Abstract
This article aims to underline a few specific concepts that are fundamental to addressing the cyber security risk of working from home.
The information contained here has been extracted from a publication of the National Institute of Standards and Technology: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.
Protecting the confidentiality of information should be a concern for everyone, from the businesses to home users:
1. Introduction
2. Major security concerns
3. Best practice
4. What about telework
5. A compromised Server
6. Threats to telework
7. Personal third-party device
8. Focus on the fundamentals
9. In Conclusion
10. Solutions
1. Introduction
As a preliminary point, we should be aware that the efficient and effective management of information, from inception through disposition, is the responsibility of all those who have handled the data.
The application of sophisticated access controls and encryption helps to reduce the risk that an attacker gains direct access to sensitive information, but cannot eliminate it.
Often, the most vulnerable path to company data is the occasional use of personal devices to transfer data into our work environment: BYOD (Bring Your Own Device).
In this scenario, the company must identify the risks through a threat model.
2. Major security concerns
As mentioned above, the nature of telework devices places them at higher risk than similar technologies that are only accessed from inside the organization.
In fact, remote access technologies permit access to protected resources from an external network, which is often outside the organization's control, creating an opportunity for an external breach.
Next, within the same risk category, come the internal resources made available to users through remote access.
Major security concerns also include:
- the lack of physical security controls,
- the use of unsecured networks,
- the connection of infected devices to internal networks,
- the availability of internal resources to external hosts,
- third-party-controlled technologies.
3. Best Practice
In short, best practice is to assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization's data and resources.
Organizations should also assume that communications on external networks, which are outside the organization's control, are susceptible to interception and modification.
However, we should be aware that this type of risk can only be mitigated, not eliminated, for example by authenticating each of the endpoints to verify their identities.
The compliance and cybersecurity departments must develop a telework security policy defining:
- which forms of remote access the organization permits,
- which types of telework devices are permitted to use each form of remote access,
- the type of access each kind of teleworker is granted,
- how the organization's remote access servers are administered,
- how policies in those servers are updated.
4. What about telework
For telework situations, the organization may choose to specify additional security requirements.
First, an organization should ensure that the remote access server is secured and configured to enforce telework security policies.
The security of remote access servers is important because they provide a way for external hosts to gain access to internal resources, as well as a secured, isolated telework environment for:
- organization-issued client devices,
- third-party-controlled client devices,
- BYOD client devices.
5. A compromised Server
A compromised server could eavesdrop on communications and manipulate them, as well as provide a “jumping off” point for attacking other hosts within the organization.
Organizations should also carefully consider the network placement of remote access servers; in most cases, a server should be placed at an organization’s network perimeter to act as a single point of entry.
6. Threats to telework
There are many threats to telework client devices, including malware and device loss or theft. Generally, telework client devices should include all the local security controls used in the organization’s secure configuration baseline for its non-telework client devices.
Finally, organizations should ensure that all types of telework client devices are secured, including PCs, smartphones, and tablets.
7. Personal third-party device
Allowing personally owned and third-party-controlled client devices to be connected to an organization’s enterprise networks adds considerable risk, because these devices are often not secured to the same degree as the organization’s own devices.
However, this risk can be mitigated by setting up a separate wired or wireless network within the enterprise dedicated to these devices.
This network should be secured and monitored in a manner consistent with how remote access segments are secured and monitored.
8. Focus on the fundamentals
Telework and remote access solutions typically need to support several security objectives. The most common security objectives for telework and remote access technologies are as follows:
- Confidentiality
- Integrity
- Availability.
To achieve these objectives, all of the components of telework and remote access solutions, including client devices, remote access servers, and internal servers accessed through remote access, should be secured against a variety of threats.
9. In Conclusion
Organizations should develop system threat models for the remote access servers and the resources before designing and deploying telework and remote access solutions.
Threat modelling involves identifying resources of interest and the possible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analysing this information to determine where security controls need to be improved or added.
Major security concerns for these technologies that would be included in most telework threat models are as follows:
- Lack of Physical Security Controls
- Unsecured Networks
- Infected Devices on Internal Networks
- External Access to Internal Resources.
Organizations should carefully consider the balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources.
10. Solutions
Following recent developments in cybersecurity, the most widely adopted countermeasures put in place to mitigate those risks are the remote access methods indicated below:
- Tunnelling
- Application Portals
- Remote Desktop Access
- Direct Application Access
However, it remains crucial to consider establishing a separate, external, dedicated network for BYOD use within enterprise facilities.
May 2020
by Daniele Lupi