Michael Ly, the owner of the Reconciled accounting firm, at his co-working space in Burlington, on Feb. 10, 2020. Almost all of Ly’s 29 employees are working remotely from nine different states. He said it’s key to hold regular meetings and provide information opportunities for people to get to know each other by video. Photo by Anne Wallace Allen/VTDigger

Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College.

Many organizations are having their employees work from home these days. But the current COVID-19 situation may have required quick decisions to be made on how to continue operations by allowing users to work remotely. 

A VPN (virtual private network) is the most common method for remote access. It is a secure connection between your computer at home and your organization. When using a VPN, most organizations set it up so that it looks like your home computer is physically on their network. Accordingly, all the day-to-day activities you do at home will appear within your organization: web browsing, music streaming, and video streaming would pass through your organization’s network. Keep in mind that all of your internet browsing may go through your organization’s network and they could potentially see what you’re doing. Do not be alarmed by that, because it depends on the setup of the VPN and whether your organization has tools to monitor network traffic. Also, that monitoring can only occur when you are connected to the VPN.

Additionally, you want to spare your organization’s network as much data as possible. If a streaming service is running, it could affect performance for other employees and could lead to slow access to documents and information, or cause people’s VPN connections to disconnect. That could lead to data loss and overall frustration.

Recommendations for employees

1. Ensure your computer has all the latest updates and an antivirus program.

2. Try to refrain from downloading organizational data to your home computer, unless it is necessary. If you have to download files, put all the files in one folder and organize them within that folder. That way they will be easier to manage for your work and to delete when you no longer need access to them. Data left in unprotected places is a common occurrence in breaches.

3. Create a new account on the computer you are using and use that for remote work only. That way, the applications and sites that load automatically using your normal home account won’t go through your organization’s network. Set up a unique background so you know you are logged in to do work under that account. Tell your family so they know not to use that account if you have to share your computer with others.

4. Log out of the account you created, restart your computer, and then log in to your everyday home user account.

5. If possible, limit who can use the computer during the time you have to work from home.

Recommendations for VPN use decision makers and technical readers

1. If possible, use two-factor authentication to add an additional layer of access control. This is not always possible due to the cost involved. VPNs that use client certificates provide an additional layer of access control.  VPNs that use pre-shared keys are another option.

2. See if the VPN can check to ensure users have the latest updates for their operating system and an antivirus program.

3. Remind users how to properly manage data, whether they are allowed to download data to their personal computers, and which data they can download. Encourage them to store data in one folder to make deleting the data easier when they return to the office and to prevent accidental data leakage.

4. If they are using a remote access program like Remote Desktop, remind them to lock the screen when they step away to prevent a family member from accidentally viewing sensitive data or loading streaming services. Set up a unique background and screensaver so they know they are logged in to work.

5. Have a policy to not allow the use of streaming services, unless it is necessary for their work.

6. Split-tunneling may be a good option. This will greatly depend on your risk tolerance and on the type of data and the servers users have access to.

There is a debate on the security of split-tunneling. If an employee browses to a malicious site, it doesn’t go through the organization’s network and may not be tracked or blocked. This could allow an adversary to gain access to the organization network.  Well, the same can occur if using a full-tunnel, where all data goes through the organization network and the proper security tools aren’t in place. The best practice, regardless, is to not drop the VPN into the internal network. Rather, place it just outside the network (or within a DMZ) and apply firewall rules to allow traffic from the VPN to the requisite internal services.

7. You may have to upgrade your organization’s bandwidth temporarily to support the number of users on the VPN.

8. Consider how many people need to use the VPN and if the device can support the number of users required.

9. There may be additional costs associated with adding more users to the VPN.

10. Monitor the use of the VPN for repeated failed login attempts. Adversaries know that many organizations are using VPNs these days, so monitor, monitor, monitor. You’ll want to monitor the common VPN ports: 443/TCP (SSL and SSTP), 500/UDP and 4500/UDP (IPsec), 10000/TCP (Cisco sometimes uses this port), and 1194/UDP (OpenVPN). The controls mentioned in #1 can greatly reduce the likelihood of someone attempting to guess passwords.
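One way to act on the monitoring advice in item 10, as an added example that is not part of the original column: a sliding-window count of failed VPN logins per source address. The log format, the sample lines, the function name and the threshold and window values are all assumptions made for illustration, not any vendor's format or defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "key=value" gateway log format.
SAMPLE_LOG = """\
2020-03-20T09:00:01Z vpn-gw auth result=FAIL user=alice src=203.0.113.7
2020-03-20T09:00:09Z vpn-gw auth result=FAIL user=alice src=203.0.113.7
2020-03-20T09:00:15Z vpn-gw auth result=OK user=bob src=198.51.100.20
2020-03-20T09:00:21Z vpn-gw auth result=FAIL user=carol src=203.0.113.7
2020-03-20T09:00:40Z vpn-gw auth result=FAIL user=dave src=203.0.113.7
2020-03-20T09:01:02Z vpn-gw auth result=FAIL user=erin src=203.0.113.7
2020-03-20T09:05:00Z vpn-gw auth result=FAIL user=bob src=198.51.100.20
2020-03-20T09:30:00Z vpn-gw auth result=FAIL user=bob src=198.51.100.20
2020-03-20T09:30:05Z vpn-gw auth result=OK user=bob src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def find_repeated_failures(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "users": [...]}} for every source address
    that reached `threshold` failed logins inside one sliding `window`."""
    recent = defaultdict(deque)   # src -> (timestamp, user) failures, oldest first
    alerts = {}
    for line in log_text.splitlines():   # assumes lines are in time order
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue              # skip successes and unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(m["src"], {"failures": 0})
            if len(q) > prev["failures"]:   # keep the worst window per source
                alerts[m["src"]] = {"failures": len(q),
                                    "users": sorted({u for _, u in q})}
    return alerts

if __name__ == "__main__":
    for src, hit in find_repeated_failures(SAMPLE_LOG).items():
        print(src, hit)
```

The list of usernames in each alert separates repeated guessing against one account from one source trying many accounts. The two widely spaced failures from the second address stay below the threshold.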

Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked...
