IT managers are under increased pressure to provide broad remote-access capabilities. User communities range from
casual "day extenders," who only need access to their e-mail and the corporate Web portal from their family PC, to full-time telecommuters who use core applications and IP telephony. Because they depend upon remote access for all their work, companies usually don't have too much trouble justifying high-end solutions for the full-time telecommuter by providing them with a company-owned computer, firewall and 24x7 help desk access. But how can we effectively (and affordably) support the low-end needs of other users?
The upside of allowing users access from their own computers and network connections is attractive. Often, remote users don't even want a company laptop -- too much to lug around. Besides, the family system is likely faster (designed for the kids to blast alien spacecraft with). However, it's the downside that we need to consider.
Risks are proportionate to access provided
Users who have full network access to internal enterprise LANs can inflict much more damage than those who can only use webmail. So, the first step in your strategy for managing remote employees entails providing tiered access, appropriate to the needs of each user. Many companies can get by with two or three tiers, with webmail at the low end, file and Web application access in the middle, and full VPN connectivity at the top.
End user security education is essential for successful remote-access programs. It should play a prominent part in your ongoing security education program. You can use online programs on the company intranet. Make sure that you track completion and require periodic refresher training. Try awarding a gift certificate to someone selected from those who took the course to give users a positive incentive for completing their mandatory training. The curriculum should include information on the hazards of active content, including viruses, worms and spyware. Make the point that this instruction will help them protect their own data as well as that of the company. Also include information on password hygiene and what to do in the event that they suspect an incident might be in progress. Don't forget to include requirements for access to company information.
You have to know who someone is before you allow them access to any service, including webmail. Typically, we use user names and passwords to provide authentication, which are vulnerable to interception and compromise. Educating users about password hygiene and protecting passwords in transit with encryption used to be adequate, but with today's spyware and keystroke sniffers, two-factor authentication with hardware tokens is practically mandatory for all remote users, even those with low-end privileges.
If you choose to stay with usernames and passwords, make sure that you don't set yourself up for a denial-of-service attack. Do you use your internal domain authentication source for remote access and automatically lock out accounts after a certain number of failed login attempts? If manual intervention by an administrator is required to restore an automatically locked-out account, your systems are vulnerable. It's a simple matter for a disgruntled employee sitting at a cyber cafe to go down the company directory typing three bad passwords for every username on the list and lock out the whole company, internal as well as external. It's much better to use separate authentication sources for external services or to only lock out accounts for a short period of time. Even lockouts as short as five minutes will protect you from dictionary attacks.
FOR MORE INFORMATION ON THE TOPICS COVERED IN THIS COLUMN, VISIT THESE RESOURCES:
- Learn more about training your employees in this Security Planner column.
- Should you monitor your employees? Find out more about employee monitoring in this webcast.
- Get the latest developments on firewalls in this Featured Topic.
Appropriate access to internal resources is key. If you have an existing data inventory and authorization model, it will pay off. If not, you need to identify your information assets and how they are classified. The best SSL VPN and gateway products have rich access-control models, but they won't do you any good if you don't know which users should have access to which data and where the data is stored. If you haven't classified your data, this could provide the motivation to start.
Active content control
Viruses are the scourge of the decade and like all effective security programs, virus control should be layered, starting at the edge of the network. Of course every computer should have antivirus software installed and maintained. Here's another place where you can provide an incentive for good security practices: consider providing antivirus software to your end users for free or at a discount. You may not want to use the corporate edition that you deploy internally, since that would increase your support burden, but you can still provide the consumer editions to your day extenders. Of course you will want to ensure that users renew their subscriptions each year, so consider including the renewals in your program. Don't forget to protect the systems used by the full-time telecommuters as well.
Personal firewalls are very common in full VPN environments, and can be useful even for day extenders using webmail, because they can help block spyware back channels. You may elect to subsidize their use in a manner similar to that discussed for antivirus software.
Every time a browser loads a clear text Web page, a copy of the page is made in the browser's cache. Likewise, pathnames and other parameters can be captured by the browser's history feature. And end users often download e-mail messages and attachments, as well as files to which they might have access. Obviously this can be a serious problem. All is not lost, however. Browsers do not normally cache data downloaded over SSL connections. Further, some SSL VPN remote access products have special features to clean up after sloppy software and forgetful users. If the risk of information leakage is important for your company, you will want to investigate these features.
If you can't control, monitor
You won't necessarily have the resources to implement technical controls to compensate for every threat. That's the bottom line. However, you shouldn't give up. If you can't control, often you can monitor instead. Monitoring techniques can include network- and host-based intrusion detection, system auditing and log analysis -- powerful techniques for stopping problems in their tracks.
Your company can allow employees to use their home computers. It won't be free, and it likely won't encompass all the services that some users will want, but it can be done safely for many services.
About the author
Mark Mellis, ISACA/CISM, is a consultant with SystemExperts Corporation, specializing in network security.