The COVID-19 global pandemic has forced organizations worldwide to implement work from home policies to sustain business operations. Working from home requires remote access to IT systems for organizational staff and critical third-party service providers.
Some of the ways of providing remote access services:
- Direct access to corporate IT systems using remote desktop services, such as Microsoft Remote Desktop Protocol (RDP) software for Windows and Network Computing (VNC) based on the Remote Frame Buffer Protocol (RFB) for Linux.
- Virtual Private Networks (VPNs) for allowing individual users to connect to the organization’s private network (e.g., LAN, WAN) from a remote location using a laptop, desktop, or mobile device connected to the Internet. VPN creates a tunnel and encrypts transmission data between the organization’s network and remote user. The VPN is usually implemented as IPSec VPN or an SSL VPN.
- Virtual Desktop Infrastructure (VDI), via Citrix or VMware, a centralized server running virtual machines on a hypervisor that provides either persistent or non-persistent desktop instances for each user.
Though the above mentioned remote access services are common among organizations, attackers do lurk around to exploit vulnerabilities in insecure remote access implementations.
Most frequent threats include:
- Brute force attacks used to gain access to systems through password guessing.
- Man-in-the-middle attacks to gather sensitive information via intercepting network communications.
- Targeted attacks by employing specialized tools to exploit vulnerabilities or deliver malicious payloads.
- Social engineering or phishing attacks to entice users to reveal critical information needed for compromising systems.
Please adhere to these general security measures for adequate protection of remote access services:
- Define, document, and communicate remote access policies. Provide additional security guidelines based on the work environment and conduct awareness sessions on security best practices for staff. Monitor policy compliance and manage exceptions. Ensure security guidelines are included in third party contracts and make sure these guidelines are strictly practiced.
- Limit access to IT systems to authorized users and only provide access for a specific period.
- Monitor every remote access to IT systems, especially privileged access, and that of third-party providers.
- Enforce the practice of strong passwords, make sure the passwords include upper and lower case alphabets, special characters, and avoid guessable words or identity information associated with the user.
- Choose robust authentication methods depending upon the remote access service and enforce 2 Factor/Multi-factor authentication, wherever allowed.
- Select the most robust encryption method available and implement TLS-based session authentication, Blowfish or AES-256 encryption, and SHA1 authentication of tunnel data, wherever possible.
- Change the default port while using remote desktop services.
- Ensure the recommended security patches is applied to relevant IT systems and network devices before providing remote access.
- Access through VPN or VDI servers should only be provided when the remote access user machine is scanned thoroughly and found compliant to the organization’s security standards.
- For VDI environments, local or remote access of sensitive resources must be separated from other commonly used assets exposed to the Internet.
- Ensure security architecture of the VDI environment prevents network boundary jumping by enforcing different trust levels in the DMZ environment.
- Ensure strong containerization of mobile applications by using a securely configured and properly managed Mobile Device Management (MDM) solution.
Looking for a remote access policy document template for your organization? You can download it from here.