Security Basics mailing list archives

Re: Tele-Commuting Risks


From: rohnskii () gmail com
Date: 2 Jan 2009 23:56:39 -0000



Your questions hit on the big issues: unencrypted PII on the remote PC and transmitted to/from the server and remote 
device.  So deal with those issues first.  Off the top of my head (not a definitive list):  

1. Only allow remote communication via an (encrypted, naturally) VPN connection.  That takes care of the data in motion 
over the internet.

2. Upon connection, you should have a policy and mechanism to confirm the security policy compliance of the remote 
PC/laptop, i.e. corporate standard anti-malware (AV, AS, AR, firewall etc.) is
  a) properly installed
  b) active and running
  c) OS is patched up to current corporate standard
  d) installed software patched up to date
  e) signatures up to date
  f) force an anti-malware scan of remote PC Hard Drive
  g) force an anti-malware scan of any USB storage device, every time it is connected to remote PC/laptop

This would be done by having the corporate server check versions and push appropriate updates to the remote PC BEFORE 
allowing user access to the connection.  There will be something of a delay getting access, but sell that as a small 
price to pay for the advantages of doing telecommuting.

3. Protect the data "at rest" on the remote PC by encrypting all or part of the HD, OS and data files.

4. Require, and enforce use of userid/password signon to base PC & operating system.

5. Enforce corporate standard on password complexity.

6. Do NOT allow the remote user to sign on with administrator rights.

7. Discourage use of PC for "home" computing by the family, especially the children.  Or if you do allow "home 
computing" absolutely insist on separate "user" rights only userids for all of the family.

8. Consider a policy of allowing only company owned PCs for remote connections.  That allows you to insist on controlling 
the PC configuration, and limit/restrict use of the PC only for company work.  

There is software available to enforce this type of policy (i.e. AD, and some third party software).

9. Alternately, you may consider allowing employees to buy home computers (for family and work computing) at a 
corporate mass purchase discount price.  It gives the home user the benefit of a cheaper, and/or better quality PC than 
they would normally buy and gives you the benefit of enforcing corporate hardware configuration standards.  An 
additional benefit may be to allow the home PC to be brought in for corporate IT to service problems (on a time 
available basis).

10. Another alternate is to provide a corporate Virtual Machine image to run on home PC for remote connections.

11.  Configure the remote PC to allow internet access ONLY via the corporate connection.  That allows you to enforce 
corporate endpoint standards, i.e. firewall, proxy filtering etc.

12. Consider a policy of NOT allowing storage of corporate documents/data ON the remote PC/laptop.  All data is stored 
on the server and only downloaded via the VPN connection for use.  Part of this policy may also be to require that data 
stored "locally" outside of the corporate network be stored on a corporate approved, ENCRYPTED USB storage device.  By 
separating the remote data from the remote machine, it reduces the chance of both being stolen/lost at the same time.  
Of course that requires a policy insisting that the user keep the ENCRYPTED USB storage device stored separately from 
the remote PC, i.e. do NOT put the USB thumb drive in the laptop bag; put it in a pocket or separate briefcase.

Don't forget that for any PC/laptop (both inhouse corporate and remote access PC/laptop), (Windoze in particular, but 
not exclusively) if the "bad guy" has physical access to the machine there are many commonly available freeware tools 
that will allow cracking/reset of the (Windoze) default OS signon passwords.  That is why it is better to 
discourage/limit/prevent storage of corporate data on the remote PC.

13.  Evaluate cost/benefit of individually encrypting data files on remote storage, in addition to encrypting the 
storage device itself.

14.  Consider filtering and limiting remotely accessed data to that actually needed to perform the job.  Too often a 
full "record/row", including unused PII, is stored on an off-site device, even though the actual data that the user 
requires does not include any or all of the PII in that "record/row".  And even more often, data for customers that are 
not being worked on is downloaded to the remote device.  i.e. Does a remote "salesman" need hundreds of thousands of 
customers' data? Not likely.

15. Have a defined Incident Response Procedure for lost/stolen remote access and data storage devices.  That would 
include details like:
  a) clearly defined rules on what the employee has to do.  How soon the incident must be reported, and to whom (help 
desk, police etc.)
  b) clearly defined procedure for help desk/IT to follow
    i) Activate laptop "lo-jack" location software/device. 
    ii) Activate "self destruct" or data cleanup tool if one is in place. 
    iii) Deactivate remote access by the device to the corporate network, even if a current userid/password is used
    iv) Who further up the corporate "food chain" has to be notified.  
    v) Clearly define when police or other legal bodies need to be involved
    vi) and how soon the notification MUST take place.

i.e. loss of stored and unencrypted PII requires the full "5 alarm" Incident Response team to be activated, but loss of 
a laptop which you can clearly document from log data does not store any PII on the local HD, and/or whose local HD is 
properly encrypted, does not need as big a response.

    vii) what to do on recovery of the lost item


16.  Consider defining access policies based on location and type of remote connection. A wired connection to a remote 
desktop/laptop is more secure than a wireless one to a router at the same location.  And they are infinitely more 
secure than a wireless connection at an internet cafe or airport.  So you may want to grant more restricted access to 
data depending on the details of the connection, i.e. allow "full" access to remotely accessible data on a wired 
connection at home vs only corporate email access via a wireless connection at an airport/internet cafe.

17. Part of your telecommuting policy will have to include remote devices other than desktops and laptops.
    a.) devices like smart phones, PDAs, BlackBerries.  
    b.) are you going to define a corporate standard for allowed devices, or let "anything go" (not a good idea)?
    c.) insist on devices that support encrypted data storage
    d.) does the device support remote deactivation / data destruction (good idea)?

18. Investigate the cost/benefit of going to "2-factor" authentication for remote access, i.e. using a password and a 
token device for authentication.

19. Part of granting telecommute access should include awareness education for the user about the additional risks 
inherent in remote access.  They are less likely to try and circumvent remote access policies if they understand the 
additional exposure the company faces as a result of granting them the privilege of remotely accessing corporate data.




<snip>
Audit and Compliance issues related to Tele Commuting? 
</snip>

Sure there are audit and compliance issues.  But of course the specifics depend on the legislation/regulations 
applicable to your specific industry.  These days it would be "best practice" to consult with your auditors AND lawyers 
to find out the relevant issues BEFORE implementing a new telecommuting policy.  In general, the steps described above 
should cover most of the compliance issues.  

The audit issues will require documented policies, and documented proof that the policies are enforced, i.e. log data 
on the corporate server that proves that the configuration policy is enforced before a remote connection is allowed, 
and log data that documents what data/files were remotely accessed and/or downloaded for external storage (to the 
remote PC or USB device).  So, naturally, if you have the data logged, you will also need to be able to easily generate 
reports that are in auditor 'happy' format.  You can't rely on ad-hoc manual generation of required reports.

A few sources to look at:
http://articles.techrepublic.com.com/5100-10878_11-5295063.html - Ensure security best practice when deploying new 
technologies.  This short article provides the highlights you should consider when defining your new telecommute 
policy.  It also makes the point that your telecommute policy should be flexible enough to handle new 
devices/technology as they arise.

http://www.first.org/about/ - FIRST is the Forum of Incident Response and Security Teams.

http://www.first.org/resources/guides/ - within FIRST, "FIRST Best Practice Guide Library (BPGL)" is a good place to 
start.

http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax299928,00.html?track=NL-102&ad=545596&uid=4739563  - 
SEARCHSECURITY.COM has lots of good info; this is a search specifically for "Vulnerability Assessment"

http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1186841,00.html?track=NL-386&ad=551900 - Incident 
response made easy (and cheap)

http://www.pcworld.com/downloads/collection/collid,1354/files.html?tk=nl_bpxdwn - search at PCWorld online for 
encryption reviews

http://www.bitpipe.com/detail/RES/116535203_903.html - report comparing the effectiveness of IPSEC vs SSL VPN for 
remote connections

http://www.pcworld.com/businesscenter/article/129771/the_simple_way_to_keep_your_private_files_private.html - "The 
Simple Way to Keep Your Private Files Private"

http://searchsecurity.techtarget.com/whitepaperPage/0,293857,sid14_gci1189270,00.html?psrc=RSC&asrc=SS_RSC_Permeo - 
download a 2006 SSL VPN Buyers Guide by Blue Coat Systems

http://www.trustdigital.com/ - management of PDA's and smartphone 

http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1237894,00.html?track=NL-383&ad=576443&asrc=EM_NLT_890323&uid=4739563
 - Two-factor authentication best practices for SMBs

http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1208706,00.html?track=NL-102&ad=569761&asrc=EM_NLN_758759&uid=4739563
 - Creating a security awareness program

http://it.toolbox.com/blogs/adventuresinsecurity/protect-laptop-traffic-in-hotspots-and-hotels-part-1-26393 - 2 Part 
article on how to "Protect laptop traffic in hot-spots and hotels"

http://www.pcworld.com/businesscenter/article/141388-1/how_to_stop_laptop_theft.html - "How to Stop Laptop Theft"  good 
article focused mostly on laptops, but many of the concepts can be applied to home desktops (ie lock device to 
unmoveable point)

http://software.techrepublic.com.com/abstract.aspx?kw=blue+lock&docid=838257 - Blue Lock 1.91 (Windows).  I just came 
across this interesting utility.  Pairing it with a bluetooth enabled cell phone seems like a natural for a remote 
computing device.  I have no idea how good it actually is.

http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1331922,00.html?Offer=W2Sint823 - Step-by-step 
guide: Laptop hacking.  Interesting short read.  Summarizes many of the points I made above.

http://it.toolbox.com/blogs/adventuresinsecurity/portable-storage-device-security-8995 - Portable Storage Device 
Security 

http://csrc.nist.gov/publications/PubsFIPS.html - The NIST FIPS publications will provide you with lots of good 
reading.  (For those who don't understand "alphabet soup", NIST = (US) National Institute of Standards & Technology, 
and FIPS = (US) mandatory Federal Information Processing Standards.)  Even outside of the US federal service these 
standards documents often provide a good "best practices" starting point for your security exercises.

http://www.csoonline.com/article/print/472866 - Top 9 Network Security Threats in 2009.  Good general read on computer 
security threats.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1334813,00.html?track=NL-431&ad=665590&asrc=EM_NLT_4805719&uid=4739563
 - Recovering stolen laptops one step at a time

http://www.pcmag.com/print_article2/0,1217,a%253D164085,00.asp - Maximum Security: 94 Essential Tips for Staying Safe.  
It is a little dated, 1995, but for a shotgun approach (94 points) it still covers a lot of valid points.

http://www.sans.org/resources/policies/ - SANS Security Policy Project provides templates for many security policies.

http://www.privacyrights.org/ar/ChronDataBreaches.htm - Privacy Rights Clearing House Chronology of Data Breaches.  
Here is a really depressing summary of data leaks over almost the last 3 years.  If you are having a hard time selling 
security, here is the place to go to find examples of the "bad things" that can happen to a company (find examples from 
your specific industry!) if they don't do information security properly.

http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1246404,00.html?track=NL-475&ad=582851&asrc=EM_NLT_1132811&uid=4739563
 - Plan for a security breach, step by step

OK, this should be enough "food for thought" for a free consult.  I'll be interested to see what additional points 
others will add.

Have fun.  "Selling" information security is tough if senior management is not a willing "buyer".
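As an added worked example (not part of the original post, and not code from any product it mentions), here is the gate described in points 2, 16 and 18 above: a server-side check that refuses the VPN session until the client's posture report meets the corporate baseline, scopes what the session may reach by connection type, and writes the per-decision log line the audit paragraph asks for. The posture report fields, the policy thresholds (the OS build number, signature and scan ages), the access tiers and the resource names are all assumptions for illustration.

```python
"""Remote-access gateway policy check: endpoint posture + connection type + audit line.

Added example, not from the original post.  Models the gate in points 2, 16 and 18:
the gateway evaluates a posture report sent by the client agent, refuses the session
on any violation, and otherwise scopes the session by how the user is connected.
Report format, thresholds and tiers are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

# Corporate baseline the remote PC must meet before it is let on (assumed values).
POLICY = {
    "min_os_build": 7601,                     # the patch level IT has declared current (assumed)
    "max_signature_age": timedelta(days=2),   # anti-malware signatures must be this fresh
    "max_scan_age": timedelta(days=7),        # last forced full scan must be this recent
    "required_services": ("antivirus", "firewall"),
    "require_disk_encryption": True,          # point 3: data at rest
    "require_second_factor": True,            # point 18: password + token
}

# What each kind of connection may reach (point 16: wired at home vs. a public hotspot).
ACCESS_TIERS = {
    "wired_home":  {"email", "intranet", "file_server", "crm"},
    "wifi_home":   {"email", "intranet", "file_server"},
    "public_wifi": {"email"},
}


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # policy violations, empty when allowed
    resources: set = field(default_factory=set)   # what the session may reach


def check_posture(report: dict, now: datetime, policy: dict = POLICY) -> list:
    """Return the list of baseline violations in a client posture report (empty = compliant)."""
    problems = []
    if report.get("os_build", 0) < policy["min_os_build"]:
        problems.append("os_not_patched")
    for svc in policy["required_services"]:
        if report.get("services", {}).get(svc) != "running":
            problems.append(f"{svc}_not_running")
    if now - datetime.fromisoformat(report["signatures_updated"]) > policy["max_signature_age"]:
        problems.append("signatures_stale")
    if now - datetime.fromisoformat(report["last_full_scan"]) > policy["max_scan_age"]:
        problems.append("full_scan_overdue")
    if policy["require_disk_encryption"] and not report.get("disk_encrypted"):
        problems.append("disk_not_encrypted")
    if not report.get("admin_account_disabled"):   # point 6: no administrator sign-on remotely
        problems.append("user_has_admin_rights")
    return problems


def decide(report: dict, connection_type: str, second_factor_ok: bool,
           now: datetime, policy: dict = POLICY) -> Decision:
    """Grant or refuse the session; on grant, scope it to the connection's access tier."""
    d = Decision(allow=False)
    if policy["require_second_factor"] and not second_factor_ok:
        d.reasons.append("second_factor_failed")
    d.reasons.extend(check_posture(report, now, policy))
    if connection_type not in ACCESS_TIERS:
        d.reasons.append("unknown_connection_type")
    if d.reasons:
        return d                      # fail closed: any violation blocks access
    d.allow = True
    d.resources = set(ACCESS_TIERS[connection_type])
    return d


def audit_record(user: str, device_id: str, connection_type: str,
                 decision: Decision, now: datetime) -> str:
    """One JSON line per decision: the proof an auditor asks for that policy ran before access."""
    return json.dumps({
        "ts": now.isoformat(), "user": user, "device": device_id,
        "connection": connection_type, "allowed": decision.allow,
        "reasons": decision.reasons, "resources": sorted(decision.resources),
    }, sort_keys=True)


# Constructed posture reports, as a client agent might send them (not real data).
NOW = datetime(2009, 1, 2, 23, 56, tzinfo=timezone.utc)
COMPLIANT = {
    "os_build": 7601,
    "services": {"antivirus": "running", "firewall": "running"},
    "signatures_updated": "2009-01-02T06:00:00+00:00",
    "last_full_scan": "2008-12-30T02:00:00+00:00",
    "disk_encrypted": True, "admin_account_disabled": True,
}
# Same machine two weeks later: signatures stale and the AV service stopped.
STALE = dict(COMPLIANT, signatures_updated="2008-12-20T06:00:00+00:00",
             services={"antivirus": "stopped", "firewall": "running"})

if __name__ == "__main__":
    for user, rep, conn in [("alice", COMPLIANT, "wired_home"),
                            ("alice", COMPLIANT, "public_wifi"),
                            ("bob", STALE, "wired_home")]:
        print(audit_record(user, "LT-0042", conn, decide(rep, conn, True, NOW), NOW))
```

The check fails closed: every violation is collected rather than stopping at the first one, so the log line tells the help desk exactly what to push to the PC before the user is let on, and the same compliant machine gets email only from a hotspot but the full set from a wired home connection.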


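A second added example, again not from the original post, for point 14 and the audit paragraph: a server-side export filter that hands a remote user only the columns their role needs and only the customers assigned to them, and records what left the server so that a later lost-device investigation (point 15) can be triaged from the download log alone. The customer rows, the roles, the column sets and the device identifier are constructed for illustration.

```python
"""Least-privilege data export for remote users, with a download audit trail.

Added example, not from the original post.  Point 14: never ship the whole row;
project the columns the role needs and the rows the user owns.  Audit paragraph and
point 15: log who downloaded what, whether PII was in it, and a hash of the exact
content, so a lost-laptop incident can be graded from the log.  Sample data is made up.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Full customer rows as stored on the server (constructed sample data, not real people).
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "ssn": "000-00-0001", "dob": "1970-01-01",
     "phone": "555-0101", "balance": "120.00", "owner": "alice"},
    {"id": 2, "name": "B. Example", "ssn": "000-00-0002", "dob": "1980-02-02",
     "phone": "555-0102", "balance": "0.00", "owner": "bob"},
    {"id": 3, "name": "C. Example", "ssn": "000-00-0003", "dob": "1990-03-03",
     "phone": "555-0103", "balance": "75.50", "owner": "alice"},
]

# Columns whose loss unencrypted triggers the "5 alarm" response (assumed classification).
PII_COLUMNS = {"ssn", "dob"}

# Columns each role actually needs; nobody gets the whole row by default (assumed roles).
ROLE_COLUMNS = {
    "sales":       ["id", "name", "phone"],
    "collections": ["id", "name", "phone", "balance"],
    "compliance":  ["id", "name", "ssn", "dob"],
}

NOW = datetime(2009, 1, 2, 23, 56, tzinfo=timezone.utc)


def export_for(user: str, role: str, rows=CUSTOMERS, role_columns=ROLE_COLUMNS) -> list:
    """Rows assigned to `user`, reduced to the columns `role` is entitled to."""
    cols = role_columns[role]
    return [{c: r[c] for c in cols} for r in rows if r["owner"] == user]


def to_csv(rows: list) -> str:
    """Serialise the reduced rows exactly as they will be written to the remote device."""
    if not rows:
        return ""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def download_log_entry(user: str, role: str, device_id: str, rows: list, now: datetime) -> dict:
    """What the audit trail keeps per download: who, which device, how many rows, which
    columns, whether any PII column left the server, and a hash of the exact content."""
    cols = list(rows[0].keys()) if rows else []
    content = to_csv(rows).encode()
    return {
        "ts": now.isoformat(), "user": user, "role": role, "device": device_id,
        "rows": len(rows), "columns": cols,
        "contains_pii": bool(PII_COLUMNS & set(cols)),
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def incident_severity(entries: list) -> str:
    """Grade a lost device from its download history alone (point 15): any PII download
    means the full response; a device that only ever held non-PII columns gets the reduced one."""
    return "full" if any(e["contains_pii"] for e in entries) else "reduced"


if __name__ == "__main__":
    log = []
    for user, role in [("alice", "sales"), ("alice", "compliance"), ("carol", "sales")]:
        rows = export_for(user, role)
        log.append(download_log_entry(user, role, "LT-0042", rows, NOW))
        print(json.dumps(log[-1]))
    print("severity if LT-0042 is lost:", incident_severity(log))
```

Because the log records the content hash, an investigator can match a recovered file (or a backup of what was pushed) against the exact bytes that left the server, and the `contains_pii` flag is what decides between the full and the reduced response before anyone has to guess what was on the disk.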