Securing Teleworker Attack Vector

Wednesday, March 16, 2016 @ 12:03 PM gHale


As the number of employees who telework trends upward and new kinds of devices come into use, new guidance covers the latest technology available to strengthen an organization’s remote-access data security.

“Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework,” said Murugiah Souppaya, a National Institute of Standards and Technology (NIST) computer scientist. Those computers include bring-your-own-device (BYOD) smart phones and tablets, as well as laptops and mobile devices used by contractors and vendors.

Data breaches can also occur when sensitive organizational data is stored on unsecured laptops and mobile devices that can be infected by malware or stolen.

“To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by, or stored on, telework devices,” Souppaya said.

NIST is revising its telework publications, published in 2009, to now cover the booming use of BYOD and the use of contractor and vendor devices to access organizational resources. The guidance also explains two new technologies critical in securing telework devices.

Virtual mobile infrastructure (VMI) technologies deliver a secure virtual environment to a mobile device used for telework. The VMI establishes a temporary secure environment when the teleworker needs to access the organization’s data and applications. When the session is over, the environment is securely destroyed, leaving no traces of the data and applications on the mobile device.

Another newer technology, mobile device management (MDM), can enforce security policies on mobile devices, including BYOD and vendor/contractor devices, on behalf of the organization. For example, MDM software could check each mobile device for signs the user has deactivated the device’s built-in security controls, before allowing the mobile device to use the organization’s computing resources.

The NIST publications recommend that teleworkers understand their organization’s policies and requirements, as well as appropriate ways of protecting the organization’s information they access.

They also call for organizations to strongly consider establishing a separate, external, dedicated network for BYOD devices if the organization allows them.

NIST is seeking comments on the two draft publications—Special Publication 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (Draft), and Special Publication 800-114 Rev. 1 User’s Guide to Telework and Bring Your Own Device (BYOD) Security (Draft). The deadline for comments is April 15.