Year: 2015

Categories
Compliance|Computer & Network Security|Information Security|Research

2015 Cyber Security Awareness Month

What is Cybersecurity?

According to US-CERT, “The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”

In other words, it is the people, processes and technology that manage or maintain the Integrity, Availability, and Confidentiality of the systems and data with which an organization functions.  Many times these roles are shared with IT which in turn can come with its own challenges.  Often times, IT is focuses solely on availability, or up-time and ease of use, and both confidentiality and integrity can be counterproductive to maintaining availability.

We want to help organizations become aware of ways they can protect this data and still maintain user effectiveness.  Why should organizations be concerned with cybersecurity?

Conclusion

Organizations today face an ever increasing risk of cybersecurity attack.  This can come in many forms from phishing, insider threats, zero-day attacks, DDoS, and malware.  The risks can be high and can include down-time, loss of revenue, litigation, fines and lost customer information.  Often times, organizations do not have the in-house expertise to address these threats.  The media and marketing also try convince everyone that more products will improve security, but this isn’t always true.  Security is a process and not a product.  We continue to advise and train our clients on top things to consider when securing an organization:

  1. Patch Management – Network devices, servers and workstations must stay update to date with patches, and not only OS patches, but also third party applications like Adobe and Java.
  2. Risk Assessments – How do you know what you are missing if you don’t look?  How do you know what to protect if you don’t know where it is?
  3. Data Classification – If all of the data is mixed together, how can you protect it?
  4. Network Monitoring and Testing – Understand your network.  Know where it is vulnerable, and check regularly.
  5. Data Encryption – If it’s encrypted, and it’s lost, it can’t be used.  This is also shown to decrease the cost per record in a breach.
  6. User Training – Users are accessing data every day and are the largest attack surface in an organization.  Security needs to be at the top of their minds too.
  7. Authentication – Password management is often the first line of defense for an organization.
  8. Separation of Duties – If your account isn’t allowed to do everything, then, if you are compromised, you can protect some things.
  9. Centralized Logging – If you aren’t storing logs and correlating them, you may be missing key indicators of compromise.
  10. Physical Security – What good is a high priced network infrastructure if someone can walk in the front door and plug into it?
  11. Auditing – Sometimes, it’s hard to see the forest for the trees.  Auditing can help you keep the trees in view and make sure you aren’t missing something.

Cyber-security: A Year In Review

What are the threats, by the numbers?

ISACA’s 2015 Global Cybersecurity Status Report asked over 3000 respondents questions about cyber security.  83% said cyberattacks are among the three largest threats to their organizations, and 46% expect a cyber attack to strike their organization in 2015.

Symantec’s Internet Security Threat Report for 2015 reported that the top 5 zero-day vulnerabilities in 2014 were actively exploited by attackers for a combined 295 days before patches were available.  In other words, patching and AV alone isn’t going to protect anyone from zero-day attacks.

Ransomware attacks grew 113% in 2014 along with 45 times more crypto-ransomware attacks.

IBM’s 2015 Cost of a Data Breach Study surveyed 350 companies in 11 countries.  They found the average total cost of a data breach to be $3.79million.

The average cost per lost or stolen record was $154/record, but increased to $363/record in healthcare, $300/record in education and $215/record in financial institutions.

According to the 2015 Verizon Breach Report, 60% of attackers were able to compromise an organization within minutes.

23% of recipients now open phishing messages and 11% click on attachments and nearly 50% open and click within the first 4 hours.  We can also agree with this number based on our social engineering tests on organizations.

Nearly 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Only .03% out of tens of millions of mobile devices were infected with truly malicious exploits.  They don’t seem to be a preferred attack vector for malware.

Why is this a problem?

According to Raytheon’s 2015 Global Megatrends in Cybersecurity, Only 34% of over 1000 respondents said that they thought their organizations were prepared and keeping up with technologies and the “Internet of Things.”

Over 67% of the respondents said that their organizations need more knowledgeable and experienced security professionals.

How can we prepare?

Respondents saw the following security technologies having the biggest increase in importance over the next 3 years:

  1. Encryption of Data at Rest
  2. Big Data Analytics
  3. SIEM – Security Information and Event Management
  4. Forensics
  5. Encryption of Data in Transit

They also see the following top factors providing the most improvement in their overall security posture over the next 3 years:

Improving Cybersecurity Posture

The IBM study found the following factors that can influence the the cost per record of a data breach:

Increase/Decrease cost per record of a data breach.
This figure shows factors that can increase or decrease the cost per record of a data breach.
Categories
Computer & Network Security>Adobe|Compliance|Computer & Network Security>Java|Computer & Network Security>Vulnerabilities

Third Party Apps: Consider The Risks

What are 3rd party tools?

