Dec 31 2009

Don't Fear Telework — Set Smart Security Parameters

Photo: Forrest MacCormack

Just like their private-sector counterparts, government employees increasingly desire to telecommute. But can it be safe and secure?

Telecommuting can lower an agency’s costs and improve its employee morale, yet many managers have well-founded concerns about the security risks. At the National Institute of Standards and Technology, I developed approaches to improve telecommuting security.

Agencies need to to look at five areas to make teleworking a viable alternative: firewalls, Web browsers and operating systems, virus protection, virtual private networks and telework policies.

No. 1: Firewalls

Firewalls are the first line of defense. All home networks connected to the Internet via a broadband connection should have firewall devices installed. Personal software firewalls installed on each computer are useful and effective, but adding a separate, dedicated and relatively inexpensive hardware firewall provides greater protection.

The features to look for in personal firewall products include:

Port hiding or “stealth” mode: A system in stealth mode will not respond to unsolicited requests for a port, effectively hiding the target machine.

Automatic lockout: This will let a user set a timer to bar all Internet access to and/or from the machine after a specified period of inactivity.

Connection notification: When a program initially attempts to send out packets, the firewall will interrupt the user with a message such as “Should [program name] be permitted to connect to the Internet?” This feature sometimes detects the presence of spyware or backdoor programs that may have been installed without the user’s knowledge.

NIST strongly recommends that agencies consider using both software and hardware firewall devices for high-speed connections. When a software personal firewall and a separate device are operating, the user can screen out intruders and identify rogue software attempts to transmit messages from the user’s computer to an external system.

No. 2: Browsers and OSes

Agencies need to configure users’ Web browsers to limit vulnerability to intrusion. Browsers usually require configuration beyond their default settings.

It’s important to allow only those plug-ins absolutely required by end users. Active code should be disabled or used only in conjunction with trusted sites. Up to 90 percent of security problems can be avoided by keeping browser and operating system software updated with the latest security patches. Automatic update should be turned on and configured to run at least every day.

No. 3: Virus Protection

Once malicious code purposely attaches itself to a computer program or document, it replicates itself by using some of the resources of the co-opted program or document and then attaches itself to other host programs and documents.

90% of security problems can be avoided by keeping browser and OS software updated with the latest security patches

All computers need to have an antivirus program installed. But if the antivirus program is not configured properly, it won’t offer full protection. Systems administrators should provide users with properly configured antivirus tools.

Another concern for many telecommuters is the surreptitious installation of spyware. Spyware apps often install themselves on a PC without the user’s knowledge and then report information about browsing habits back to the spyware’s home site. Most spyware simply gathers market research data, but computer criminals use similar tools to sniff credit card numbers when users make purchases over the Internet. Spyware detection tools should be installed and configured for daily automatic update.

No. 4: VPNs

A virtual private network can provide telecommuters with a high degree of security but can be expensive and complex to administer. A VPN serves as an encrypted tunnel between two organizations, or hosts, that makes it possible for secured communications over public networks.

To ensure correct operation, an agency must carefully configure the VPN on both its central office systems and telecommuters’ remote systems. Users will need training on VPN operation because VPNs are neither as simple nor as transparent as some other security options. Organizations considering a VPN should proceed with caution, first ensuring that they can’t achieve their security goals through less complex mechanisms.

If a VPN is used, sysadmins should correctly configure the VPN and provide telecommuters with properly configured software for their offsite systems. If a compromise occurs at either end of the VPN, the data will not be secure. In particular, spyware or viruses on a computer can sniff passwords and thereby circumvent the VPN security, putting the agency at risk.

No. 5: Policies

Finally, every agency needs to give users guidance on selecting appropriate technologies, software and tools that are consistent with the agency’s network and security policies.

Ideally, the agency should provide each user with a preconfigured system preloaded with security features appropriate for the user’s job, although this is not always necessary or even possible.

Many users, particularly if they do not require interactive access to agency databases, can obtain an adequate degree of security at low cost and with little additional software.

Agency IT teams should assume that at some point the system is likely to be used by someone other than the employee, introducing an increased risk of malicious software gaining access to the system. Security for both a worker’s home computer and an agency’s servers must be based on this assumption.

The Long Haul

The benefits and risks of telecommuting are here to stay. Computing resources and access to office networks while on the road or working from home are too valuable for most agencies or employees to give up. While there will always be risks associated with remote access to an organization’s resources, most of these risks can be mitigated through careful planning and implementation.