Remote Access (and Teleworking)

Overview
Remote access is the process of reaching an organization's network from a home office or while traveling in order to perform company business. Many organizations allow users to connect remotely from a home or remote office to improve support coverage and to reduce facility or real estate costs (e.g., fewer desks, phones and less building space). The added flexibility and reduced overhead make it more important to secure remote access connectivity and home offices, and to establish telecommuting policies that set the rules employees and contractors must follow to protect the organization's data.

Guidelines
A Remote Access (or Teleworking) Policy should include requirements to ensure that teleworking devices on wired or wireless networks, as well as the home office itself, are properly secured. Examples of controls recommended for teleworking devices include: up-to-date anti-virus software, current security patches, password-protected logins, two-factor authentication, paper shredders for printed material, and secure wireless networking (WPA2 or later with a strong passphrase rather than an open or WEP network).

In addition, the Teleworking Policy should include:
  • A definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is allowed to access
  • Physical security of the remote office
  • Rules and guidance on family and visitor access to equipment and information
  • Revocation of authority and access rights, and the return of company equipment when the teleworking activities are terminated.
Teleworkers should only be permitted to connect through approved remote access mechanisms that authenticate and authorize access to the organization's network, such as a secure VPN or an organization-managed wireless access point. Issuing standard-build PCs, laptops or mobile devices also allows the organization to control the secure configuration of the devices used for remote access.

Multi-factor authentication (MFA) should also be required for remote users connecting to the company's internal network or to sensitive networks (such as payment cardholder data networks/systems). MFA is the practice of requiring two or more independent credentials: something you know (e.g., a password or passphrase), something you have (e.g., a smartcard, or a mobile phone or token that generates a one-time password) or something you are (e.g., a fingerprint or other biometric). Hardware and software tokens are available that issue one-time passwords. Two-factor authentication (2FA) is the special case of MFA that uses exactly two factors; MFA is now the more common umbrella term. Note that two credentials of the same kind (e.g., a password plus a security question) are both "something you know" and do not count as multi-factor.
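The one-time passwords issued by the hardware and software tokens mentioned above are almost always HOTP (RFC 4226) or TOTP (RFC 6238) codes. The following is an added example, not code from the original page or from any vendor: it implements both algorithms with the Python standard library, and adds a small server-side verifier (the class name TotpVerifier is our own) that tolerates one step of clock drift and refuses replay of an already-accepted code. The secret and timestamps are the published RFC test vectors, not real credentials.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords, plus a stateful
server-side verifier. Added example; uses only the Python standard library.
The secret below is the RFC test-vector secret, not a real credential."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window (the usual default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits)


class TotpVerifier:
    """Server-side verifier (hypothetical name, not a library class).

    Accepts the code for the current time step and for `window` steps on
    either side (clock drift), compares in constant time, and remembers the
    highest counter it has accepted so an intercepted code cannot be replayed
    while its window is still open."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = TIME_STEP, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, submitted: str, now: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already consumed: replay attempt or stale step
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: T = 59 s, SHA-1, 8 digits -> 94287082
    print("RFC vector:", totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET)
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("first use accepted:", v.verify(code, now))   # True
    print("replay accepted:   ", v.verify(code, now))   # False
```

The replay check matters because a TOTP code stays valid for the whole step (30 s here) plus the drift window, which is ample time for a phishing proxy to forward a captured code; the verifier must therefore treat each counter as single-use rather than merely checking that the code is currently valid.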

Some organizations instead allow users to use personal devices to access the network from a remote office, to lower equipment costs and provide more flexibility to meet business needs. In that case the organization cannot rely on controlling the device build, so it should also consider implementing Data Loss Prevention (DLP) to control the loss of sensitive data through remote channels, and Network Access Control (NAC) mechanisms to ensure that only devices meeting the remote access policy (e.g., patched, with current anti-virus) are allowed to connect. See the DLP and NAC topics for more details.
 

Topic Category
Network Security
 
News Articles
  • As Predicted, OPM Director Resigns in Wake of Epic Hack (www.wired.com, 7/10/2015)
  • Traveling business executives targeted through luxury hotel Wi-Fi (www.zdnet.com, 11/10/2014)
  • Data breach that hit Jimmy John's is larger than first thought (www.computerworld.com, 9/26/2014)
  • HALF of London has outdated Wi-Fi security, says roving World of War, er, BIKER (www.theregister.co.uk, 5/5/2014)
  • Tumblr beefs up security with two-factor authentication (nakedsecurity.sophos.com, 3/26/2014)
  • Lessons to learn from the MongoHQ database breach (nakedsecurity.sophos.com, 10/31/2013)
  • Lawyers report steep rise in employee data theft cases (nakedsecurity.sophos.com, 9/3/2013)
  • 'Chinese' attack sucks secrets from US defence contractor (www.theregister.co.uk, 5/2/2013)
  • Security audit finds dev OUTSOURCED his JOB to China to goof off at work (www.theregister.co.uk, 1/16/2013)
  • WA Police seeks new two-factor authentication provider (www.zdnet.com, 12/18/2012)
  • Attackers Had Access for Months in South Carolina Data Breach (threatpost.com, 11/21/2012)
  • Blizzard Sued Over Data Breach, Authenticator Sales (threatpost.com, 11/12/2012)
  • Malware infects 13 percent of North American home networks (www.csoonline.com, 11/1/2012)
  • DSL modem hack used to infect millions with banking fraud malware (arstechnica.com, 10/1/2012)
  • Dropbox Now Offers Two-Step Authentication (krebsonsecurity.com, 8/27/2012)
  • Employee password reuse behind Dropbox spam outbreak (www.scmagazine.com, 8/1/2012)
  • Agencies to dole out new hardware keys for secret networks (www.nextgov.com, 7/20/2012)
  • SWAT team throws flashbangs, raids wrong home due to open WiFi network (arstechnica.com, 6/28/2012)
  • Attackers Hit Weak Spots in 2-Factor Authentication (krebsonsecurity.com, 6/5/2012)
  • House Committee to Probe e-Banking Heists (krebsonsecurity.com, 5/31/2012)
  • Jetting off abroad? Pack protection ... for your Wi-Fi (www.theregister.co.uk, 5/9/2012)
  • Sykipot Malware Now Steals Smart-Card Credentials (www.darkreading.com, 1/12/2012)
White Papers
  • The Lowdown on Laptops: Data Security for the Road Warrior (business.ftc.gov, 7/1/2007)
Standards
  • NIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST, 8/5/2016)
  • NIST SP 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security (NIST, 8/5/2016)