A chain is only as strong as its weakest link. It’s a well-worn cliché, but it’s an important one to bear in mind when you’re thinking about the security of your corporate network, because if there is a single weak point on the network’s perimeter defenses, that is the place from which attackers will choose to launch their attack.
Network administrators put a great deal of effort and resources into securing the network with firewalls, virus scanners and many other measures, while data centers are turned into fortresses and networked PCs in corporate offices are guarded by 24-hour security systems.
In today’s IP-connected world, however, no network is an island. So how do you account for teleworkers when planning your network security? An estimated 30 million Americans — some 20 percent of the work force — work from home at least one day a week, and that number is likely to increase steadily as broadband Internet connections become ubiquitous in the home and wireless access for mobile workers becomes cheaper and simpler. Yet the security measures in place at most corporate premises are frequently undermined because they are not mirrored in teleworkers’ homes and cars.
The Weakest Link Begins at Home
The fact is that teleworking can open a huge hole in a corporation’s security fence: teleworkers frequently represent the weakest link. “Unfortunately, it seems that the security measures taken by teleworkers always lag behind the measures in place in organizations’ offices, so teleworkers are bound to be the Achilles heel,” says Mark Lillycrop, chief analyst and security expert at UK-based research house Arcati.
Security Checklist for Teleworkers
Anti-virus application is installed and is configured to do the following:
Spyware Removal Tools
Install and run a spyware removal tool to identify and eliminate (as appropriate) spyware. On a monthly basis, update and run spyware removal tool, again eliminate discovered spyware if appropriate.
A firewall is an application that is employed to monitor and limit dangerous packets from entering a network, providing the capability to:
Ensure that appropriate encryption software is being used.
Securing the Operating System
Securing Wireless Networks
Online Security Assessment
Ensure that an online security assessment has scanned the current configuration (including the firewall) and that all major vulnerabilities identified by the assessment have been corrected and confirmed by a rescan.
Securing Web Browsers
Browser(s) configured to limit or disable plug-ins.
Source: U.S. Commerce Department
The good news according to Lillycrop is that this need not be the case: It is possible to make teleworking acceptably secure, so that the risks it presents are balanced by the advantages. To see what special measures need to be taken it’s first necessary to understand why teleworkers are such a risk.
Viruses and Trojans and Worms … Oh, My
The most significant threat comes from teleworkers inadvertently introducing viruses, Trojans and worms (including the worms that turn infected machines into agents for distributed denial of service, or DDoS, attacks) onto the network. Although office workers can also infect the network, there are several reasons why teleworkers are far more likely than their office-bound counterparts to be the cause of such problems.
In the office environment, desktops are closely managed — often centrally — to ensure virus scanners are kept running and up-to-date. E-mail may also be scanned for viruses before entering the corporate network, and measures may also be in place to bar users from high-risk activities like chat, peer-to-peer (P2P) networks and browsing high-risk Web sites.
With teleworkers the situation is very different. A teleworker’s PC will almost certainly differ in specification and installed software from the corporation’s standard desktop PC, and it may not be able to run some security applications that are installed on corporate PCs. Teleworkers may uninstall their virus scanner or replace it with another, less-effective one, and while corporate inventory management software or even company rules can help ensure this does not happen to machines permanently connected to the corporate network, it is far harder to enforce on teleworkers’ machines.
Even if a virus scanner is installed on a teleworker’s PC, the fact that it is remote makes it far harder to ensure that virus signature files are kept current. Unreliable or slow home Internet connections mean that users are often tempted to delay updating their virus definitions — until they have time to spare or until they next come in to work.
Your corporate network is probably protected by a hardware firewall, but it’s unlikely that teleworkers will have anything stronger than a software firewall to protect themselves. Again, there is the risk that a software firewall will be disabled or uninstalled on a remote computer, especially if the computer itself belongs to the teleworker rather than the company.
And even if teleworkers don’t disable virus software or download programs from untrustworthy sites, this does not necessarily hold true for other family members who may have access to the teleworker’s computer or to other computers connected to it on a home LAN sharing the same Internet connection. Those other machines are invisible to the corporate network and its monitoring, yet they sit on the same LAN as the teleworking PC and can reach it directly, adding yet another vulnerability.
Mobile Can Mean Trouble
Salespeople and other so-called “road-warriors” bring another type of vulnerability — the risk of losing a laptop or having it stolen from a hotel room or the trunk of a car. Not only may the laptop contain confidential or valuable corporate data, but it may also provide a simple way for a hacker to gain access to the corporate network and plunder more data. Surprisingly few road warriors have any strong password protection on their laptops because of the inconvenience, and fewer still have any biometric protection. “Laptops should be regarded as gateways into corporate networks, yet they are routinely left in cars and often there are no security measures on them at all,” Lillycrop said.
Wireless 802.11b or 802.11g access points available at Internet cafés, hotels and fast food outlets, or wireless home networks, are also a security risk. Many teleworkers may configure their systems to take advantage of wireless access without understanding what encryption is required to prevent others from eavesdropping on their sessions, or from using an unprotected session as a stepping stone into the corporate network.
So what can the network administrator do to reduce the risks posed by teleworkers to acceptable levels?
Use standard equipment and configurations:
Issue employees company hardware — either desktop machines for their homes or laptop devices for the road. There are two reasons for this: It’s much easier to monitor and manage computers if they are all of a standard type with a standard operating system, and it’s also easier to insist that employees run certain software and not others if the hardware actually belongs to the organization.
Insist on company specified antivirus, firewall and remote management products:
Regardless of who owns the computer, you should insist on the right to specify anti-virus and firewall software that must be installed, running and kept up to date at all times. Better still, inexpensive hardware firewalls are now available that are almost certainly more secure than software-based firewalls, because they sit outside the PC and cannot be switched off by the user or by malware that has already compromised the host. These should be used in conjunction with access-management software that blocks any user from logging in to the network remotely if the specified products are not up and running on the remote machine.
Prohibit certain activities:
There is a high risk that users of P2P networks, adult sites and Internet chat services can inadvertently download hostile applications. Teleworkers should not be permitted to use these applications or visit these sites on computers used for teleworking, or any computers connected to them.
Protect laptops and stored data:
All laptops should require the entry of a BIOS password for startup, and at the very least have the facility to encrypt sensitive data. Bear in mind that a BIOS password only stops the machine from booting; it does nothing to protect a hard drive that is removed and read in another computer, so the encryption is what actually protects the data. Since desktop PCs left in an employee’s home could also be stolen, any corporate data stored on them should also be encrypted. Providing teleworkers with removable storage devices that can be secured separately can increase security significantly.
Prohibit casual wireless usage:
As far as wireless access is concerned, insist (if you decide to permit it at all) that wireless access is allowed only if the laptop or other portable device has been configured by your own IT staff with the strongest link-layer encryption the equipment supports and with an additional encryption layer, such as a VPN tunnel, on top. The 128-bit WEP encryption offered by 802.11b/g equipment is cryptographically broken and its key can be recovered by an eavesdropper in minutes, so it must not be relied on by itself: the additional layer is the protection that counts, and WPA2 should be used in place of WEP wherever the hardware supports it.
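The access-management check described in the measures above (refuse a remote login unless the specified products are up and running) is worth seeing in code, since it is what turns the stale-signature, disabled-firewall, unencrypted-disk and prohibited-software problems into something the gateway can enforce rather than hope for. The following Python script is an added illustration and is not code from the original article or from any product it mentions. It evaluates an endpoint report against a policy and collects every reason for refusal, so the teleworker is told everything that must be fixed rather than only the first failure. The report format, product names, process names, thresholds and the two sample reports are all hypothetical; a real agent would gather these facts from the operating system and the gateway would act on the decision.

```python
"""Posture check a remote-access gateway could run before admitting a teleworker.

Illustrative example only: the report fields, product names, process names
and thresholds are hypothetical and stand in for whatever a real endpoint
agent would collect.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy values (not from the article).
APPROVED_ANTIVIRUS = {"CorpAV"}
APPROVED_FIREWALLS = {"CorpFW", "HomeGatewayFW"}   # software or hardware product
MAX_SIGNATURE_AGE = timedelta(days=3)
PROHIBITED_PROCESSES = {"p2pclient.exe", "chatclient.exe"}  # hypothetical P2P/chat names

# Fixed clock so the example is deterministic; a real gateway uses the current time.
CHECK_TIME = datetime(2004, 3, 10, 9, 0, tzinfo=timezone.utc)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # every failed check, not just the first


def _parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; treat a missing offset as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def evaluate_posture(report: dict, now: datetime = CHECK_TIME) -> Decision:
    """Apply the policy to one endpoint report and collect every reason for denial."""
    reasons = []

    av = report.get("antivirus") or {}
    if av.get("product") not in APPROVED_ANTIVIRUS:
        reasons.append("antivirus is not the company-specified product")
    if not av.get("running"):
        reasons.append("antivirus service is not running")
    sig = av.get("signature_date")
    if sig is None:
        reasons.append("antivirus reported no signature date")
    else:
        age = now - _parse_timestamp(sig)
        if age > MAX_SIGNATURE_AGE:
            reasons.append(f"virus signatures are {age.days} days old "
                           f"(limit {MAX_SIGNATURE_AGE.days})")

    fw = report.get("firewall") or {}
    if fw.get("product") not in APPROVED_FIREWALLS:
        reasons.append("firewall is not an approved product")
    elif not fw.get("enabled"):
        reasons.append("approved firewall is installed but disabled")

    if not report.get("disk_encrypted"):
        reasons.append("data volume is not encrypted")

    # Case-insensitive match so "P2PClient.exe" is caught as well.
    running = {p.lower() for p in report.get("running_processes", [])}
    found = sorted(running & PROHIBITED_PROCESSES)
    if found:
        reasons.append("prohibited software running: " + ", ".join(found))

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample reports (not real machines).
COMPLIANT_LAPTOP = {
    "antivirus": {"product": "CorpAV", "running": True,
                  "signature_date": "2004-03-09T06:00:00+00:00"},
    "firewall": {"product": "CorpFW", "enabled": True},
    "disk_encrypted": True,
    "running_processes": ["mailclient.exe", "vpnclient.exe"],
}

HOME_PC = {
    "antivirus": {"product": "FreeAVLite", "running": True,
                  "signature_date": "2004-02-10T06:00:00+00:00"},
    "firewall": {"product": "CorpFW", "enabled": False},
    "disk_encrypted": False,
    "running_processes": ["browser.exe", "P2PClient.exe"],
}

if __name__ == "__main__":
    for name, report in (("compliant laptop", COMPLIANT_LAPTOP), ("home PC", HOME_PC)):
        decision = evaluate_posture(report)
        print(f"{name}: {'ALLOW' if decision.allowed else 'DENY'}")
        for reason in decision.reasons:
            print("  -", reason)
```

The compliant laptop is admitted; the home PC is refused with five separate reasons (unapproved antivirus, signatures 29 days old, approved firewall disabled, unencrypted disk, a P2P client running). Two design points matter in practice: the check must run on every connection, not just at enrolment, since the article’s whole concern is that remote machines drift out of compliance; and the gateway should trust only a report that the agent has authenticated, because a user who can forge the report can simply claim to be compliant.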
These measures are designed to reduce the risks to corporate networks introduced by teleworking, but they are effective only if they are adhered to. This means that allowing employees to telework is a serious decision — for your organization and for the individual concerned. Anyone who needs to telework must understand and agree to take all the security precautions specified, and he or she must take responsibility for any security breaches that occur as a result of a failure to do so.
“It must become unacceptable for people to sidestep security procedures in the same way as it is for employees to take cash from the till. It really is that serious. Employees need to be reminded of the disciplinary consequences if they are responsible for a security violation,” Lillycrop said.
Because no set of procedures can ever be comprehensive, teleworkers need to be made aware of the types of security risks that exist, so they don’t leave the network vulnerable by accident. “People see the potential to use the latest gadgets and technology and they get impatient with management caution, so they simply plug in their own devices without getting clearance from the IT department. This should be taken seriously. Employers need to provide education and ensure employees see the impact of their actions beyond their own productivity, in terms of corporate security.”