Managing remote access risks
- Published: Wednesday, 30 December 2015 09:18
Business continuity incidents - and even routine events in the business calendar, such as bank holidays - can produce a large rise in the number of workers connecting remotely; and this in itself can cause problems.
In this article Guillermo Lafuente looks at the technologies that are available to help manage remote access requirements; and what security issues need to be considered.
Build a tunnel
The classic way to let remote workers reach internal resources as if they were in the office is a VPN (virtual private network). VPNs scale well at relatively low cost; however, deploying one has a wide range of security implications that need to be considered. For example, even if a VPN is correctly configured and does not directly open any holes into the corporate network, there is still a weak link that is hard to control: the end point. It is more than likely that employees will browse websites or install software for personal use on devices located outside the corporate environment, and they will probably also connect to unsecured public Wi-Fi networks. If the end point is compromised, it gives an attacker a direct link into your internal network.
How to secure your VPN?
We have established that the main threat when using a VPN comes from the end points your users connect from. Your efforts should therefore be focused on protecting the devices they will use to access the VPN.
Firstly, use the strongest authentication method available. In Windows networks, for example, one of the strongest options is EAP-TLS with client certificates, although this requires you to provision certificates to remote workers securely. Whichever option you choose, do not rely on simple username/password authentication: two-factor authentication is far more secure.
It is also important to disable split tunnelling, a configuration that lets a VPN user be connected to the secure VPN and to an unsecured network at the same time, with only traffic for corporate destinations going through the tunnel. This is especially dangerous when users connect to the VPN from public networks such as Wi-Fi hotspots: the device is exposed to the hostile local network and bridged into yours at the same moment.
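Disabling split tunnelling is a server-side setting, so it is worth verifying from the client that the setting actually took effect. The following is an added example, not code from the original article: it parses Linux `ip route show` output and reports whether the default route really goes through the VPN interface. The interface name `tun0`, the route metrics and the sample routing tables are assumptions constructed for illustration; it also handles OpenVPN's `redirect-gateway def1` behaviour, which leaves the original default route in place and instead adds two half-routes via the VPN.

```python
"""Detect whether a connected VPN client is split-tunnelling.

Added example, not from the original article: it parses Linux `ip route show`
output and reports whether the default route goes through the VPN interface.
The interface name "tun0", the route metrics and the sample tables below are
assumptions constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network  # 0.0.0.0/0 for the default route
    dev: str                     # outgoing interface
    metric: int                  # lower wins when prefixes are equal


# Matches lines such as "default via 192.168.1.1 dev wlan0 proto dhcp metric 600"
# and "10.0.0.0/8 via 10.8.0.1 dev tun0"; fields we do not need are skipped.
_ROUTE_RE = re.compile(
    r"^(?P<dest>default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)\b.*?\bdev (?P<dev>\S+)"
    r"(?:.*?\bmetric (?P<metric>\d+))?"
)


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` output; lines that do not look like routes are ignored."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest = "0.0.0.0/0" if m.group("dest") == "default" else m.group("dest")
        routes.append(Route(
            dest=ipaddress.ip_network(dest, strict=False),  # bare host -> /32
            dev=m.group("dev"),
            metric=int(m.group("metric") or 0),
        ))
    return routes


def default_device(routes: List[Route]) -> Optional[str]:
    """Interface carrying the preferred (lowest-metric) default route, if any."""
    defaults = sorted((r for r in routes if r.dest.prefixlen == 0), key=lambda r: r.metric)
    return defaults[0].dev if defaults else None


def tunnel_mode(routes: List[Route], vpn_dev: str = "tun0") -> str:
    """Return "none", "full" or "split".

    "full" covers both ways a client can send everything through the tunnel:
    replacing the default route, or OpenVPN's "redirect-gateway def1" trick,
    which keeps the original default but adds 0.0.0.0/1 and 128.0.0.0/1 via
    the VPN; those win because they are more specific than 0.0.0.0/0.
    """
    via_vpn = {r.dest for r in routes if r.dev == vpn_dev}
    if not via_vpn:
        return "none"
    if default_device(routes) == vpn_dev:
        return "full"
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    if halves <= via_vpn:
        return "full"
    return "split"


# Constructed sample tables (not captured from a real host).
SPLIT_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# The host route to the VPN server (203.0.113.5) via the physical interface is
# expected: the tunnel itself must still reach the server outside the tunnel.
FULL_TABLE_DEF1 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TABLE), ("def1", FULL_TABLE_DEF1)):
        print(name, "->", tunnel_mode(parse_ip_route(table)))
```

On a real client you would feed it the live output of `ip route show`; a result of `split` while the server policy says otherwise means the client is overriding pushed routes, which is itself worth investigating.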
Some VPN servers let you define security requirements that a user's device must meet before it is allowed to connect. Ensure that devices connecting through the VPN comply with the same security policy that applies internally. At a minimum, check for OS and application security patches, up-to-date anti-virus definitions and adequate firewall rules, and refuse the connection if the check fails. It is also recommended that you monitor users connected through the VPN for suspicious activity and signs of infection.
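To make the posture check concrete, here is an added example (not code from the original article, and not any vendor's product) of the decision logic such a check applies: the client agent reports facts about the device, and the server compares them against a policy that mirrors the internal one. The report fields, the thresholds in `POLICY` and the two sample reports are assumptions constructed for illustration. The point it shows that the paragraph does not is that every test must fail closed: an attribute the agent did not report counts as a failure, never a pass.

```python
"""Evaluate an endpoint posture report against a VPN admission policy.

Added example, not from the original article and not any vendor's product.
The report fields, the thresholds in POLICY and the sample reports below are
assumptions constructed for illustration.
"""
from __future__ import annotations

from datetime import date
from typing import Any, Dict, List, Tuple

# Policy mirrors what is enforced on the internal network (assumed values).
POLICY: Dict[str, Any] = {
    "max_patch_age_days": 30,           # last OS/application security update
    "max_av_definition_age_days": 3,    # anti-virus signature freshness
    "require_av_running": True,
    "require_firewall": True,
    "require_disk_encryption": True,
    "min_os_version": {"Windows": (6, 1), "macOS": (10, 10)},  # assumed floors
}


def _days_since(report: Dict[str, Any], field: str, today: date) -> int:
    """Age in days of an ISO-8601 date field. A missing or malformed value is
    treated as infinitely old so that the check fails closed."""
    try:
        return (today - date.fromisoformat(report[field])).days
    except (KeyError, TypeError, ValueError):
        return 10**6


def evaluate_posture(report: Dict[str, Any], policy: Dict[str, Any],
                     today: date) -> Tuple[str, List[str]]:
    """Return ("admit", []) or ("refuse", [reasons...]).

    Nothing the agent fails to report can pass: a tampered or broken agent is
    exactly the case the check exists to catch.
    """
    reasons: List[str] = []

    os_name = report.get("os_name")
    floor = policy["min_os_version"].get(os_name)
    try:
        version = tuple(int(x) for x in report.get("os_version", ()))
    except (TypeError, ValueError):
        version = ()
    if floor is None:
        reasons.append(f"unsupported or unreported OS: {os_name!r}")
    elif version < floor:
        reasons.append(f"{os_name} {'.'.join(map(str, version))} below minimum "
                       f"{'.'.join(map(str, floor))}")

    age = _days_since(report, "last_security_patch", today)
    if age > policy["max_patch_age_days"]:
        reasons.append(f"security patches {age} days old")

    age = _days_since(report, "av_definitions_date", today)
    if age > policy["max_av_definition_age_days"]:
        reasons.append(f"anti-virus definitions {age} days old")

    # Boolean attributes: only an explicit True passes; absent or False fails.
    for field, required, text in (
        ("av_running", policy["require_av_running"], "anti-virus not running"),
        ("firewall_enabled", policy["require_firewall"], "host firewall disabled"),
        ("disk_encrypted", policy["require_disk_encryption"], "disk not encrypted"),
    ):
        if required and report.get(field) is not True:
            reasons.append(text)

    return ("refuse" if reasons else "admit"), reasons


# Constructed sample reports; TODAY is the article's publication date, used as the clock.
TODAY = date(2015, 12, 30)

COMPLIANT = {
    "os_name": "Windows", "os_version": [10, 0],
    "last_security_patch": "2015-12-09",   # 21 days old
    "av_definitions_date": "2015-12-29",   # 1 day old
    "av_running": True, "firewall_enabled": True, "disk_encrypted": True,
}

STALE_LAPTOP = {
    "os_name": "Windows", "os_version": [6, 1],
    "last_security_patch": "2015-10-15",   # 76 days old
    "av_definitions_date": "2015-12-20",   # 10 days old
    "av_running": True, "firewall_enabled": False,
    # disk_encrypted deliberately not reported: must fail closed
}

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT), ("stale laptop", STALE_LAPTOP)):
        decision, why = evaluate_posture(report, POLICY, TODAY)
        print(f"{name}: {decision} {why}")
```

The reasons list is what you would log and show to the user, so they can fix the device rather than call the help desk; the decision alone is what the VPN server acts on.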
A factor you may not have considered, yet one that is particularly common in the winter months, is your own employees causing a VPN denial of service (DoS). If heavy snow or widespread flooding stops large numbers of employees getting to the office, everyone may turn to the company VPN at once. As well as putting strain on authentication mechanisms, bandwidth-intensive activities such as video streaming may exhaust the VPN's capacity and slow down every connected user. Consider the potential impact and plan ahead.
Take to the cloud
An alternative is to selectively expose applications and make them accessible via the cloud, so that remote workers reach those applications without being given a VPN into the internal corporate network. Choosing a proactive cloud provider who will work with you to minimise the risk of exposing your DMZ or internal network to attackers makes this easier.
However, you have to make sure you choose a provider with a proven security record, and bear in mind that by choosing a third-party provider you are entrusting them with your own information and data. If privacy is an issue, consider creating your own mini-cloud: an extranet completely isolated from the rest of your network.
Using a cloud solution will probably provide a more reliable and faster connection, and may be less prone to performance or availability issues should large numbers of remote workers suddenly connect for whatever reason.
Any application hosted in the cloud should be properly security assessed beforehand, should use TLS, and should preferably enforce two-factor authentication.
Remember that disk encryption only protects data at rest: anyone who gains access by compromising the authentication mechanism or exploiting a vulnerability in the application will have full access to your data.
Most businesses now need to allow mobile phones, tablets and other portable devices to connect to the corporate network for services such as email. This always raises security concerns, and with employees working remotely the chances of one of these devices being compromised increase.
One of the biggest risks with portable devices is losing them or having them stolen. Without the correct procedures in place, a stolen device gives an attacker an easy foothold into the network. It is therefore very important that full disk encryption is used on all devices and that they are protected by adequately strong passwords. Some form of remote wipe should also be configured on the devices, to give greater assurance that any data on a lost device will be protected.
For smartphones and tablets, an MDM (mobile device management) product will help you establish and enforce adequate corporate security policies. An MDM is typically a third-party product with management features for particular mobile platforms such as Android, iOS or Windows Phone. The drawback is that every additional platform adds complexity to managing the MDM, and although most platforms offer security policies that can be enforced, those policies are typically incompatible with each other.
It is also important that portable devices, especially laptops, have security software such as anti-virus installed. Further protection such as anti-exploit software, for example Microsoft's EMET (Enhanced Mitigation Experience Toolkit) on Windows, may also be used. Users are more likely to visit potentially malicious websites when using their laptop outside the office, so precautions should be taken. My company has commonly worked with clients affected by users who were infected with malware, such as ransomware, after an employee accidentally browsed to a malicious website while using a corporate laptop outside the office. If the infected laptop is then connected to the corporate network, you can find yourself with all your company files encrypted and an email demanding money if you want the key to recover your files.
Planning now could avoid your organization grinding to a halt should the unexpected suddenly happen, keeping the business up and running and your data safe from harm.
Guillermo Lafuente is a security consultant at MWR InfoSecurity.