15 real ways to secure teleworkers

Security continues to be one of the top bugaboos in letting employees telecommute. As gas prices have stayed high and the economy continues to drive itself into the ground, telecommuting continues to be a viable and cost-effective way for companies to keep employees connected to the home office, but at what price? Lost laptops? Network hacks? Stolen data?

Certainly telecommuting isn't to blame for all of these seemingly daily occurrences. It is into this environment that the National Institute of Standards and Technology (NIST) recently updated what many consider to be the bible on maintaining teleworker data security.

"In terms of remote access security, everything has changed in the last few years. Many Web sites plant malware and spyware onto computers, and most networks used for remote access contain threats but aren't secured against them," says Karen Scarfone of NIST's Computer Security Division in a release. Above all, an organization's policy should be to expect trouble and plan for it.

While the NIST recommendations are myriad, we have listed here some of the most important items.  Should you want to read the actual 42-page NIST release on the subject, go here.

The major NIST recommendations for securing teleworkers include:

Physical security: An organization might require that laptops be physically secured using cable locks when used in hotels, conferences, and other locations where third parties could easily gain physical access to the devices. Organizations may also have physical security requirements for papers and other non-computer media that contain sensitive information and are taken outside the organization's facilities.

Encrypt: Encrypt files stored on telework devices and removable media such as CDs and flash drives. This prevents attackers from readily gaining access to information in the files. Many options exist for protecting files, including encrypting individual files or folders, volumes, and hard drives. Generally, using an encryption method to protect files also requires the use of an authentication mechanism to decrypt the files.

Back up: Ensure that information stored on telework devices is backed up. If something adverse happens to a device, such as a hardware, software, or power failure or a natural disaster, the information on the device will be lost unless it has been backed up to another device or removable media. Some organizations permit teleworkers to back up their local files to a centralized system (such as through VPN remote access), whereas other organizations recommend that their teleworkers perform local backups. Teleworkers should perform backups, following their organizations' guidelines, and verify that the backups are valid and complete. It is important that backups on removable media be secured at least as well as the device that they back up. For example, if a computer is stored in a locked room, then the media also should be in a secured location; if a computer stores its data encrypted, then the backups of that data should also be encrypted, NIST says.
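One way to check that a backup is "valid and complete," shown as an added example that is not part of the NIST guidance or the original article: hash every file in the source folder and compare it against the backup copy. The folder layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result

def verify_backup(source, backup):
    """Report files missing from the backup (incomplete) or differing (invalid)."""
    src, bak = manifest(source), manifest(backup)
    missing = sorted(p for p in src if p not in bak)
    corrupted = sorted(p for p in src if p in bak and src[p] != bak[p])
    return {"missing": missing, "corrupted": corrupted,
            "ok": not missing and not corrupted}

def demo():
    """Constructed sample: three source files, a backup with one dropped and one damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = os.path.join(tmp, "src"), os.path.join(tmp, "bak")
        for root in (src, bak):
            os.makedirs(os.path.join(root, "docs"))
        files = {"report.txt": b"Q3 numbers", "notes.txt": b"call IT",
                 os.path.join("docs", "plan.txt"): b"travel plan"}
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        # Backup copy: report.txt intact, notes.txt truncated, docs/plan.txt never copied.
        with open(os.path.join(bak, "report.txt"), "wb") as f:
            f.write(b"Q3 numbers")
        with open(os.path.join(bak, "notes.txt"), "wb") as f:
            f.write(b"call")
        return verify_backup(src, bak)

if __name__ == "__main__":
    print(demo())
```

Run the comparison right after the backup finishes, since files edited later will show up as differing. For an encrypted backup, compare against a test restore rather than the encrypted container.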

Cache cleaning: A computer that is temporarily used for remote access. Some remote access methods perform basic information cleanup, such as clearing Web browser caches that might inadvertently hold sensitive information, but more extensive cleanup typically requires using a special utility, such as a disk scrubbing program specifically designed to remove all traces of information from a device. Many organizations offer their teleworkers assistance in removing information from personally owned devices.

Cleaning the missing: Erase information from missing cell phones and PDAs. If a cell phone or PDA is lost or stolen, occasionally its contents can be erased remotely. This prevents an attacker from obtaining any information from the device. The availability of this service depends on the capabilities of the product and the company providing network services for the product.

Wear protection: Teleworkers need to ensure that they protect their remote access-specific authenticators, such as passwords, personal identification numbers (PINs), and hardware tokens. Such logins should not be stored with the telework computer, nor should multiple authenticators be stored with each other; for example, a password or PIN should not be written on the back of a hardware token, NIST states.

Hack attack: Teleworkers should be aware of how to handle threats involving social engineering, which is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.

Get some separation:  The most important part of securing most wired home networks is separating the home network from the network's ISP as much as possible, NIST states.  If a telework device connects directly to the teleworker's ISP, such as plugging the device directly into a cable modem, then the device becomes directly accessible from the Internet and is at very high risk of being attacked. To prevent this from occurring, the home network should have a security device between the ISP and the telework device. This is most commonly accomplished by using a broadband router or a firewall appliance. This security device should be configured to prevent computers outside the home network from initiating communications with any of the devices on the home network, including the telework device, NIST says.

Again with the encryption: Use strong encryption to protect communications. An industry group called the Wi-Fi Alliance has created a series of product security certifications called Wi-Fi Protected Access (WPA), which include the WPA and WPA2 certifications. These certifications define sets of security requirements for wireless networking devices. Devices with wireless network cards that support either WPA or WPA2 can use their security features, such as encrypting network communications with the Advanced Encryption Standard (AES) algorithm.

Know your enemy: Permit access for only particular wireless network cards. Some APs can be configured to allow only specific devices to use the wireless network. This is accomplished by identifying the media access control (MAC) address of each device's wireless network card and entering the MAC address into a list on the AP. Because a MAC address should be unique to a particular network interface, specifying its MAC address in the AP can be helpful in preventing some unauthorized parties from gaining wireless network access.

Get to know SSID: Change the default service set identifier (SSID). An SSID is a name assigned to a wireless AP. The SSID allows people and devices to distinguish one wireless network from another. Most APs have a default SSID, often the manufacturer or product's name. If this default SSID is not changed, and another nearby wireless network has the same default SSID, then the teleworker's device might accidentally attempt to join the wrong wireless network. Changing the SSID to something unusual (not the default value or an obvious value, such as "SSID" or "wireless") makes it much less likely that a device will choose the wrong network.

Watch those admins: Disable AP administration through wireless communications. Flaws are frequently identified in the administration utilities for wireless APs. If an AP has such a flaw, attackers in the vicinity could reconfigure it to disable its security features or use it to acquire access to the teleworker's home network or the Internet. To prevent such incidents, teleworkers should configure APs so that they can only be administered locally, such as by running a cable between a computer and the AP, and not administered wirelessly or otherwise remotely, NIST says.

No slow lanes:  For a PC with slow network speed support, such as dial-up access, teleworkers should be cautious when configuring automatic software update features, NIST says. Because many updates are very large, downloading them could consume all the network bandwidth on a slow link for hours at a time. This could make it difficult for teleworkers to send and receive email, access Web sites, and use the network in other ways while the download is occurring. Teleworkers could instead configure the software to download the updates at a time when no one needs to use the PC. Updates should still be performed at least weekly, preferably daily.

Needless net nabobs:  By default, most PCs provide several network features that can provide communications and data sharing between PCs. Most teleworkers need to use only a few of these features. Because many attacks are network based, PCs should use only the necessary networking features. For example, file and printer sharing services, which let other computers access a telework PC's files and printers, should be disabled unless the PC shares its files or printers with other computers, or if a particular application on the PC requires the service to be enabled, NIST says.

Secure assistance: Some operating systems offer features that let a teleworker get remote technical support assistance from a coworker, friend, product manufacturer, or others when running into problems with a PC. Many applications are also available that permit remote access to the PC from other computers. Although these features are convenient, they also increase the risk that the PC will be accessed by attackers. Therefore, such utilities should be kept disabled at all times except specifically when needed. The utilities should also be configured to require the remote person to be authenticated, usually with a username and password, before gaining access to the PC.
