Several companies have shifted their workforce from an environment they believe they control to an environment they definitely do NOT control: the employee's home. There is still A LOT of misunderstanding between traditional IT infrastructure personnel and the penetration testing community regarding the "state of cybersecurity." I don't want to delve too deeply into that, but while you still MUST have antivirus, a firewall, logging/monitoring, and IDS, those alone will not protect you indefinitely. New vulnerabilities are found in protocols every day, and scanning/patching is only one layer of protection within a robust defense-in-depth/layered security architecture.
All that aside, many people are being asked or told to work from home, and there are many ways you can do this securely. There is one thing you SHOULD NOT DO: do not just open 3389/TCP (Windows Remote Desktop) to the Internet. If you must open it, you have to:
- enable network level authentication (NLA)
- be fully patched
- use multi-factor authentication (MFA)
- whitelist the IP addresses you are allowing to connect
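As an added example (not part of the original post), the following PowerShell script audits a Windows host against the checklist above: NLA required, recent patching, and Remote Desktop firewall rules scoped to an allow-list rather than "Any". It assumes an elevated session on Windows 8/Server 2012 or later (for the NetSecurity cmdlets); the `$AllowedSources` addresses are constructed placeholders, and MFA is not checked because it is enforced by a gateway or identity provider, not by a local RDP setting.

```powershell
# Added example: audit this host's RDP exposure (NLA, patch age, firewall scope).
# Run in an elevated PowerShell session. MFA is out of scope for a local check.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')   # constructed placeholder allow-list
$Findings = @()

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is off.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 1) {
    Write-Output 'Remote Desktop is disabled on this host; nothing further to check.'
    return
}

# 2. Network Level Authentication: UserAuthentication = 1 requires the client to
#    authenticate before a session (and its attack surface) is created.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdpTcp.UserAuthentication -ne 1) {
    $Findings += 'NLA is NOT required (UserAuthentication != 1). Enable it before exposing 3389/TCP.'
}

# 3. Patch level: flag hosts whose newest hotfix is older than 30 days.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $Findings += 'No hotfix install dates found; verify patch state manually.'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $Findings += "Newest hotfix installed $($latest.InstalledOn.ToShortDateString()); host may not be fully patched."
}

# 4. Firewall scope: every enabled inbound rule in the Remote Desktop group must be
#    limited to the allow-list. RemoteAddress 'Any' means the whole Internet can reach 3389.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $Findings += "Rule '$($rule.DisplayName)' accepts connections from ANY remote address."
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'RDP exposure checks passed.'
} else {
    $Findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation for finding 4 (uncomment to apply): scope the inbound RDP rules to the allow-list.
    # Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    #     Set-NetFirewallRule -RemoteAddress $AllowedSources
}
```

The registry values checked are the same ones the "Allow connections only from computers running Remote Desktop with Network Level Authentication" setting writes, so the script can also confirm that a Group Policy change actually landed on the host.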
There are better solutions, which require different levels of overhead to deploy. Overhead can come in many forms, including but not limited to:
- ongoing maintenance
- learning curve for support and users
- ease of implementation
The best solution for remote access is the implementation of a secure virtual private network (VPN) connection. A VPN connects an outside device or network to your internal network or DMZ. Even when implementing these, authenticating against your standard internal servers, keeping patches up to date, and using MFA are necessary. Adding logging and monitoring of connections and whitelisting who can connect are also good ideas. Something else to consider here is disabling split tunneling; this will force all of the traffic from the remote device or network through your internal protective measures. If you allow split tunneling, the remote device can bridge an insecure network to yours.
If that is too difficult, you may want to consider deploying a client-based solution such as TeamViewer, LogMeIn, Splashtop, or something similar. Most of these offer centralized management, are simple to use, and can use MFA.
If you're struggling to deploy a remote workforce, please reach out to Contextual Security Solutions with any questions you might have. Our workforce is primarily remote and has implemented solutions for employees with varied levels of technical ability.