Large and small businesses alike are moving at a rapid pace toward a remote workforce. In many cases, it just makes good business sense. You can have staff around the country, or around the world for that matter, and not be limited to the talent pool in your geographic area. Technology lets us work from just about anywhere, anytime. While this can be highly effective and desirable in many cases, it doesn’t come without significant risks.
Alan Wlasuk joined us back in August to talk about his business. Alan is the CEO of 403 Web Security, a full service, secure web application development company. He recently contacted me with these 7 tips he wanted to share with all of you. If you have any questions or comments, please share them in the comments section below.
1. Monitor internal system access – I continue to be amazed at the number of larger, security-sophisticated companies that find out about their security breaches well after the breach has occurred. We also frequently hear about hackers that keep coming back to a breached web application without the company ever knowing it has a problem. While I would strongly suggest monitoring all company website traffic to catch the standard garden-variety hack, I believe it is far more important (and a lot easier) to specifically track the use of internal systems by remote employees. Remote employees follow strict access protocols which identify the employee the moment they enter your systems. System logs should not only identify which employees are using which systems, but also where the employee has gone in the system and what they have seen or done. These logs should make unusual or unexpected remote user access stand out, since that may indicate a problem. And this should go without saying: you will need to actually monitor these logs.
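The kind of log review this tip describes, as an added example that is not part of the original post: it parses a few constructed remote-access log lines (the line format, the per-user baseline of expected systems and source addresses, and the business-hours window are all assumptions made for the example, not anything from 403 Web Security) and reports the entries that deviate from each user's baseline.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines for the example; the format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:41Z user=alice src=198.51.100.23 system=crm action=view
2024-03-04T09:40:05Z user=alice src=198.51.100.23 system=crm action=export
2024-03-04T10:02:17Z user=bob src=203.0.113.8 system=wiki action=view
2024-03-04T23:55:02Z user=alice src=192.0.2.77 system=payroll action=view
2024-03-05T03:14:09Z user=bob src=203.0.113.8 system=finance action=download
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"system=(?P<system>\S+) action=(?P<action>\S+)$"
)

# Per-user baseline: which internal systems the remote user normally touches and
# which source addresses they have used before. Constructed for the example.
BASELINE = {
    "alice": {"systems": {"crm"}, "sources": {"198.51.100.23"}},
    "bob": {"systems": {"wiki"}, "sources": {"203.0.113.8"}},
}

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 UTC (assumed working window)
SENSITIVE_ACTIONS = {"export", "download"}


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def assess(rec, baseline):
    """Return the list of reasons this access looks unusual (empty if it is normal)."""
    reasons = []
    profile = baseline.get(rec["user"])
    if profile is None:
        reasons.append("user has no remote-access baseline")
    else:
        if rec["system"] not in profile["systems"]:
            reasons.append(f"unexpected system {rec['system']}")
        if rec["src"] not in profile["sources"]:
            reasons.append(f"new source address {rec['src']}")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    # A bulk export/download is only worth a finding when something else is off too.
    if rec["action"] in SENSITIVE_ACTIONS and reasons:
        reasons.append(f"sensitive action {rec['action']} alongside the above")
    return reasons


def find_unusual_access(log_text, baseline=BASELINE):
    """Scan a log and return (user, system, reasons) for every anomalous entry."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        reasons = assess(rec, baseline)
        if reasons:
            findings.append((rec["user"], rec["system"], reasons))
    return findings


if __name__ == "__main__":
    for user, system, reasons in find_unusual_access(SAMPLE_LOG):
        print(f"{user} -> {system}: {'; '.join(reasons)}")
```

Run against the sample, only the late-night payroll access from an unfamiliar address and the early-morning finance download are reported; the ordinary daytime CRM export from a known address is not, which is the point of keeping a baseline instead of alerting on every sensitive action.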
2. Secure all of your attack surfaces – Many companies view security implementation as expensive and, unfortunately, cut corners whenever possible. This often results in a separation of web applications into externally and internally facing, where only externally facing web applications are developed and tested for security. While cutting security implementation is never a good idea, it did have its place in an IT environment where internally facing systems were traditionally protected by locked doors, firewalls and access only from internal IP addresses – the domain of trusted users. Unfortunately, this cost-cutting concept breaks down with the addition of remote users, some of whom will appear to be within the physical walls of the company (VPN based), and so may be perceived by existing IT systems as trusted, internal users. This presents the problem where a compromise of a remote user’s credential will allow a malicious hacker into unprotected company systems – the proverbial fox in the hen house. Companies introducing remote users need to rethink those older, intentionally insecure systems in light of the fact that the brick walls that used to surround them are no longer sufficient.
3. Limit information access on a need-to-know basis – While the ‘need to know’ rule is important throughout any IT environment, it is even more important when supporting remote users. Consider it a fact that at least one of your remote users will have their access privileges compromised. Then ask yourself, given this future problem, what do your remote users really need to see or use within your IT systems? Companies often grant broad access privileges to all users because it is far easier to go broad than it is to figure out operationally acceptable minimal privileges. I strongly suggest taking the time to minimize privilege grants (for local as well as remote users). It will make the eventual access compromise far easier to live with.
4. Require strict password policies and implementation – We’ve all heard the ineffective password horror stories — the shortened version of the dog’s name that has been in place for years. Yes, 12-character, randomly created passwords are a pain in the butt, particularly when they expire every three months. But when you consider the availability of brute-force password cracking tools, you might want to think about their effect on your minimal, easily guessed passwords. I like to think of this as a tradeoff between painfully strict password policies and the chance to work from home in your PJ’s – the PJ’s always win. And while we’re talking passwords, make sure your password implementation locks a user out after only a few failed attempts (to avoid brute-force attacks) and reports excessive login failures.
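The two mechanical parts of this tip, a minimum-strength check on new passwords and a lockout after a few consecutive failures that also raises a report, as an added example that is not from the original post. The thresholds (12 characters, 3 failures, a 15-minute lockout), the constructed user table and the hypothetical `LoginGuard` class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string
import time

MIN_LENGTH = 12            # tip 4's "12 character" floor
MAX_FAILURES = 3           # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration
PBKDF2_ROUNDS = 50_000


def password_meets_policy(pw: str) -> bool:
    """Length floor plus at least three of four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(classes) >= 3


def generate_password(length: int = 16) -> str:
    """Randomly created password from the OS CSPRNG, re-drawn until it passes policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_policy(pw):
            return pw


def make_record(password: str) -> dict:
    """Store only a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed demo user table; the password is fixed here only so the example runs.
DEMO_PASSWORD = "correct-horse-Battery-9"
USERS = {"alice": make_record(DEMO_PASSWORD)}


def check_credentials(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Hash even for unknown users so timing does not reveal which names exist.
    salt = rec["salt"] if rec else b"\x00" * 16
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return rec is not None and hmac.compare_digest(digest, rec["hash"])


class LoginGuard:
    """Counts consecutive failures per account, locks it out and records an alert."""

    def __init__(self, verifier=check_credentials, clock=time.monotonic):
        self.verifier = verifier
        self.clock = clock               # injectable so the lockout can be tested
        self.failures = {}               # user -> consecutive failed attempts
        self.locked_until = {}           # user -> monotonic time the lock expires
        self.alerts = []                 # what "reports excessive login failures" feeds

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"              # do not even evaluate the password
        if self.verifier(user, password):
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            self.alerts.append(f"account {user} locked after {n} failed logins")
            return "locked"
        return "denied"
```

Locking the account stops an online brute-force attempt after three guesses; the alert list is the hook for whatever reporting the company uses, so that a run of failures against a remote user's account is seen by someone rather than silently absorbed.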
5. Require SSL Encryption – This is the remote security access version of ‘look both ways before you cross the street’. Encryption is relatively free (the cost of the SSL certificate), easy to implement and will keep your data away from hackers. When in doubt, encrypt. You never know what that Starbucks data sniffer may do with data that you think is harmless – it is best not to find out.
6. Implement Two-Factor Authentication – You have probably seen the security tokens that higher-end systems use. These hardware devices (e.g., SecurIDs from RSA) provide an additional level of security where the remote user must enter a user-supplied PIN as well as an unguessable six-digit code (changed every 60 seconds) taken from the display on the device. A hacker would be required to know the PIN as well as hold the device itself in order to compromise the system. This is possible, but a lot less likely than just scamming a login name and password. While a two-factor authentication system implementation is expensive (cost of devices and fees to RSA), it has been considered hack-proof for many years and is in widespread use by governments and companies where security is absolutely essential. When your remote users must access company-critical systems with uncompromised security, two-factor authentication systems should be considered.
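How a server checks the "PIN plus six-digit code that changes every 60 seconds" described above, as an added example that is not from the original post. RSA SecurID uses its own proprietary algorithm; this example instead uses the open HOTP/TOTP scheme (RFC 4226 / RFC 6238) with a 60-second step to show the same shape: a secret seed shared with the device, a code derived from the current time, a hashed PIN, a small clock-skew window, and a replay guard so an already-used code is not accepted twice. The `TokenVerifier` class, the demo seed and the PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(seed, int(at_time) // step, digits)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class TokenVerifier:
    """Server-side check of PIN (something you know) + device code (something you have)."""

    def __init__(self, seed: bytes, pin: str, step: int = 60, digits: int = 6, window: int = 1):
        self.seed = seed                 # shared with the user's token at enrollment
        self.step = step
        self.digits = digits
        self.window = window             # accept +/- this many steps of clock drift
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = _hash_pin(pin, self.pin_salt)
        self.last_counter = -1           # highest counter already accepted (replay guard)

    def verify(self, pin: str, code: str, at_time: int) -> bool:
        # Evaluate both factors before deciding, so a failure does not reveal which was wrong.
        pin_ok = hmac.compare_digest(_hash_pin(pin, self.pin_salt), self.pin_hash)
        counter = int(at_time) // self.step
        matched = None
        for d in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.seed, counter + d, self.digits), code):
                matched = counter + d
                break
        # Reject if the PIN is wrong, no code in the window matched, or the matched
        # step was already used (a captured code must not work a second time).
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    import time
    seed = secrets.token_bytes(20)       # what enrollment would load into the device
    verifier = TokenVerifier(seed, pin="4821")
    now = int(time.time())
    print("device shows:", totp(seed, now))
    print("accepted:", verifier.verify("4821", totp(seed, now), now))
    print("replayed: ", verifier.verify("4821", totp(seed, now), now))
```

The window of one step either side covers a token whose clock has drifted slightly; the `last_counter` guard is what keeps that tolerance from turning an intercepted code into a second login, which is the attacker outcome the tip contrasts with "scamming a login name and password".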
7. Make use of VPNs – At the heart of any security-oriented remote access conversation is the use of Virtual Private Networks (VPNs). Conceptually, a VPN connection allows a remote user to access internal IT systems as if he were directly on the internal IT network. This is good since it allows users to work remotely without modifying the existing IT systems. The bad news is that the same IT systems that were depending on the physical environment (i.e., walls, locks, limited IP addresses) may believe the hacker, pretending to be a remote user, is within the trusted company walls. There are many good reasons for the widespread use of VPNs throughout companies of all sizes, but don’t be fooled into thinking they come without added security risks.