Everyone, from individuals to enterprises, uses third party tools and applications on their workstations, servers and mobile devices.  Some examples are Adobe Reader, Java, WinRAR, and many more.  They are applications that are run or installed, but are typically not centrally managed by your organization.

Why are they important to an organization?

Many times these tools are required to carry out critical job functions.  These can be running applications that require Java applets, fax services, custom written applications and so on.

What risks can they introduce?

Since these applications are usually not centrally managed, their patches and updates may not be applied as quickly.  Just like all software/hardware, vulnerabilities are found every day in third party applications such as a recently exposed flaw in WinRAR. According to Apigee, new attack techniques are emerging as well, including:

  • Exploitation of mobile and app vulnerabilities with insecure API access
  • Stealing of sensitive data cached by apps that don’t follow security best practices
  • Social engineering of developers to gain unauthorized access of developer keys and credentials.

So what can you do?

While this is an accepted risk when choosing these tools, there are several things you need to remember in order to make the tools as secure as possible:

  • Ensure you stay up-to-date on zero-day vulnerabilities
  • Always be aware of any updates available
  • Use strict authentication methods to secure your systems
  • Consistent monitoring & reporting

In summary, third party tools are an unlocked window into your network and have the potential to cause great damage to your organization when not properly secured. Organizations should consider adopting policies and procedures around approving specific applications and maintaining an inventory of where they are used.  This, in addition to a patch management process for these applications can significantly improve the security posture of your organization.

Categories
Computer & Network Security>Apple

iOS Malware – The Sky Is (not) Falling!

By now you should have heard that malware has been detected in apps available from Apple’s App Store.  (Let’s take a short break to let the rival Android users stop chuckling)  Should you be panicked?  Should you contact your IT department and have them wipe all of your company’s iPhones?  Should you rush home and trade your teenager’s iPhone for an old Samsung flip phone?  No, you shouldn’t – the Appleocalypse is not upon us.  (except maybe for the last one – have you seen the trouble teenagers can get into on smart phones?  Sheesh!)

Because this is somewhat of a rare event, the Internet has been filled with opinion pieces and editorials concerning iOS malware but the facts, so far, have been hard to nail down.  The truth of the matter is that most US, LA, and European users should have little to worry about but that Asia-Pacific iPhone users could be in a bit of trouble.

What actually happened is that some Chinese programmers downloaded a corrupted version of Xcode, which is Apple’s official iOS and OS X app creation tool.  Apps were then created with the corrupted tool (which quietly embedded exploits) and were subsequently uploaded to Apple’s App Store.  About 50 corrupted apps were eventually identified by security firm Palo Alto Networks, and while these apps have now been removed from the app store, they weren’t removed before being downloaded by several million people.  Most of the apps are Asia-Pacific-centric, (like WeChat) but a few are in heavy rotation in the West.  (CamCard, a popular business card reader, being the most prominent).

Remediation is simple: If you do have any of the listed apps installed, report this to your IT department so they’re aware of a potential issue.  IT Staff and individuals should be checking corporate and personal iPhones for the apps.  Change iCloud and other passwords stored on your phone as a precautionary measure, and report any suspicious events to your IT department.

You can find a list of the corrupted apps here: (courtesy of macrumors.com)

Infected iOS apps (as released by Palo Alto Networks)
网易云音乐 2.8.3
微信 6.2.5
讯飞输入法 5.1.1463
滴滴出行 4.0.0.6-4.0.0.0
滴滴打车 3.9.7.1 – 3.9.7
铁路12306 4.5
下厨房 4.3.2
51卡保险箱 5.0.1
中信银行动卡空间 3.3.12
中国联通手机营业厅 3.2
高德地图 7.3.8
简书 2.9.1
开眼 1.8.0
Lifesmart 1.0.44
网易公开课 4.2.8
马拉马拉 1.1.0
药给力 1.12.1
喜马拉雅 4.3.8
口袋记账 1.6.0
同花顺 9.60.01
快速问医生 7.73
懒人周末
微博相机
豆瓣阅读
CamScanner
CamCard
SegmentFault 2.8
炒股公开课
股市热点
新三板
滴滴司机
OPlayer 2.1.05
电话归属地助手 3.6.5
愤怒的小鸟2 2.1.1
夫妻床头话 1.2
穷游 6.6.6
我叫MT 5.0.1
我叫MT 2 1.10.5
自由之战 1.1.0

A more thorough list, according to fox-it.com:

Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard

Again, it depends on which version of these apps you might have or from where they were downloaded that would indicate if you have a corrupt copy.  Be conservative and remove or update them if you have them.

