of 403 Web Security, a secure web application development company, and he has given us some guidelines for how best to secure remote workers.
Internet security is scary stuff. Think about any conversation that starts off with the words “We just got hacked.” and try not to wish you were back in Kansas. Even with the most locked-down IT environment, there is always a risk your company will be hacked. Now consider the addition of remote workers accessing those same systems and you multiply the risk of hearing those dreaded words many times over.
Remote workers and their need for access is a standard, and often unavoidable, part of doing business these days. Unfortunately, cyber crime is also part of our lives, often taking advantage of sloppy remote access implementations to get into internal systems that were once impenetrable.
Even though securing remotely accessed company IT systems is harder, it is not impossible. Common sense, a few more hacker hurdles and security implementations that you should be doing anyway should get you back into the security game. The following seven tips for secure remote access are good thinking points as you and your company move into the remote worker model of business.
- Monitor internal system access – I continue to be amazed at the number of larger, security-sophisticated companies that find out about their security breaches well after the breach has occurred. We also frequently hear about hackers that keep coming back to a breached web application without the company ever knowing it has a problem. While I would strongly suggest setting up monitoring of all company website traffic to catch your standard garden-variety hack, I believe it is far more important (and a lot easier) to specifically track the use of internal systems by remote employees. Remote employees follow strict access protocols which immediately identify the employee upon entering your systems. System logs should not only identify which employees are using which systems, but also where the employee has gone in the system and what they have seen or done. These logs should identify unusual or unexpected remote user access, perhaps indicating problems. And this should go without saying: you will need to actually read these logs.
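The kind of log review described above, as an added example that is not from the original article: a small Python checker that reads constructed access-log lines (the `user=... src=... system=... action=...` format, the per-user baseline of expected systems and the business-hours window are all assumptions for this example) and flags remote access that deviates from what each employee normally does.

```python
import re
from datetime import datetime

# Constructed sample log lines in the format this example assumes
# (not the author's or any product's real log format).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice src=198.51.100.20 system=crm action=login
2024-03-04T09:13:40Z user=alice src=198.51.100.20 system=crm action=export_report
2024-03-04T02:41:09Z user=bob src=203.0.113.9 system=payroll action=login
2024-03-04T02:42:30Z user=bob src=203.0.113.9 system=payroll action=view_salaries
2024-03-04T14:05:11Z user=carol src=192.0.2.77 system=wiki action=login
2024-03-04T14:06:02Z user=carol src=192.0.2.78 system=wiki action=login
"""

# Assumed baseline: which internal systems each remote employee normally uses.
BASELINE = {"alice": {"crm"}, "bob": {"ticketing"}, "carol": {"wiki"}}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC, assumed for this example

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) system=(\S+) action=(\S+)$")

def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, system, action = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "src": src, "system": system, "action": action}

def find_anomalies(log_text, baseline, business_hours=BUSINESS_HOURS):
    """Return alert strings for remote access that deviates from the baseline."""
    alerts = []
    seen_src = {}  # user -> source addresses seen in this log window
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        u = ev["user"]
        # Any touch of a system outside the user's baseline is worth a look.
        if ev["system"] not in baseline.get(u, set()):
            alerts.append(f"{u}: unexpected system {ev['system']} ({ev['action']})")
        if ev["action"] == "login":
            if ev["ts"].hour not in business_hours:
                alerts.append(f"{u}: login outside business hours at {ev['ts']:%H:%M}")
            srcs = seen_src.setdefault(u, set())
            srcs.add(ev["src"])
            if len(srcs) > 1:  # same account, several addresses in one window
                alerts.append(f"{u}: logins from multiple addresses {sorted(srcs)}")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, BASELINE):
        print(alert)
```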
- Secure all of your attack surfaces – Many companies view security implementation as expensive and, unfortunately, cut corners whenever possible. This often results in a separation of web applications into externally and internally facing, where only the externally facing web applications are developed and tested for security. While cutting security implementation is never a good idea, it did have its place in an IT environment where internally facing systems were traditionally protected by locked doors, firewalls and access only from internal IP addresses – the domain of trusted users. Unfortunately, this cost-cutting concept breaks down with the addition of remote users, some of whom will appear to be within the physical walls of the company (VPN based) – perhaps perceived by existing IT systems as trusted, internal users. This presents the problem where a compromise of a remote user’s credential will allow a malicious hacker into unprotected company systems – the proverbial fox in the hen house. Companies introducing remote users need to rethink those older, intentionally insecure systems in light of the fact that the brick walls that used to surround them are no longer sufficient.
- Limit information access on a need to know basis – While the ‘need to know’ rule is important throughout any IT environment, it is even more important when supporting remote users. Consider it a fact that at least one of your remote users will have their access privileges compromised. Then ask yourself, given this future problem, what do your remote users really need to see or use within your IT systems? Companies often grant broad access privileges to all users because it is far easier to go broad than it is to figure out operationally acceptable minimal privileges. I strongly suggest taking the time to minimize privilege grants (for local as well as remote users). It will make the eventual access compromise far easier to live with.
- Require strict password policies and implementation – We’ve all heard the ineffective password horror stories — the shortened version of the dog’s name that has been in place for years. Yes, 12 character, randomly created passwords are a pain in the butt, particularly when they expire every three months. But when you consider the availability of brute force password cracking tools you might want to think about their effect on your minimal, easily guessed passwords. I like to think of this tradeoff between painfully strict password policies and the chance to work from home in your PJ’s – the PJ’s always win. And while we’re talking passwords, make sure your password implementation locks a user out after only a few failed attempts (to avoid brute force attacks), and reports excessive login failures.
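The lockout-and-report behaviour the last sentence asks for, as an added example rather than code from the article: a Python `LoginGuard` that locks an account after a few failed attempts within a short window and records a report line for the security team. The thresholds (5 failures in 10 minutes, 15-minute lock) and the `simulate()` scenario are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class LoginGuard:
    """Lock an account after a few consecutive failures and report the excess.

    Assumed policy (not from the original article): 5 failures within 10 minutes
    lock the account for 15 minutes; a successful login resets the counter.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lock expires
        self.report = []                    # lines to hand to the security team

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, src, now):
        """Register a failed attempt; return True if it locked the account."""
        recent = [t for t in self.failures[user] if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures and not self.is_locked(user, now):
            self.locked_until[user] = now + self.lockout
            self.report.append(f"{now:%Y-%m-%d %H:%M} {user} locked after "
                               f"{len(recent)} failures from {src}")
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history and any lock."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)

def simulate():
    """Constructed scenario: a stream of guesses against one remote user's login."""
    g = LoginGuard()
    t0 = datetime(2024, 3, 4, 2, 40)
    locked = [g.record_failure("bob", "203.0.113.9", t0 + timedelta(seconds=10 * i))
              for i in range(6)]
    return {"locked": locked,
            "locked_at_1min": g.is_locked("bob", t0 + timedelta(minutes=1)),
            "locked_at_16min": g.is_locked("bob", t0 + timedelta(minutes=16)),
            "report": g.report}
```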
- Require SSL Encryption – This is the remote access security version of ‘look both ways before you cross the street’. Encryption is relatively free (the cost of the SSL certificate), easy to implement and will keep your data away from hackers. When in doubt, encrypt. You never know what that Starbucks data sniffer may do with data that you think is harmless – it is best not to find out.
- Implement Two-Factor Authentication – You have probably seen the security tokens that higher-end systems use. These hardware devices (e.g., SecurID tokens from RSA) provide an additional level of security where the remote user must enter a user-supplied PIN as well as an unguessable six-digit code (changed every 60 seconds) taken from the display on the device. A hacker would be required to know the PIN as well as hold the device itself in order to compromise the system. This is possible, but a lot less likely than just scamming a login name and password. While a two-factor authentication system implementation is expensive (cost of devices and fees to RSA), it has been considered hack proof for many years and is in widespread use by governments and companies where security is absolutely essential. When your remote users must access company-critical systems with uncompromised security, two-factor authentication systems should be considered.
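To show how a PIN plus a rotating six-digit code is checked on the server side, here is an added example (not code from the article and not RSA's proprietary SecurID algorithm): a Python implementation of the standard HMAC-based time code (RFC 4226/6238 style) with a 60-second step to match the display change described above, plus the PIN check and a one-step clock-skew allowance. The seed is the RFC 4226 test seed, used here purely so the codes are reproducible.

```python
import hashlib
import hmac
import struct

# RFC 4226 test seed, used only so the example codes are reproducible.
# A real token's seed is provisioned per device and never shared.
DEMO_SEED = b"12345678901234567890"
STEP = 60      # seconds per code, matching the 60-second display change
DIGITS = 6     # six-digit display

def time_code(seed, unix_time, step=STEP, digits=DIGITS):
    """Code shown on the token at the given time (HMAC-SHA1, dynamic truncation)."""
    counter = int(unix_time) // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def verify(seed, pin_expected, pin_given, code_given, unix_time, skew_steps=1):
    """Accept only if the PIN matches and the code is valid for the current
    step or one adjacent step (tolerating small clock drift).

    Both comparisons use hmac.compare_digest so timing does not leak
    which factor was wrong."""
    pin_ok = hmac.compare_digest(pin_expected.encode(), pin_given.encode())
    code_ok = False
    for k in range(-skew_steps, skew_steps + 1):
        expected = time_code(seed, unix_time + k * STEP)
        code_ok |= hmac.compare_digest(expected, code_given)
    return pin_ok and code_ok

if __name__ == "__main__":
    now = 125  # constructed timestamp; a server would use time.time()
    print("token shows", time_code(DEMO_SEED, now))
```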
- Make use of VPNs – At the heart of any security-oriented remote access conversation is the use of Virtual Private Networks (VPNs). Conceptually, a VPN connection allows a remote user to access internal IT systems as if he were directly on the internal network. This is good since it allows users to work remotely without modifying the existing IT systems. The bad news is that the same IT systems that were depending on the physical environment (i.e., walls, locks, limited IP addresses) may believe a hacker pretending to be a remote user is within the trusted company walls. There are many good reasons for the widespread use of VPNs throughout companies of all sizes, but don’t be fooled into thinking they come without added security risks.