Aug 27 2007

Can I Borrow the Car, Uncle Sam?

Think of your teleworkers as drivers who need to obey the rules of your road if they want to keep their license to access data.

When setting security for teleworkers, an agency’s information technology staff members should think back to when they got their driver’s licenses.

Like people who rely on friends for rides, employees working in an agency office depend on the IT staff to handle security issues for them. Agencies have policies, procedures and technology in place to protect onsite IT systems. Workers are somewhat responsible for security, but the main duties lie beyond them. For example, agencies can provide security software and tools, put security policies in place and ensure employees understand them.

Enabling employees to telework is like handing them the keys to the car itself, whether they use the agency’s “wheels” or their own. The former chauffeurs may provide a certain level of support, but the new drivers are still responsible for ensuring they follow the speed limit, don’t engage in reckless behavior or tinker with the engine if they want to arrive at their destination safely.

Securing a mobile workforce requires enforcing compliance requirements and protecting end-points such as notebooks, flash drives and wireless devices. Together with best practices, these technologies not only protect workers regardless of where they connect but also help prevent unauthorized personnel from accessing government network resources.

To help protect critical government information, an agency’s security checklist for teleworking employees should require employees to secure their remote communications, keep security software running and up to date, secure the data and secure the physical space.

Secure Remote Communications

Teleworkers, like drivers, must be careful to lock their doors so that they don’t pick up any unwanted passengers. Many agencies provide secure remote communications to their networks for teleworkers through virtual private networks.

But network routers, common in many homes, can pose potential security risks. Routers come with a well-known password that, if not changed, will let unauthorized users access and reconfigure them any way they like. An unsecured router makes stealing work and personal data from home computers — as well as federal data coming and going through a VPN — simple. Therefore, the way to help make a router safe for federal telework is to change its default password.

Wireless routers, which are more common still, present additional security risks. The routers’ built-in security features are often turned off by default to make installation easier. Unfortunately, this also makes the wireless traffic they carry — including VPN access — less secure against rogue hackers.

The VPN encrypts the data traveling between the remote system and the agency’s network, so data sent between the remote machine and the agency is safe. But if the remote machine has been hijacked, a VPN will not protect the machine or the agency’s network. For instance, a Trojan can be used to access data before the data is encrypted. To avert this problem, it makes sense to augment the agency’s firewall and VPN with a machine-level firewall and virus protection.

Federal IT staff should make sure teleworkers take the following steps to secure their wireless routers at home:

  • Change a router’s default network name (the service set identifier, or SSID).
  • Turn off the broadcast function, so that anyone attempting to access the network must guess the router’s name.
  • Take advantage of built-in security features. Media Access Control lets users create white lists of specific machines allowed on the network, barring access to unauthorized machines.
  • Use the built-in encryption capability to encrypt all communication on the network. This requires using encryption on all machines in the home, but the tremendous security improvement is worth the extra effort.

Keep Security Software Running and Up to Date

Drivers conscientious about their security fix broken windows and flat tires to avoid potential problems. Routine safety maintenance is just as important for teleworkers. Just like inside the office, security software remains a critical piece of protection for teleworkers.

54% Nonteleworkers who take work home and use their own systems.

41% Nonteleworkers who log on to their agency networks from home.

SOURCE: May 2007 Telework Exchange Survey of 258 federal employees (52 percent are nonteleworkers; 48 percent are official teleworkers)

Teleworkers must be responsible for configuring their computers to automatically download the latest virus signatures and other security upgrades whether they are working from home or in the office. They must never disable security software or block or disable downloading of the updates. Their antivirus software must use its real-time detection capability to scan new programs or files before writing them to the computer’s hard drive.

Outside the office, a desktop firewall is also critical because remote workers are no longer behind the agency’s enterprise firewall, which protects an office at the electronic gateway to the network. A desktop (or personal) firewall provides similar functionality, residing on the computer and providing a protective shell that reduces the risk of unauthorized users accessing the computer.

Secure the Data

Just as drivers should not leave valuables unprotected in their vehicles, teleworkers must take care to protect sensitive information that resides on their notebooks.

By minimizing the amount of sensitive data on their machines and leveraging encryption technology, teleworkers can lessen the potential for data loss. They should back up any stored information at least once a week to minimize the risk of losing critical information if the computer is lost or stolen. Many agencies have policies and tools available to help teleworkers appropriately back up data.

Secure the Physical Space

Drivers who ignore the physical safety of their vehicles do so at their own peril. Stories abound of drivers who left their cars running with the keys in the ignition when they ran into the store, only to find their cars missing when they came out. Similar problems can befall teleworkers. A sometimes overlooked aspect of security outside the office is physical security, which is particularly important when teleworking. Physical security includes maintaining a clean-desk policy, physically securing computers and disposing of hard copy safely.

Teleworking employees might be tempted to let other family members use their work computers while at home. Many agencies prohibit this. Family members can inadvertently lose files or accidentally transfer them off the machine. They also might not be as well trained on security issues and might open the system up to attacks from malware.

A clean-desk policy means that when work is done, no sensitive data remains on the desk. Sensitive documents on paper, CD or other storage devices should be put away after use so they are not lost or inadvertently thrown out. Workers should shred sensitive documents even when at home. Putting important papers in the trash is not a secure method of disposal. Dumpster diving can happen as easily at the curb as on the loading dock. And just as at the office, teleworkers cannot assume documents have no value. When in doubt, shred all documents.

Unfortunately, theft can happen in the home as well. Teleworkers should consider securing their computers, especially notebook systems, with a cable lock.

In the end, telework, like driving, opens up new realms of freedom and productivity. It also requires teleworkers to take more personal responsibility to prevent security problems that could put essential government equipment and data at risk.


Illustration: Ken Orvidas