Security risks of home working and public Wi-Fi, tips to mitigate them, VPN insights, and more
Home-based teams? Flexible working? Staff often working on the go?
Only a few years ago, most organisations never considered working from home as an option. But the COVID-19 lockdowns forced organisations to quickly create and provide remote working solutions.
Organisations didn’t have the luxury of time to properly plan things and consider the risks involved. So, many lacked a proper security procedure or set of guidelines to follow, even if the solutions themselves were working.
Now, thousands of organisations have predominantly home-based workforces. Countless others permit flexible or hybrid working.
Perhaps because of this, Leon Teale – our senior penetration tester – is seeing evidence of suboptimal implementations becoming less acceptable. Specifically, organisations are increasingly asking him about how to secure their data and infrastructure while continuing to offer remote working.
We sat down with him to get more details.
About Leon Teale
Leon is one of our senior penetration testers. He has more than ten years’ experience performing penetration tests for clients in various industries all over the world.
In addition, Leon has won hackathon events in the UK and internationally, and is accredited for multiple bug bounties. He’s also been featured in various articles in the press relating to cyber security.
We’ve previously talked to him about the ‘mother of all breaches’, the CVSS (Common Vulnerability Scoring System) and zero-day exploits.
In this interview
How to secure remote infrastructure
Best-practice guidance for home working
Risks of working in public areas and using public Wi-Fi
How to remain secure while working in public, e.g. in airports
Pros and cons of different VPNs: OpenVPN, SSTP, L2TP/IPsec and PPTP
Leon’s top 10 tips for secure remote working, whether at home or in public
How can organisations efficiently secure their remote infrastructure?
Organisations should start by considering their baseline security posture.
Cyber Essentials and Cyber Essentials Plus cover the basics, such as:
Using firewalls;
Controlling user access;
Ensuring secure configurations; and
Protecting against viruses and other malware.
The NCSC [National Cyber Security Centre] also added requirements for home working to the Cyber Essentials scheme in January 2022.
What other best-practice guidance could organisations follow?
Organisations may also find the NCSC’s home working guidance helpful. This partially overlaps with Cyber Essentials, but also offers advice on:
Setting up new accounts and access controls;
Controlling what devices can access; and
Ensuring secure communications.
The NCSC also published a useful set of VPN principles to help with choosing a secure VPN solution for accessing corporate environments. It includes guidance on deploying and configuring the VPN.
Interviewer note: ‘VPN’ stands for ‘virtual private network’. Leon goes into more detail about specific VPN solutions below.
What if people are working remotely in a public area – in an airport, for example?
Despite their rigorous security, airports are a haven for criminal activity.
Passengers are often preoccupied with getting to their destination. They don’t tend to question suspicious activity. In fact, it might not even register.
Plus, airports are busy. This makes it easier for criminals to blend in, and it gives them plenty of victims to choose from.
However, airports aren’t fundamentally different from working in other public places – their risks are similar. Around public Wi-Fi, for example.
What are the risks around using public Wi-Fi?
Criminals often create wireless networks to trick unsuspecting people into connecting to them. In an airport setting, the attacker probably uses one of the following social engineering attacks:
1. The victim is duped into connecting to ‘Airport Wi-Fi’.
When in fact, this Wi-Fi network is controlled by the attacker. Specifically, all traffic gets routed through the attacker.
This allows an attacker to potentially intercept the data. This means they’d be able to read all communications and perhaps even modify requests. This could allow them to fully compromise any accounts you’ve logged into, be that social media, banking, or anything else.
2. The attacker creates a fake airport login portal.
Supposedly, this gives users access to a ‘super-fast’ Wi-Fi connection, or another type of upgrade. In exchange for a small fee, of course.
In other words, you have to enter payment card data – which the attacker can see.
How can people and organisations protect themselves?
Staff training goes a long way. People must be taught to:
Avoid connecting to untrusted or unknown wireless networks;
Use a VPN if they must use public Wi-Fi. By routing traffic through it, you prevent monitoring; and
Never enter sensitive information, such as credit card data, into an untrusted wireless network portal, even with a VPN.
Basic physical security measures, like always storing devices in your hand luggage, and not letting your luggage out of your sight, go a long way.
Want to stay in the loop about our latest blogs and interviews? Subscribe to our free weekly newsletter: the Security Spotlight.
You mentioned VPNs a couple of times. Could you talk us through some VPN technologies?
Sure. Here are four options:
1. OpenVPN
OpenVPN is a very configurable and secure VPN method.
OpenVPN is at its most secure if set to use AES [Advanced Encryption Standard] encryption, rather than the weaker Blowfish encryption.
Beware, however, that you’ll need to install a third-party application to use OpenVPN.
2. SSTP [Secure Socket Tunneling Protocol]
SSTP is like OpenVPN, but mostly just for Windows and less auditable.
However, SSTP is much better than PPTP and, because you can configure it to use AES encryption, SSTP is arguably more trustworthy than L2TP/IPsec.
3. L2TP/IPsec [Layer 2 Tunneling Protocol/Internet Protocol Security]
L2TP/IPsec is easy to set up, but has trouble getting around firewalls and isn’t as efficient as OpenVPN.
IPsec is theoretically secure, but there are concerns the NSA [National Security Agency] could have weakened the standard. No one knows this for certain, though.
If you can, stick with OpenVPN, but definitely use L2TP/IPsec over PPTP.
4. PPTP [Point-to-Point Tunneling Protocol]
PPTP is integrated into common operating systems and easy to set up, but old and vulnerable.
In short: stay away.
So, you would recommend OpenVPN to organisations?
In general, OpenVPN stands out as a solid choice. However, if you’re using Windows and need an alternative, SSTP is the way to go.
If you’re limited to L2TP/IPsec or PPTP, opt for L2TP/IPsec. Steer clear of PPTP, unless your VPN server will only accept this protocol.
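Leon’s OpenVPN points above (AES rather than Blowfish, and making sure the client is actually configured securely) translate into a few checkable lines in an OpenVPN client profile. The following linter is an added example written for this article; it is not code from the interview, from IT Governance, or from the OpenVPN project. The directive names (`cipher`, `data-ciphers`, `auth`, `remote-cert-tls`, `tls-version-min`) are real OpenVPN directives; the two profiles it inspects, and the hostname `vpn.example.com`, are constructed for the demonstration.

```python
"""Lint an OpenVPN client profile (.ovpn) for weak settings.

Added example for this article, not OpenVPN's own tooling. The profiles
below are constructed samples; only the directive names are real.
"""
import re

# Blowfish (BF-CBC) is the weak cipher Leon warns about; the others are
# similarly legacy choices that should not appear in a modern profile.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
# AES (preferably the GCM AEAD modes) or ChaCha20-Poly1305 are acceptable.
STRONG_CIPHER_RE = re.compile(r"^AES-(128|192|256)-(GCM|CBC)$|^CHACHA20-POLY1305$")


def parse_profile(text):
    """Return {directive: [args, ...]} for the last occurrence of each directive.

    Comment lines (# or ;) and inline certificate/key blocks such as
    <ca>...</ca> are skipped, since they carry no directives.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):          # end of an inline <ca>/<cert>/<key> block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def audit_profile(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_profile(text)
    findings = []

    # Data-channel cipher. If unset, older OpenVPN releases fell back to BF-CBC.
    cipher = d.get("cipher", ["BF-CBC"])[0].upper()
    if cipher in WEAK_CIPHERS or not STRONG_CIPHER_RE.match(cipher):
        findings.append(f"weak or unrecognised cipher '{cipher}': use 'cipher AES-256-GCM'")

    # OpenVPN 2.5+ negotiates from the data-ciphers list, so a weak entry
    # there can still be selected even when 'cipher' looks fine.
    for entry in d.get("data-ciphers", [""])[0].upper().split(":"):
        if entry in WEAK_CIPHERS:
            findings.append(f"weak entry '{entry}' in data-ciphers list")

    # HMAC for the control/data channel; OpenVPN's default is SHA1 if unset.
    auth = d.get("auth", ["SHA1"])[0].upper()
    if auth in {"MD5", "NONE"}:
        findings.append(f"weak HMAC '{auth}': use 'auth SHA256' or stronger")

    # Without this, the client accepts any certificate issued by the CA as the
    # server, not only a certificate marked for server use.
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': server identity is not pinned to a server certificate")

    # Refuse TLS versions older than 1.2 for the control channel.
    try:
        tls_min = float(d.get("tls-version-min", ["1.0"])[0])
    except ValueError:
        tls_min = 0.0
    if tls_min < 1.2:
        findings.append("tls-version-min below 1.2 (or unset): add 'tls-version-min 1.2'")

    return findings


# Constructed sample: the kind of profile still found in old deployments.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC
auth MD5
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: the same profile with the weak settings corrected.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {audit_profile(profile) or 'no findings'}")
```

Run it over every `.ovpn` your organisation distributes; the weak profile yields four findings and the hardened one none. Extend `WEAK_CIPHERS` or the `STRONG_CIPHER_RE` pattern to match your own policy rather than treating these sets as complete.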
To wrap things up, could you give us your top 10 tips for secure remote working?
If I had to narrow it down to the ten most important things, I’d focus on these:
People
Provide regular security training and staff awareness to remote workers. This could be delivered through e-learning and/or newsletters on the latest security threats and policy changes.
Educate employees to not use untrusted wireless networks, such as those in public spaces, for work-related tasks, unless a VPN is enabled.
Remind remote workers to keep their devices secure and out of sight when not in use.
Processes
Ensure remote workers’ devices are up to date and patched in accordance with your policy.
Securely back up data to help prevent data loss, whether due to technical issues or malicious activity.
Technology
Choose a secure VPN.
Ensure anti-malware software is active and up to date.
Ensure full-disk encryption, especially for laptops and other portable devices.
Enable MFA [multifactor authentication] for when the device is authenticating to the corporate network, and consider using certificate-based access.
Once you think you’ve followed all the guidance you can, get a third-party security company to audit your devices and VPN to ensure nothing has been missed.
Interviewer note: I grouped Leon’s tips by the three security pillars fundamental to an ISO practice. The pillars – people, processes and technology – interlink, so some tips fall into multiple categories.
Need more expert advice?
Want to work with one of the leading penetration testing companies in the UK?
All our penetration testing services offer one-to-one expert advice, from qualified ethical hackers such as Leon, at any stage of the engagement.
If you want to identify the vulnerabilities within your public-facing infrastructure and remediate them before an attacker can exploit them, our External Infrastructure Penetration Test is for you.
What do our customers say?
Gordon:
I always find ITG easy to work with. The consultant involved was very professional and friendly, providing plenty of updates throughout the test and clearly explained his findings.
The report provided plenty of information on any vulnerabilities found and the corrective actions needed to be taken.
Tim:
Good grief, what an eye-opener this was! We chose ITG because the initial scoping call revealed their pen testers had heard about our not-so-common software setup and their cost was more realistic than the other quotes.
I cannot recommend ITG enough – the whole service from beginning to end was exceptional with Loreta organising everything to Ross performing the actual pen testing.
We are an educational institution with a complex network setup and I thought I knew enough to get by with IT Security, but Ross has brought me down a peg (or seven) and we will be employing ITG’s services regularly to make sure there is nothing I’ve missed in the future.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
In the meantime, why not check out our previous interview with Leon on the implications of a 26-billion-record data breach?
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.
The post Security Tips and Concerns for Remote Working appeared first on IT Governance UK Blog.