
Remote Access Security Tips -- RedSiren

Question: 
We are feeling more pressure to begin using new forms of remote access to help our branches and other offices stay better connected. Is there anything that we should pay particular attention to with respect to security?
Answer: 

In today's dynamic economy, we need to be as effective and efficient as possible. Often that mandate has been interpreted to mean "anytime, anywhere" access to our core business computer systems. There is no question that our normal hours of operation are approaching 24x7, and there is no question that technology has the capability to free us from the bonds of the office. But there is also no question that poorly implemented remote access techniques can have devastating effects on the viability of your business should access be gained by competitors, criminals, or vandals.

Listed below are some issues that RedSiren strongly suggests your company consider if it is either enabling or expanding the use of remote access for your employees, partners and/or others:

1. Develop a Remote Access policy that specifically states:
a. who will be permitted access to the internal systems from remote locations, e.g., salespersons, vendors, consultants, contractors
b. what restrictions apply, e.g., do not connect a computer 'shared' by family members, roommates, or others not permitted access to corporate systems; time of day; day of week, etc.
c. the authentication techniques to be used.

2. Implement one-time passwords to reduce your exposure to 'sniffing' exploits.

3. Consider the sensitivity of the system or specific information being accessed. If the information is worthy of protection while stored in the host computer (access control), it is worthy of protection in transit (encryption), and it should be protected while on the remote system (access control).

4. Implement a procedure to protect the company should a laptop computer be stolen (file encryption). Company events held at hotel conference facilities offer an ideal opportunity for someone interested in obtaining sensitive information: the event is announced on bulletin boards in the hotel lobby for all to see. How difficult would it be to walk out with one of your company's laptops?

Users who require remote access to your systems from a fixed site, e.g., home offices, will soon be establishing connections using high-speed services such as DSL and cable services. Be very careful in your consideration of these services as they can pose a significant security exposure to your company; RedSiren's counsel is to consider:

  • Implementing a policy requiring personal firewalls be installed on every PC using broadband (DSL/cable) connections to the corporate systems
  • The use of VPN connections in conjunction with your remote access services


In all cases, be certain to include your company's Help Desk in any and all plans involving Remote Access services. You can expect users to contact the Help Desk for assistance when they are experiencing difficulty. The Help Desk will require training to ensure they are able to provide proper user support services.

Consider implementing a system to help authenticate persons contacting the Help Desk seeking assistance in gaining access to your corporate computer systems. Manipulating the Help Desk into granting access is a technique known as human or social engineering, and it is widely used to gain unauthorized access to computer systems. Effective authentication techniques include:

  • various password generating tokens
  • voice recognition technology
  • Challenge and Response systems wherein the user must cite the correct response when asked a predetermined question. If the person is unable to do so, the Help Desk has a specific right to question the validity of the request for access.


Whatever system is implemented to support your company's remote access requirements, ensure the system is managed by a qualified (trained) sysadmin and ensure the system log files are reviewed daily.

If you need any help, call us at 1-800-REDSIREN.

First published on 10/01/2001
