One thing the UK is famous for is its rain. However, the last few weeks have seen some regions deluged by record-breaking persistent and heavy rainfall with devastating consequences—with weather reporters warning that there’s more to come. For the rest of the country, the threat hasn’t passed, and that’s in addition to the reports claiming that—after a nice summer and higher than usual temperatures so far this autumn—we will have to brace ourselves for one of the coldest and longest winters in record. Then of course there’s the festive break with many workers connecting remotely while the office is closed.
So how can your business plan to avoid grinding to a halt—even if employees find themselves cut-off or the office inaccessible—all whilst keeping your data safe?
The answer could be to have adequate infrastructure in place that allows workers to securely work from home, while stranded anywhere sensible with an Internet connection.
So what technologies are there to help, and what are the security implications that need to be considered?
The classic solution to allow remote workers to connect to internal resources as if they were in the office is to use a VPN (Virtual Private Network). They provide good scalability at relatively low cost. However, when deploying VPNs there are a wide range of security implications that need to be considered. For example, even if a VPN is correctly configured and does not directly open any security holes into the corporate network, there still exists a difficult to control weak link: the end point. It is more than likely that employees will access websites or install software for their own personal use from devices located outside the corporate environment, and they will probably also connect to unsecured public Wi-Fi networks. If the end point is compromised, this can provide an attacker with a direct link into your internal network.
How to secure your VPN?
We have established that your main threat when using a VPN is going to come from end users. Therefore, your efforts should be focused on protecting the devices they will use to access the VPN.
Firstly, make sure you use the strongest possible authentication method. For example, in Windows networks, one of the strongest options would be EAP-TLS, although this requires you to securely provide remote workers with client certificates. Whatever the option you choose, make sure you don’t rely on simple username/password authentication—two-factor authentication is far more secure.
It is also important to disable split tunnelling, a technique used to allow users of a VPN to be connected to both a secure VPN and any unsecured network at the same time. This is especially dangerous in situations where users are connecting to a VPN from public networks, such as public Wi-Fi hotspots.
Some VPN servers will allow you to configure security measures that must be implemented on the user’s device before it is allowed to connect to the VPN. You should ensure that devices connecting through the VPN are compliant with the same security policy which is applied internally. If possible, you should at least check for OS and applications security patches, up to date antivirus definitions, and adequate firewall rules. It is also recommended that you monitor users connected through the VPN for suspicious activity and signs of infection.
A factor you may not have considered, yet is particularly common throughout the winter months, is your own employees causing a Denial of Service (DoS) of your VPN. In the event of heavy snow preventing lots of employees getting to the office, you may find that everyone turns to using the company VPN. As well as potentially putting strain on authentication mechanisms, bandwidth intensive activities such as video streaming may exhaust the VPN resulting in a slowdown for all users connected. Consider the potential impact and plan ahead.
Mobile Devices and laptops
Most businesses nowadays have the need to allow mobile phones, tablets, and other portable devices which can be connected to the corporate network to access services such as email. This always raises security concerns, but with employees working remotely this raises the potential for any of these devices to become compromised.
One of the biggest risks with portable devices is potentially losing or having them stolen. Without the correct procedures in place, a stolen device provides an easy way for an attacker to gain a foothold into a network. Therefore, it is very important that full disk encryption is used for all devices and that they are protected by adequately strong passwords. It is also important that some form of remote wipe technology is configured into the devices in order to have greater assurance that any data on the device will be protected.
In the case of mobile devices, such as smartphones and tablets, using an MDM (Mobile Device Management) will help in managing and establishing adequate corporate security policies. An MDM typically consists of a third party product that has management features for particular vendors of mobile devices such as Android, iOS or Windows Phone. The only problem with this is that, with every additional device vendor, comes an added complexity of managing via the MDM, and although most vendors offer security policies which can be enforced, they typically are incompatible with each other.
It is also important that portable devices, especially laptops, have security software such as antivirus installed. Additionally, further security products including anti-exploit software such as EMET (Enhanced Mitigation Experience Toolkit) may be used. Users are more likely to visit potentially malicious websites when using their laptop outside of the office, and so precautions should be taken. MWR InfoSecurity has commonly worked with clients affected by users which were infected with malware, such as ransomware, after an employee accidentally browsed to a malicious website while using a corporate laptop outside the office. If the infected laptop is then connected to the corporate network, you can find yourself with all your company files encrypted and an email demanding money if you want the key to recover your files.
Alternatively, you may wish to selectively expose applications and make them accessible via the cloud. This can be made easier by choosing a cloud provider, minimising the risk of exposing your DMZ or internal network to attackers. That way, you don’t expose your internal corporate network to attackers through a VPN.
However, you have to make sure you chose a provider with a proven security record and it’s also worth considering that by choosing a third party provider, you are entrusting them with your own information or data. If privacy is an issue, consider creating your own mini-cloud, with an extranet completely isolated from the rest of your network.
Using a cloud solution will likely provide a more reliable and faster connection, and may be less prone to performance or availability issues should large numbers of remote workers suddenly connect for whatever reason, such as bad weather.
Any applications hosted in the cloud should be properly security assessed beforehand, utilising TLS and preferably enforcing two factor authentication.
Remember that disk encryption only protects data while at rest; therefore, anyone able to gain access by compromising the authentication mechanism or leveraging a vulnerability in the application, will have full access to your data.
While adverse weather isn’t predictable, it is probably inevitable. Planning now could avoid your organization grinding to a halt should ‘the wrong type of snow’ fall.