There’s no going back – the world has gone mobile. More and more financial institutions – credit unions included – are allowing employees to telecommute. Therefore, when securing your credit union’s network, you need to think that they are no longer just the small local area network inside your office, with one Internet access point.
Our networks are growing less well–defined, with more than one entry point and each access having a different level of trust. Securing this increasingly complex environment now takes some serious effort.
Whether you allow a select number of credit union employees to work from home, from the airport, or from anywhere else – any time, all the time – there are some important and serious security implications you need to consider. Here, we’ll attempt to analyze them and provide valuable insights about what to do to ensure that your remote workstations, laptops – and, especially, data – are properly protected.
Challenges and Hazards
The security challenges you will face are not necessarily the same for each remote scenario, so let us analyze first the issues with an employee working from home. We will assume that by now no credit union will allow a simple, unprotected connection to an office LAN. Your remote employee will use a virtual private network.
The three most prevalent types of VPNs today are PPTP, IPSEC and SSL. IPSEC and SSL are the most secure because they can use the highest security encryption (AES 256), i.e., 256 bits of encryption and a protocol (AES) that took almost 10 years to develop and was designed to last well into the 21st century, even with the power of computing increasing at the usual rate. SSL VPN is the most flexible, and the one we prefer.
So, the data travels from the credit union to the remote workstation and back, well encrypted and very secure. But when it gets to the workstation, it is unencrypted and written at least into temporary files. When the user disconnects from the VPN, these temporary files remain on the remote workstation, unencrypted and, most likely, unprotected. And if the information exchanged was confidential, you now have confidential data stored on a remote workstation you have no control over.
Now, picture the situation where this home computer is also used by someone else in the house, someone who might browse to a website that will download a Trojan on this workstation. Another hazardous home-computing scenario involves peer-to-peer networks, where users can share files with other participants without the need for a central server – even accessing another user’s documents without permission. Suddenly, those possibly confidential files that were left over from a VPN session are being shared with millions of people.
Ensuring that the data traveling through the VPN also stays protected when it reaches the remote computer is something we rarely consider but is something that can cost your credit union quite dearly.
Solutions and Tips
There are several steps you can take to ensure higher security for this traveling data. First the most obvious thing to do is to not allow your users to connect to the VPN using their home computer. If you have telecommuters and are in a position to enforce this, ensure that they use an employer-issued laptop and that you have full control over what’s installed on it and how it’s configured. Also, have fully working, well-updated anti-virus and endpoint security on it.
Second, ensure that the user can’t get to the Internet using that laptop unless he or she is connected through the VPN. There are plenty of software solutions on the market that allow you to block direct access to the Internet unless the VPN is on.
If for any reason you are not in a position to issue laptops to your telecommuters, but still want to allow them to work remotely, at least make sure they are not allowed to have an administrative account, and limit what their account can see and do. This won’t protect you completely, but, at a minimum, it should greatly reduce the risk of exposure.
Demand that their remote PC be kept up-to-date with patches and anti-virus signatures. Also consider issuing an endpoint security license for that workstation, even though it will be installed on an asset that does not belong to your company.
If the remote user is connecting from a hotel or other remote place away from home, you run into another issue – that this computer is connecting to a network that is not yours and can be exposed to local attacks.
A wireless connection at the airport is open to anyone who wants to connect. The downside of this is that your computer ends up in a possibly large network, with other people you do not know. Therefore, the possibility that someone with ill intentions may be connected to the same network is a real one.
The most important thing to do in this case, and, perhaps, the only really serious protection you have, is to install endpoint security software on the laptop that can intercept connection attempts, Trojans, unauthorized or surreptitious data transfer, and other possible intrusions.
In addition, your users should be advised to stay logged onto the wireless only for the time strictly necessary and to use a VPN when transferring confidential information. It’s also a good idea to protect the laptop physically, because a high number of laptops are stolen every year.
If you allow your users to check their mail remotely (by using Outlook Web Access, for example), you should ensure they do this from their own laptop and not from a public computer, which will remain at the mercy of the next customer once your user leaves.
The temporary files left on that computer during your user’s session might contain data you do not want left around, and they are fully accessible to the next customer and to the administrators of that computer. This will lead to leakage of information, even though you have everything else well protected.
Whether your telecommuters are working from home or on the road, there are some general considerations that are valid in all cases. One very good way to protect potential data loss is to encrypt it, either the entire disk or only certain file systems. The second option gives you more flexibility and allows recovery of the data – if the encrypted data is on a separate logical disk – should the operating system become corrupted. Either one is a good solution to ensure that the data cannot be stolen.
Another great way to limit your risks is to avoid having the data transferred to the remote computer altogether. This is achieved by using thin-client technology, such as Citrix. With this technology, the application runs on the server, the data is processed on the server, and it never leaves the server.
What does leave the server is the graphic information to ”paint” the remote screen, which contains the data in visual form but does not usually contain anything worth stealing. Even if it does, the data is usually kept in memory and is lost when the client computer is turned off. The files in the swap area will be quickly overwritten as well, so no trace of the data should be left on the client computer.
Now, we come to the subject of passwords – strangely enough, still a common issue. Too many users choose birthdates, common names, pets’ names and similarly easy-to-remember passwords. Unfortunately, what is easy for us is often even easier for hackers.
A strong password is paramount to protecting your data, no matter where it is. This is particularly important for roaming users, since their computers are more likely to be stolen or somehow hacked into: an estimated 10% of all laptop computers are stolen at some point, and 97% of them are never recovered.
Passwords need to be changed but try to strike a balance so that changing the password does not become a weak point in the security chain.
The bottom line: secure your credit union’s network and data when employees are working from home or on the road. Implement the above suggestions, and the chances of remote workers’ files being compromised will indeed be remote.
Pierluigi Stella is chief technology officer at Network Box USA in Houston, Texas.