 

 

 

 

 

 

Categories
Compliance|Computer & Network Security|Information Security>Data Breach

Ransomware! – It’s here to stay…

“My firm WILL be affected by ransomware.” If you intone that rather gloomy mantra to yourself every morning before you go to work, you might end up being prepared to deal with the situation when it happens.

Ransomware is a type of malware that most often encrypts the contents of a hard drive and then rather helpfully offers you an email address or phone number to contact for removal instructions. And did I mention they’re going to ask for payment for the key to your now locked-up hard drive? They’ll ask for payment. And when the email with the funny cat pictures is spread around your office and more systems are affected, they’ll ask for money to unlock those too. Can the FBI help you at this point? No, because the kidnapper (of your data) is some kid working out of a grimy apartment overseas and they don’t have the resources to mount an international manhunt over the few hundred dollars that are being extorted from you.

If you bite the proverbial bullet and pay the ransom is the situation over and simply remembered as a painful lesson learned? Maybe……

An increasing number of ransomware variants will leave Trojans on your system; a back door into which the original perpetrator can come and go as he or she pleases. Some ransomware, after being unlocked, has reportedly lain dormant for a few months and then reactivated itself. Even worse, some ransomware operators have actually been caught and jailed and the phone number you call with credit card or Bitcoin in hand will just ring forever.

With estimated losses of over $18 million US dollars and over 1000 cases of a single variant of ransomware (Cryptowall) reported to the FBI’s ‘Internet Crime Complaint Center’ in June of 2015 alone, ransomware is definitely a clear and present danger to any and all firms.

Diligence and mitigation – mitigation and diligence. These are the two concepts that might just prevent a catastrophic ransomware event in your firm. It’s up to both your employees and your IT Staff to take these to heart, though, as it takes both groups to successfully prevent an infection AND to deal with one correctly when it happens.

Precautions your IT Staff can take:

  • Patch and Update software: Your firm should have a Threat and Vulnerability Management policy that mandates regular scanning, investigation of vendor-specific security alerts, and appropriate patching guidelines and targets.
  • Effective Security Suites: Your IT staff should be deploying a combination of anti-malware software and software firewalls to each and every system in your firm. Definitions should be updated constantly and scans should be a regular and recurring event.
  • Backups: The importance of accurate backups cannot be overstated! And this doesn’t necessarily mean a “you have a mapped Z: drive in Windows, copy anything important to it” type of backup either. Because there have been many, many instances of ransomware encrypting those drives as well. Why? Those drives and folders are just another target folder the infected system can see. What’s really bad is when the mapped drive isn’t the user’s personal folder but the actual root layer of the drive. That’s when EVERYONE’s backups get encrypted.   So make sure your firm has invested in an official backup framework, with software agents that will regularly make secure copies of important data.
  • Log analysis: a good Security Information and Event Management (SIEM) system or similar tool that analyzes log data can help prevent the spread of an infection if the IT Staff is alerted early to log data that would indicate an infection.
  • Hardened Email Systems: Does your firm use a hardened email system? Are spam filters current and in place? Do you scan incoming email for questionable attachments and quarantine them appropriately?

Precautions your Users can take:

  • Training: Do you have Acceptable Use policies for email, external flash media, and appropriate training for the users? Have they been taught not to open strange emails and do they know how to recognize and not click on questionable email links? Do they know what to do if they find a USB drive on the ground labeled “Company Salary Spreadsheet?” These are all part of a comprehensive policy and training framework your company should have in place.
  • Reporting: Employees should be able to recognize the warning signs of a malware infection and know immediately how to (and that they should) contact IT staff. Also, regular IT security training programs are not a luxury any more. They’re not something that only “the big guys” can afford to have. Every firm should have a policy of requiring some form of IT security training for its entire staff at least on an annual basis.

