Will a Remote Worker Compromise Your Network?

Follow These 10 Suggestions to Reduce the Risk.

Published March 23, 2020
Randall Brinks, CEO

The current pandemic has forced knowledge workers to scatter from a central, secure location (the office) to vastly more vulnerable places (their homes).  This has created an opportunity for malicious actors who are actively trying to compromise remote workers’ computers.

Ideally, remote workers have a corporate laptop.  But many don’t and will be connecting back to the corporate network using personal computers.

If you’re a remote worker, or responsible for employee access when working remotely, what steps should you take to reduce the risk of compromise?

Note: This blog post has a summary checklist at the bottom of the page.

1. You’ll need a remote access policy

If your company doesn’t have a remote access policy, create one.  There are great examples online which can be used as a template.  If you have a policy, quickly review it, looking for software no longer in use, operating system requirements that may be out of date, and connection technologies that don’t apply.  Always have the user sign off on the policy.

2. Train all remote workers, even if they’ve been trained in the past

As tempting as it may be, do not skip this step.  Coronavirus fears have resulted in an increase in email phishing, sometimes very targeted.  These emails try to trick remote workers into opening malicious attachments, or they spoof the CEO’s email and ask for sensitive information, which could quickly and easily compromise the corporate network.

Training doesn’t need to consume vast amounts of time and can be covered by going through a short checklist.  Training can be performed by IT staff who are setting up the employee’s computer.

What is reviewed with the employee? Don’t click email attachments unless you’re expecting them, and don’t respond with sensitive information without calling the person first (and don’t use the callback number in the email).  Review the information in the rest of this document and incorporate it as needed into your training program.

3. Use a supported operating system

Windows 7 is no longer supported as of January 2020.  Unsupported operating systems are unacceptable for remote access, since they are no longer eligible for updates, opening them to attack. Make sure all systems are running Windows 10.  If using macOS, check that it’s also fully patched and is on a supported version.

4. Enable the firewall

Both Windows 10 and macOS have a firewall built into the operating system.  Check to see that it’s enabled in Windows and macOS. Newer operating systems may have this enabled by default.

5. Virtual Private Network considerations

Corporate IT or your outside provider will assist with setting up VPN access to the corporate network.  A small software program is typically installed and configured, allowing the remote worker to quickly and securely connect and work as if they were at the office.  This list is for experienced IT staff or for management to use as a compliance check.

  1. Do not allow split-tunneling. Once the VPN is active, all traffic should go through the VPN, including Internet browsing
  2. Time out the connection after a period of inactivity
  3. Use strong encryption
  4. Enable multi-factor authentication

6. Enable multi-factor authentication

All corporate applications, whether accessed through the VPN or not, should use multi-factor authentication (MFA) if available.  MFA is a technology where once a user enters a username and password, a second screen is shown, and a one-time use code is entered.  This code is obtained ‘out of band’, meaning it’s displayed on a smart phone through an app or via text.

MFA refers to an authentication process of having two or more of: something you know, something you have, or something you are (biometrics).  To authenticate, you would generally input a username and password (something you know), and then enter the code from your phone (something you have).

7. Encrypt the hard drive

Both Windows 10 Professional (with BitLocker) and macOS have a built-in mechanism to encrypt the contents of the computer.  Corporate computers used for remote access should have encryption enabled at all times.  Check whether the drives are encrypted in Windows or macOS.  Unfortunately, Windows 10 Home does not contain BitLocker.

8. Use an antivirus solution

Antivirus for Windows is not optional and should be enabled on all PCs. Windows 10 includes Windows Defender antivirus (now known as Windows Security) for free, and it’s a great choice for remote workers using a personal computer. Enable it here. macOS users should review this page regarding antivirus and other security engineered into the operating system.

9. Application considerations

Besides training, this is one of the most essential items on the list.

  1. Application Updates: When a software application is installed and offers the option for automatic updates, select that option. If you open an application and it prompts you to update, don’t wait, do it immediately, then resume your work.
  2. Operating System Updates: Windows 10 has built-in mechanisms to keep the operating system updated.  Check this Microsoft page to make sure your computer is configured correctly.  macOS also has the ability to keep the operating system and applications updated.  You can find out how to make sure your Apple computer is configured to do that here.
  3. Application Sources: Be very careful when searching the Internet for a software program. Since the days of floppy disks, malicious programs have been offered as legitimate software. If you’re looking for a Microsoft program, make sure you get it from Microsoft, Adobe programs should come from Adobe, etc. If you find expensive software on the Internet for free, it’s likely too good to be true.

10. Secure the Internet gateway

This section will be technical and may require assistance from someone with IT experience.

Every remote worker has a way to connect to the Internet.  Whether the connection is through a cable modem, fiber, DSL, or WiFi, the connection device needs to be secure.

  1. Make sure this device is running the latest firmware.
  2. If using WiFi, check the encryption level.  WPA2-PSK using AES with a random 15 character passphrase is the minimum.  Don’t be concerned with what this means from a technical standpoint; log into the WiFi device, and make sure these are set.  If the device is on the latest firmware and doesn’t have these options, the device needs to be replaced; it’s out of date and vulnerable.
  3. Don’t use default usernames or passwords

Summary:

I’ve condensed the list so you can turn it into a checklist to fit your corporate policy. This list is geared toward IT administrators, so you will see technical information and acronyms.

  1. Remote access policy
    1. Reviewed by management
    2. Signed off by remote access employee
  2. Training
    1. Ask if the employee has any questions about the remote access policy
    2. Review phishing techniques with the employee
      1. Hover over URL to make sure it’s legit
      2. Don’t open unexpected attachments
      3. Call back when receiving an email requesting sensitive information. Don’t call the number in the email; look it up separately.
  3. Check operating system version
  4. Ensure firewalls are enabled
  5. Review VPN configuration
    1. Disable split-tunnel (this may not be practical if the corporate Internet connection isn’t adequately sized)
    2. Timeout (30 minutes is an excellent place to start)
    3. Using strong encryption (check the vendor documentation for latest recommendations)
    4. Enable MFA
  6. MFA enabled for corporate applications
  7. Hard drive encryption for corporate devices
  8. Check antivirus. Make sure it can be centrally managed if it’s a corporate laptop.
  9. Application considerations (should have a central management system if corporate device)
    1. Applications patched
    2. Operating system updates
  10. Secure the Internet gateway (this step can be time consuming and isn’t as high risk)
    1. Check firmware version
    2. Ensure login isn’t using default credentials
    3. Review outside access if available
    4. Review connection method (Ethernet or WiFi)
    5. Check WiFi settings (WPA2-PSK-AES with min 15 character passphrase)
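
Items 3, 4, 7 and 8 of the checklist can be checked on a Windows 10 computer with a short script. The PowerShell below is an added example, not part of the original post. It uses the built-in cmdlets Get-CimInstance, Get-NetFirewallProfile, Get-BitLockerVolume and Get-MpComputerStatus, and its pass criteria (any Windows version 10 or later counts as supported, only the system drive is checked) are assumptions to adjust to your own policy.

```powershell
# Added example: audits checklist items 3, 4, 7 and 8 on a Windows endpoint.
# Run from an elevated PowerShell prompt (Get-BitLockerVolume needs admin rights).

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Item, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = [bool]$Pass; Detail = $Detail })
}

# Item 3: operating system version. Windows 7 reports 6.1.x, Windows 10 reports 10.0.x.
# Assumption: major version 10 or later passes; this does not check the servicing
# status of the specific Windows 10 release.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Result 'OS version' (([version]$os.Version).Major -ge 10) "$($os.Caption) build $($os.BuildNumber)"

# Item 4: firewall must be enabled on every profile (Domain, Private, Public).
$disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$detail = if ($disabled.Count) { "disabled: $($disabled.Name -join ', ')" } else { 'all profiles enabled' }
Add-Result 'Firewall' ($disabled.Count -eq 0) $detail

# Item 7: BitLocker protection on the system drive.
# On Windows 10 Home the cmdlet is missing, which lands in the catch block.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Result 'Drive encryption' ($vol.ProtectionStatus -eq 'On') "$($vol.MountPoint) $($vol.VolumeStatus)"
} catch {
    Add-Result 'Drive encryption' $false "BitLocker unavailable: $($_.Exception.Message)"
}

# Item 8: Windows Defender antivirus enabled with real-time protection on.
# A third-party antivirus product may cause this check to fail or report disabled.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    Add-Result 'Antivirus' $ok "signatures $($mp.AntivirusSignatureAge) day(s) old"
} catch {
    Add-Result 'Antivirus' $false "Defender status unavailable: $($_.Exception.Message)"
}

# Print the report, then return a non-zero exit code if any item failed
# so the script can be used from a management tool or logon task.
$results | Format-Table -AutoSize | Out-String | Write-Host
if ($results.Pass -contains $false) { exit 1 }
```

A failed item prints with Pass set to False and a short reason, so the output can be attached to the employee’s remote access sign-off.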