by Steve Taylor and Joanie Wexler

Teleworking vulnerabilities

Jul 24, 2003 | 3 mins
Network Security, Remote Work, Security

* Wireless LANs, physical security important for home workers

As mentioned last time, a complete network/IT security policy should include a set of best practices and rules for telecommuters. Some of these practices simply involve common sense – someone just needs to think them through and educate the company’s teleworker population about them.

For example, there is the issue of wireless LANs, which are quickly becoming the rage and whose popularity in the business office is being driven by home use. Almost in spite of themselves, folks in one house, apartment or condo can associate to an access point in a neighboring residence and hop on that individual’s broadband Internet connection if the proper encryption hasn’t been enabled. At a minimum, this encryption would be Wired Equivalent Privacy (WEP).

It is also advisable to disable “SSID broadcast” (so that a teleworker’s access point will not present itself for access to outsiders), to change that worker’s SSID name or number from the default setting, and to use an access control list with only the teleworker having access rights, says Craig Mathias, wireless consultant and principal at the Farpoint Group. Mathias adds that a standard network logon should be used.

Even though it’s unlikely that the broadband poacher would be able to access the corporate data center if a VPN is in place, the squatter might be able to see the data on that individual’s computer if no personal firewall has been installed on it or if the data has not been encrypted.

In fact, given the ease with which ever-shrinking laptops and PDAs can be lost or stolen, it’s probably advisable to just encrypt all stored data of a confidential nature on any client device. This can be accomplished using the encryption in Microsoft XP Professional or in third-party software.

And, finally, there’s the obvious but often overlooked issue of physical security. If you’ve got your VPN connection up and there are guests in the house, such as neighbors, party attendees, friends, workmen and so forth, again, seeing confidential data could end up a crime of opportunity.

Many of these worries will end up moot. But how can you, as the IT professional, know if all your employees’ friends and relatives can be trusted? Whoever is in charge of IT security for your organization should have a corporate policy for what security steps should be followed by teleworkers. The policy should also spell out the potential consequences if it’s shown that these precautions have not been followed.