And finally,

What to do with an infected system:

  • Contact the IT Staff: if an employee believes they have fallen victim to or are falling victim to ransomware, the IT Staff should be contacted immediately. The sooner they’re aware of an issue, the more likely it is that some form of damage mitigation or limitation can be performed.
  • Disconnect from WiFi or unplug from the network immediately: This is extremely important! If a system has been identified as infected, disconnect from the network as soon as possible. Some ransomware-type malware “calls home” for encryption instructions. This is by no means foolproof, and users who are savvy enough to recognize a ransomware event in action are few and far between, but it could make a difference.
  • Realize when “you’re in over your head:” Dealing with ransomware is not an easy task. If your IT Staff appears to be floundering a bit, or unsure of what steps to take, or if ransomware is a regular recurrence at your firm, contact a 3rd party that specializes in network and computer security.

IT Security is a process, not an event. Good security policies and practices, regular scanning and investigation, and a watchful eye will go a long ways to keeping your firm secure. As more of the world becomes more connected every day, diligent firms should be making more of an effort to recognize the importance of IT Security in the workplace. An investment of time, attention, effort, and funding will always pay off.

 

 

 

 

 

 

Categories
Information Security>Data Breach|Social Engineering>Phishing

How Does Ashley Madison Threaten Your Organization?

Extortion is not usually a topic that employers have on their radar regarding their employees.  Most employers know they need to protect themselves against viruses, and “hackers”, but they often don’t think about the social engineering tactics that attackers may use to target employees.  However, when users put their private information on “secure” websites, they may assume this information is safe.  But, as the old adage goes, “assume anything you put online can be made public”, and it is likely that all of the users of the Ashley Madison website failed to consider the implications.

For more details about the Ashley Madison hack there are a number of sources that can reviewed.  Brian Krebs has two posts on the subject that are worth reviewing for more detailed information: Was the Database Leaked? and Extortionists Target Ashley Madison Users

Why should this apply to me?

Considering the services offered, and the number of records released, it is likely that most people will have a connection to someone who could be affected.  Given this line of thought, it is also plausible that attackers could exploit this, and target users who are on the list of records released.  Employers are not likely to be directly concerned about whether their employees are on this list; however, what if their users are put into a situation where they are black mailed, and may do something they would not otherwise think of doing, such as clicking on an illicit link, or downloading a malicious file?  Alternately, an attacker could use information from the Ashley Madison list to entice users to click on a link in a phishing email.  Employers need to be cognizant of this, and consider some controls which can be put in place to mitigate this threat.

We regularly see organizations where a user falls victim to phishing emails, and these stats will only increase when this specific, targeted threat vector presents itself.  This is a real threat, and it is a risk to organizations, as some users are going to be concerned about this, and may act more foolishly than normal in order to conceal their misdeeds.

What should we do?

User Awareness Training – Ensure users can identify a phishing email.  Make users especially aware of attacks related to the Ashley Madison hack.

Spam Filtering – It may be worth discussing the merits of blocking or increasing the risk of any emails containing words related to Ashley Madison.

Follow Basic Security and Compliance Practices – Review security practices including Authentication, Access Controls, and Patch Management.  Additionally, ensure there are mechanisms for recognizing anomalous behavior within the network.

It’s impossible to prevent users from being targeted, but organizations can use that to better prepare.  If their users will be targeted, then training employees is key.  Remember, instead of trying to prevent a ‘hack,’ expect one, and be prepared to detect it, slow down or stop the attack, and recover quickly.

 

Categories
Computer & Network Security>Android|Compliance>Privacy

Android Security Flaw: Stagefright – What You Need to Know

Update: As of Thursday, August 6th, 2015, Google and some phone carriers are pushing out a security fix to address this vulnerability. Source: http://www.zdnet.com/article/after-stagefright-samsung-and-lg-join-google-with-monthly-android-patches/

What is StageFright?

Stagefright is a remotely exploitable software bug in Android that can allow an attacker to perform arbitrary operations on the affected device through remote code execution and privilege escalation.  This flaw currently affects versions 2.2 and newer of the Android operating system. Source: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

How Can This Affect Me?

An attacker can send specially crafted MMS (multimedia) text messages to the victim device, which require no end-user actions upon receipt, for the vulnerability to succeed.  The victim’s phone number is the only target information an attacker would require.  In other words, someone can send you a text message and without any interaction from you it can allow the attacker to take control of your phone.

