If your organisation is looking to ramp up its remote working capabilities, you’re not alone. But how can you empower more users to work remotely whilst maintaining appropriate security levels? Follow our best practice advice and ensure you do it once and do it right.
The global coronavirus outbreak is having a profound effect on the way we work, travel and go about our daily lives. Organisations throughout the UK are reviewing and in many cases ramping up their remote working capabilities, as government advice to employers around COVID-19 emphasises the importance of isolation in a number of instances. Aside from the obvious health risks, organisations may also be exposing themselves to cyber security risks as system administrators scramble to implement remote working capabilities that would in other circumstances require months of planning and design to get right.
If you are tasked with enhancing your organisation’s remote working capabilities and you are concerned about the cyber security risks you may be introducing, follow our best practice advice to ensure you keep your organisation safe from cyber illness.
Secure Remote Access Best Practice Advice
As with all things cyber security, where projects are rushed or not planned to perfection there lies the possibility for error. In recent weeks our cyber security professionals at Six Degrees have seen cases of opening remote access ports such as RDP and SSH to the internet or to dynamic home IP addresses to allow continued remote access; the firing up and use of outdated or unsupported VPNs that have been dusted off the shelf; access given to users on non-company equipment; and for some the roll-out of cloud-based solutions without multi-factor authentication. What a mess.
If your organisation is about to go down one of these routes, here are four pieces of best practice advice you should follow in order to deliver secure remote access.
1. Set Up a Management Zone
If you need remote access to internal systems/servers for management purposes, set up a management zone and block access from the internet. Limit access to a management VLAN which you can connect to via a jump box, a dedicated management VPN or both. Avoid the temptation to expose RDP, Telnet, SSH, SNMP or any other remote management ports to the internet or your ‘home’ IP addresses.
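The check described above, as an added example that is not part of the original article: a small audit that flags any firewall allow rule opening RDP, Telnet, SSH or SNMP to a source outside the management VLAN. The rule format, the 10.99.0.0/24 management subnet and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Ports the article says must not be exposed: RDP, Telnet, SSH, SNMP.
# Assumption: the protocol (TCP/UDP) is not modelled, only the port number.
MGMT_PORTS = {3389: "RDP", 23: "Telnet", 22: "SSH", 161: "SNMP"}

# Assumed addressing: the management VLAN (jump box / management VPN pool).
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")

# Constructed sample rules: (name, action, source CIDR, first port, last port).
SAMPLE_RULES = [
    ("web-https", "allow", "0.0.0.0/0", 443, 443),
    ("rdp-any", "allow", "0.0.0.0/0", 3389, 3389),
    ("ssh-home-ip", "allow", "203.0.113.24/32", 22, 22),
    ("jumpbox-mgmt", "allow", "10.99.0.10/32", 22, 3389),
    ("office-wide", "allow", "10.0.0.0/8", 1, 1024),
    ("snmp-deny", "deny", "0.0.0.0/0", 161, 161),
]


def audit(rules, mgmt_net=MGMT_VLAN):
    """Return (rule name, service, source) for each allow rule that opens a
    management port to a source not wholly inside the management VLAN."""
    findings = []
    for name, action, source, lo, hi in rules:
        if action != "allow":
            continue
        src = ipaddress.ip_network(source, strict=False)
        # subnet_of() is False for a wider network that merely contains the
        # VLAN, so "whole office" and "whole internet" sources are flagged.
        if src.version == mgmt_net.version and src.subnet_of(mgmt_net):
            continue
        for port, service in sorted(MGMT_PORTS.items()):
            if lo <= port <= hi:
                findings.append((name, service, source))
    return findings


if __name__ == "__main__":
    for name, service, source in audit(SAMPLE_RULES):
        print(f"{name}: {service} reachable from {source}")
```

The "ssh-home-ip" rule is flagged even though it names a single address, which matches the advice not to open management ports to ‘home’ IP addresses.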
2. Review Your VPN Technology
If you have VPN technology that is rarely used and is about to be swarmed on by a large number of users for the first time:
- Check you are running the most up-to-date versions of your software/firmware.
- Check crypto settings are not stuck in the dark ages running 64/128-bit ciphers – bump these all the way up to 256 and above where you can.
- Use certificates – don’t just rely on simple passwords and usernames.
- Use multi-factor authentication.
- Keep your network design simple. Many people over-complicate what should be a simple setup, and most vulnerabilities we find in VPN connections are simple oversights due to complexity, usually around the scope of what connecting clients can and cannot connect to from the VPN connection versus the standard internal office network.
3. Always Use Multi-Factor Authentication
With more people working from home, internal systems and cloud systems alike will be operating without the trusted barrier of being inside the network. If you don’t already, ensure cloud-based solutions such as Office 365, AWS and Azure use strict multi-factor authentication. Without it you run the ongoing risk of falling victim to simple brute force or credential stuffing attacks. Don’t give attackers the chance.
4. Ensure Users are Working from Approved Devices
If you are thinking about letting users use their own personal devices, don’t forget they won’t have corporate anti-virus or group policies to help you control their devices. Provide them with a decent sandboxing technology to access your business applications from. This will protect your network from any home-brewed nasties their devices may be harbouring. Our cyber security professionals recommend only allowing access from corporate-approved devices that fall under your internal IT security policies.
Mobilise Staff and Protect Your Organisation
Desperate times can lead to desperate measures. However, you should never give malware a chance to have free rein within your network – it can be just as catastrophic to pave the way for a remote attack that affects the whole organisation as it is to delay the roll-out to a few staff members to implement some carefully designed sandboxes or remote hardware. Do it once and do it right – don’t panic yourself into poorly executed action plans.
As the coronavirus pandemic continues to spread, cyber criminals are