Security Basics mailing list archives
Re: Tele-Commuting Risks
From: rohnskii () gmail com
Date: 2 Jan 2009 23:56:39 -0000
Your questions hit on the big issues: unencrypted PII on the remote PC and transmitted to/from the server and remote device. So deal with those issues first, off the top of my head (not a definitive list):

1. Only allow remote communication via a (encrypted, naturally) VPN connection. That takes care of the data in motion over the internet.

2. Upon connection, you should have a policy and mechanism to confirm the security policy compliance of the remote PC/laptop. ie corporate standard anti-malware (AV, AS, AR, firewall etc) is
   a) properly installed
   b) active and running
   c) OS is patched up to current corporate standard
   d) installed software patched up to date
   e) signatures up to date
   f) force an anti-malware scan of remote PC Hard Drive
   g) force an anti-malware scan of any USB storage device, every time it is connected to remote PC/laptop
   This would be done by having corporate server check versions and pushing appropriate updates to remote PC BEFORE allowing user access to the connection. There will be something of a delay getting access, but sell that as small price to pay for the advantages of doing telecommuting.

3. Protect the data "at rest" on the remote PC by encrypting all or part of the HD, OS and data files.

4. Require, and enforce use of userid/password signon to base PC & operating system.

5. Enforce corporate standard on password complexity.

6. Do NOT allow remote user to sign on with administrator rights.

7. Discourage use of PC for "home" computing by the family, especially the children. Or if you do allow "home computing" absolutely insist on separate "user" rights only userids for all of the family.

8. Consider a policy of allowing only company owned PC's for remote connections. That allows you to insist on control of the PC configuration, and limit/restrict use of PC only for company work. There is software available to enforce this type of policy (ie AD, and some third party software).

9. Alternately, you may consider allowing employees to buy home computers (for family and work computing) at a corporate mass purchase discount price. It gives home user benefit of cheaper, and/or better quality PC than they would normally buy and gives you the benefit of enforcing corporate hardware configuration standards. An additional benefit may be to allow the home PC to be brought in for corporate IT to service problems (on a time available basis).

10. Another alternate is to provide a corporate Virtual Machine image to run on home PC for remote connections.

11. Configure remote PC to allow internet access ONLY via corporate connection. That allows you to enforce corporate endpoint standards, ie firewall, proxy filtering etc.

12. Consider a policy of NOT allowing storage of corporate documents/data ON the remote PC/laptop. All data is stored on server and only downloaded via VPN connection for use. Part of this policy may also be to require that data stored "locally" outside of the corporate network be stored on a corporate approved, ENCRYPTED USB storage device. By separating the remote data from remote machine, it reduces chance of both being stolen/lost at same time. Of course that requires a policy insisting that the user keep the ENCRYPTED USB storage device stored separately from the remote PC. ie do NOT put the USB thumb drive in the laptop bag, put it in pocket or separate briefcase.

    Don't forget, that for any PC/laptop (both inhouse corporate and remote access pc/laptop), (Windoze in particular, but not exclusively) if the "bad guy" has physical access to the machine there are many commonly available freeware tools that will allow cracking/reset of the (Windoze) default OS signon passwords. That is why it is better to discourage/limit/prevent storage of corporate data on the remote PC.

13. Evaluate cost/benefit of individually encrypting data files on remote storage, in addition to encrypting the storage device itself.

14. Consider filtering and limiting remotely accessed data to that actually needed to perform the job. Too often a full "record/row", including unused PII is stored on an off-site device, even though the actual data that the user requires does not include any or all of the PII in that "record/row". And even more often, data for customers that are not being worked on is downloaded to remote device. ie Does a remote "salesman" need 100's of thousands of customer's data? Not likely.

15. Have defined Incident Response Procedure for Lost/Stolen remote access and data storage devices. That would include details like:
    a) clearly defined rules on what the employee has to do. How soon the incident must be reported, who to (help desk, police etc)
    b) clearly defined procedure for help desk/IT to follow
       i) Activate laptop "lo-jack" location software/device.
       ii) Activate "self destruct" or data cleanup tool if one is in place.
       iii) Deactivate remote access by the device to the corporate network, even if a current userid/password is used
       iv) Who further up the corporate "food chain" has to be notified.
       v) Clearly define when police or other legal bodies need to be involved
       vi) and how soon the notification MUST take place, ie loss of stored and unencrypted PII requires full "5 alarm" Incident response team to be activated, but loss of a laptop which you can clearly document from log data does not store any PII on the local HD, and/or the local HD is properly encrypted does not need as big a response
       vii) what to do on recovery of lost item

16. Consider defining access policies based on location and type of remote connection. A wired connection to remote desktop/laptop is more secure than a wireless one to a router at the same location. And they are infinitely more secure than a wireless connection at an internet cafe or airport. So you may want to grant more restricted access to data depending on the details of the connection.
ie allow "full" access to remote accessible data on a wired connection at home vs only corporate email access via wireless connection at airport/internet cafe.

17. Part of your telecommuting policy will have to include remote devices other than desktops and laptops.
    a.) devices like smart phones, PDA's, BlackBerries.
    b.) are you going to define a corporate standard for allowed devices, or let "anything go" (not a good idea).
    c.) insist on devices that support encrypted data storage
    d.) does the device support remote deactivation / data destruction (good idea)

18. Investigate the cost/benefit of going to "2-factor" authentication for remote access, ie using a password and token device for authentication.

19. Part of granting telecommute access should include awareness education of the user of the additional risks inherent in remote access. They are less likely to try and circumvent remote access policies if they understand the additional exposure the company faces as a result of granting them the privilege of remotely accessing corporate data.

<snip> Audit and Compliance issues related to Tele Commuting? </snip>

Sure there are audit and compliance issues. But of course the specifics depend on legislation/regulations applicable to your specific industry. These days it would be "best practice" to consult with your auditors AND lawyers to find out the relevant issues BEFORE implementing a new telecommuting policy.

In general, the steps described above should cover most of the compliance issues. The audit issues will require documented policies, and documented proof that the policies are enforced. IE log data on corporate server that proves that configuration policy is enforced before remote connection is allowed. And log data that documents what data/files were remotely accessed and/or downloaded for external storage (to remote PC or USB device).

So, naturally if you have the data logged, you will also need to be able to easily generate reports that are in auditor 'happy' format.
You can't rely on ad-hoc manual generation of required reports.

A few sources to look at:

http://articles.techrepublic.com.com/5100-10878_11-5295063.html - Ensure security best practice when deploying new technologies. This short article provides the highlights you should consider when defining your new telecommute policy. It also makes the point that your telecommute policy should be flexible enough to handle new devices/technology as they arise.

http://www.first.org/about/ - FIRST is the Forum of Incident Response and Security Teams.

http://www.first.org/resources/guides/ - within FIRST, "FIRST Best Practice Guide Library (BPGL)" is a good place to start.

http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax299928,00.html?track=NL-102&ad=545596&uid=4739563 - SEARCHSECURITY.COM has lots of good info, this is a search specifically for "Vulnerability Assessment"

http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1186841,00.html?track=NL-386&ad=551900 - Incident response made easy (and cheap)

http://www.pcworld.com/downloads/collection/collid,1354/files.html?tk=nl_bpxdwn - search at PCWorld online for encryption reviews

http://www.bitpipe.com/detail/RES/116535203_903.html - report comparing effectiveness of IPSEC vs SSL VPN for remote connections

http://www.pcworld.com/businesscenter/article/129771/the_simple_way_to_keep_your_private_files_private.html

http://searchsecurity.techtarget.com/whitepaperPage/0,293857,sid14_gci1189270,00.html?psrc=RSC&asrc=SS_RSC_Permeo - download a 2006 SSL VPN Buyers Guide by Blue Coat Systems

http://www.trustdigital.com/ - management of PDA's and smartphones

http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1237894,00.html?track=NL-383&ad=576443&asrc=EM_NLT_890323&uid=4739563 - Two-factor authentication best practices for SMBs
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1208706,00.html?track=NL-102&ad=569761&asrc=EM_NLN_758759&uid=4739563 - Creating a security awareness program

http://it.toolbox.com/blogs/adventuresinsecurity/protect-laptop-traffic-in-hotspots-and-hotels-part-1-26393 - 2 Part article on how to "Protect laptop traffic in hot-spots and hotels"

http://www.pcworld.com/businesscenter/article/141388-1/how_to_stop_laptop_theft.html - "How to Stop Laptop Theft" good article focused mostly on laptops, but many of the concepts can be applied to home desktops (ie lock device to unmovable point)

http://software.techrepublic.com.com/abstract.aspx?kw=blue+lock&docid=838257 - Blue Lock 1.91 (Windows). I just came across this interesting utility. Pairing it with a bluetooth enabled cell phone seems like a natural for a remote computing device. I have no idea how good it actually is.

http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1331922,00.html?Offer=W2Sint823 - Step-by-step guide: Laptop hacking. Interesting short read. Summarizes many of the points I made above.

http://it.toolbox.com/blogs/adventuresinsecurity/portable-storage-device-security-8995 - Portable Storage Device Security

http://csrc.nist.gov/publications/PubsFIPS.html - The NIST FIPS publications will provide you with lots of good reading. (For those who don't understand "alphabet soup", NIST = (US) National Institute of Standards & Technology, and FIPS = (US) mandatory Federal Information Processing Standards. Even outside of the US federal service these standards documents often provide a good "best practices" starting point for your security exercises.)

http://www.csoonline.com/article/print/472866 - Top 9 Network Security Threats in 2009. Good general read on computer security threats.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1334813,00.html?track=NL-431&ad=665590&asrc=EM_NLT_4805719&uid=4739563 - Recovering stolen laptops one step at a time

http://www.pcmag.com/print_article2/0,1217,a%253D164085,00.asp - Maximum Security: 94 Essential Tips for Staying Safe. It is a little dated, 1995, but for a shotgun approach (94 points) it still covers a lot of valid points.

http://www.sans.org/resources/policies/ - SANS Security Policy Project provides templates for many security policies.

http://www.privacyrights.org/ar/ChronDataBreaches.htm - Privacy Rights Clearing House Chronology of Data Breaches. Here is a really depressing summary of data leaks over almost the last 3 years. If you are having a hard time selling security, here is the place to go to find examples of the "bad things" that can happen to a company (find examples from your specific industry!) if they don't do information security properly.

http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1246404,00.html?track=NL-475&ad=582851&asrc=EM_NLT_1132811&uid=4739563 - Plan for a security breach, step by step

OK, this should be enough "food for thought" for a free consult. I'll be interested to see what additional points others will add.

Have fun. "Selling" information security is tough if senior management is not a willing "buyer".
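
Added example, not part of the original post: a sketch of the pre-connection compliance gate from item 2 (checks a to e), combined with the connection-based access tiers from item 16 and the audit record the compliance paragraph asks for. The field names, baseline values, tier names and sample reports are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Hypothetical corporate baseline; all values are constructed for illustration.
BASELINE = {"os_patch_level": 42, "max_signature_age_days": 1}
# Item 16: access tier by connection type (tier names are assumptions).
TIER_BY_CONNECTION = {"home_wired": "full", "home_wireless": "restricted",
                      "public_wireless": "email_only"}

def evaluate_posture(report):
    """Return failed checks from item 2 (a-e); a missing field counts as a failure."""
    failures = []
    if not report.get("antimalware_installed"):
        failures.append("a: anti-malware not installed")
    if not report.get("antimalware_running"):
        failures.append("b: anti-malware not running")
    if report.get("os_patch_level", 0) < BASELINE["os_patch_level"]:
        failures.append("c: OS below corporate patch level")
    unpatched = report.get("unpatched_software", ["unknown"])
    if unpatched:
        failures.append("d: unpatched software: " + ", ".join(sorted(unpatched)))
    if report.get("signature_age_days", 999) > BASELINE["max_signature_age_days"]:
        failures.append("e: signatures out of date")
    return failures

def admit(report, now=None):
    """Decide access before the session is opened; return the audit record."""
    failures = evaluate_posture(report)
    # Unknown connection types are denied outright.
    tier = TIER_BY_CONNECTION.get(report.get("connection"), "deny")
    if failures and tier != "deny":
        tier = "quarantine"  # remediation only: push updates, then re-check
    return {"time": (now or datetime.now(timezone.utc)).isoformat(),
            "user": report.get("user"), "device": report.get("device"),
            "connection": report.get("connection"),
            "decision": tier, "failed_checks": failures}

# Constructed sample reports, as a posture agent might submit them.
COMPLIANT = {"user": "alice", "device": "LT-001", "connection": "home_wired",
             "antimalware_installed": True, "antimalware_running": True,
             "os_patch_level": 42, "unpatched_software": [],
             "signature_age_days": 0}
STALE = dict(COMPLIANT, user="bob", device="LT-002",
             connection="public_wireless", signature_age_days=9)

if __name__ == "__main__":
    for sample in (COMPLIANT, STALE, {}):
        print(json.dumps(admit(sample)))  # one JSON line per decision, for the audit log
```

Each decision is emitted as one JSON line, so the same records that gate access can be fed straight into scheduled audit reports.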