What Can I Do About It?

There are currently some mitigations users can put into place for unpatched devices, including disabling the automatic retrieval of MMS messages, and/or blocking the reception of text messages from unknown senders.  Additional mitigation comes from some of the security features built into newer versions of Android that may help in making exploitation of the Stagefright bug more difficult; thus, updating to the latest version of Android may also help alleviate the issue.

Additionally, firms should set minimum standard for allowed Android devices to account for software updates.

Additional Details:

The Stagefright bug was reported the bug to Google in April 2015, and was publicly announced on July 27, 2015.  Fortunately, Google is currently working on a patch for the Stagefright vulnerability; however, there are often long delays in propagating patches to end-user devices due to a large fragmentation between the manufacturers, device variants, Android versions, and various Android customizations performed by the manufacturers.  Furthermore, Google maintains the Android’s firmware updates for carrier devices are the responsibility of wireless carriers and original equipment manufacturers (OEMs).

 

Categories
Information Security

Spam Email – Stop it before your users click on it

It doesn’t matter if you’ve trained them or yelled at them or had to fix their infected computers in front of them (or all of the above) ……..they’re still going to open that suspicious email, aren’t they?
Because who can resist the attachment that promises funny cat pictures, and who doesn’t have a slight panic attack when faced with a fraud alert from their bank?
Protecting your corporate network from malicious email is a never-ending battle and there’s no simple, one-size-fixes-all method to do so, either. There are three modes of defense, though, that are remarkably effective but we’ve recently realized that most small to mid-size companies are only using one or two of those methods.

  1. The first and most effective defense is simply user training. Every company, no matter the size, should inform and educate users as to the dangers of fraudulent emails. Provide examples, show warnings, and do it on a regular basis. Don’t numb them to the dangers but find a balance between over-lecturing and educating your users.
  2. The second most effective defense is desktop antivirus and anti-malware software. These programs won’t stop a zero-day exposure but they’ll prevent about 98% of anything that makes it as far as the desktop. They won’t prevent someone from entering their banking credentials on a fake website but they do a moderately decent job of preventing older malware from infecting your network.
  3. The third defense, and the one you may not be using, is a block list on your mail server. These block lists do exist and contain real-time updated lists of spam websites and domains. The most popular of these is the Spamhaus Project. In their own words: “The Spamhaus Block List (“SBL”) Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail. The SBL is queriable in realtime by mail systems thoughout the Internet, allowing mail server administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending, hosting or origination of Unsolicited Bulk Email (aka “Spam”). The SBL database is maintained by a dedicated team of investigators and forensics specialists located in 10 countries, working 24 hours a day to list new confirmed spam issues and – just as importantly – to delist resolved issues.”

Simply put, by taking advantage of the Spamhaus DNS block lists, you can set most modern mail servers to prevent many of those fraudulent emails from ever reaching your users. There are some limits on free usage of their offering but larger, heavier users can still pay for the service.
You can find more information about Spamhaus at the following url: https://www.spamhaus.org/

Categories
Computer & Network Security|Information Security

Java vs. Javascript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and Javascript.

Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java ‘applets.’ Applets aren’t that common any more, but the Java application is a different matter. Java has a history of being exploited for vulnerabilities, and updates have historically released on a somewhat tardy basis. Even more painful is that users have to manually watch for and install those updates unless they chose the “check for updates periodically” option during the original Java install. And even then, they’re required to manually download a patch file and run it. And we all know how users are so very diligent about that sort of thing……..

Javascript is something else altogether. It’s integrated into the browser, and although there have been security issues with it in the past, updates come in the form of operating system updates which are usually controlled by Windows Update settings or corporate patch agents.

Securit360’s recommendations for this sort of thing always follow the “least privilege” concept: if you don’t need it – turn it off. Just like every other piece of unused software, we recommend uninstalling Java unless it’s actually being used. We’re not singling out Java; this is our recommendation for every piece of software and application on the market. If your users really need Java to do their work, though, then make sure Java is configured to periodically check for updates and patches. On top of that, run regular security scans to confirm what version of Java is installed and update old versions when you find them.

Java is a fantastic program but needs some care and careful handling to prevent it from being a security issue for your organization. Keep an eye on it……

Categories
Computer & Network Security

Do you really need a smart toaster?

Even though you CAN buy it, you need to ask yourself if you really SHOULD you buy that Internet-connected appliance……..

Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet-connectivity.

But for those of us who work in the computer and network security fields, this question is neither academic nor trivial.

It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would turn down a tracking unit you could put in your child’s backpack in case they get lost or something more sinister happens? And who wouldn’t find some convenience in a video-capable home security system that was able to be monitored while you were at work?

The problem is that the security of these gadgets is questionable at best. Multinational, experienced software companies, such as Microsoft and Apple, have entire divisions devoted to securing their software and hardware, and yet potential and actual compromises are announced almost on a weekly basis. Most corporations have IT security teams who monitor and test systems on a regular basis but we read about corporate breaches almost daily.

In light of those observations, can we really trust the manufacturing company that creates a product that allows you to keep track of your child or pet via an Internet-based website? How do we know they’re performing due diligence to keep the location of your child safe? How can you be assured that a potential burglar isn’t watching for the next time you kennel your pets, giving them a good idea when you’re out of town? And who’s monitoring the log data to be sure that your home security system wasn’t shut down remotely for a brief period today and then reactivated? Or who’s making sure that your “private” video feed into your house isn’t quite so private after all?

Sometimes it pays to be a little paranoid and cautious. When purchasing a product with a network connection, do some due diligence. First, ask yourself if you really need it. Is it going to simplify your life or bring a reward that’s worth the risk? Second, do a little research. Find manufacturers with a proven track record or maybe those who have partnered with a security-conscious company. And above all, be careful. Be aware of what you have and practice common sense security precautions – change passwords, watch for anomalous behavior, and review and apply software updates.

 

 

Categories
Research>The Hitlist

The Hitlist: Remote Access

Remote access is often one of the weakest points we find in a customer’s network.  Corporations allow home users, with no real security on their home network, to remotely connect to their corporate network, access, and even download content.  This alone is a breach of security, and could even facilitate a data breach.  We have all known of users who email themselves company files, but what if those files contained Personally Identifiable Information (PII) or Personal Health Information (PHI)?  We have seen it happen.  What if someone is writing a report, and then decides to bring it home to finish it up?  What if that report contains intellectual property?  To avoid these potential disasters, it is important to have proper controls in place.  You should have a secure method of accessing corporate data remotely, and there should be policies and procedures in place to ensure that users are forced to use this to access data.  We have outlined some topics to consider below:

SSL VPN/Remote Desktop Solution (not to be confused with Remote Desktop (RDP) for Windows)

Step one, you must have a secure solution in place to access corporate data remotely.  Ideally, all users with remote access privilege should be using an encrypted VPN connection, period.  If possible, some sort of remote desktop solution should be employed that provides an interface for accessing internal network resources.

Corporate Devices

If you don’t use a remote desktop solution then you should mandate that only corporate devices are allowed to access the internal networks. When employees use personally owned devices for work, they tend to use them however they want. This creates an unneeded vulnerability for your company. Corporate owned devices can help alleviate this gap in security. It will give your IT department increased accountability without taking away the employees productivity.

Policies

Step two, you must have policies in place to enforce the usage of your secure remote access solution.  Tell users what they can and can’t do, and set expectations so that if they do not follow company policy there could be repercussions.

Administrative Access

Admins should not use privileged accounts for remote access.  It is best practice for admins to have two domain accounts, one with privileged access, and a standard user account that does not have any elevated privileges.  The account with administrative access should only be used when administrative duties are required, and should never be used for remote access into your corporate network.

Network Traffic Control

In addition, you need to have tools in place to control the traffic on your network. The resources on your network are not only available at your organizations physical location, but when you add remote access capabilities, it adds an additional increase in the amount of traffic that moves around the network. Look at it like a highway, a highway is made to allow a steady flow of cars to move about from location to location with ease. At any point, there could be a heavy flow of cars that causes the highway to become congested. Depending on the situation, this backup will spread if the cars cannot leave as fast as they are approaching. This is the same for you organization’s network. If you do not have the correct tools or policies and procedures in place to control your network traffic, it could greatly deteriorate the speed of your network. This, in return, could decrease business continuity/productivity?

Application Control

Another essential tool when utilizing remote access is application control. Your network is a combination of different ways to communicate including email, instant messaging, and point to point applications. As more applications are introduced to your network, the number of risks by malicious software also increase. This is why it is very important to have a solid application control policy and assure that it is implemented throughout your organization.