In most cases, businesses do not realize the repercussions of providing remote access for users, and they do little to protect themselves from threats that result from this remote access.
The higher levels of remote access, such as that which comes from a VPN, extend the LAN to include the employee's home computer, network and Internet connection. By default, many financial businesses employ Microsoft's VPN tool, which is included at no additional cost with Windows NT/2000 servers and is straightforward to configure.
A typical IT administrator will verify that corporate workstations are running current antivirus applications, will hopefully have a firewall in place to protect the LAN from external threats, and may even have set acceptable use policies regarding such items as password strength or music-download software/spyware. But has the administrator done the same for the employees' home computers? More often than not, the answer is "no." This creates a problem when the employee's children (or the employee) are running games, downloading software and opening email with the subject "congratulations, you're a winner."
A financial company can implement security and save dollars, dollars and more dollars of lost revenue due to security compromises by insisting that the home employee, including the CEO and other executives, follow some simple rules:
- Antivirus (AV) software: Insist that the user maintain the latest version of AV software and keep the definitions up to date. Ask the user to provide the make/version of the software for you. If it doesn't match the corporate standard, purchase it for that employee. At only $25-$50 per installation, it's petty cash for insurance.
- Firewall: While it would be wonderful for each employee to own a hardware-based, stateful-packet inspection firewall, it can be a costly solution. Instead, purchase a trusted software-based system.
- VPN: Does the user connect by VPN? Whether it's a hardware-based tool or a Microsoft Windows-based tool, instruct the user how to configure it so that it becomes the default gateway to the Internet. This will protect the corporate LAN from being accessed by an Internet "guest" through the user's computer while the user is connected to the VPN.
- Technical assistance: If practical, inspect the home computer for all required software, security patches and settings as if it were a computer that you had built at the office. That way you can "sign off" on it as a secure system.
- Guidelines: Finally, knowledge, knowledge and more knowledge. Provide guidelines and make the employee an informed one through acceptable use policies. Ask the employee to sign a document stating that he understands the risks of remote access. A hand-written signature goes a long way to cultivating a level of responsibility from the employee once he knows the consequences of inaction.
Bradley Dinerman is an MCSE in Windows NT and 2000 and a Certified SonicWall Security Administrator (CISSA). He is the founder and chair of the New England Information Security User Group and is a founding director of Boston User Groups, Inc. Brad is the vice president of information technology at MIS Alliance in Newton, Mass., and holds a Ph.D. in physics to help him determine how long it will take his monitor to be launched across the local highway.
