Security Staff Remote Access - Risks and Controls

September 1999

Securing Remote Access by Staff – Directory of Risks and Controls

INFORMATION SECURITY FORUM

The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security solutions that meet the business needs of its Members.

Members of the Forum profit from sharing information security solutions drawn from the considerable experience within their organisations and developed through an extensive work programme. Members recognise that information security is a key business issue and the Forum provides a mechanism which can ensure that the practices they adopt are on the leading edge of information security developments, while avoiding the significant expenditure which individual development of solutions would incur.

For further information contact:

The Information Security Forum
Room PCG8
Plumtree Court
London EC4A 4HT
United Kingdom
Telephone: +44 (171) 213 1745
Facsimile: +44 (171) 213 4813
e-mail: [email protected]
www.securityforum.org

Reference: 1999/09/02
Copyright © 1999 The Information Security Forum. All rights reserved.

Securing Remote Access by Staff

Contents of the reports in the series

Report: Briefing Paper
Contents: An explanation of the benefits associated with securing remote access by staff, a summary of the key business issues and an outline of possible actions for organisations to consider.
Target audience: Business and technical managers responsible for implementing or securing remote access by staff.

Report: Implementation Guide
Contents: A detailed explanation of how to secure remote access by staff, comprising 10 key steps, together with examples of typical solutions.
Target audience: Security practitioners, business and IT managers who are tasked with ensuring that remote access by staff is secured.

Report: Directory of Risks and Controls
Contents: A comprehensive directory of the main risks that apply to securing remote access by staff and the controls that can be used to reduce the risks.
Target audience: Security practitioners, business managers and auditors who wish to understand the main risks and controls associated with remote access by staff.

Report: Case Studies
Contents: Detailed descriptions of how remote access by staff was secured in practice by seven case study organisations.
Target audience: Any reader who wishes to gain an understanding of ways in which remote access by staff has been secured in practice.

Table of contents

Part 1  Introduction
        This report ... 1
        Objectives and scope ... 1
        Who should read it ... 2
        What this report contains ... 2

Part 2  Examining the risks
        An end-to-end remote access service ... 3
        Remote environment components ... 4
        Telecommunications services components ... 4
        Corporate computing infrastructure components ... 5
        Evaluating risks ... 5
        Business consequences ... 7
        Business impact ... 7

Part 3  Applying the controls
        Rationale for controls ... 8
        Control categories ... 8
        High level controls ... 9
        The control matrix ... 11

Part 4  Directory of risks
        Using the directory of risks ... 14

Part 5  Directory of controls
        Using the directory of controls ... 44

Appendix A  Possible business impacts ... 70

Page 1 | Part 1 INTRODUCTION

This report

This report presents a detailed directory of the risks and controls associated with providing a remote access service to staff. Its aim is to assist Members in evaluating their organisation’s potential exposure and to consider which control options are appropriate for their environments.

The directory is in two main parts, namely:

• the risks associated with the components of an end-to-end remote access service (referenced A-L)

• the common controls which can reduce these risks (referenced Q-Z).

The directory is a useful reference for those involved in planning a new remote access service or securing an existing one. It is intended as a supplement to the Forum publication Securing Remote Access by Staff – Implementation Guide, which outlines a methodology for establishing and maintaining a secured remote access service.

A ‘high level’ view of remote access is provided in the report Securing Remote Access by Staff – Briefing Paper. This may be used as a background document for anyone not familiar with the benefits of securing remote access.

In addition to presenting the detailed risks and controls, this report provides a ‘control matrix’. This shows the extent to which the different control options are likely to apply to the risks associated with each main component of remote access.

Objectives and scope

This directory has been produced to:

• help Members evaluate risks and apply controls across an entire remote access service

• present detailed risks and controls in an easy-to-use and standard format

• provide a sufficient level of detail to ensure that risks can be evaluated properly and a comprehensive set of controls implemented.

Page 2 | Part 1 INTRODUCTION

Who should read it

This directory is aimed at staff who are responsible for implementing secure remote access services or ensuring that existing connections are secure. They include:

• security practitioners who wish to evaluate their organisation’s potential exposure and select appropriate controls

• business or IT managers who are tasked with planning, implementing or maintaining remote access facilities

• auditors, in order to help them assess risks and ensure that appropriate controls are in place.

What this report contains

The remainder of this report is set out as follows:

Part 2  Examining the risks
Provides an overview of remote access and the components that are required to implement an end-to-end service. It also summarises the potential risks at each component in ‘quick reference’ tables.

Part 3  Applying the controls
Explains the rationale behind the 10 control categories and describes how controls can be applied.

Part 4  Directory of risks
Presents the detailed risks associated with the provision of a remote access service.

Part 5  Directory of controls
Summarises and presents in detail the 10 categories of control that can be applied to minimise risk.

Appendix A  Possible business impacts
Contains examples of possible business impacts associated with each of the risk categories described in this document.

Page 3 | Part 2 EXAMINING THE RISKS

An end-to-end remote access service

Whilst remote access can appear simple in theory, there are a number of complex components that make up a complete end-to-end remote access service. A remote access service can be divided into three interconnecting elements – remote environment, telecommunications services and corporate computing infrastructure – which can be broken down into 12 components. These components are shown in Figure 1 below and are described in more detail over the following pages.

Figure 1: The main components of an end-to-end remote access service

Remote environment: remote user; location; client computer; communications software; client connection device
Telecommunications services: network services; network protocols
Corporate computing infrastructure: corporate connection device; routing device; internal network; host system; target information

Page 4 | Part 2 EXAMINING THE RISKS

Remote environment components

Remote users are typically permanent members of an organisation’s workforce, or individuals who are treated like employees such as some contract staff, consultants or outsourced personnel.

Remote access is made by staff from locations that can differ widely and are typically outside the organisation’s direct control. Common examples include an employee’s home, an external office, hotel, public facility (such as a railway station) or car.

Client computers can range from personal computers to sophisticated network management devices. Desktop PCs are typically used by staff working from home, whilst laptops and palmtops are often used by staff on the move. Dumb terminals are used infrequently, for example, to access a legacy mainframe system.

Communications software is required to enable the client computer (for example, a laptop PC) to communicate with the target system via a network connection device (typically a modem). It can be an integral part of the computer’s operating system (for example, Dial-Up Networking in Windows 95 and 98), proprietary software (for example, Xcellnet’s RemoteWare) or part of a dedicated application (for example, IBM Lotus Notes).

Client connection devices are used to connect client computers with external network services. Typical examples include modems for analogue connection and terminal adaptors for digital connections. Mobile phones can also be used as connection devices, for example to connect a laptop computer to the GSM network.

Telecommunications services components

Network services provide the transport mechanism between the remote environment and the corporate computing infrastructure. Public services (for example, PSTN or ISDN) are always used to some extent, but can be re-packaged as part of a managed or Internet-based service. They are not normally under the control of the organisation and may cover multiple telecommunications carriers in a number of different countries.

Network protocols are the common ‘languages’, used in conjunction with network services, to transmit and receive data over communications links. They will be determined by the organisation’s internal infrastructure and the chosen carrier service.

Page 5 | Part 2 EXAMINING THE RISKS

Corporate computing infrastructure components

The interface between the telecommunications service and the corporate network is provided by some form of corporate connection device. The type required is determined primarily by the network services selected and protocols used, which need to be compatible with those deployed in the remote environment. Common examples are modem ports for PSTN and Primary Rate Interfaces (PRI) for ISDN.

The client computer’s communication software provides an address where the target server can be found within the corporate computing infrastructure. A routing device connects the remote user to the designated internal resource. Corporate connection and routing devices are often combined in a single unit, such as a specialised remote access server or a network server running an operating system (for example, Windows NT or Novell NetWare) which supports Remote Access Services (RAS).

Remote users usually connect to an internal network, or sub-net, which is typically a partition or domain based on a community of interest within the corporate computing infrastructure. The internal network is usually protected from third party networks (especially the Internet) by some form of network security barrier, typically a screening router and/or firewall.

The host system is the IT facility (for example, server, mainframe, individual workstation or application) on or through which the required information is accessed.

Remote users require access to target information (for example, a product database, customer presentation or electronic message) to support business activities being conducted in the remote location.

Evaluating risks

Evaluating the risks associated with remote access involves consideration of the threats, potential business consequences and the business impact related to any particular type of incident. A risk can be defined as the likelihood of a specific incident occurring (for example, a laptop computer being stolen from a Marketing Executive while at an airport). A threat is the circumstance or set of circumstances that is likely to cause an incident (for example, a gang of thieves operating in an airport). The business consequence is the extent of disruption caused by an incident occurring (for example, the Marketing Executive unable to download product prices). The business impact assesses what effect the business consequence will have on the organisation.

Part 4 Directory of risks contains a description of 112 detailed risks associated with remote access. It also includes a brief description of the threats and possible business consequences associated with each risk.

Page 6 | Part 2 EXAMINING THE RISKS

Table 1: Summary of risks

Component                       Ref  Risk
A: Remote user                  A1   Staff make mistakes through ignorance or negligence
                                A2   Staff behave in an illegal or offensive manner
                                A3   Staff make inappropriate or unauthorised changes to the client computer
B: Location                     B1   Staff are unable to connect to the corporate network from some remote locations
                                B2   The remote location is not physically secure
                                B3   Remote staff or equipment are not protected adequately
C: Client computer              C1   Client computer is not of sufficient technical specification
                                C2   Client computer is vulnerable to tampering
                                C3   Security software is configured poorly
D: Communications software      D1   Communications software malfunctions
                                D2   Remote staff use communications software in an inappropriate manner
E: Client connection device     E1   Client connection device is not secured or does not perform adequately
                                E2   Client connection device is misused or stolen
F: Network service              F1   Network service provider delivers poor quality service
                                F2   Communications links are damaged or inadequate
                                F3   Data is intercepted in transit
G: Network protocols            G1   Network protocols have inherent weaknesses
                                G2   Malicious third parties exploit weaknesses in network protocols
H: Corporate connection device  H1   Corporate connection devices fail to perform as intended
                                H2   Malicious third parties exploit poorly configured corporate connection devices
I: Routing devices              I1   Routing devices malfunction or are configured incorrectly
                                I2   Malicious third parties exploit weaknesses in routing devices
J: Internal network             J1   Internal networks are unreliable
                                J2   Malicious third parties exploit internal network weaknesses
                                J3   Security barriers are positioned or configured incorrectly
K: Host system                  K1   Host system malfunctions
                                K2   Malicious third parties exploit vulnerabilities in host system
L: Target information           L1   Target information is not properly classified
                                L2   Target information is insufficiently secured
                                L3   Inappropriate access provided to target information

Page 7 | Part 2 EXAMINING THE RISKS

Members will need to assess the level of risk in their own organisation by considering the likelihood of the threat outlined causing an actual incident. Risks should be examined for every component of a remote access service. For this reason, the risks in this report have been grouped under each of the 12 components.

A one page summary of the risks is presented in Table 1 opposite.

Business consequences

For the purpose of this report, the business consequences associated with remote access risks have been grouped into six categories. Each category is listed in Table 2 below along with a corresponding symbol and examples of possible causes. Each risk in Part 4 Directory of risks shows the appropriate symbols for the business consequences which are most likely to apply.

Table 2: Categories of business consequence

Each category is denoted in the printed report by a symbol, which is not reproduced here.

Business consequence                               Possible cause
Unavailability of target network or resources      Malfunction of equipment; network failure
Degraded performance of remote connection          Incompatible technology; network congestion
Loss or corruption of sensitive data               Virus attack; deliberate modification by a malicious third party
Breach of confidentiality                          Eavesdropping in a public place; line tapping
Loss of or damage to equipment                     Theft; damage in transit
Breach of legal, regulatory or ethical standards   Illegal behaviour by remote staff; breach of encryption laws

Only the main types of business consequence associated with each risk have been mapped, eg unauthorised access can result in a network being unavailable but the main risk relates to the confidentiality and integrity of corporate information.

Business impact

Each organisation will have to assess the likely business impact arising from each potential incident. To assist Members in this process Appendix A Possible business impacts provides an example of a possible business impact for each category of risk.

Page 8 | Part 3 APPLYING THE CONTROLS

Rationale for controls

Seven case studies were conducted as part of the Forum’s project on Securing Remote Access by Staff. The overall objective of these was to obtain practical information from organisations that had successfully implemented remote access services.

Site visits were conducted at each organisation, the purpose of which was to understand the issues they faced and the practical solutions they had implemented in order to provide reliable and secure services.

Ten common categories of control were identified and used as the basis for the controls contained in this directory. They have been verified by a Work Group of Forum Members and supplemented by research carried out by an independent expert and by the Forum Management Team.

For a full description of the seven case studies, refer to the Forum’s report Securing Remote Access by Staff – Case Studies.

The 10 categories of control are outlined below. In total they comprise 127 detailed controls which are described fully in Part 5 Directory of controls.

Control categories

Policy and standards – A formally documented and approved high-level policy should be produced to define and communicate the overall strategy for controlling remote access to the organisation’s information systems. This should be supported by detailed standards and disseminated to all relevant staff.

Legal and regulatory – Most legal and regulatory requirements that apply to staff and equipment in a typical office environment will also apply to the remote environment. Examples often overlooked include insurance, health and safety legislation, formal agreements with staff and requirements to protect personal data and company assets.

Authorisation – Staff should not be provided with remote access to corporate resources until they have been formally approved by persons of appropriate authority, including the remote user’s line manager and the owner of the corporate resource (for example, a computer, network, application or data) to be accessed.

System and network management – Effective system and network management is key to the provision of a secure remote access service. Sound management and administration is required in order to protect the organisation, not only from unauthorised users (for example, disgruntled ex-employees) but also from employees who deliberately or accidentally violate the organisation’s policies and standards of conduct.

Page 9 | Part 3 APPLYING THE CONTROLS

User support – The organisation should provide timely and effective support for all remote access by staff. This will help to improve productivity and minimise disruption to business activities should difficulties arise, particularly if the user is operating in a different country or time zone.

Resilience – Organisations rely on the resilience of their remote access facilities to provide remote users with the level of service that is required to support business activities. A resilient service will typically provide high availability and reliable connections while maintaining acceptable response times.

Perimeter security – It is critical to be aware of and protect all entry points from unauthorised remote access. Routing devices (for example, remote access servers) and security barriers (for example, firewalls) should be configured so that access is provided only to authorised resources within a defined perimeter.

Authentication – To ensure that only authorised users are provided with access to the corporate computing infrastructure, authentication is required. The location of office-based users will be known, usually requiring only verification of the user’s identity through the input of a User ID, authenticated by a password. However, stronger authentication is typically required for remote access because of a higher risk of unauthorised access by malicious third parties.
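The Authentication category above contrasts a User ID and static password with the stronger authentication that remote access typically needs. The following example was added for this edition and is not code from the Forum's report or from any of its case study organisations; it shows the difference in working Python. A server that checks a static password is placed beside a server that issues a fresh random challenge for each login and expects an HMAC response computed by a PIN-protected token. A password captured from the client computer or the line can be replayed against the first server; a captured response is useless against the second. The user name, password, PIN and token secret are constructed values.

```python
import hashlib
import hmac
import os

# Added example (not from the ISF report): a static-password check beside
# an HMAC challenge-response check, as a remote access server might perform.
# User names, passwords, PINs and token secrets below are constructed.

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash as stored by the static-password server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class StaticPasswordServer:
    """Baseline: a User ID (often pre-stored on the client) plus a static
    password. Whoever learns the password, from a written-down copy, a
    social-engineering call or a line tap, can log in at will."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def enrol(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, hash_password(password, salt))

    def login(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt), digest)


def token_key(token_secret: bytes, pin: str) -> bytes:
    """Key the token uses: its embedded secret bound to the user's PIN, so a
    stolen token without the PIN, or a PIN without the token, is useless."""
    return hmac.new(token_secret, pin.encode(), hashlib.sha256).digest()


def token_response(token_secret: bytes, pin: str, challenge: bytes) -> bytes:
    """What the user's token (or client software) returns for a challenge."""
    return hmac.new(token_key(token_secret, pin), challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Stronger authentication: the server issues a random single-use challenge
    per login and expects an HMAC over it. A captured response cannot be
    replayed because the next login receives a different challenge."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._outstanding: dict[str, bytes] = {}

    def enrol(self, user_id: str, token_secret: bytes, pin: str) -> None:
        # The server holds only the derived key, never the PIN itself.
        self._keys[user_id] = token_key(token_secret, pin)

    def challenge(self, user_id: str) -> bytes:
        c = os.urandom(16)
        self._outstanding[user_id] = c
        return c

    def verify(self, user_id: str, response: bytes) -> bool:
        c = self._outstanding.pop(user_id, None)  # consumed whether or not it matches
        key = self._keys.get(user_id)
        if c is None or key is None:
            return False
        expected = hmac.new(key, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    """Replay a captured credential against both servers."""
    pw_server = StaticPasswordServer()
    pw_server.enrol("jsmith", "Winter99")
    captured_password = "Winter99"  # divulged, or read from the client computer
    static_replay = pw_server.login("jsmith", captured_password)

    secret, pin = os.urandom(32), "4921"
    cr_server = ChallengeResponseServer()
    cr_server.enrol("jsmith", secret, pin)

    c1 = cr_server.challenge("jsmith")
    r1 = token_response(secret, pin, c1)
    genuine = cr_server.verify("jsmith", r1)

    cr_server.challenge("jsmith")            # attacker starts a new session...
    replay = cr_server.verify("jsmith", r1)  # ...and replays the captured r1

    c3 = cr_server.challenge("jsmith")       # stolen token, guessed PIN
    wrong_pin = cr_server.verify("jsmith", token_response(secret, "0000", c3))

    return {"static_replay": static_replay, "genuine": genuine,
            "replay": replay, "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())
```

The static server still stores the password properly (salted PBKDF2), which protects the server's credential file but does nothing against a password that has already been written down or stored on the client; that is the gap the challenge-response server closes, and the reason the PIN is bound into the token key rather than sent to the server.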

Cryptography – Cryptography can be used with several of the end-to-end components of remote access. For example, passwords and files can be encrypted. Cryptographic techniques are also employed in some software and in hardware devices which may be used for remote access, such as operating systems, groupware products and mobile phones.

Audit and review – To ensure that risks are kept to a minimum, independent audits and reviews of remote access services should be carried out on a regular basis. The audit process helps to determine the effectiveness of controls, and can be used to improve processes and procedures for managing a remote access service.

High level controls

Each of the 10 categories of control described above is broken down into a number of high-level controls, which in turn comprise sets of more detailed controls. The high-level controls are summarised by control category in Table 3 overleaf (page 10).

Page 10 | Part 3 APPLYING THE CONTROLS

Table 3: Summary of controls

Control category                  Ref  High-level control
Q: Policy and standards           Q1   Produce a clear, high-level policy, authorised by senior management
                                  Q2   Provide comprehensive standards to support the high-level policy
                                  Q3   Ensure staff associated with remote access are aware of the high-level policy and standards
R: Legal and regulatory           R1   Comply with workplace regulations
                                  R2   Comply with international legislation
                                  R3   Establish contractual arrangements with suppliers of products and services
S: Authorisation                  S1   Assign responsibilities for authorising all elements of remote access
                                  S2   Approve all key elements of remote access
T: System and network management  T1   Apply sound system management practices to remote access
                                  T2   Apply sound network management practices to remote access
                                  T3   Employ an effective administration process that covers all remote users
U: User support                   U1   Equip remote users with the necessary skills and equipment to perform required tasks
                                  U2   Maintain remote user environments
                                  U3   Provide ongoing support
V: Resilience                     V1   Use robust, high quality equipment for remote access
                                  V2   Apply sound design and support practices to remote access
                                  V3   Provide alternative facilities and services
W: Perimeter security             W1   Design network architecture to restrict remote access
                                  W2   Configure, maintain and actively manage security barriers
                                  W3   Protect system and network components
                                  W4   Protect remote environments and equipment
X: Authentication                 X1   Authenticate all remote users
                                  X2   Authenticate remote locations
                                  X3   Maintain a complete authentication system
Y: Cryptography                   Y1   Encrypt passwords and sensitive files stored on disk
                                  Y2   Encrypt sensitive data in transit
                                  Y3   Consider using an end-to-end cryptographic scheme
Z: Audit/review                   Z1   Perform formal reviews on a regular basis
                                  Z2   Ensure reviews are comprehensive
                                  Z3   Perform periodic reviews of remote environments

Page 11 | Part 3 APPLYING THE CONTROLS

The control matrix

While the risks presented in this directory are mapped to each of the 12 components of an end-to-end remote access service, the controls identified are those most commonly applied by the case study organisations and are not directly mapped to each component. The way in which the categories of control can be mapped to the components is presented in a ‘control matrix’ on the following pages.

The matrix shows the extent to which each control category (shown across the top of the matrix) is likely to apply to each of the 12 end-to-end components of a remote access service (listed to the side of the matrix).

The extent to which a control category applies to a component is denoted by a series of ‘tick’ icons. Three ticks represent a high level of control, whilst no ticks at all show that this control category is unlikely to apply.

Forum Members should ensure that a level of control is applied which meets their security requirements. This matrix is intended only as a guide as many controls may be required to reduce an individual risk, whilst a number of different risks may be mitigated by a single control.

Page 12 | Part 3 APPLYING THE CONTROLS

Control matrix (1 of 2): control categories Q to U

Columns, in order: Q: Policy and standards; R: Legal and regulatory; S: Authorisation; T: System and network management; U: User support. Tick groups are listed in column order; cells with no ticks are omitted, so a row with fewer than five groups skips one or more categories.

A: Remote user                  ✓✓✓ ✓✓ ✓✓✓ ✓✓ ✓✓✓
B: Location                     ✓✓ ✓✓✓ ✓✓ ✓✓
C: Client computer              ✓✓ ✓ ✓ ✓✓ ✓✓✓
D: Communications software      ✓✓ ✓ ✓ ✓ ✓
E: Client connection device     ✓✓ ✓ ✓ ✓
F: Network services             ✓✓ ✓✓ ✓✓✓
G: Network protocols            ✓✓ ✓ ✓✓
H: Corporate connection device  ✓✓ ✓✓
I: Routing devices              ✓✓ ✓✓
J: Internal network             ✓✓ ✓ ✓✓✓
K: Host system                  ✓✓ ✓✓ ✓✓✓
L: Target information           ✓✓ ✓✓ ✓✓ ✓

Page 13 | Part 3 APPLYING THE CONTROLS

Control matrix (2 of 2): control categories V to Z

Columns, in order: V: Resilience; W: Perimeter security; X: Authentication; Y: Cryptography; Z: Audit/review. Tick groups are listed in column order; cells with no ticks are omitted, so a row with fewer than five groups skips one or more categories.

A: Remote user                  ✓✓✓ ✓✓
B: Location                     ✓✓ ✓✓✓ ✓✓
C: Client computer              ✓✓ ✓✓ ✓✓ ✓✓
D: Communications software      ✓✓ ✓ ✓✓ ✓✓
E: Client connection device     ✓✓ ✓ ✓ ✓✓
F: Network services             ✓✓✓ ✓ ✓✓ ✓✓
G: Network protocols            ✓✓ ✓✓ ✓
H: Corporate connection device  ✓✓✓ ✓✓ ✓ ✓ ✓
I: Routing devices              ✓✓✓ ✓✓✓ ✓✓✓ ✓✓
J: Internal network             ✓✓✓ ✓✓✓ ✓✓ ✓ ✓✓
K: Host system                  ✓✓✓ ✓ ✓✓✓ ✓ ✓✓
L: Target information           ✓✓ ✓✓

Page 14 | Part 4 DIRECTORY OF RISKS

Using the directory of risks

This section presents the detailed directory of risks.

The directory is laid out in a consistent format as a series of tables which comprise three levels, describing:

• 12 end-to-end components of remote access (eg remote user)

• 30 high-level risks (eg staff make mistakes through ignorance or negligence)

• 112 detailed risks (eg accidental divulgence of key information).

The main business consequences associated with each detailed risk are denoted by symbols (explained on page 7 of this report).

Figure 2 below shows how the directory of risks is structured.

Figure 2: Structure of the directory of risks

(An annotated reproduction of the first page for component A: Remote user, overleaf, with these parts of the layout labelled: Reference; Description of end-to-end component and summary of associated risks; High-level description of type of risk; Description of individual risk; Supporting information about the nature of the risk; Business consequences symbol.)

Page 15 | Part 4 DIRECTORY OF RISKS

A: Remote user

Remote users are typically permanent members of an organisation’s workforce, or individuals who are treated like employees. This may include temporary employees and ‘known’ third parties (for example, contract staff, consultants or outsourced personnel), with whom the organisation has a contract.

Remote staff include a wide range of travelling or home-based individuals. Common examples are senior executives, sales and marketing personnel, maintenance engineers, IT support technicians and research and development engineers.

Remote users have more scope to behave in an irresponsible manner than those working in an office environment, or to compromise security through lack of awareness. For example, they may provide access to known but unauthorised individuals such as family or friends, or inadvertently allow third parties to view sensitive information in a public place (for example, an airport lounge or a train carriage). Remote users may neglect key housekeeping activities (for example, back-up or virus software updates) which might otherwise be performed automatically or by trained IT personnel when based in an office.

A1 Staff make mistakes through ignorance or negligence

A1.1 Unauthorised remote access established

Staff may set up unauthorised (often undetected) remote access connections, exposing the organisation to the possibility of network misuse, unavailability of key systems or fraud.

Unauthorised remote connections may result from a need to work out of office hours where remote access has not been provided, or from a malicious intent to cause disruption. In the case of the latter, an employee may use a remote connection to gather sensitive information or files and provide them to a competitor organisation, while going undetected.

A1.2 Accidental divulgence of information

A malicious third party, who is aware of the relevant User ID, may gain access to the corporate network if the remote user unwittingly divulges key information.

While both identification and authentication of a user will usually be necessary to gain remote access, the User ID (identification) will usually be pre-stored on the client computer. In this case, only the password will be needed in order to gain access. Unless specifically disabled, passwords are also likely to be stored on the client computer.

If a remote access user writes down their PIN or password, and subsequently loses this, a third party may use the information to gain unauthorised access to the corporate network.

A password or PIN may be divulged through ‘social engineering’ (eg someone tricking the user to impart the control by masquerading as an authorised person such as a maintenance supplier), or given to unauthorised users through ignorance of the potential consequences.

Page 19: Security Staff Remote Access - Risks and Controls

16

PartDIRECTORY OF RISKS4

A1.3 Loss of authentication token

A remote user may lose their authentication token, allowing a third party to gain unauthorised access to the corporate network.

If a token used to authenticate the remote user is lost, a malicious third party could use it to access sensitive corporate data, provided they also have access to the relevant User ID and password.

A1.4 Sharing of password or token with another employee

An unauthorised user may gain access to the corporate network if the remote user shares their password or token with another employee.

The remote user may share their user name and password/token with another employee, allowing that employee to gain unauthorised access to a critical business application or sensitive data stored on the corporate network. Whilst this may be done with good intentions by the remote user, it could compromise the integrity of the entire corporate network while removing accountability, since actions performed under the shared identity cannot be attributed to the person who carried them out.

A1.5 Use of client computer by family or friends

The remote employee may allow an unauthorised user, either inadvertently or deliberately, to use the organisation’s remote access facilities.

There is a great temptation for employees to allow friends or family to use remote equipment, particularly a home-based PC. For instance, an employee’s child may use the remote access facility to explore the Internet for homework research or to play games which may disrupt the system.

Alternatively, sensitive data may be seen by a flatmate who works for a rival company, creating a loss of competitive advantage for the organisation.

A1.6 Neglect of important ‘housekeeping’ activities

Valuable corporate data stored on a client computer may be lost or corrupted if routine ‘housekeeping’ activities are not carried out by the remote user.

Routine housekeeping tasks such as taking back-ups and updating anti-virus software should not be neglected merely because they are carried out in a remote location. Remote users often regard them as an ‘unproductive’ overhead, but should be conscientious about performing them.

Data may be corrupted or lost as a result of the introduction of a virus or a lack of back-up. This includes computer software and hardware configurations as well as user data.

It is usually impractical for remote users to back up data over a dial-up line, so it has to be performed locally. This requires an extra piece of equipment, such as a tape back-up device.

A1.7 Downloading of malicious code from the Internet

Malicious code may be downloaded onto the client computer if the remote user accesses Internet sites.

The increasing use of Java applets and ActiveX controls to enhance the attractiveness of Internet web sites increases the risk that web servers may deliver malicious code. Such code can adversely affect the client computer (eg disrupt applications or delete data on the hard disk).

A1.8 Introduction of virus from portable media

The remote user may unknowingly introduce a virus onto the client computer if data is loaded from portable media (eg a diskette or CD).

The remote user may be given a diskette by a friend (eg if the friend wishes to print a document using the remote user’s home facilities or to play computer games). Unless properly checked, viruses may be introduced to the client computer, and from there to the corporate network.

Page 20: Security Staff Remote Access - Risks and Controls

A2 Staff behave in an illegal or offensive manner

A2.1 Unauthorised use of corporate assets

If the remote user makes use of corporate assets for personal purposes, the organisation may be misrepresented.

If the remote user makes use of the client computer to conduct personal business (eg ordering products or services or joining news groups on the Internet), the organisation may be represented falsely, since the activity appears to come from the organisation rather than from the individual.

A2.2 Downloading of offensive material from the Internet

If the client PC is used to download offensive material from the Internet, an organisation may be exposed to legal action and its reputation impaired.

Internet browsers are available to most users as they are supplied with operating systems and with most communications packages, free of charge. They often form the cornerstone of many organisations’ use of company intranets.

Normally thought of as being pornographic in nature, offensive material may also include racist material, slander or religious defamation. International travel exposes the organisation to legal action in countries where sensitivity to particular types of offensive material is high.

An organisation’s reputation may be impaired if its remote access facilities are used to visit offensive Internet sites, as the organisation’s name will be recorded at the offensive site and may be intercepted by people monitoring Internet traffic.

A3 Staff make inappropriate or unauthorised changes to the client computer

A3.1 Loading of unauthorised software

System software may be compromised if the remote user loads unauthorised software onto the client computer.

The remote user may load software that is not only unauthorised but also illegal. An organisation may be audited by external bodies, such as the Federation Against Software Theft (FAST) in the UK, and fined if software in use is not properly licensed.

Even if software is not illegal, it could bypass security controls already in place and allow unauthorised access to both the client computer and the corporate network. In addition, such software (games, enhancements downloaded from the Internet) may cause the client computer to operate unpredictably.

A3.2 Unauthorised or inappropriate changes to PC configuration

The corporate computing infrastructure may be unavailable or exposed to the introduction of malicious code if the remote user removes or changes the configuration of software on the client computer.

While this may not be done intentionally, the remote user may unknowingly change the configuration of software used for remote access (eg to optimise PC performance), rendering access to the corporate network unavailable.

The remote user may disable or reconfigure anti-virus software, allowing the introduction of malicious code to the client computer and from there to the corporate network.

A3.3 Unauthorised connection of client computer to a home LAN, allowing access to other networks

The corporate network may be exposed to unauthorised access or the introduction of malicious code if the remote user connects the client computer to a home LAN which has connections to other networks (eg the Internet).

While the client computer may not be directly connected to an insecure network like the Internet, the remote user may connect it to a home LAN which in turn does have such a connection. While the client is connected to the corporate network, traffic can be passed between the two networks, so the home LAN and anything reachable from it effectively sit inside the corporate perimeter.

Page 21: Security Staff Remote Access - Risks and Controls

B: Location

Remote access is made by staff from locations that can differ widely and are typically outside the organisation’s direct control. Common examples include an employee’s home, an external office, a hotel, a public facility (such as a railway station) or a car.

The security of these locations varies considerably. For example, a highly exposed and unknown public place like an airport building is likely to be far less secure than a known and private location such as a branch office.

Furthermore, it is easier to protect corporate assets when members of staff work from fixed locations, such as their homes. Risks tend to be higher if access is made by a member of staff who travels widely (ie a ‘roving’ user) and connects from a range of different locations.

Equipment (for example, laptop computers) in remote locations is more susceptible to loss or theft than equipment located in the office.

Audit remote sites (including offices owned by other organisations and some homes) and accredit them as part of the corporate network, providing they meet security standards.

B1 Staff are unable to connect to the corporate network from some remote locations

B1.1 Unreliable power supply

Vital data may not be accessible when needed due to variations in power supply, voltage/frequency and pin configurations in remote locations.

The remote user may not be able to remotely access the corporate network if the available power supply is not compatible with the client computer. Frequent international travellers will often need to carry several different power adapters in order to use different local power supplies. Such adapters will not always be easily obtainable in the remote location.

While the battery of a laptop computer will provide power for a short period of time in the event of an unavailable mains supply, it is unlikely to last beyond 3–4 hours.

B1.2 Incompatible telephone connectors when travelling abroad

The remote user may not be able to connect to the corporate network if telephone connectors are not compatible with local telephone sockets.

There are a large number of different types of telephone plugs and sockets in use throughout the world. Without a compatible adaptor, connection will not be possible.

Many hotels and public locations are installing ISDN facilities. Connection of a PSTN modem to an ISDN socket may cause irreparable damage to the modem.

Page 22: Security Staff Remote Access - Risks and Controls

B1.3 Unavailable telecommunications service when travelling abroad

The remote user may not be able to connect to the corporate network if the telecommunications infrastructure supporting the remote location is poor or unavailable.

The telecommunications infrastructure of some countries or regions may not be of sufficient quality to support reliable remote access. For example, PSTN quality can be variable and ISDN standards differ internationally. Where mobile phones are used for remote access, GSM or other digital cellular phone networks may not be available to provide a connection.

Private Automatic Branch Exchanges (PABX) installed in hotels can prevent computers from accessing the public telephone network, and usually require changes to the communications software settings (for example, a prefix to obtain an outside line).

Local Points of Presence (PoP) for managed services may not be available in some countries.

B1.4 Unidentifiable remote phone number when using CLI

The remote user may not be able to access the corporate network if a Calling Line Identity (CLI) authentication system cannot identify the telephone number of the location from which remote access is being attempted.

Even if changes are made to call-back arrangements to accept the number of the remote location, access may not be possible.

PSTN Calling Line Identity (CLI) is often withheld by PABX systems, and between some public telephone companies, so calling from a hotel or another office may not be possible. ISDN CLI is not normally transmitted internationally.

B1.5 Remote location not authenticated

Remote staff may not be able to access the corporate network if connection is attempted from a location other than their usual remote place of work.

Many remote access solutions use ‘call-back’ to authenticate the location from which access is being attempted. In this case the telephone number of the line usually used for access will be stored on the remote access server. If a different telephone line is used to connect to the corporate network, access may be denied. Access from the changed location may only be possible if a system administrator makes changes to the remote access server configuration.

B1.6 Lack of ‘out-of-hours’ support

The remote user may not be able to access the corporate network if technical support is not available outside normal hours.

Especially where remote users are working in different time zones or outside normal hours, technical support may not be available when needed.

Some organisations provide a 24-hour Help Desk if senior or numerous remote users access the corporate network outside normal hours.

Page 23: Security Staff Remote Access - Risks and Controls

B2 The remote location is not physically secure

B2.1 Loss or theft of equipment from remote location

An organisation may be exposed to loss of valuable data or unauthorised access to target information if equipment is lost or stolen from the remote location.

Sensitive data stored on a portable computer (eg data, passwords, User IDs, encryption seeds) can be exposed if the computer is lost or stolen. Both the machine and any data stored on it may be irrecoverable as a result.

Remote access increases the number of portable computers used by travelling staff. These computers are susceptible to loss through carelessness or targeted theft when working from insecure remote locations (eg airports, railway stations). Unless the remote location is another of the organisation’s own offices, it is unlikely that physical access security is as good as in the main office, especially in public places.

Laptop and palmtop computers can be targets in ‘information warfare’.

B2.2 Damage to equipment in remote location

An organisation may be exposed to loss of valuable data if equipment in the remote location is damaged.

Portable computers used when travelling are more likely to be damaged than those installed in a secure office environment (eg if they are placed in the hold of an aeroplane).

Equipment used for remote access from a fixed location, whether portable or not, will also be at risk of damage if not placed securely and kept free from domestic hazards.

B2.3 Calling Line Identity (CLI) authentication compromised

Reliance on Calling Line Identity (CLI) as a means of authentication may allow an unauthorised user to gain access to the corporate network.

CLI verifies the location from which remote access is being attempted, but not the identity of the user. Complete reliance on this form of authentication may allow an unauthorised user to access sensitive data on the corporate network, provided the user is attempting access from a known location.

If CLI from a cellular phone is relied on as a means of authentication, the location from which the remote access attempt is being made will not always be known. If the phone is stolen, the organisation faces the risk of unavailable service or fraudulent use of the corporate network.
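B1.4, B1.5 and B2.3 together describe how a dial-in server uses the calling line: some PABXs withhold it, call-back checks it against a stored number, and on its own it proves a location rather than a person. The following is an added example, not code from the ISF document or from any remote access product, showing the two policies side by side. The user table, the telephone numbers (from the UK 01632 960xxx range reserved for fiction) and the dial-in attempts are all constructed.

```python
"""Added example: a dial-in server's call-back and CLI checks beside the user
credential check (not part of the ISF document).

The user table and the dial-in attempts are constructed; the numbers use the
UK 01632 960xxx range reserved for fiction.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Registered remote users: password and the telephone line registered for call-back.
# Plain-text passwords only to keep the example short; a real server would store a hash.
USERS: Dict[str, Dict[str, str]] = {
    "jsmith": {"password": "correct-horse", "callback": "+441632960001"},
    "akhan":  {"password": "battery-staple", "callback": "+441632960002"},
}

@dataclass
class DialIn:
    cli: Optional[str]          # Calling Line Identity as presented by the network; None if withheld
    user_id: Optional[str]      # identification (often pre-stored on the client, see A1.2)
    password: Optional[str]

@dataclass
class Decision:
    allowed: bool
    callback_to: Optional[str]  # number the server will hang up and dial back, if any
    reason: str

def cli_only(call: DialIn) -> Decision:
    """Weak policy (B2.3): trust any call arriving from a registered line."""
    line_owner = {u["callback"]: uid for uid, u in USERS.items()}
    if call.cli is None:
        return Decision(False, None, "CLI withheld, location cannot be verified")   # B1.4
    if call.cli in line_owner:
        return Decision(True, None, f"line registered to {line_owner[call.cli]}")
    return Decision(False, None, "unknown line")

def credentials_then_callback(call: DialIn) -> Decision:
    """Stronger policy: verify who is calling, then dial back the number registered
    for that user (B1.5). The line is a second check on top of the credential,
    never a substitute for it."""
    user = USERS.get(call.user_id or "")
    supplied = (call.password or "").encode()
    if user is None or not hmac.compare_digest(supplied, user["password"].encode()):
        return Decision(False, None, "user authentication failed")
    if call.cli is None:
        return Decision(False, None, "CLI withheld; cannot confirm the registered line")
    if call.cli != user["callback"]:
        return Decision(False, None, "call from a line other than the one registered")
    return Decision(True, user["callback"], "authenticated; calling back registered line")

def demo() -> Dict[str, bool]:
    from_home = DialIn("+441632960001", "jsmith", "correct-horse")
    stranger_on_home_line = DialIn("+441632960001", None, None)   # flatmate, visitor, burglar
    from_hotel = DialIn(None, "jsmith", "correct-horse")          # hotel PABX withholds CLI
    return {
        "cli_only / stranger on registered line": cli_only(stranger_on_home_line).allowed,
        "credentials+callback / stranger":         credentials_then_callback(stranger_on_home_line).allowed,
        "credentials+callback / user at home":     credentials_then_callback(from_home).allowed,
        "credentials+callback / user in hotel":    credentials_then_callback(from_hotel).allowed,
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:45s} {'ALLOWED' if allowed else 'denied'}")
```

Running it shows the stranger on the registered line accepted by the CLI-only policy and refused by the credential-plus-call-back policy, and the legitimate user in a hotel refused by both because the PABX withholds CLI, which is the availability cost described in B1.4.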

B2.4 Confidentiality of sensitive data compromised through overlooking

Sensitive data displayed on the screen of a notebook computer may be visible to others, particularly on aeroplanes, trains and in airport lounges.

The incidence of overlooking is likely to increase as more users need notebook computers in order to access corporate information when travelling. The increased use of high resolution ‘TFT’ screens compounds this problem, as information displayed on the screen is visible from a wide angle.

Page 24: Security Staff Remote Access - Risks and Controls

B3 Remote staff or equipment are not protected adequately

B3.1 Remote location and equipment are not insured

An organisation may face legal action or financial loss due to incidents occurring at remote locations which are not covered by insurance.

Employer’s liability insurance may not cover remote locations. If a house is burnt down, or a third party injured due to malfunction of the organisation’s equipment, the organisation may be subjected to legal action.

Computer equipment or data may or may not be covered against loss or damage in any location. An organisation may therefore suffer financial loss.

B3.2 Remote location does not meet health and safety requirements

An organisation may face legal action if the remote location does not meet health and safety regulations.

If employees are performing company work at home they may be subject to health and safety laws, irrespective of the country in which they reside. For European-based home workers, this includes national and European Union regulations. US workers will be subject to Federal and State regulations as well as local ordinances.

European Union Health and Safety regulations include: a working environment which minimises repetitive strain injury; lighting and video refresh rates to protect eyesight; and a low level of electromagnetic emissions.

B3.3 Restricted use or export of encryption

In some countries a remote user may be exposed to prosecution or confiscation of equipment if encryption is used in the client computer or modem without appropriate authorisation.

Individuals and organisations can be at risk in countries where the use or export of encryption is restricted. Examples of encryption used in the client PC include packages such as IBM Lotus Notes and Internet tunnelling technology.

The European Union is actively working on the harmonisation of encryption legislation throughout Member states.

B3.4 Data erased from magnetic media

All or some data and programs may be erased or corrupted on the hard disk drive of a laptop computer if it is placed near a strong electro-magnetic source (eg those found on some trains or aeroplanes).

Placing a bag containing a laptop computer on the floor of an underground train near a traction motor may lead to data being erased from the hard disk of the computer.

Fold-away tray tables on some modern aircraft are secured by magnets. Placing a laptop computer on such a tray table may lead to the loss of data.

Page 25: Security Staff Remote Access - Risks and Controls

C: Client computer

Client computers can range from personal computers to sophisticated network management devices. Desktop PCs are typically used by staff working from home, whilst laptops and palmtops are often used by staff on the move. Dumb terminals are used infrequently, for example, to access a legacy mainframe system.

Remote client computers are more susceptible to failure than those located in the office. For example, they can be damaged in transit, incorrectly configured or poorly maintained by remote users with inadequate technical skills. In the event of a malfunction, it is often difficult to obtain fast and effective support.

Because of their nature, client computers (typically laptop computers) are often targeted by those with malicious intent, for example to gain access to data on the hard drive or to steal components such as memory chips. In the wrong hands, these devices can be used as tools to gain unauthorised access to the corporate computing infrastructure. Critical applications could therefore be compromised and sensitive data revealed, removed or corrupted.

Client computers should be protected by similar or stronger security techniques than those used in the office, such as physical protection (for example, locks), access control mechanisms, anti-virus software and encryption of the hard disk.

C1 Client computer is not of sufficient technical specification

C1.1 Client computer not suitable for remote access

The remote user may not be able to access the corporate network, or data transfer may be unacceptably slow, if the client computer is not suitable for remote access.

The memory, processor and serial port speed of the client computer may limit use of the remote access service. Large volumes of data may take unacceptable periods to transfer, severely impairing the user’s ability to work effectively. This is particularly true for palmtop computers.

Older laptop computers may not be reliable when running without mains supply, as batteries degenerate with age.

The organisation should provide all equipment used for remote access, ensuring that a minimum technical specification required to support the service has been met.

C1.2 Incompatible ‘plug and play’ devices

Devices using ‘plug and play’ technology may not operate correctly when used in conjunction with some operating systems.

Modern peripherals (eg modems) are designed to be compatible with ‘plug and play’ operating systems which recognise and automatically configure the device.

Some operating systems (eg Windows NT 4.0) are not compatible with ‘plug and play’ devices; this can cause problems when trying to use equipment which is designed for ‘plug and play’ systems (eg Windows 95/98).

Page 26: Security Staff Remote Access - Risks and Controls

C2 Client computer is vulnerable to tampering

C2.1 Palmtop computer lost, stolen or accessed without authorisation

Palmtop computers are even more susceptible to theft and unauthorised access than conventional laptop computers.

Palmtop computers, sometimes used for remote access, are much smaller than conventional laptop computers, thus making them more susceptible to loss or theft.

‘Flash’ memory cards (storing remote access information) used in palmtop computers can be unplugged easily by an unauthorised individual and read in a similar computer.

C2.2 Discovery of passwords stored on the client computer

Passwords stored on the client computer may be discovered, allowing unauthorised access to corporate target information.

In order to save users from having to re-enter passwords each time a resource is accessed, some operating systems store passwords in a ‘password list’ (eg the ‘.pwl’ file in Windows 95).

While such files are often encrypted, gaining access to a client computer may also enable an unauthorised user to access all resources protected by passwords stored in the password list. The list may include passwords to communications software or corporate applications which would allow access to the corporate network or target resources. Passwords may also be susceptible to ‘dictionary attacks’, in which an attacker who has obtained the stored list tries likely passwords against it offline.

C2.3 Encryption keys stored on client computer compromised

If encryption keys generated in software on the client computer are compromised, an unauthorised user may gain access to the corporate network.

If discovered, encryption keys stored on a client computer could allow an unauthorised user to complete the authentication process, allowing potential access to the corporate computing infrastructure.

Encryption keys should be changed on a regular basis, or generated and held by a tamper-proof hardware device.

C2.4 Removal of client computer hard disk

If the hard disk of the client computer is stolen, sensitive data may be lost.

Most notebook computers have removable hard disk drives. If stolen, the drive could be inserted into another computer and its contents revealed, irrespective of whether the client computer is protected by a BIOS password.

Some organisations encrypt the contents of hard disk drives or specific files, where it is legal to do so. The advantage of encryption is that the files cannot be read without the key if the computer is lost, and files can be transmitted in their encrypted form.

Where encryption is not legal, individuals often travel with a minimum amount of data on a removable drive.
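A1.2 notes that the User ID, and often the password, sit on the client computer, and C2.2 that a recovered password list is exposed to dictionary attack. The following added example (not from the ISF document or any operating system) shows why a stored list is worth stealing even when its entries are hashed: one table of candidate hashes is tried against every entry, and a single list covers every resource the user had cached. The list layout (resource, user, unsalted MD5) is hypothetical and not the format of any real cache file; the entries and the word list are constructed.

```python
"""Added example: what a recovered client-side 'password list' yields to a
dictionary attack (not part of the ISF document).

The stored-list layout is hypothetical (three fields, unsalted MD5), chosen to
illustrate the point, not to mirror any real operating system cache file.
Sample entries and the word list are constructed.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# (resource, user id, hash). An attacker would recover these from the client
# computer; here they are built directly from sample passwords.
STORED_LIST: List[Tuple[str, str, str]] = [
    ("dialup:corp-ras",    "jsmith", md5_hex("summer99")),
    ("app:general-ledger", "jsmith", md5_hex("Ledger1")),
    ("share:finance",      "jsmith", md5_hex("rf9-K2q!vL7_pz")),
]

WORDLIST = ["password", "welcome", "summer", "ledger", "jsmith"]

def variants(word: str) -> Iterator[str]:
    """Common user habits: capitalisation and a short numeric or symbol suffix."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "99", "!", "2000"):
            yield base + suffix

def dictionary_attack(stored: Iterable[Tuple[str, str, str]],
                      wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash every candidate once, then look every stored hash up in the table.
    Because the hash is unsalted, one table serves every entry in the list."""
    table: Dict[str, str] = {}
    for word in wordlist:
        for cand in variants(word):
            table.setdefault(md5_hex(cand), cand)
    return {resource: table.get(digest) for resource, _user, digest in stored}

def attack_summary(stored=STORED_LIST, wordlist=WORDLIST) -> Tuple[int, int]:
    """(entries recovered, entries in the list)."""
    found = dictionary_attack(stored, wordlist)
    return sum(v is not None for v in found.values()), len(found)

if __name__ == "__main__":
    for resource, pw in dictionary_attack(STORED_LIST, WORDLIST).items():
        print(f"{resource:20s} {pw if pw else '(not in dictionary)'}")
```

Two of the three constructed entries fall to a five-word list with simple variants; only the long random value survives. The lesson for the controls side is the one the text draws: disable local storage of passwords where the product allows it, and treat a lost client as a compromise of every password it held.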

Page 27: Security Staff Remote Access - Risks and Controls

C2.5 Removal of client computer back-up battery

An unauthorised user could gain access to the operating system by removing the back-up battery on the motherboard.

If the back-up battery is removed, the settings held in battery-backed memory (including the BIOS password) are lost, and the BIOS will behave as if no password protection had been set.

C2.6 Client computer bootable from diskette

An unauthorised user may be able to boot the client computer from diskette and bypass security controls.

Even if security features are configured correctly, they may be bypassed if the user is able to boot the computer from diskette. Security-related files could be deleted, allowing full access to the operating system and sensitive data.

C3 Security software is configured poorly

C3.1 Security features of the client computer not configured by default

An unauthorised user may be able to gain access to the client computer if security features are not configured properly.

Some PC-based operating systems have many security features, but they are not usually configured by default. Unless the ability to change configurations is specifically disabled, these security features may be changed or bypassed.

C3.2 Authentication protocol incompatible with client computer operating system

The remote user may not be able to access the corporate network if the authentication protocol used is incompatible with the client computer operating system.

A typical example is Microsoft’s MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), which is not compatible with the Windows 3.11 operating system.

C3.3 Inadequate anti-virus protection

Unless anti-virus software is installed, configured correctly and kept up to date, the corporate computing environment will potentially be exposed to the introduction of malicious code.

Many organisations now update virus signature files on at least a monthly basis. While use of the remote access link to update virus signatures will ensure that software is up to date, this can be difficult and time-consuming.

C3.4 Virus checker ineffective when hard disk is encrypted

Virus checkers may not function correctly where part or all of the hard disk on the client computer has been encrypted.

Encryption is an effective guard against unauthorised access to the hard disk of the client computer, particularly where the remote user travels with a laptop computer. It is likely, however, that anti-virus software will not be able to scan files while they are held in encrypted form; only a scanner that runs on the client after the files have been decrypted for use can examine their contents.

Page 28: Security Staff Remote Access - Risks and Controls

D: Communications software

Communications software is required to enable the client computer (for example, a laptop PC) to communicate with the target system via a network connection device (typically a modem). It can be an integral part of the computer’s operating system (for example, Dial-Up Networking in Windows 95 and 98), proprietary software (for example, Xcellnet’s RemoteWare) or part of a dedicated application (for example, IBM Lotus Notes).

Such software is complex, notoriously difficult to configure and can be incompatible with other types of networking software, hardware or client applications.

D1 Communications software malfunctions

D1.1 Communications software malfunction due to incompatibility with other remote access components

Remote staff will be unable to access the corporate network if the communications software on client computers is incompatible with other components of remote access.

Malfunction may be caused by incompatibility with other software installed on the client computer, the client connection device or network protocols.

D1.2 Unavailability of corporate network due to incorrect communications parameters

Remote staff may not be able to access the corporate network if communications software is not configured correctly.

Communications software controls both the connection device (eg PC modem) attached to the client computer and the connection to the corporate computing infrastructure. Such software is often technically complex and its parameters difficult to configure correctly. Incorrect configuration may result in failure to connect to the corporate network.

D1.3 Communications software malfunction due to unforeseen effects of change

Remote staff may not be able to access the corporate network if configuration settings in the communications software are changed inappropriately.

If uncontrolled changes are made to the configuration settings in the client communications software, the software may malfunction, preventing access to the corporate network.

D1.4 Access to corporate network degraded due to incorrect database replication configuration

The corporate network may be unavailable for extended periods if database replication software is configured incorrectly.

With even the fastest modem, replication of an entire database between the remote server and client computer can take several hours. Where possible, database replication software should be configured to download only the changes made to the database since replication last occurred.

Some groupware products do not work well with ISDN, as they maintain the connection even when they do not need it. This may prevent groupware users from being able to access remotely the information they need on a timely basis.
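D1.4 recommends configuring replication to download only the changes since the last run. The following added example (not from the ISF document or from any groupware product) shows the mechanism that recommendation relies on: the server numbers every write, the client remembers the last number it saw, and deletions are carried as ‘tombstones’ so that they replicate too rather than lingering on the client. The store, the sequence-number scheme and the 200 sample documents are constructed.

```python
"""Added example: full versus change-only replication of a database to a
remote client (not part of the ISF document).

The store, the sequence-number scheme and the sample documents are all
constructed for illustration; real products track changes in their own way.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Record:
    key: str
    seq: int                 # server change counter at the time of the last write
    body: Optional[bytes]    # None marks a deletion (a 'tombstone'), so deletes replicate too

class ServerDb:
    def __init__(self) -> None:
        self.seq = 0
        self.records: Dict[str, Record] = {}

    def put(self, key: str, body: bytes) -> None:
        self.seq += 1
        self.records[key] = Record(key, self.seq, body)

    def delete(self, key: str) -> None:
        self.seq += 1
        self.records[key] = Record(key, self.seq, None)

    def changes_since(self, seq: int) -> List[Record]:
        return sorted((r for r in self.records.values() if r.seq > seq), key=lambda r: r.seq)

class ClientReplica:
    def __init__(self) -> None:
        self.last_seq = 0
        self.records: Dict[str, Record] = {}

    def apply(self, changes: List[Record]) -> None:
        for r in changes:
            if r.body is None:
                self.records.pop(r.key, None)
            else:
                self.records[r.key] = r
            self.last_seq = max(self.last_seq, r.seq)

def wire_bytes(changes: List[Record]) -> int:
    return sum(len(r.body) if r.body else 0 for r in changes)

def replicate_full(server: ServerDb, client: ClientReplica) -> int:
    """Re-send every live record (suitable for a fresh client); returns bytes transferred."""
    changes = [r for r in server.records.values() if r.body is not None]
    client.apply(changes)
    client.last_seq = server.seq
    return wire_bytes(changes)

def replicate_incremental(server: ServerDb, client: ClientReplica) -> int:
    """Send only what changed since the client's last sequence number."""
    changes = server.changes_since(client.last_seq)
    client.apply(changes)
    client.last_seq = server.seq
    return wire_bytes(changes)

def consistent(server: ServerDb, client: ClientReplica) -> bool:
    live = {k: r.body for k, r in server.records.items() if r.body is not None}
    return {k: r.body for k, r in client.records.items()} == live

def transfer_seconds(nbytes: int, bps: int) -> float:
    """Line time ignoring compression and protocol overhead."""
    return nbytes * 8 / bps

def demo() -> Tuple[int, int, int, bool]:
    server = ServerDb()
    for i in range(200):
        server.put(f"doc{i}", b"x" * 4096)       # 200 documents of 4 KB each (constructed)
    client = ClientReplica()
    initial = replicate_incremental(server, client)   # first sync has to fetch everything
    server.put("doc7", b"y" * 4096)              # one document edited ...
    server.put("doc200", b"z" * 4096)            # ... one added ...
    server.delete("doc3")                        # ... one deleted
    delta = replicate_incremental(server, client)
    full = replicate_full(server, ClientReplica())
    return initial, delta, full, consistent(server, client)

if __name__ == "__main__":
    initial, delta, full, ok = demo()
    print(f"initial {initial} bytes, delta {delta} bytes, full resync {full} bytes, consistent={ok}")
    print(f"delta at 9,600 bps: {transfer_seconds(delta, 9600):.0f} s; "
          f"full at 56,000 bps: {transfer_seconds(full, 56000):.0f} s")
```

On the constructed data the change-only run moves 8 KB where a full resync moves 800 KB, and the replica still matches the server afterwards, deletion included. The figure that matters for D1.4 is the ratio: at 9,600 bps (the GSM rate in E1.5) the delta takes seconds and the full copy minutes, and the gap grows with the size of the database.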

Page 29: Security Staff Remote Access - Risks and Controls

D1.5 Incorrect Internet browser configuration

An organisation may be exposed to malicious code if Internet browsers are not configured properly.

If Internet browsers are configured incorrectly, they may enable access to unauthorised areas and give inadequate warning of potential risks (such as the downloading of Java applets and ActiveX controls, which could contain malicious code).

D2 Remote staff use communications software in an inappropriate manner

D2.1 Unauthorised use of remote control software

An unauthorised user may be able to take control of corporate network resources with the aid of remote control software.

Remote control software (such as Symantec’s pcANYWHERE) could be used to provide access to an office-based computer connected to the corporate network. From there the user could take control of the target system and cause accidental or malicious damage.

While remote control software will usually require server software to be set up on the computer acting as host (eg the office-based computer), this is not difficult to configure and may not be noticed by network administrators. Normal remote access controls are bypassed and authentication is usually weak.

D2.2 Unauthorised use of remote access server software on the client computer

An authorised user (eg a disgruntled employee) may be able to remotely read and modify software configurations on the host system with the aid of dial-up server software on a client computer.

Dial-up server software such as that available with Microsoft Plus! for Windows 95 could be used to provide access to an office-based computer connected to the corporate network. From there the user could access the corporate network as if in the office.

D2.3 Unauthorised use of remote network diagnostic tools and protocols

An authorised remote user with privileged access may gain access to restricted parts of the corporate network through the use of a remote network diagnostic tool.

Network fault reporting and diagnosis techniques, such as the Simple Network Management Protocol (SNMP), can be extremely useful in determining network problems. They can be used to provide remote out-of-hours support without having to maintain staff on site.

By their very nature, these tools give ‘privileged’ access to systems and network components. While this may be acceptable under supervision, authorised remote staff could access information to which they would not normally be allowed, or modify parameters that would enable other unauthorised users to access internal systems.

Page 30: Security Staff Remote Access - Risks and Controls

E: Client connection device

Client connection devices are used to connect client computers with external network services. Typical examples include modems for analogue connection and terminal adaptors for digital connections. Mobile phones can also be used as connection devices, for example to connect a laptop computer to the GSM network.

Client connection devices vary greatly in terms of speed, functionality, reliability and cost. They are also subject to differing standards and may not be compatible with other connection devices. As a result, the speed and reliability of data transfer can be disrupted, particularly for large volumes.

E1 Client connection device is not secured or does not perform adequately

E1.1 Client connection device permanently connected to phone line

An unauthorised user may be able to dial into the client computer if the client connection device is permanently connected to the phone line.

This is particularly true if a home-based computer is set up with remote access software so that files can be downloaded by the authorised user when travelling.

E1.2 Malfunction of client connection device

The remote user will not be able to connect to the corporate network if the client connection device malfunctions.

The client connection device may malfunction for a number of reasons, ranging from power incompatibility when travelling abroad to an inability to connect with the client connection software.

The risk of malfunction can be reduced by using a standard connection device (which has been tested in different circumstances) for all remote users.

E1.3 Unreliable connection to corporate network due to incompatible modem standards

Users may not be able to connect reliably to the corporate network, especially over long distances, due to incompatible modem standards.

Modem standards cover speed, data compression and error correction. Modems conforming to different standards may not be able to connect with each other, or may be unreliable when connecting over long distances, preventing access to the corporate network.

Examples of incompatible modem standards are 3Com/USRobotics X2 and Rockwell K56flex, although a new 56Kbps standard (V.90) has been ratified by the ITU-T.

E1.4 Poor performance when using an encryption modem

Use of an encryption modem may result in a failure to connect or a poor data transfer rate between the corporate computing infrastructure and the client computer.

An encryption modem can only connect to a similar device, for decryption at the corporate network. This device cannot, therefore, be used to connect to a local Point of Presence (PoP) in a managed network.

While an encryption modem can be used to prevent eavesdropping, the encryption imposes an overhead in terms of throughput performance. This may prove to be unacceptably slow for large volumes of data.

E1 Client connection device is not secured or does not perform adequately (continued)

E1.5 Poor communications link when using a GSM mobile phone

Use of a GSM mobile phone for remote access may result in a poor data transfer rate or unavailability of the service.

GSM mobile phones, which are limited to 9,600bps in ideal circumstances, can be subject to interruptions in areas of poor signal strength.

In addition, there are two GSM standards which are incompatible with each other (900 MHz and 1,800 MHz). A 900 MHz mobile phone will not operate in a 1,800 MHz network and vice versa.

Dual standard mobile phones which operate in either type of GSM network are available. Introduction of the new UMTS mobile phone standard is likely to solve problems of incompatibility, but this is unlikely to become available for some time.

E2 Client connection device is misused or stolen

E2.1 Theft of GSM mobile phone data (SIM) card

An organisation may be exposed to unauthorised access if an unprotected GSM mobile phone storing remote access information is stolen.

A GSM mobile phone Subscriber Identification Module (SIM) card may store telephone numbers and passwords used for remote access. If stolen, an unauthorised user could use this information to gain access to the corporate network.

While the stolen mobile phone might have been password protected by the user, the SIM card might not have been. In this case the unauthorised user could access information on the card merely by inserting the SIM card into a similar mobile phone.

Most mobile phones allow the SIM card to be password protected in addition to the phone itself. Where remote access information is stored, the SIM card should be password protected.

F: Network Services

F1 Network service provider delivers poor quality service

Network services provide the transport mechanism between the remote environment and the corporate computing infrastructure. Public services (for example, PSTN or ISDN) are always used to some extent, but can be re-packaged as part of a managed or Internet-based service. They are not normally under the control of the organisation and may cover multiple telecommunications carriers in a number of different countries.

The main risk is the quality of the service being provided, particularly in terms of speed and reliability. Other risks include eavesdropping (sniffing) and third parties ‘masquerading’ as authorised users (spoofing).

Organisations will usually select a network service provider by balancing four main factors: speed (bandwidth), coverage (for example, the availability of and distance to a connection point), security and cost. Therefore, security may not always be the first requirement to be fulfilled.

F1.1 Poor quality public network service

Remote users may not be able to connect to the corporate network if the public network service is of poor quality.

If the network service provider cannot provide a consistent, robust and reliable service, the remote user will not be able to connect to the corporate network when needed. Problems may relate to insufficient capacity or poor support arrangements.

F1.2 Lack of support from managed network service providers

Remote users may not be able to connect to the corporate network if arrangements with the managed network service provider are insufficient to provide a reliable and consistent service.

If the network service provider does not guarantee availability or a comprehensive support service, it is likely that the remote access service will be disrupted and prevent the remote user from connecting to the corporate network.

F1.3 Network service withdrawn due to billing or contractual disputes

Remote users may not be able to connect to the corporate network if the network service is withdrawn due to billing or contractual disputes.

If network service bills are not paid promptly or a contractual dispute arises between the organisation and the network service provider, the communications service may be withdrawn and the corporate network rendered unavailable to remote users.

F2 Communications links are damaged or inadequate

F2.1 Damaged communications link

Availability of the remote access service will be compromised if the communications link is damaged.

PSTN, ISDN and cable connections from a local telephone exchange to an organisation’s premises are vulnerable to physical damage by construction or repair work. Even if duplicate lines are installed, they may run in the same trench.

F2.2 Poor transmission performance

Availability and speed of the remote access service will be impaired if the quality of the communications link is poor.

The speed of modem data transfer over telecommunications services is dependent on the quality of the link. A 28,800bps modem will only transmit at that speed if the line quality is extremely good. This is likely to be worse over longer distances as the number of interconnecting lines increases. Similarly, a 56Kbps modem is unlikely to connect above 28,800bps, even to a similar 56Kbps modem.

F2.3 Network delay

Network delay may prevent the remote user from connecting to the corporate network.

Network delay (latency) can cause modem malfunction, particularly on international calls and/or satellite links.

Long distance calls, especially international ones, can be difficult to set up and are relatively unreliable. This is not so important for voice traffic, but if a large data file is being transferred, even a momentary interruption could drop the call.

F3 Data is intercepted in transit

F3.1 Loss of confidentiality through eavesdropping

The confidentiality of sensitive data may be compromised if the communications link is ‘eavesdropped’.

Eavesdropping (eg line tapping) on telephone lines carrying data traffic is more likely in the unprotected link between the remote access user and the local telephone exchange (the local loop), although telephone exchanges themselves have been successfully hacked. There is also a possibility of eavesdropping on a microwave or satellite link, although data may be encrypted by service providers.

F3.2 Loss of confidentiality of sensitive data through network ‘sniffing’

The confidentiality of sensitive data may be compromised if the network being employed for remote access is ‘sniffed’.

On shared media data networks (such as Ethernet), ‘sniffing’ can be used to capture data traffic, where a ‘promiscuous’ network interface (‘sniffer’ card) inserted into the network accepts all packets, irrespective of address. ‘Sniffing’ may take place on the Internet, or on an unprotected link in a remote location, eg on an unused spur in a rented office.

While ‘sniffing’ on a communications link is most likely to result in a loss of confidentiality of corporate data, user identification and authentication details may also be gathered which in turn could allow unauthorised access to the corporate network.

G: Network protocols

G1 Network protocols have inherent weaknesses

Network protocols are the common ‘languages’, used in conjunction with network services, to transmit and receive data over communications links. They will be determined by the organisation’s internal infrastructure and the chosen carrier service.

There are inherent security problems with nearly all network protocols. Unless configured and monitored effectively, networks may be vulnerable to attack or congestion, with consequential impact in terms of integrity and availability.

The most common transport protocol for long distance, homogeneous networks is TCP, used in conjunction with IP (referred to as TCP/IP). For remote access, this is particularly suitable through the use of dial-up connections on client computers using the SLIP or PPP protocols.

The choice of protocol will be dictated to a large extent by the type of network that is to be used for remote access and what is already in use in the organisation.

G1.1 Unavailability of corporate computing infrastructure due to network flooding

The corporate network may be rendered unavailable if a non-routable protocol which cannot handle multiple dial-in attempts is used.

Some protocols are non-routable and operate by ‘broadcasting’ to the whole network. An example is Microsoft’s NetBEUI protocol, which is frequently used for remote access as it is fast and simple to configure. Such protocols are only suitable for small networks, as even in medium size networks they can cause broadcast flooding and render the entire corporate network inoperable.

Microsoft Windows Internet Naming Service (WINS) can be used to administer NetBEUI networks over routers and eliminate broadcast flooding.

G1.2 Incompatible error correction protocols

Sensitive data may be lost or damaged due to incompatible error correction in network protocols.

Insufficient or incompatible error correction protocols may not protect the integrity of transmitted data. Conversely, too much error correction can cause availability problems due to reduced transmission rates.

Error correction is essential, particularly for analogue dial-up access, due to electrical noise on telephone lines affecting the modulation of the signal.

Each network protocol provides a different level of error correction, which imposes varying degrees of overhead (checking information that is passed during transmission). Problems also occur where multiple protocols each have their own error correction (such as IPX over X.25).

G1 Network protocols have inherent weaknesses (continued)

G1.3 Incompatible data compression standards

The remote user may not be able to connect to the corporate network or data transmission may be very slow due to incompatible data compression standards.

Higher rates of data transmission (9,600 bps and above) rely on some form of data compression. Incompatible data compression standards will limit transmission speed and can cause availability problems, due to the time taken to download large files, such as graphics packages or databases.

Data compression can occur at many different stages in the transmission process: user application, communications software, modem and network services. It is, therefore, essential that the organisation adopts a data compression methodology covering all protocols.

G1.4 Susceptibility to ‘denial of service’ attacks

Authorised remote users may not be able to connect to the corporate network due to ‘denial of service’ attacks.

Arising from network failure, overload or a direct attack on a network computer itself, denial of service will prevent a computer or network from communicating with other computers. Denial of service attacks often form part of the process of ‘spoofing’ (masquerading as a legitimate user).

G1.5 Insufficient network administration

Remote users may experience availability problems if network service levels are not actively monitored and maintained.

This may be difficult when remote access links are not under the control of the organisation, requiring a significant investment in network management tools and trained personnel. However, it may be the only way to diagnose poor remote access service levels in a multi-protocol environment.

G2 Malicious third parties exploit weaknesses in network protocols

G2.1 Susceptibility to ‘spoofing’ attacks

An unauthorised user may gain access to sensitive data by masquerading as an authorised user (spoofing).

There is an inherent lack of authentication in the Internet Protocol (IP) suite. The most obvious manifestation can be seen in IP ‘spoofing’ attacks, where an intruder attempts to gain access to the corporate network by masquerading as an authorised remote user.

The IP suite, and its weaknesses, are described fully in the Forum’s report The Internet and Security – Implementation Guide.

G2.2 Susceptibility to network ‘sniffing’

The confidentiality of sensitive data may be compromised due to the susceptibility of network protocols to network ‘sniffing’.

‘Broadcast address’ protocols (including TCP/IP) are susceptible to a variety of tools (such as ‘sniffers’) that can be used to gather critical information from the data stream. This includes passwords, financial account numbers, private data or protocol information that can be used to mount a subsequent attack on the corporate network.

G2.3 Unauthorised access due to incorrect configuration of network protocols

Unauthorised users may gain access to the corporate network if network protocols are configured incorrectly.

Network protocols can be extremely complex, involving multiple protocols operating at different layers of the Open Systems Interconnection (OSI) stack. Unless configured correctly by experienced administrators, the corporate network may be exposed to attack from unauthorised users.

H: Corporate connection device

H1 Corporate connection devices fail to perform as intended

The interface between the telecommunications service and the corporate network is provided by some form of corporate connection device.

The type required is determined primarily by the network services selected and protocols used, which need to be compatible with those deployed in the remote environment. Inappropriate or poorly configured connection devices can potentially compromise the confidentiality or integrity of sensitive data in transit. Special types of modem (for example, password or encryption) can provide integral security mechanisms which can provide additional protection, but can impact on performance.

For analogue connections (typically PSTN), a modem at the corporate network communicates with the transmitting modem to negotiate a common transmission speed, compression algorithm and error checking protocol. When this is complete, the signals sent by the transmitting modem are received by the corporate modem and converted back into digital information.

For digital connections (typically Primary Rate ISDN or T1), a dedicated interface card transmits and receives digital data directly with the client connection device. These modems or dedicated interface cards may be part of a remote access server.

H1.1 Unavailability of corporate network or devices

The corporate network may not be available to the remote user or data may be corrupted if the corporate connection device is not fully compatible with equipment used by the network service provider or with the client connection device.

There is a need for a detailed design specification and thorough testing of a proposed remote access solution, end-to-end. Problems are less likely to occur if all networking equipment is supplied by the same vendor, but this may not always be practical.

Compatibility problems are minimised by the use of a managed network service with (for instance) local Points of Presence (PoP), but it is essential that the interface (gateway) between the supplier’s network and the organisation is also thoroughly tested.

H1.2 Insufficient number of modem ports

Users may not be able to connect to the corporate network if there are not enough ports to cater for the number of simultaneous remote users or the volume of remote access traffic.

Although more of a capacity planning problem, many organisations have found it difficult to anticipate the number of ports needed in a modem pool to cater for increases in users and connection time. The resulting risk is that users are not able to connect to corporate resources when they need to.

H1 Corporate connection devices fail to perform as intended (continued)

H1.3 Poor performance of connection device

Availability and speed of the remote access service will be impaired if the corporate connection device is inappropriate or incompatible.

Performance issues at the corporate connection device can cause availability problems for remote users.

Corporate connection devices vary widely in performance and management capability. They need to be carefully chosen and thoroughly tested for parameters such as connect time, throughput and troubleshooting capability (eg status, history, monitor log-in).

H1.4 Failed connection to the corporate network due to excessively long telephone number

Where the telephone number used to gain remote access is very long, log-in and authentication processes may ‘time out’ and fail.

Some organisations manage remote access by using different sets of telephone numbers for different divisions or business units. This may involve appending a suffix to a standard number. Where the number is very long, remote connections may fail or ‘time out’.

H2 Malicious third parties exploit poorly configured corporate connection devices

H2.1 Unauthorised access to the corporate network by call forwarding

An unauthorised user may gain access to the corporate network by compromising dial-back modems using call forwarding.

Dial-back can be compromised by using the call forwarding facilities of a PABX or public telephone system. This can be done either from a telephone handset (for instance, in a remote office out of hours) or by ‘hacking’ the PABX or exchange (Central Office).

Many PABX systems have a remote maintenance port which is constantly open and protected only by a simple password. Direct connection of modems to exchange lines (trunks) prevents call forwarding by the PABX.

H2.2 Unauthorised access to the corporate network due to a single dial-back modem arrangement

If dial-back is being used as a means of authentication from the same device that receives the call, an unauthorised user may gain access to the corporate network.

Many phone systems (and especially some PABXs) will not disconnect a call initiated from an outside line until the outside line is hung up. If an attacker, therefore, does not hang up, the dial-back modem may try to hang up but then dial back out on the same incoming line, to be answered by the attacker’s modem.

This risk can be avoided by arranging for dial-back to be from a different modem from the one that received the incoming call.

H2.3 Unauthorised modem access

An unauthorised user may be able to dial in to a standard modem connected to the corporate network and from there gain access to sensitive data.

Anyone can connect to a standard modem connected to a corporate network, which has no in-built security mechanism, provided they know the telephone number.

There are software programs available which will dial numbers in a predetermined sequence, looking for modems that are open (ie war-dialling). Once the connection is made, the user has access to the computer to which the modem is attached, provided the User ID and password are known, or can be guessed.
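The single-modem dial-back weakness in H2.2, and the separate-modem arrangement the entry recommends, can be reasoned about with a small model of the exchange line. The following is an added illustration written for this page, not code from the Forum's report: the PABX behaviour (a line seized by an outside caller stays seized until that caller clears down), the line names and the registered dial-back number are all constructed assumptions.

```python
"""Model of the dial-back weakness described in H2.2 and its mitigation.

Constructed illustration, not code from the ISF report. The PABX behaviour
modelled is the one the page describes: an outside call holds the line until
the OUTSIDE party hangs up, so a local hang-up alone does not free it.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory of registered dial-back numbers (placeholder value).
REGISTERED_NUMBERS = {"alice": "+44-00-0000-0001"}


@dataclass
class ExchangeLine:
    """One outside line; `held_by` names the outside party currently on it."""
    name: str
    held_by: Optional[str] = None

    def incoming_call(self, caller: str) -> None:
        self.held_by = caller

    def local_hangup(self, outside_party_hung_up: bool) -> None:
        # The line is only released if the outside party has cleared down.
        if outside_party_hung_up:
            self.held_by = None

    def dial(self, number: str) -> str:
        """Return the party that answers. A line still held by an outside
        caller never reaches the dialled number: the caller is still there."""
        return self.held_by if self.held_by is not None else number


def dial_back(user: str, inbound: ExchangeLine, outbound: ExchangeLine,
              outside_party_hung_up: bool) -> str:
    """Hang up the inbound call, then dial the registered number on
    `outbound`. `outbound` may be the same line object as `inbound` (single
    modem, the risky arrangement) or a separate line (the mitigation)."""
    inbound.local_hangup(outside_party_hung_up)
    return outbound.dial(REGISTERED_NUMBERS[user])


def single_modem_outcome(caller: str, outside_party_hung_up: bool) -> str:
    """Who the server ends up connected to when one modem does both jobs."""
    line = ExchangeLine("line-1")
    line.incoming_call(caller)
    return dial_back("alice", line, line, outside_party_hung_up)


def separate_modem_outcome(caller: str, outside_party_hung_up: bool) -> str:
    """Who the server ends up connected to with a dedicated outgoing line."""
    inbound = ExchangeLine("line-1")
    outbound = ExchangeLine("line-2")
    inbound.incoming_call(caller)
    return dial_back("alice", inbound, outbound, outside_party_hung_up)


if __name__ == "__main__":
    print("single modem, caller holds line:", single_modem_outcome("caller-modem", False))
    print("separate modem, caller holds line:", separate_modem_outcome("caller-modem", False))
```

Running the model with a caller who does not hang up shows the single-modem server "dialling back" to the party still on the line, while the separate-line server reaches the registered number regardless of what the caller does.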

I: Routing devices

I1 Routing devices malfunction or are configured incorrectly

The client computer’s communication software provides an address where the target server can be found within the corporate computing infrastructure. A routing device connects the remote user to the designated internal resource. Corporate connection and routing devices are often combined in a single unit, such as a specialised remote access server or a network server running an operating system (for example, Windows NT or Novell Netware) which supports Remote Access Services (RAS).

Whilst there are many methods that can be used to provide this kind of access, the two most commonly used are:

• Remote access server – a dedicated device that contains the corporate connection devices such as modems, and/or ISDN interfaces and a network router in a modular, scalable chassis. The software control is normally provided by a proprietary operating system.

• Remote Access Services – a software service that is ‘bundled’ with the most common software operating systems (eg Windows NT RAS).

Typical risks relate to poor authentication, lack of scalability, inadequate throughput facilities and lack of management.

I1.1 Failure of routing device

Remote staff will be unable to connect to the target server if the remote access routing device fails, or is misconfigured.

The remote access router typically handles the delivery of network traffic from the client computer to the correct internal network address. If the router is incorrectly configured or it malfunctions, remote users will not be able to connect to the required resource.

I1.2 Routing device unauthorised access due to incorrect configuration

Unauthorised users may be able to gain access to sensitive information or mount other forms of attack if routing devices are configured incorrectly.

Routing devices rely on the correct configuration and maintenance of complex ‘routing tables’ in order to prevent unauthorised access. If these tables are not maintained or configured correctly, the remote user may be routed to the wrong network address or may not be able to connect to the corporate network at all.

I1.3 Remote access server unable to cope with multiple addresses

The remote user may not be able to access the target information resource on the corporate network if the remote access server is unable to route to multiple network addresses.

The process used to gain remote access may require the remote access server to route the user to several network addresses (eg authentication server, tunnel server and surveillance server). If the remote access server cannot route to more than a limited number of addresses, it may not be able to connect the user to the intended information resource.

I1 Routing devices malfunction or are configured incorrectly (continued)

I1.4 Routing device configured to allow unnecessary public network services

A malicious third party may be able to disrupt the remote access service by attacking routing devices that allow public network services.

The routing device may be configured to allow public network services (eg TFTP or Telnet), allowing anyone to connect to them. These services are not usually required for normal router operation, and may allow an attacker to gain information about the router, or disrupt router operation by mounting a ‘denial of service’ attack.

I2 Malicious third parties exploit weaknesses in routing devices

I2.1 Unauthorised access to remote maintenance port

Malicious third parties may be able to gain access to the corporate network by connecting to a remote maintenance port on the routing device and modifying routing tables.

Remote access servers or other servers running remote access services are likely to be supplied with a remote maintenance port, allowing technicians to dial in from remote locations. These ports are often less well-secured than those used by regular remote access users. A malicious third party could connect to a remote maintenance port and modify routing tables. This could then allow access to any server specified in the routing tables.

I2.2 RAS server vulnerable to IP spoofing attacks

Unauthorised users may be able to access the corporate network due to a vulnerability to spoofing in some remote access services software.

Some remote access services may be vulnerable to IP spoofing, allowing remote systems to masquerade as another IP address.

I2.3 Unauthorised access to routing devices not protected by a security barrier

Malicious third parties may be able to mount an attack on an unprotected server, using a security analysis tool such as SATAN.

Readily available security analysis tools can be used to gain a log-in account on an unprotected server. This is particularly easy if the routing device, corporate connection device and target server are one and the same (eg Windows NT RAS).

Routing devices should normally be protected by some form of firewall, preferably with a De-Militarised Zone (DMZ) between them to enable unobserved monitoring of attacks.

J: Internal network

J1 Internal networks are unreliable

Remote users usually connect to an internal network, or sub-net, which is typically a partition or domain based on a community of interest within the corporate computing infrastructure. The internal network is usually protected from third party networks (especially the Internet) by some form of network security barrier, typically a screening router and/or firewall.

It is usually possible to divide the internal network into domains – a number of smaller networks based on communities of interest – so that remote access users have access only to those domains to which they have been specifically authorised.

The provision of remote access can open up internal networks, exposing them to external attack by malicious third parties.

Corporate networks are therefore usually protected from third party networks (especially the Internet) by some form of network security barrier, typically a screening router and/or firewall. These are devices that perform a screening function and only allow packets of data into the corporate network that conform to pre-determined criteria.

J1.1 Network congestion

The remote access service may not be available to users if the corporate network is congested.

Network congestion (insufficient capacity caused by poor design, lack of networking standards or inadequate network monitoring) is likely to cause availability problems such as slow log-in response and inadequate/slow data transfer.

J1.2 Lack of network documentation

The remote access service is unlikely to provide a sufficient level of security if network documentation is not accurate and up-to-date.

Up-to-date documentation is an essential starting point for configuration management of key network components, particularly devices used to partition networks for remote access users.

If the exact number, addresses, connection methods and configuration of remote access services are unknown, it will be very difficult to implement a secure service.

J1.3 Password ageing may prevent access

The remote user may not be able to gain access to the corporate network if their password has expired.

The remote user may not be able to change a network password unless connected directly to the internal office network, or with the help of a systems administrator.

J2 Malicious third parties exploit internal network weaknesses

J2.1 Unauthorised access due to poorly planned partition structure

An unauthorised user may gain access to sensitive data if the internal network partition structure is poorly planned.

An organisation may be exposed to loss of sensitive data (eg Human Resource or Finance) if it is not secured behind a second level of defence. The corporate network domain structure should be designed in a way that allows only limited access to sensitive information.

Some organisations divide their network into domains based on communities of interest, whereby remote users are able to access only the data they need to carry out their job. This is particularly important if remote users are given the same level of access as if they were in the office.

J2.2 Unauthorised access due to poor tracking systems

Unauthorised users such as disgruntled ex-employees may gain access to the corporate network if user records are not kept up-to-date.

Keeping track of all authorised users can be extremely difficult, especially across multiple business units and computing platforms. A database maintained at the corporate level and linked to personnel systems is good practice.
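The corporate-level database linked to personnel systems that J2.2 recommends is useful mainly because it can be reconciled against the accounts each remote access platform actually holds. The following is an added example written for this page, not code from the Forum's report: the personnel extract, the platform labels and the account list are all constructed, and the reconciliation rule (flag every enabled account whose holder has left, or who cannot be matched to a personnel record at all) is the editor's assumption of what such a check should do.

```python
"""Reconcile remote-access accounts against personnel records (J2.2).

Added example, not from the ISF report. Both data sets are constructed:
a personnel extract (the corporate database linked to personnel systems)
and the account list exported from each remote access platform.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Employee:
    staff_id: str
    name: str
    leaving_date: Optional[date]   # None means still employed


@dataclass(frozen=True)
class RemoteAccount:
    platform: str             # constructed platform labels, eg 'nt-ras'
    user_id: str
    staff_id: Optional[str]   # link to the personnel record, None if unknown
    enabled: bool


# Constructed personnel extract (hypothetical staff).
PERSONNEL = [
    Employee("E001", "Ann Example", None),
    Employee("E002", "Bob Example", date(1999, 6, 30)),
    Employee("E003", "Cat Example", date(1999, 12, 31)),
]

# Constructed export of remote access accounts from two platforms.
ACCOUNTS = [
    RemoteAccount("nt-ras", "ann", "E001", True),
    RemoteAccount("nt-ras", "bob", "E002", True),       # holder has left
    RemoteAccount("nt-ras", "bob-old", "E002", False),  # already disabled
    RemoteAccount("unix-dialin", "cat", "E003", True),  # leaves in future
    RemoteAccount("unix-dialin", "temp7", None, True),  # no personnel link
]


def find_stale_accounts(personnel: Sequence[Employee],
                        accounts: Sequence[RemoteAccount],
                        as_of: date) -> List[Tuple[str, str, str]]:
    """Return (platform, user_id, reason) for every ENABLED account whose
    holder left on or before `as_of`, or who matches no personnel record.
    Disabled accounts are ignored; the result is sorted for stable reports."""
    by_id = {e.staff_id: e for e in personnel}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = by_id.get(acct.staff_id) if acct.staff_id else None
        if emp is None:
            findings.append((acct.platform, acct.user_id,
                             "no matching personnel record"))
        elif emp.leaving_date is not None and emp.leaving_date <= as_of:
            findings.append((acct.platform, acct.user_id,
                             "holder left on " + emp.leaving_date.isoformat()))
    return sorted(findings)


def stale_as_of(iso_date: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper over the constructed data, taking an ISO date."""
    return find_stale_accounts(PERSONNEL, ACCOUNTS, date.fromisoformat(iso_date))


if __name__ == "__main__":
    for platform, user_id, reason in stale_as_of("1999-09-01"):
        print(f"{platform}/{user_id}: {reason}")
```

Accounts that cannot be tied to a personnel record are reported alongside leavers' accounts because, without that link, nobody can say when they should have been closed; that is the gap the page's "database linked to personnel systems" is meant to close.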

J2.3 Unforeseen effects of change

Unauthorised users may gain access to the corporate network, or target resources may be rendered unavailable if untested changes are made to the network configuration.

Changes to partitioning devices to accommodate new business opportunities can inadvertently modify filtering parameters for remote access users. This may enable external access to sensitive systems or data.

J2.4 Inability to locate ‘rogue’ remote access servers

‘Rogue’ remote access servers connected to the corporate network may go undetected, allowing unauthorised access to sensitive data.

It may be difficult to identify unauthorised remote access servers connected to the corporate network unless system management utilities and protocols (eg Microsoft SMS, SNMP) and dialler programs are used to detect unauthorised software, client computer configuration and modems. If such servers go undetected, an unauthorised user may gain access to a client PC (configured as a remote access server) and from there to other parts of the corporate network.

J2.5 Failure to identify a remote user as a member of a restricted group

An authorised user may be able to access sensitive data inappropriately if the authentication process cannot identify that the user is a member of a restricted group.

While an authentication server may verify a remote user as a genuine employee, it may not be able to determine that the user is a member of a group which has restricted access rights. For example, a restricted group may have been set up, consisting of a number of employees allowed access to sensitive human resource data stored in a specific network domain. If the authentication process cannot establish whether remote users are members of the group or not, unauthorised staff may be able to access the sensitive data.
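J2.5 separates two decisions that a remote access log-in can blur: proving the caller is a genuine employee, and establishing whether that employee belongs to a group permitted into a restricted domain such as the HR domain of J2.1. The following is an added example written for this page, not code from the Forum's report: the credential store, the users, the groups, the domain names and the default-deny policy table are all constructed assumptions, and the point it shows is that a user who authenticates correctly is still refused a domain that no group of theirs permits.

```python
"""Authentication followed by a group check before domain access (J2.5),
applied to the domain partitioning of J2.1.

Added example, not from the ISF report. Users, groups and domains are
constructed. Rule: authentication proves identity only; a domain is
reached only if one of the user's groups is explicitly permitted for it.
"""
import hmac
from typing import Dict, FrozenSet

# Constructed credential store standing in for the authentication server.
# (A production store would hold salted hashes; plaintext keeps the demo short.)
CREDENTIALS: Dict[str, str] = {"ann": "ann-pw", "bob": "bob-pw"}

# Constructed directory of group membership. Ann is a genuine employee but
# is NOT in the restricted HR group; Bob is.
GROUP_MEMBERSHIP: Dict[str, FrozenSet[str]] = {
    "ann": frozenset({"staff"}),
    "bob": frozenset({"staff", "hr-restricted"}),
}

# Constructed domain policy: which groups may reach each internal domain.
# A domain absent from the table is closed to remote users (default deny).
DOMAIN_POLICY: Dict[str, FrozenSet[str]] = {
    "general": frozenset({"staff"}),
    "hr-domain": frozenset({"hr-restricted"}),
}


def authenticate(user_id: str, password: str) -> bool:
    """Identity check only: is the caller a genuine employee?"""
    expected = CREDENTIALS.get(user_id)
    return expected is not None and hmac.compare_digest(expected, password)


def authorise(user_id: str, domain: str) -> bool:
    """Group check: True only if one of the user's groups is permitted for
    the domain. Unknown users and unknown domains both yield False."""
    groups = GROUP_MEMBERSHIP.get(user_id, frozenset())
    permitted = DOMAIN_POLICY.get(domain, frozenset())
    return bool(groups & permitted)


def remote_access_decision(user_id: str, password: str, domain: str) -> str:
    """Both steps in order. The risk in J2.5 is a log-in that stops after
    the first step and treats 'genuine employee' as 'permitted everywhere'."""
    if not authenticate(user_id, password):
        return "denied: authentication failed"
    if not authorise(user_id, domain):
        return f"denied: no group permits {user_id} to reach {domain}"
    return f"granted: {user_id} -> {domain}"


if __name__ == "__main__":
    for user, pw, dom in [("ann", "ann-pw", "general"),
                          ("ann", "ann-pw", "hr-domain"),
                          ("bob", "bob-pw", "hr-domain"),
                          ("bob", "bob-pw", "finance-domain")]:
        print(remote_access_decision(user, pw, dom))
```

Keeping the policy table keyed by domain (rather than by user) also addresses J2.6: every route into a domain consults the same rule, so a second log-in further along cannot silently grant more than the first.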

J2.6 Inconsistent approach to network access

An unauthorised user may gain access to sensitive data if access controls to different resources on the network are not consistent.

If multiple log-in processes are required to access target information, these processes may not be consistent in the level of access they provide. For example, an initial remote access log-in process may require a User ID to be entered, but other systems may not require the same ID to be entered thereafter.

Page 42: Security Staff Remote Access - Risks and Controls

39

PartDIRECTORY OF RISKS4

J3 Security barriers are positioned or configured incorrectly

J3.1 No network security barrieror security barrier placedincorrectly

Unauthorised users may gain access to the corporate network if no securitybarrier is in place or if it is placed incorrectly.

Typically a screening router and/or firewall, a security barrier can preventunauthorised users from connecting to one or more internal servers. If there isno security barrier or if it is placed incorrectly users may have unlimited access.As a consequence valuable data may be lost or corrupted, or the network maybe severely disrupted by the introduction of hostile code such as that known as‘the ping of death’.

J3.2 Network security barrier configured incorrectly

Unauthorised users may gain access to the corporate network due to incorrect or insufficient security barrier configuration.

As remote access can be performed from a wide range of locations and networks, screening routers and firewalls can be complex to configure. Security controls will usually be set to a default, requiring rules to be applied to permit access from specific sources. If the necessary rules are not applied, the organisation will face the risk of unauthorised access.

J3.3 Insufficient administration of network security barrier

Unauthorised users may gain access to the corporate network due to insufficient network security barrier administration.

‘Exclusion’ rules and remote user configuration settings may need to be changed frequently, creating a heavy overhead in terms of administration. If network barrier configuration is not closely monitored and reviewed routinely, there is an increased risk that unauthorised users will gain access to the corporate computing infrastructure.

J3.4 Excessive use of network filtering

Target networks may become unavailable if excessive filtering is performed.

Packet filtering is a good way to partition a network into areas with different security requirements. It can also be used to limit remote access to network facilities. However, too much filtering can become difficult to administer properly. Following network changes filter tables may become out of date causing parts of the network to be inaccessible.

J3.5 Inability to read and interpret security barrier logs

Unauthorised access or use of the corporate network may not be detected due to an inability to read or interpret security barrier logs.

Firewall logs can be lengthy, complex and difficult to interpret. As a result, unauthorised access to the corporate network may go unnoticed by network administrators who have insufficient time/resource.

Comprehensive training in the interpretation of system logs should be provided to all administrators involved in monitoring remote network access.

J3.6 Anti-virus software unable to scan encrypted files

Anti-virus software protecting the corporate network may not be able to scan encrypted files.

Internet mail screening software may not be able to scan encrypted files, or may not be able to re-encrypt files once they have been scanned for viruses. This may either allow the introduction of malicious code to the corporate network, or prevent critical data from being passed on to the intended recipient with the required level of security.
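The default-deny behaviour described under J3.2 and the stale filter tables described under J3.4 can be made concrete with a small rule-table model. The following Python block is an added example and is not part of the ISF directory; the rule format, the `ScreeningFilter` class, the addresses (taken from documentation ranges) and the host inventory are all constructed for the illustration.

```python
"""Added example (not from the ISF directory): a minimal packet-filter model
showing the two failure modes described in J3.2 and J3.4.

- J3.2: the filter starts from a default of "deny"; a remote source that has
  no explicit permit rule is dropped, so a missing rule shows up as a denial
  rather than as silent open access.
- J3.4: after network changes, rules that refer to addresses no longer in the
  host inventory are stale and leave parts of the network unreachable;
  find_stale_rules() lists them for review.

All addresses, hosts and rules below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network in CIDR notation
    dst: str      # destination host address
    port: int     # destination TCP port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) == ip_address(self.dst)
                and self.port == port)


class ScreeningFilter:
    """First-match rule table with an implicit final 'deny' (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                return rule.action
        return "deny"   # no explicit permit: the J3.2 default applies

    def find_stale_rules(self, current_hosts):
        """Rules whose destination is no longer in the host inventory (J3.4)."""
        hosts = {ip_address(h) for h in current_hosts}
        return [r for r in self.rules if ip_address(r.dst) not in hosts]


# Constructed sample data: the remote access server pool (192.0.2.0/24) may
# reach the mail server on port 25 and the file server on port 445; anything
# else falls through to the default deny.
SAMPLE_RULES = [
    Rule("permit", "192.0.2.0/24", "10.0.0.10", 25),    # mail server
    Rule("permit", "192.0.2.0/24", "10.0.0.20", 445),   # file server
    Rule("permit", "192.0.2.0/24", "10.0.0.30", 1521),  # old database server
]
CURRENT_HOSTS = ["10.0.0.10", "10.0.0.20", "10.0.0.31"]  # database moved to .31


def demo():
    f = ScreeningFilter(SAMPLE_RULES)
    decisions = {
        "mail": f.decide("192.0.2.5", "10.0.0.10", 25),
        "telnet_to_file_server": f.decide("192.0.2.5", "10.0.0.20", 23),
        "outside_source": f.decide("198.51.100.7", "10.0.0.10", 25),
        "moved_db": f.decide("192.0.2.5", "10.0.0.31", 1521),
    }
    stale = [r.dst for r in f.find_stale_rules(CURRENT_HOSTS)]
    return decisions, stale


if __name__ == "__main__":
    print(demo())
```

The "moved_db" case is the J3.4 outcome: the database is reachable from nowhere because the only permit rule still names the old address, and the stale-rule check is what surfaces it before users report the outage.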


K: Host system

The host system is the IT facility (for example, server, mainframe, individual workstation or application) on or through which the required information is accessed.

This system will be subject to the full range of ‘standard’ risks associated with any other system, such as malfunction or user error. However, the risk of unauthorised access is greatly increased if external access has been provided.

The host system should be subject to the same sort of rigorous protection as provided for critical business applications.

K1 Host system malfunctions

K1.1 Host system malfunctions

The host system may be unavailable to remote users due to malfunction.

Malfunction may be due to hardware or software failure, neglecting routine ‘housekeeping’ activities or the result of untested configuration changes.

K1.2 Inadequate management of host system

The host system may be unavailable to remote users due to inadequate system management.

Uncontrolled changes may be made to the configuration of the host/system which cause it to malfunction, preventing access to target resources. Inadequate back-up may result in the loss of sensitive data in the event of system failure.

K1.3 Inadequate security mechanisms in legacy systems

An unauthorised user may gain access to sensitive data stored on a legacy system due to inadequate security mechanisms.

Older legacy systems (often mainframe) are unlikely to have been designed to accommodate remote access, and security features may not provide sufficient protection against unauthorised access. Access to legacy mainframe systems can be difficult and expensive to manage.

Sensitive data should not be stored on systems where protection against unauthorised remote access is inherently low.


K2 Malicious third parties exploit vulnerabilities in host system

K2.1 Operating system vulnerable to unauthorised access

Some operating systems have inherent weaknesses which may allow an unauthorised user to access the corporate network.

Many operating systems were not designed with remote access security in mind and have known weaknesses. For example, the UNIX commands ‘rlogin’, ‘rsh’ and ‘rexec’ allow the remote execution of processes on machines without requiring user authentication for each connection.

K2.2 Poorly secured host-to-host connections

An unauthorised user may gain access to sensitive corporate data due to unsecured host-to-host connections.

Some operating systems allow access from one host machine to another without requiring further authentication. If an authorised user gains access to an unsecured host, he/she may not be prevented from accessing other unsecured hosts and potentially sensitive data. For example, if an IBM AS/400 system is not set up correctly, it may be possible for a remote user (with privileged access to one machine) to access other machines through ‘peer-to-peer’ networking.

K2.3 Poorly secured remote support facilities

An unauthorised user may gain access to the corporate network using unsecured remote support facilities.

Remote support modems connected to a management port, used for access by authorised administrators, will often bypass the normal authentication process and provide a privileged level of access. They will often be installed by equipment vendors for diagnostic and remedial support purposes, but can be extremely difficult to manage effectively.

The remote support modem on a corporate telephone system also poses a potential risk. It may only have a simple password protection mechanism, but could be used to subvert a number of different authentication schemes, through call forwarding or call conferencing.

K2.4 Multiple authentication attempts permitted

An unauthorised user may be able to gain access to the corporate network if multiple authentication attempts are permitted.

If users are allowed a large or unlimited number of authentication attempts when accessing the host system, it may be possible for unauthorised users to connect by guessing passwords or using password generation tools. Whilst limiting access attempts may be a baseline control, it is particularly important for remote access.

K2.5 Inadequate review of remote user activity

Unauthorised users may not be detected if management reviews are not regularly conducted.

Systems need to be able to provide a satisfactory audit trail of all access by remote users which is regularly reviewed and acted upon by management. This helps to ensure that access is only made by authorised users to appropriate resources.
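As an added example of the control K2.4 calls for, and not code drawn from the directory itself, the following Python block limits consecutive failed authentication attempts on a host and locks the account for a fixed period, while recording every attempt in an audit trail of the kind K2.5 expects management to review. The `RemoteAuthGate` class, the password hashing, the sample user and the injectable clock are all constructed for this illustration; a real host would verify a password hash or token response at the same point.

```python
"""Added example (not the ISF directory's own code): a server-side limit on
authentication attempts (control for risk K2.4) with an audit trail of every
attempt (the input to the review K2.5 asks for).

The credential store, password check and clock are constructed stand-ins.
"""
import hashlib
import hmac


class RemoteAuthGate:
    MAX_FAILURES = 3          # consecutive failures allowed before lockout
    LOCKOUT_SECONDS = 900     # lockout duration (15 minutes)

    def __init__(self, credentials, clock):
        # credentials: user -> sha256 hex digest of the password (sample only)
        self._credentials = credentials
        self._clock = clock           # callable returning seconds; injectable for tests
        self._failures = {}           # user -> count of consecutive failures
        self._locked_until = {}       # user -> time at which the lockout expires
        self.audit_trail = []         # list of (time, user, outcome) records

    def _record(self, user, outcome):
        self.audit_trail.append((self._clock(), user, outcome))
        return outcome

    def attempt(self, user, password):
        """Return 'success', 'failure' or 'locked'; every call is audited."""
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return self._record(user, "locked")
        expected = self._credentials.get(user)
        digest = hashlib.sha256(password.encode()).hexdigest()
        # Constant-time comparison; an unknown user gets the same answer as a
        # wrong password so that the response does not reveal valid User IDs.
        if expected is not None and hmac.compare_digest(expected, digest):
            self._failures[user] = 0
            return self._record(user, "success")
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.MAX_FAILURES:
            self._locked_until[user] = now + self.LOCKOUT_SECONDS
            self._failures[user] = 0
            return self._record(user, "locked")
        return self._record(user, "failure")


class FakeClock:
    """Constructed clock so the lockout window can be exercised offline."""

    def __init__(self, start=0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    store = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # sample user
    gate = RemoteAuthGate(store, clock)
    outcomes = [gate.attempt("alice", g) for g in ("guess1", "guess2", "guess3")]
    outcomes.append(gate.attempt("alice", "correct horse"))  # right password, still locked
    clock.advance(RemoteAuthGate.LOCKOUT_SECONDS)
    outcomes.append(gate.attempt("alice", "correct horse"))  # lockout has expired
    return outcomes, len(gate.audit_trail)


if __name__ == "__main__":
    print(demo())
```

The fourth attempt is the point of the control: even the correct password is refused while the lockout is in force, so a guessing tool gains nothing from its throughput, and all five attempts are in the audit trail for the reviewer.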


L: Target information

Whilst some organisations permit remote access to application software or IT facilities, access is provided most commonly to information.

Target information includes:

• data accessed through specialised business applications (eg product or customer databases, spare part inventories or airline reservations)

• material used to support business activity (eg customer presentations or sales figures stored on spreadsheets)

• electronic messages (eg those used in e-mail or groupware).

The target information to be used remotely may be on multiple host systems and will normally be accessed across the internal corporate network.

The risks of providing remote access to the different elements of information systems will vary both with the nature of the element being accessed (information, applications or facilities) and with the level of access granted (for example, ‘view’ or ‘change’).

Without adequate protection:

• remote users may not be able to gain access to data or applications that are vital for them to carry out their day-to-day business

• malicious third parties may gain access to critical applications or sensitive data.

L1 Target information is not properly classified

L1.1 Sensitive data not identified and thus not properly protected

An unauthorised user may gain access to sensitive data if it has not been classified as such and secured appropriately.

Most organisations have a policy relating to classification of data, with additional levels of security for that data classified as sensitive (eg financial, human resources). However, if data is not classified properly or if it has not been classified at all, it may reside on systems that could become available to an unauthorised user.

L1.2 Responsibility for ownership of resources not assigned

If target information is not assigned an ‘owner’, it may be inaccurate, out-of-date or inadequately protected.

There are a number of different types of information that a remote user will access, some of which may have no owner assigned. In these cases, there is no driving force to ensure that information is classified properly, verified on a regular basis and protected in line with corporate policy.


L2 Target information is insufficiently secured

L2.1 Inadequate user administration

Unauthorised users may gain access to key resources, or authorised users may be able to exceed their authority if user profiles are not kept up-to-date.

Inadequate administration may enable unauthorised access for ex-employees or terminated contractors. In addition, authorised users may be able to access information for which they are not authorised.

Likewise legitimate remote users may be prevented from connecting to the host or server.

L2.2 Breach of data protection legislation

An organisation may be in breach of data protection legislation where personal data is stored on the corporate network and accessed remotely.

Personal data is a specific form of data classification, and in many countries there is a legal requirement to protect it. Failure to take reasonable precautions to safeguard personal data can result in fines and/or imprisonment for data owners (ie members of an organisation’s staff). If remote users access personal data, there is a risk that it could be intercepted in transit or accessed from the hard disk of a stolen client computer.

L3 Inappropriate access provided to target information

L3.1 Uncontrolled database access

Sensitive data may be compromised or damaged if database access rights are not assigned correctly.

If remote users access information stored in databases, access rights associated with the database should be configured appropriately. Many databases have sophisticated security controls but they are of little value unless properly implemented.

L3.2 Lack of access control mechanisms

Legitimate remote users may be granted excessive access permissions due to limitations in access control mechanisms.

Some older database packages may have insufficiently advanced levels of access control to suit different remote user requirements. As a consequence, remote users may be assigned a much higher level of access than needed to carry out their work.


Part 5 DIRECTORY OF CONTROLS

Directory of controls

This section presents the detailed directory of controls. The directory is laid out in a consistent format as a series of tables. The tables comprise three levels, describing:

• 10 categories of control (eg policy and standards)

• 30 high-level controls (eg produce a clear high-level policy, authorised by senior management)

• 127 detailed controls (eg obtain ‘sign off’ from senior management).

Figure 3 below shows how the tables are structured.

Using the directory of controls

Figure 3: Structure of the directory of controls

[Figure 3 reproduces a sample page of the directory (category Q, high-level control Q1 and detailed controls Q1.1 and Q1.2, given in full under Q below) with its parts labelled: description of category of control; description of high-level control; description of detailed control; explanation of detailed control with supporting information; reference.]


Q: Policy and standards

A formally documented and approved high-level policy should be produced to define and communicate the overall strategy for controlling remote access to the organisation’s information systems. Top management support is critical if the policy is to be effective.

The policy should be comprehensive and consistent, and should include the scope of remote access in the organisation and responsibilities for managing the service. The policy should be supported by a documented set of standards for establishing and managing the remote access service.

Policies and standards should cover each of the end-to-end components and every aspect of the remote access service. They will apply to a wide range of staff including remote users, senior management, technical support staff (for example, IT and telecommunications) as well as specialists in the human resources and legal departments.

Q1 Produce a clear, high-level policy, authorised by senior management

Q1.1 Develop a clear, unambiguous policy for securing remote access

Policies and standards for remote access should be clear, unambiguous and aligned with corporate security practices. Where necessary, definitions and interpretations of the organisation’s use of the remote access service should be provided. This may require the inclusion of a ‘glossary of terms’.

Technical jargon which may not be understood by the target reader should be avoided.

Refer to the Sample Remote Access Policy in Securing Remote Access – Implementation Guide

Q1.2 Include all key aspects of remote access in the policy

The policy should include all key aspects, such as:

• the scope of remote access in the organisation

• the benefits of remote access

• the risks associated with remote access

• requirements for user authorisation

• requirements for user authentication

• restrictions on access to extremely sensitive data

• a requirement that no user should be provided with access privileges which exceed those they would otherwise be afforded if working in the office

• restrictions on the use of unauthorised modems, remote control software and ‘rogue’ remote access servers

• a requirement that security barriers are implemented to protect the corporate network

• corporate ownership of all remote equipment and software

• sanctions in the event of failure to comply with the policy.

Q1.3 Obtain ‘sign off’ from senior management

The organisation’s policy on remote access should have the formal backing and approval of a senior executive or body (eg the information security steering group or equivalent).


Q2 Provide comprehensive standards to support the high-level policy

Q2.1 Produce formal, detailed standards in line with policy

A set of standards should be produced which support the high-level policy on remote access. They should provide guidance on the implementation of a secure service and lay out minimum levels of conduct required from remote users.

Q2.2 Ensure standards cover all key areas

Standards should include:

• a code of conduct for homeworking and teleworking

• the process to be adopted in establishing new remote access connections

• personnel procedures for the return of authentication tokens and notification of leavers

• methodologies and tools for risk analysis of remote access connections

• specification of approved methods of identifying and authenticating remote access users

• specification of approved methods of connecting remote access users

• specification of a standard client computer configuration

• arrangements for the purchase of hardware and software

• arrangements for third party network services

• procedures to be followed for remote maintenance of information systems

• change and incident management arrangements

• procedures to be followed for monitoring use of remote access connections

• procedures to be followed in the event of loss of equipment.

Q3 Ensure staff associated with remote access are aware of the high-level policy and standards

Q3.1 Provide copies of the remote access policy and supporting standards to all relevant staff

Distribute a copy of the high-level policy on remote access along with supporting standards to all personnel associated with remote access.

Provide remote users with a ‘toolkit’ of policies, standards and other relevant material to support remote access. Each individual should sign to confirm receipt of the toolkit.

Consider the use of a corporate intranet or other electronic media as a means of distributing the policy and standards.

Q3.2 Distribute awareness material to all remote users

Material aimed at making staff aware of corporate policy and standards on remote access should be distributed to all relevant staff.

Consider undertaking an awareness campaign, aimed at promoting good practice among all staff associated with remote access. This may include the production of brochures and posters, displayed in prominent places.

Q3.3 Implement an agreement between remote users and the organisation

For each remote access connection, the remote user should sign an agreement. Agreements typically supplement contracts of employment and are likely to cover roles and responsibilities, resources to be accessed, access rights, frequency of data transfer and methods of appraisal.


R: Legal and regulatory

Virtually all legal and regulatory requirements that apply to staff and equipment in a typical office environment will also apply to the remote environment. Examples often overlooked include insurance, health and safety legislation, formal agreements with staff and requirements to protect data and company assets.

Remote access is also subject to various legal provisions which may not apply to office-based working (for example, encryption or protection of personal data). It is not only the legislation in the home country or state that needs to be evaluated, but also that of any country or state to which an employee may travel.

Contracts or service level agreements should be established with all third parties involved with the provision or support of remote access equipment and services. This could apply to providers of managed network services, vendors of remote access solutions or to suppliers of service arrangements (for example, supply and maintenance of remote equipment, Help Desk support).

R1 Comply with workplace regulations

R1.1 Comply with standard ‘office’ regulations in all remote locations

Ensure that all regulations applicable to a fixed office location are also complied with in remote environments, especially homes and remote offices. This will include health and safety legislation, insurance arrangements and regulations covering telecommunications.

R1.2 Implement warning screens to remind employees of obligations

Warning screens should be implemented to remind the remote user of their legal and contractual obligations and to protect against unauthorised use. Displayed at remote log-in, these should remind employees that use and access to the organisation’s assets and data should be restricted to authorised purposes only.

R2 Comply with international legislation

R2.1 Avoid use of encryption in locations where it is illegal

Equip travelling users with a removable hard disk drive which can be replaced with an unencrypted one which does not breach national legislation.

Illegal use or export of encryption will include encrypted hard disks as well as the use of link encryption when connecting to the corporate network (eg tunnelling software which creates a Virtual Private Network). Extra care should also be taken with products such as IBM Lotus Notes and pcANYWHERE which also make use of encryption.

Be aware of international regulations which are subject to change.

R2.2 Comply with data protection legislation

Organisations should take care to ensure that personal data is protected.

Some countries restrict the movement of personal data beyond national boundaries. Where it is known that a remote-working employee will be travelling to such a country, precautions should be taken to remove any data which is likely to break data protection legislation.

The 1995 European Union Data Protection Directive requires Member countries to alter existing national data protection laws, which particularly impacts the cross-border flow of information.


R3 Establish contractual arrangements with suppliers of products and services

R3.1 Establish service level agreements

Services obtained from external service providers (eg hardware and software vendors, suppliers of communications services) should be defined in formal service level agreements and obtained from reputable sources. Focal points of contact should be established so that changes can be made, and incidents dealt with, in a disciplined manner.

R3.2 Ensure contracts are comprehensive

Contracts should specify:

• the obligations of both parties (eg agreed controls, incident reporting processes)

• roles and responsibilities

• the terms of any license agreements.

R3.3 Provide adequate insurance

Insurers should be notified of remote access and asked to advise the organisation of any impact on insurance arrangements. Modifications to arrangements should be made where necessary. Staff should be advised to inform their household insurers of remote working activity.

Providing access to the organisation’s information systems by remote access users could have an impact on insurance arrangements, particularly those relating to business interruption, loss of intellectual property or fraud.

R3.4 Maintain records of ownership

Clear records of ownership should be maintained for all equipment used for remote access, eg in the form of an inventory. This should avoid potential difficulties when resolving any future dispute or claim.

Records should cover all hardware, software, media and cabling.


S: Authorisation

Staff should not be provided with remote access to corporate resources until they have been formally approved by persons of appropriate authority, including the:

• remote user’s line manager

• owner of the corporate resource to be accessed (for example, a computer, network, application or information).

A process should be established to ensure that all remote staff and equipment are properly authorised. This authorisation process should be supported by an effective system that:

• allows authorisation to be granted quickly

• records information about the authorisation, eg name of manager, date

• keeps track of authorised locations, users and equipment

• provides technical details about the connection

• ensures users are aware of their responsibilities.

This authorisation process should take into account all relevant aspects of the remote access connection. These will typically include the business purpose, method of access and the remote environment. It should define the applications and data to be accessed and the level of access privilege to be granted (for example, ‘view’ or ‘change’).

S1 Assign roles and responsibilities for authorising all elements of remote access

S1.1 Establish high-level responsibility for managing remote access

Organisations should identify an individual, or more likely, a group with overall responsibility for all remote access connections and security issues. These high-level responsibilities should be documented and include:

• monitoring high-level risks and trends

• revising high-level policy on remote access as necessary

• monitoring compliance with policy

• instigating central projects, eg infrastructure enhancements needed to support secure remote access

• approving non-compliance with policy

• ensuring all remote access connections are identified

• allocating ownership for individual remote access connections

• resolving disputes over remote access issues.

S1.2 Appoint managers to authorise key elements

All remote connections should be authorised by a person of appropriate seniority. This should include both the remote user’s line manager and the owner of the resource (eg a computer, network, application or information) to be accessed.


S2 Approve all key elements of remote access

S2.1 Approve staff who will be provided with remote access

All staff should be authorised before they are granted remote access. The business need for the remote connection should be reviewed before access is authorised. This may be done on an individual basis or associated with a particular job role or function (eg travelling salespeople).

S2.2 Approve remote locations

Where the remote user will be working from a fixed remote location, the location should be reviewed and authorised. The review should include compliance with legislation (eg health and safety), placing of equipment and telecommunications services available.

Some organisations put in place a system whereby each remote location is ‘accredited’ against a pre-determined standard. Only if this standard is met will the remote connection be authorised.

S2.3 Approve the remote technical architecture

The remote technical architecture should be reviewed and approved where appropriate. The technical environment will include the client computer to be used, the connection device and connection software. Such a review is especially important where equipment being used to make the connection has not been supplied by the organisation or does not conform to a ‘standard configuration’ specified by the organisation.

S2.4 Define the access rights to be conferred on remote access users

The access rights granted to remote users should be defined and documented. Access rights should be kept to the minimum level required to meet the business purpose of the remote connection. They should be based on:

• the agreed business role of the remote user

• the security classification of target networks, applications and data

• corporate access control policies

• legal, regulatory and contractual obligations.

S2.5 Approve high risk connections on a case-by-case basis

Some remote connections may be considered to be high risk, and should be reviewed on a case-by-case basis. They should be given specific authorisation only where necessary and for a restricted length of time. Such connections might include the provision of remote maintenance tools or protocols which provide privileged access (eg ‘sniffer’ or SNMP-based tools) to remote administrators or technicians.
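The minimum-rights principle under S2.4 and the time-limited authorisation of high-risk connections under S2.5 can be expressed as a single deny-by-default access decision, which also shows why risk J2.5 (a genuine employee who is not a member of the restricted group) must end in a refusal. The following Python block is an added example and not a mechanism the directory describes; the `Authoriser` class and the resources, groups and grants it uses are constructed sample data.

```python
"""Added example (not from the ISF directory): a deny-by-default access
decision reflecting S2.4 (rights limited to the business need, based on role
and classification), S2.5 (high-risk grants are explicit and time limited)
and the J2.5 risk (an authenticated user outside the restricted group is
still refused sensitive data).

Resources, groups and grants are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LEVEL_RANK = {"view": 1, "change": 2}   # 'change' implies 'view'


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str                      # "public", "internal" or "sensitive"
    restricted_group: Optional[str] = None   # group required for sensitive data


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    level: str                               # maximum level: "view" or "change"
    expires: Optional[datetime] = None       # None for a standing grant; set for S2.5


class Authoriser:
    def __init__(self, resources, grants, group_membership):
        self.resources = {r.name: r for r in resources}
        self.grants = {(g.user, g.resource): g for g in grants}
        self.groups = group_membership       # user -> set of group names

    def decide(self, user, resource_name, level, now):
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        resource = self.resources.get(resource_name)
        if resource is None or level not in LEVEL_RANK:
            return False, "unknown resource or level"
        grant = self.grants.get((user, resource_name))
        if grant is None:
            return False, "no grant"
        if grant.expires is not None and now >= grant.expires:
            return False, "grant expired"              # S2.5: restricted length of time
        if LEVEL_RANK[level] > LEVEL_RANK[grant.level]:
            return False, "level exceeds grant"        # S2.4: minimum level only
        if resource.classification == "sensitive":
            if resource.restricted_group not in self.groups.get(user, set()):
                return False, "not in restricted group"  # the J2.5 case
        return True, "ok"


def demo():
    now = datetime(1999, 9, 1, 9, 0)
    resources = [
        Resource("sales_figures", "internal"),
        Resource("hr_records", "sensitive", restricted_group="hr-restricted"),
        Resource("router_console", "sensitive", restricted_group="net-admin"),
    ]
    grants = [
        Grant("jsmith", "sales_figures", "view"),
        Grant("jsmith", "hr_records", "view"),     # granted, but not in the group
        Grant("pbrown", "hr_records", "change"),
        Grant("tadmin", "router_console", "change", expires=now + timedelta(hours=4)),
    ]
    groups = {"pbrown": {"hr-restricted"}, "tadmin": {"net-admin"}}
    auth = Authoriser(resources, grants, groups)
    return {
        "sales_view": auth.decide("jsmith", "sales_figures", "view", now),
        "sales_change": auth.decide("jsmith", "sales_figures", "change", now),
        "hr_wrong_group": auth.decide("jsmith", "hr_records", "view", now),
        "hr_ok": auth.decide("pbrown", "hr_records", "change", now),
        "console_in_window": auth.decide("tadmin", "router_console", "change", now),
        "console_expired": auth.decide("tadmin", "router_console", "change",
                                       now + timedelta(hours=5)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Each refusal carries a reason so that the authorisation record (S1 asks for name of manager, date and the rights granted) can be reconciled with what the system actually enforces; a grant that exists but is refused for "not in restricted group" is exactly the inconsistency J2.5 warns about.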


T: System and network management

Effective system and network management is key to the provision of a secure remote access service. Sound management and administration is required in order to protect the organisation, not only from unauthorised users (for example, disgruntled ex-employees) but also from employees who deliberately or accidentally violate the organisation’s policies and standards of conduct.

To allow authorised users to gain access to the resources they require it is important that the creation and maintenance of User IDs and access permissions is performed in a disciplined manner. This should be supported by strict administration of passwords, tokens and encryption seeds.

To meet remote user service requirements, networks should be well managed. This ranges from the configuration of network components, through the monitoring of network traffic to the diagnosis and detection of faults.

Sophisticated systems and network management tools, backed up by comprehensive up-to-date documentation, are often used to maintain control over many of the end-to-end components.

T1 Apply sound system management practices to remote access

T1.1 Allocate clear responsibilities to trained individuals

Responsibility for all day-to-day tasks should be allocated, including the installation and configuration of equipment. Computers and networks that support the remote access service should be run by personnel who are equipped with the necessary skills, time, operating procedures and supervision.

T1.2 Establish virus protection mechanisms

The way in which PCs are often used in remote environments makes them particularly susceptible to viruses. Software and procedures should be implemented to prevent infection by viruses. Arrangements should be made to:

• install, configure and update anti-virus software correctly

• identify viruses that have been introduced into the installation, either accidentally or deliberately

• deal with viruses in an effective manner.

All personnel associated with the remote access service should be made aware of:

• the dangers posed by computer viruses

• the dangers of failing to update virus signatures and disabling/changing configurations

• arrangements for dealing with incidents.


T1.3 Implement a change management system

Any changes made to the configuration of the remote access service or network should be made in accordance with a formal process. The process should apply to all forms of change, eg:

• software upgrades and fixes

• revisions to application and network parameters

• data adjustments.

Before acceptance into the production environment:

• the impact of changes should be assessed

• changes should be tested and ‘fall-back’ arrangements identified

• authorisation should be obtained from an individual of appropriate authority (eg the business ‘owner’).

T1.4 Maintain incident and fault reporting logs

Incidents and faults (eg malfunctions, loss of power/communications services, overloads, mistakes by users or computer staff, access violations) should be dealt with in accordance with a formal process. Incidents should be:

• identified
• reported to a focal point (eg a Help Desk)
• prioritised for action.

T1.5 Apply software updates in a timely and rigorous manner

Software upgrades should be carried out in a timely and rigorous manner. This process would include regular anti-virus updates and implementation of consistent versions of business applications. Where possible this should be automated to avoid reliance on remote users to carry out manual updates. Tools such as Microsoft’s SMS can be used to remotely update the client computer and other computers on the internal network.

T2 Apply sound network management practices to remote access

T2.1 Monitor network logs to detect unauthorised access

All network security logs and audit trails should be reviewed to identify actual or attempted security breaches or any access outside agreed terms. This will include the monitoring of PABX Call Detail Reports to detect unauthorised modems and the review of firewall logs. Telephone and network invoices should be reviewed and unusual call volumes noted and investigated.

Logs should show the number of successful and failed access attempts along with port availability. Logs should be reviewed periodically to identify security incidents, the pattern of incidents and how they are resolved. Where necessary, network administrators should be trained in the interpretation of system logs.
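As an added example (not part of the original document), the following Python script reviews a constructed sample of remote access server log lines in the way this control describes: it counts successful and failed sign-on attempts per user, derives port availability from sessions opened and closed, and flags repeated failures and access outside an assumed agreed-hours window. The log format, TOTAL_PORTS, AGREED_HOURS and FAIL_THRESHOLD are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample remote access server log (not from the original document).
# Each line records one event: timestamp, modem port, User ID and result.
SAMPLE_LOG = """\
1999-09-14 08:01:12 port=3 user=jsmith result=SUCCESS
1999-09-14 08:02:40 port=5 user=abrown result=FAIL
1999-09-14 08:02:55 port=5 user=abrown result=FAIL
1999-09-14 08:03:10 port=5 user=abrown result=FAIL
1999-09-14 08:04:02 port=7 user=cjones result=SUCCESS
1999-09-14 08:05:15 port=3 user=jsmith result=LOGOUT
1999-09-14 23:58:00 port=1 user=dlee result=SUCCESS
this line is corrupt and will be counted as unparseable
"""

TOTAL_PORTS = 8        # assumed size of the dial-in modem pool
AGREED_HOURS = (7, 20) # assumed agreed access window: 07:00 to 19:59
FAIL_THRESHOLD = 3     # repeated failures worth investigating

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"port=(?P<port>\d+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL|LOGOUT)$"
)


def parse_log(text):
    """Return (events, unparseable_line_numbers). Lines that do not match the
    expected format are reported rather than silently dropped: a gap in the
    audit trail is itself something the reviewer should notice."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
        else:
            bad.append(lineno)
    return events, bad


def review(text, total_ports=TOTAL_PORTS, agreed_hours=AGREED_HOURS,
           fail_threshold=FAIL_THRESHOLD):
    """Summarise successful/failed attempts per user, port usage and access
    outside the agreed window, and flag users who repeatedly failed to sign on."""
    events, bad = parse_log(text)
    per_user = defaultdict(lambda: {"success": 0, "fail": 0})
    in_use = set()
    out_of_hours = []
    for ev in events:
        user, result = ev["user"], ev["result"]
        if result == "SUCCESS":
            per_user[user]["success"] += 1
            in_use.add(ev["port"])
            hour = int(ev["time"][:2])
            if not agreed_hours[0] <= hour < agreed_hours[1]:
                out_of_hours.append((user, f'{ev["date"]} {ev["time"]}'))
        elif result == "FAIL":
            per_user[user]["fail"] += 1
        elif result == "LOGOUT":
            in_use.discard(ev["port"])
    flagged = sorted(u for u, c in per_user.items() if c["fail"] >= fail_threshold)
    return {
        "per_user": dict(per_user),
        "flagged_users": flagged,
        "out_of_hours": out_of_hours,
        "ports_in_use": in_use,
        "ports_available": total_ports - len(in_use),
        "unparseable_lines": bad,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```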

T2.2 Use standards-based tools and protocols for managing network devices

Use automated standards-based tools for managing network devices. The exclusive use of such a tool (eg SNMP, RMON) can allow a single product to be used as a ‘manager of managers’ and hence improve control over systems management.

T2.3 Monitor performance levels

The performance of the network supporting the remote access service should be monitored to identify potential bottlenecks and overloads, and to enable remedial action to be taken before they materialise.

This will involve the use of network monitoring tools to measure traffic levels in total or by individual protocol, and the examination of call logs to determine frequency of use and duration of access.


T2.5 Maintain comprehensive network documentation

Up-to-date documentation of all key network components should be maintained. This should include the exact number, addresses, connection methods and configuration of remote access services. Periodic checks should be carried out to confirm documentation is up-to-date and no unauthorised changes have been made to the network.

T2.6 Configure network devices accurately

Key network components such as modems, routers and security barriers should be configured accurately. ‘Exclusion’ rules should be applied to prevent access from unauthorised sources. All access should be excluded except that which is specifically authorised.

T3 Employ an effective administration process that covers all remote users

T3.1 Implement a user management process

Documented procedures should be established to administer remote access User IDs and passwords. This should include the addition and deletion of users, setting and changing access permissions and the registration of any tokens.

T3.2 Apply access policy rigorously

Access to the remote access service should be restricted to authorised personnel. Access restrictions should reflect the principles:

• of individual accountability
• that access should be controlled in line with business risk (ie the greater the risk, the more stringent the control).

Access restrictions should be in accordance with:

• policies and standards that apply across the enterprise
• access policies set by business ‘owners’ of target applications or target information
• any legal, regulatory or contractual obligations.

T3.3 Document details of each remote access connection

For each remote access connection the following information should be documented:

• name of remote access user and contact details
• name of the business ‘owner’ responsible for the connection
• details of the internal systems/applications/information accessed by the remote user
• telephone, dial-back and ISDN numbers
• details of the remote location
• remote technical environment (including an inventory)
• frequency of access by the remote user
• details of any risk analyses carried out on the connection
• details of the security measures employed and how these have been approved
• when the connection was last reviewed for security purposes
• how well the connection has worked in practice.

T3.4 Implement a user tracking mechanism

By maintaining a central repository of information about all authorised users, which is accessible across all platforms, the organisation can reliably provide access only to those users who are authorised. Current solutions include:

• standards-based ITU-T X.500 solutions
• proprietary-based solutions, such as Novell’s Domain Naming Service (DNS) for its NetWare operating system.

T2.4 Manage third party communications service providers

Data communications services required from service providers should be defined in formal agreements (eg service level agreements, contracts). Focal points of contact should be established so that changes can be made and incidents dealt with in a disciplined manner.


U1.1 Develop a ‘toolkit’ for remote access users

A ‘toolkit’ of policies, standards and other relevant material should be developed to provide support to remote access users.

This toolkit should include:

• the high-level policy on remote access
• standards and procedures
• a full definition of remote users’ responsibilities
• guidelines outlining the connection process
• procedures for dealing with problems
• corporate awareness material about remote access exposures.

U1.2 Provide training in use of the remote access service

Each remote user should be fully trained in the use of the remote access service. This should include awareness of high-level policy, the log-in process, housekeeping activities (eg back-up) and simple ‘troubleshooting’ such as a list of Frequently Asked Questions (FAQ).

User training should be supported by comprehensive documentation. This should include any ‘code of conduct’ covering remote access, instructions on the use of the remote access service, simple ‘troubleshooting’ suggestions and contact details of the support Help Desk. If this is provided in electronic format it can be loaded onto a laptop PC’s hard disk, for easy access when travelling.

U1 Equip remote users with the necessary skills and equipment to perform required tasks

The organisation should provide timely and effective support for all remote access by staff. This will help to improve productivity and minimise disruption to business activities should difficulties arise, particularly if the user is in a different country or time zone.

The most common method of providing user support is to establish a Help Desk as a single point of contact for remote users, backed up by technical and business specialists. Services will typically include responsive ‘help’ facilities, problem management and out-of-hours support. Other methods of support can include user guides and web site assistance.

The provision of support will be more effective if all users are equipped with the same type of hardware and consistent versions of software. This is a key reason why a number of organisations provide a standard technical configuration across all remote environments.

U: User support

U1.3 Provide mobile users with a travel pack

Provide mobile remote users with a pack designed to minimise the risks associated with travel. The pack should include:

• power and telecommunications adaptors
• a travel bag to protect the laptop computer without ‘advertising’ the contents
• a portable lock to secure the laptop computer when in use
• a unique number etched on the laptop computer to aid identification in case of theft
• a back-up device and media.


U2.1 Implement a standard technical configuration

Where possible, the remote technical environment should comprise a pre-configured computer with a standard operating system, applications and communications software.

Equipment provided should be durable and powerful. It should be supplied and configured by the organisation, removing the need to perform an individual review of every remote technical environment, while simplifying maintenance.

U2.3 Configure client computer to allow remote fault diagnosis and software updates

Client computers should be configured to allow remote fault diagnosis and software updates. This may involve configuring protocols such as Simple Network Management Protocol (SNMP) in Windows 95 or NT, or the installation of Microsoft SMS or remote control software for remote software updates.

U2.4 Establish ‘on site’ maintenance arrangements

Arrangements should be put in place whereby on-site support is provided to the remote user where necessary. This may include the supply of equipment, preventative maintenance or problem resolution activities.

Such activities may be outsourced to a third party organisation which specialises in rapid response.

U2 Maintain remote user environments

U3 Provide ongoing support

U3.1 Establish a remote access Help Desk

Where remote access is being implemented on a large scale, a Help Desk should be established which provides ‘first line’ support to remote access users. ‘Out-of-hours’ Help Desk support should be considered for remote users who operate in different time zones.

The Help Desk may form part of a larger organisation-wide facility and should have access to technical and business experts who will be able to respond quickly and effectively to problems in the remote environment.

Remote support functions (eg the Help Desk) should have access to remote administration tools to enable problems on the client computer to be diagnosed and remedied.

U3.2 Provide general support to remote access users

Where remote access is implemented on a small scale or does not warrant a full Help Desk facility, responsibility for supporting remote users should be assigned to an individual or individuals. These individuals should be available to provide technical support and answer queries within a reasonable timescale. They should also have access to sufficient technical expertise to deal with more complex problems should they arise.

Remote access queries can cover a wide range of technical issues relating to a variety of software and hardware components.

U2.2 Install a comprehensive set of security software

Install effective security mechanisms on the client computer, including back-up, access control and anti-virus software. This reduces risk and enables user support to be provided more easily.


U3.3 Log all incidents

Incidents (eg malfunctions, loss of power/communications services, overloads, mistakes by users or computer staff, access violations) should be dealt with in accordance with a formal process. Incidents should be:

• identified
• reported to a focal point (eg a 24-hour helpline)
• logged (eg for trend analysis)
• prioritised for action
• resolved on a timely basis.

U3.4 Maintain comprehensive documentation

Comprehensive documentation of all elements of the remote access service should be maintained in order to provide swift and informed user support. Documentation should include a full inventory of equipment, cabling, locations and ‘ownership’ along with configuration settings for communications links.


V1.1 Purchase robust hardware and software

Give high priority to reliability in selecting computer equipment, software and services. Acquisition of system components should be in accordance with formal procedures. All hardware and software should be:

• of the highest quality possible
• purchased from a reputable supplier with whom the organisation has an enforceable support agreement
• selected from an approved list
• up-to-date (ie not obsolete).

V1.2 Ensure network equipment and services conform to common standards

Resilience is more likely to be assured if network equipment and services conform to a recognised standard.

There are a number of standards bodies that may specify network standards. An example is the Internet Engineering Task Force (IETF), which is responsible for developing Internet standards, including the Internet Protocol (IP) suite. The primary telecommunications standards body is the ITU-T (previously CCITT).

V1 Use robust, high quality equipment for remote access

Organisations rely on the resilience of their remote access facilities to provide remote users with the level of service that is required to support business activities. Such a service will typically provide high availability and reliable connections while maintaining acceptable response times.

Resilience will often be built into the corporate computing infrastructure, including wide area networks, through techniques such as triangulation of leased lines. With remote access, there are often so many links in the chain that it is sometimes difficult to duplicate every facility.

However, there are a number of ways in which a resilient remote access infrastructure can be designed, including the following:

• installation and rigorous testing of high quality, robust equipment from reputable suppliers

• supply of standard hardware and software, particularly for devices that are often prone to compatibility issues (eg modems)

• adoption of common protocols

• elimination of single points of failure, eg by the provision of multiple network services, communication lines and remote access servers.

V: Resilience

V1.3 Minimise the risk of malfunction

Steps should be taken to minimise the risk of malfunction by:

• avoiding use of obsolete or irreplaceable equipment/software
• servicing equipment properly
• applying strict change management disciplines.


V1.4 Ensure hardware and software are interoperable

Hardware (communications equipment in particular) and software components should be compatible to avoid malfunction and hence reduce unavailability. Equipment should conform with international standards such as those issued by the International Standards Organisation (ISO).

Obtain hardware and software from an approved vendor to create a homogeneous rather than heterogeneous environment. This will minimise interoperability problems.

V1.5 Consider using managed network services

The use of managed network services can sometimes help to provide greater resilience. For example, access to PoPs on a managed network can increase the likelihood of successful connections.

V2 Apply sound design and support practices to remote access

V2.1 Provide adequate capacity

The remote access service should be supported by computers and networks of adequate capacity that are available on the dates and times that service is required.

Capacity requirements should be monitored regularly so that additional resources can be commissioned before performance deteriorates.

V2.2 Limit the number of protocols in use

Limit the number of network, transport and session protocols in use. Protocol conversion, or embedding one in another, increases overhead and reduces throughput of data. It also increases the complexity of managing traffic over remote links.

V2.3 Configure hardware and software in a consistent manner

Communications software, web browsers or groupware should be pre-configured with standard scripts and settings. The client connection device should comprise a pre-installed company standard modem, terminal adaptor or GSM datacard.

V2.4 Establish maintenance contracts

Suitable maintenance contracts should be put in place to assure timely repair in the event of equipment failure.

V3 Provide alternative facilities and services

V3.1 Establish stand-by power supplies for critical applications

For critical applications, emergency or stand-by power supplies should be installed for use in the event of loss of mains power. This should include the installation of Uninterruptible Power Supplies (UPS) in addition to specialist equipment to avoid transient surges and outages.

V3.2 Implement alternative telecommunications services

More than one communications service provider should be used, so that in the event of loss of one of the services, the other can be used as an alternative. Alternative technologies may be considered, such as PSTN back-up to ISDN or GSM mobile phones.

V3.3 Provide multiple lines to different telephone exchanges

Multiple lines to different telephone exchanges should be implemented where possible, so that if one line or exchange fails, an alternative communications link is available. This typically applies to PSTN exchange lines (trunks) and Primary Rate ISDN for external access.

V3.4 Consider using dual standard mobile phones

There are two types of GSM standards for mobile phones. Organisations should therefore consider using ‘dual standard’ phones that will operate in locations governed by either standard.



V3.6 Implement mirrored disks/RAID architecture

Servers storing critical information or sensitive data (such as authentication details or cryptographic keys) should be installed with a disk mirroring or RAID architecture, so that in the event of failure of a hard disk, the information resource can be accessed quickly from the alternative disk.

V3.7 Implement multiple (synchronised) remote access and authentication servers

Multiple remote access and authentication servers should be installed and synchronised so that in the event of failure of one server, an alternative can be used with no interruption to the remote access service.

V3.5 Install multiple LANs and network switching components

Internal network resilience can be improved by triangulating leased lines and using multiple switching nodes or SDH architecture. Multiple LANs and servers should be installed, so that an alternative network is available in the event of failure.


W1.1 Implement effective network partitioning

The structure of internal networks should be planned carefully to prevent unauthorised access to sensitive data. This may involve dividing the network into partitions based on ‘communities of interest’, whereby remote users are able to access only the data they need to carry out their job.

Where physical partitioning is not practicable, implement logical partitioning (using gateways, routers and bridges, etc).

W1.2 Restrict the routing of network traffic

Methods of connection and communications paths should be restricted in accordance with defined policies and agreements. Restrictions should be enforced by:

• network configuration (eg provision of fixed links with particular hosts)
• limiting the number of access points
• automated controls (eg checking of source/destination addresses by communications controllers)
• preventing the disclosure of routing information (eg addresses of network nodes) to unauthorised personnel.

W1 Design network architecture to restrict remote access

By the very nature of remote access, external connections have to be made to the corporate computing infrastructure. It is critical to protect these entry points from unauthorised access.

Routing devices, such as remote access servers, should be configured so that access is provided only to authorised resources within a defined perimeter. Organisations often divide their internal network into domains (smaller segments of the corporate network which can be secured individually) so that external connections are made only to that part of the network which contains the target information.

Corporate networks are usually protected from third party networks (especially the Internet) by firewalls. These are devices that perform a screening function and allow only those packets of data into the corporate network that conform to pre-determined criteria. Firewalls vary enormously in the degree of protection they provide. The key is not so much in the type of firewall employed, but how well it is administered (firewalls are not ‘fit and forget’ devices).

Network security barriers, usually screening routers and/or firewalls, should be implemented between the corporate computing infrastructure and any external connection.

W: Perimeter security


W1.4 Use reserved ranges for internal IP addresses

Use the reserved IP address range (10.0.0.1 to 10.255.255.254) if a range has not been allocated by the Internet authority. All routers on the Internet ignore this range of addresses, making it impossible for external users to discover internal IP addresses.

W2 Configure, maintain and actively manage security barriers

W2.1 Implement appropriate security barriers

Security barriers should be positioned to control information flow between the internal network and third party networks, especially external managed networks and the Internet. They should be configured to filter traffic and block unauthorised access in accordance with defined requirements.

The difference between types of firewall lies in the layer of the OSI stack at which they screen traffic. As an example, a firewall that screens at layer seven (the application layer) is generally more secure than one that screens at layer three (the network layer).

Some organisations have implemented ‘De-Militarised Zones’ (DMZ) whereby an additional quarantine area (typically a LAN) exists between the external and internal networks. This can allow unobserved monitoring of traffic and detection of attacks while providing an additional security barrier.

W2.2 Ensure security barriers are configured properly

Security barriers should be configured properly by trained professionals. Regular checks should be made to ensure that these important devices remain configured accurately.

Exclusion rules should be applied rigorously to firewalls to prevent unauthorised access. The security barrier should screen all network traffic for code which may have hostile content, such as Java and ActiveX.

W2.3 Scan e-mail content for malicious code

All incoming e-mail content (including attachments) should be scanned for malicious code such as viruses, and outgoing mail for confidential information, using keyword searching.

W2.4 Monitor security barriers for attacks

System tools and utilities (including specialised intrusion detection techniques) should be employed to monitor for unauthorised penetration of the corporate network (eg using SATAN).

W1.3 Protect access to unauthorised parts of the internal network

Implement a ‘forced path’ providing fixed routes from the point of remote access entry to defined hosts or applications. For example, if remote users require access only to e-mail, place an e-mail server in a separate domain, with access to the remaining internal network protected by an internal routing device.

Reduce the level of network ‘roaming’ by setting appropriate parameters in control tables and communications devices (eg front-end processors, concentrators, routers, switches, servers, bridges).

W2.5 Disable unnecessary public network services on key network components

Key network components (eg routers) should be configured to allow only those public network services which are necessary. All additional services should be disabled.

Examples of such services are the standard ‘small’ TCP and UDP services (eg ‘echo’, ‘chargen’ and ‘discard’). While these services are designed for network testing, they can also be used by an attacker to mount a ‘denial of service’ attack by overloading the network or routing device.


W4.1 Disable diskette drive in the client computer

Disable the removable media drive (eg diskette or CD) in the client computer to avoid the risk of tampering or the introduction of malicious code. This can be done by:

• purchasing client computers without removable media drives
• removing drives where possible
• securing drives by using locking devices.

W4.2 Fit a removable hard disk in the client computer

Fit a removable hard disk in the client computer which can be stored securely when not in use.

W4.3 Restrict access to the client computer and connection device

Access to the client computer and connection device should be restricted using a range of techniques, such as keylocks, steel cables, passwords or tokens.

W4 Protect remote environments and equipment

W4.4 Set password restrictions on client equipment

Implement password protection in the client connection software where possible. Implement a BIOS password to prevent tampering with the underlying system, along with an operating system password. Disable password caching and set a minimum password length in the operating system. Where mobile phones are used for remote access, protect both the phone and the SIM card with a password.

W4.5 Set password restrictions on target information

Implement password protection on all target information that can be accessed by remote users, such as databases or e-mail. This may involve the defining of groups of users and the setting of strict permissions.

W4.6 Supervise third party visitors to the remote environment

Third party visitors to the remote environment should be supervised by the remote user. This is particularly important where the remote user works from home, and computer and connection equipment is in close proximity to visiting customers or suppliers. Visitors will also include maintenance engineers who may work on computer equipment directly.

W4.7 Keep screens and equipment out of view

Remote computer equipment should be kept away from windows which can be overlooked from public places (eg a street), to prevent eavesdropping and guard against theft.

W4.8 Protect the remote environment from hazards

Where the remote environment is a fixed location (eg an employee’s home), take steps to protect company assets from fire, flood and other environmental hazards such as smoke, dust and chemicals. Smoke detectors and fire extinguishers should be installed, and remote workers should be warned against placing food or drink near computer equipment.

W3.3 Protect equipment from hazards

Critical equipment and facilities should be protected against fire, flood, environmental and other hazards.

W3.2 Restrict physical access to internal network facilities

Physical access to equipment rooms and other critical areas should be restricted to authorised personnel. Physical access to internal network equipment (eg hubs, routers, communications controllers) should be restricted. Access to parameter tables and settings in communications controllers and servers should be restricted to authorised network staff, using automated mechanisms.

W3 Protect system and network components

W3.1 Restrict physical access to telecommunications facilities

Physical access to termination points for PSTN, ISDN and any other public telecommunications service should be restricted. Physical access to host systems, PABX systems, management consoles and Call Detail Reporting (CDR) systems should be restricted.


X1.1 Authenticate users appropriate to the level of risk

The identity of remote access users should be confirmed using a mechanism or combination of mechanisms that is matched to the risk of unauthorised access. As a minimum, a User ID/password combination should be used, and passwords should be sent in encrypted form.

Stronger methods of authentication may often be needed, particularly where access is provided via public networks (eg PSTN/Internet) or to users with powerful capabilities.

X1 Authenticate all remote users

To ensure that only authorised users are provided with access to the corporate computing infrastructure, authentication is required. The location of office-based users will be known, requiring only verification of the user’s identity through the input of a User ID, authenticated by a password.

However, stronger authentication is required for remote access because of the higher risk of unauthorised access by malicious third parties. There are many reasons for this risk, including weaker security in remote environments and the opening up of the corporate network to external access.

Authentication of a user will be based on who they are, what they know or what they have, or a combination of these. Examples of stronger user authentication methods include software or hardware tokens, one-time password generators and biometrics (for example, fingerprint or retina scanning).

Additional protection can be provided by requiring the authentication of a remote location, for example by using Calling Line Identity (CLI), Global Positioning or call-back modems. However, such techniques should only be used in conjunction with user authentication as they all have inherent weaknesses.

Authentication can take place at several of the end-to-end components, such as on the corporate connection device, routing device, host system or target application. However, many organisations implement centralised authentication schemes based on separate authenticator servers. These may be de facto standards-based (such as RADIUS/TACACS+) or proprietary (eg for use with tokens or smartcards). Where implemented, strict management is required to co-ordinate what may be many different authentication and access control mechanisms.

X: Authentication


X1.2 Implement strong authentication

For critical applications or those storing sensitive data, strong authentication should be considered. Strong authentication systems will usually be token-based.

With such systems, not only will the user need to know a password, but they will also need to be in possession of a token or smartcard before access is granted.

Where other types of token are used the authentication system will require its own separate authentication server. Smartcards require some form of smartcard reader, which can be both costly and difficult to administer.

In addition to token and smartcard-based systems, password modems can be used to provide additional protection.

X1.3 Implement a sign-on process

Users should be required to sign on before gaining access to the capabilities of the remote access service. The sign-on process should support individual accountability and enforce sound access disciplines, such as:

• displaying no information that could facilitate unauthorised use
• validating sign-on information only after it has all been entered
• disconnecting users after a defined number of unsuccessful sign-on attempts.

X1.4 Apply sound management to the authentication process

Whichever authentication scheme is adopted, it should be well designed and administered. The following principles should be applied:

• avoid users sharing User IDs wherever possible
• terminate or re-authorise users after a defined period of time or inactivity
• employ strong password management (eg minimum length, limited characters, regular change)
• do not display information about the system until authentication is successful
• do not provide on-line assistance after an unsuccessful sign-on attempt
• design access mechanisms to ‘fail secure’ in the event of loss of access control functions (eg due to power failure).

X2 Authenticate remote locations

X2.1 Implement Calling LineIdentity (CLI)

Where PSTN, ISDN, or GSM is being used from a fixed remote location, CallingLine Identity (CLI) can be used to verify the phone number of the location fromwhich access is being attempted.

Where Calling Line Identity (CLI) is implemented as a means ofauthenticating the remote location, strict controls should be exercisedover the entering and editing of authorised telephone numbers.

X1.5 Make use of established,reliable protocols

Ensure authentication techniques make use of established and reliableprotocols such as PAP (Password Authentication Protocol) or CHAP (ChallengeHandshake Authentication Protocol).

For stronger authentication, CHAP should be used in preference toPAP as the latter is fairly easy to ‘spoof’.

X1 Authenticate all remote users (continued)

X2.2 Install call-back modems Call-back modems can be used to verify the remote location. Ensure that call-back is made from a different modem from that which received the incomingcall, preventing call forwarding. Where call-back is used as a means ofauthentication, connect modems directly to exchange lines (not through aPABX) and do not use the receiving modem to dial out. Ensure that modemswill drop a connection even if a caller does not hang up.
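The sign-on disciplines in X1.3 and X1.4 and the CHAP-over-PAP recommendation in X1.5 can be seen together in one small server-side handler. The following is an added example written for this edition, not code from the report or from any product it mentions. It assumes the CHAP response construction of RFC 1994 (MD5 over identifier, secret and challenge); the user store, the lockout threshold of three attempts, the message strings and the sample credentials are all constructed for the example.

```python
"""Added example: CHAP-style sign-on with lockout and no information leakage.

X1.3/X1.4: validate only once all sign-on data is present, give a generic
failure message, disconnect after a defined number of failures.
X1.5: a CHAP response is bound to a one-time challenge, so a value captured
on the line cannot be replayed, whereas a captured PAP password can.
"""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3             # constructed policy value (X1.3)
GENERIC_FAILURE = "Access denied"   # no hint which element was wrong (X1.4)

# Constructed user store; in practice this lives on an authenticator server (X3.1).
USER_SECRETS = {b"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapSignOn:
    """Server side of a CHAP sign-on for one remote connection."""

    def __init__(self, user_secrets=USER_SECRETS, max_failures=MAX_FAILED_ATTEMPTS):
        self._secrets = user_secrets
        self._max_failures = max_failures
        self.failures = 0
        self.connected = True
        self._identifier = 0
        self._challenge = None

    def issue_challenge(self):
        """Send a fresh, unpredictable challenge; a new one is issued for every attempt."""
        self._identifier = (self._identifier + 1) & 0xFF
        self._challenge = os.urandom(16)
        return self._identifier, self._challenge

    def sign_on(self, username: bytes, response: bytes) -> str:
        """Validate the complete (username, response) pair only once both are present."""
        if not self.connected:
            return "Disconnected"
        if not username or not response or self._challenge is None:
            return self._fail()          # X1.3: never evaluate partial sign-on data
        secret = self._secrets.get(username)
        # Compute an expected value even for unknown users so that the failure
        # path looks identical either way (no user enumeration, X1.4).
        expected = chap_response(self._identifier, secret or b"", self._challenge)
        ok = secret is not None and hmac.compare_digest(expected, response)
        self._challenge = None           # single use: a replayed response cannot match
        if ok:
            self.failures = 0
            return "Welcome"             # system information only after success
        return self._fail()

    def _fail(self) -> str:
        self.failures += 1
        if self.failures >= self._max_failures:
            self.connected = False       # X1.3: drop the connection
        return GENERIC_FAILURE


def pap_replay_succeeds(stored_password: bytes, captured: bytes) -> bool:
    """PAP sends the password itself, so anything captured on the line works again."""
    return hmac.compare_digest(stored_password, captured)


def chap_replay_succeeds(server: ChapSignOn, username: bytes, captured_response: bytes) -> bool:
    """A captured CHAP response is tied to an old challenge and fails against a new one."""
    server.issue_challenge()
    return server.sign_on(username, captured_response) == "Welcome"


if __name__ == "__main__":
    srv = ChapSignOn()
    ident, chal = srv.issue_challenge()
    print(srv.sign_on(b"alice", chap_response(ident, USER_SECRETS[b"alice"], chal)))
```

The lockout counter and the generic message are deliberately the same for unknown users and wrong responses, which is the practical meaning of "displaying no information that could facilitate unauthorised use".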


X2 Authenticate remote locations (continued)

X2.3 Check network source addresses

Verify the pre-stored network address (eg IP, X.25) of the client computer when granting access.

X3 Maintain a complete authentication system

X3.1 Implement an authentication database

Implement a centralised authentication database such as RADIUS or TACACS+. In addition to authenticating the identity of the remote user, these systems determine the information resource which the user is entitled to access and record what actions have been performed.

The implementation of a separate server (eg a Radius server) is good practice as they can be well protected and administered by trusted individuals.

X3.2 Consider a complete authentication system

Often making use of AAA (Authentication, Authorisation and Accounting) technology, a complete authentication system should:

• support target information requiring different levels of protection
• enable the secure flow of information within and between technical environments
• provide authorised users with an efficient means of gaining access to target information in different technical environments
• enable access privileges for individual users to be revoked quickly when users leave or change jobs
• provide security reports to support monitoring/audit activities.

X3.3 Implement a single authentication technique

Where all remote access is supported by one platform, domain-wide authentication (as available on NT RAS servers, for instance) with secure user authentication (eg MS-CHAP) will provide more resilience than a combination of different techniques and systems.

X3.4 Consider the use of enterprise-wide authentication systems

Consider the use of enterprise-wide authentication systems such as DCE-enabled (Distributed Computing Environment) software. DCE consists of components such as a Distributed File System, Security Services, Remote Procedure Calls, Naming Services and uses Kerberos for authentication.

X3.5 Implement an integrated authentication system

Strong authentication and firewall security mechanisms should be integrated with enterprise directory services, single sign-on services and other legacy LAN-based authentication mechanisms. This will help to ensure that all access points inside and outside the enterprise are given consistent protection.
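The separate RADIUS server recommended in X3.1 only protects the remote access server if the exchange between the two is itself checked. The following added example (written for this edition; not the report's or any vendor's code) builds an Access-Request, hides the User-Password with the shared secret, and verifies the Response Authenticator on the reply, following the RFC 2865 framing. The shared secret, the user store and the request identifier are constructed sample values; the function names are this example's own.

```python
"""Added example: the RADIUS exchange between a remote access server (the
RADIUS client) and a central authenticator (X3.1), per RFC 2865 framing.
Shared secret, user store and identifiers are constructed sample data."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with a chained
    MD5 of secret and previous block. This is reversible by anyone holding the
    shared secret, so the secret must be protected and the link kept private."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + cipher, cipher
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; trailing null padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(cipher, mask)), cipher
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """What the remote access server sends to the authenticator."""
    request_auth = request_auth or os.urandom(16)     # fresh per request
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(attrs: bytes) -> dict:
    out = {}
    while attrs:
        attr_type, length = attrs[0], attrs[1]
        if length < 2 or length > len(attrs):
            raise ValueError("malformed attribute")
        out[attr_type] = attrs[2:length]
        attrs = attrs[length:]
    return out


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def serve_access_request(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy authenticator: decide Accept/Reject and authenticate the reply."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    request_auth, attrs = packet[4:20], packet[20:length]
    parsed = parse_attributes(attrs)
    user = parsed.get(ATTR_USER_NAME, b"")
    password = reveal_password(secret, request_auth, parsed.get(ATTR_USER_PASSWORD, b""))
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", reply_code, identifier, 20) + \
        response_authenticator(reply_code, identifier, b"", request_auth, secret)


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The RADIUS client must check the Response Authenticator before trusting an Accept."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])
```

The Response Authenticator check is the client-side control: an Access-Accept that does not verify under the shared secret should be treated as a rejection, whatever its code byte says.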


Y: Cryptography

Cryptography works by using a mathematical process or ‘algorithm’ in conjunction with a digital ‘key’ to transform data, a process the recipient can reverse to reveal the original message.

Cryptography can be used with several of the end-to-end components of remote access. For example, passwords and files can be encrypted. Cryptographic techniques are also employed in some software and in hardware devices which may be used for remote access, such as operating systems, groupware products and mobile phones.

To protect the confidentiality of information, encryption is used to scramble data to hide its content. For particularly sensitive data, ‘link’ encryption should be used to protect data in transit from possible interception.

Some organisations encrypt files stored on hard disk drives. The advantage of file encryption is that, not only can no-one read the files if the computer is lost, but these files can be transmitted in their encrypted form.

Remote access connections via the Internet can be protected using Secure Sockets Layer (SSL) to encrypt HTTP connections from web browsers. Greater protection can be provided through the use of ‘tunnelling’ technology to create an encrypted Virtual Private Network (VPN).

Refer to the Forum reports Cryptography in Business – Briefing Paper and A Framework for Using Cryptography for more detail on the use of cryptography.

Y1 Encrypt passwords and sensitive files stored on disk

Y1.1 Encrypt passwords

Passwords (or equivalent) used to gain access to the corporate network should be encrypted.

Use a simple encryption algorithm to enable regeneration of non-specific passwords without having to write them down. Where possible a tamper proof hardware device (eg token or smartcard) should be used to do this in preference to software encryption.

Y1.2 Encrypt sensitive files on the host system

Sensitive data stored on the host system should be encrypted to protect against unauthorised access.

Y1.3 Encrypt files stored on the client computer

Sensitive data stored on the client computer should be encrypted to protect against unauthorised access and eavesdropping during transmission.


Y2 Encrypt sensitive data in transit

Y2.1 Encrypt data streams

For sensitive files, implement full IP data encryption at the address level to ensure that packets sent on public networks cannot be decoded.

Y2.2 Employ encryption modems

For highly sensitive data in transit, encryption modems (employed at each end of the remote access link) can be used.

Y2.3 Encrypt e-mail

E-mail sent from the client computer to the corporate network should be encrypted using techniques such as S-MIME (Secure/Multipurpose Internet Mail Extensions). S-MIME protects mail through the use of digital signatures and encryption.

Y2.4 Use Secure Sockets Layer (SSL) for web-based applications

Where web-based applications are used as part of the remote access service, SSL can be used to encrypt data flow between the web browser and the web server.

Y2.5 Consider using Message Authentication Code (MAC) for the transfer of sensitive files

A Message Authentication Code (MAC) can be used to verify the integrity of an electronic message. It is derived using an authentication scheme, together with a secret key. MACs are computed and verified with the same key so, in contrast to digital signatures, they can be verified only by the intended receiver.

Y2.6 Use SOCKS-based tools where fixed IP addresses are not used

Use SOCKS-based tools where remote users have not been assigned fixed IP addresses.

Y3 Consider using an end-to-end cryptographic scheme

Y3.1 Use tunnelling technology to create a Virtual Private Network (VPN)

Where a managed network or the Internet is being used to provide remote access connectivity, tunnelling technology (eg PPTP, IPSEC, SSH) can be used to create an encrypted link between the client computer and the corporate network.

Y3.2 Consider implementing a proprietary cryptographic scheme

Consider implementing a proprietary scheme such as ‘Permit’, which encrypts data between the client computer and a Permit server within the corporate network.
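The MAC control in Y2.5 is easiest to judge by seeing what a receiver actually checks. The following added example (this edition's, not the report's or any product's) protects a file transfer with HMAC-SHA-256; the report names no particular authentication scheme, so the choice of HMAC is an assumption. The envelope layout, the key and the file contents are constructed for the example.

```python
"""Added example for Y2.5: a keyed MAC over a file transfer.

The MAC covers the file name and both length fields as well as the content,
so the receiver detects a changed byte, a truncated file or the same bytes
presented under a different name. Computing and checking use the same key:
only a holder of the key can verify, which is the contrast with digital
signatures that Y2.5 draws."""
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def protect_file(key: bytes, name: bytes, content: bytes) -> bytes:
    """Sender side: name length | name | content length | content | MAC."""
    body = struct.pack("!H", len(name)) + name + struct.pack("!I", len(content)) + content
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_file(key: bytes, envelope: bytes):
    """Receiver side: return (name, content) if the MAC checks, otherwise None.
    The MAC is checked before anything is parsed, so a forged or damaged
    envelope is rejected without interpreting its contents."""
    if len(envelope) < MAC_LEN + 6:
        return None
    body, tag = envelope[:-MAC_LEN], envelope[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        name_len = struct.unpack("!H", body[:2])[0]
        name = body[2:2 + name_len]
        content_len = struct.unpack("!I", body[2 + name_len:6 + name_len])[0]
        content = body[6 + name_len:6 + name_len + content_len]
    except struct.error:
        return None
    if len(name) != name_len or len(content) != content_len:
        return None
    return name, content


def flip_byte(data: bytes, index: int) -> bytes:
    """Simulate corruption or tampering of one byte in transit (for the demo)."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    key = b"constructed-shared-key"           # would be distributed out of band
    env = protect_file(key, b"forecast.xls", b"Q4 figures: 1,234,567")
    print("intact:", verify_file(key, env) is not None)
    print("tampered:", verify_file(key, flip_byte(env, 20)) is not None)
```

A receiver that does not hold the key gets None for a perfectly good envelope, which is exactly the property the text describes: the MAC proves integrity to the intended receiver only, and cannot be shown to a third party as evidence of origin.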


Z: Audit and review

To ensure that risks are kept to a minimum, independent audits and reviews of remote access services should be carried out on a regular basis. The audit process helps to determine the effectiveness of controls, and can be used to improve processes and procedures for managing a remote access service.

Audits and reviews should be carried out in a structured manner and supported by relevant technical expertise. They should cover all key aspects to ensure that connections are implemented and managed in accordance with agreed policy and standards.

Z1 Perform formal reviews on a regular basis

Z1.1 Ensure reviews are conducted properly

Audits and reviews should be carried out in a structured manner. They should be agreed by appropriate management, clearly defined in scope and carried out with the agreement of the individuals responsible for the target information under review.

Reviews should be underpinned by a formal process (such as the Forum’s SARA or SPRINT methodologies) to ensure that risks are thoroughly analysed.

Z1.2 Assign reviews to specific individuals

Responsibility for carrying out reviews should be assigned to specific individuals and supported by independent technical expertise.

Z1.3 Ensure reviews are performed regularly

Typically, remote access connections should be monitored regularly (eg weekly) and reviewed at least annually. Results of reviews should be documented, actioned and reported to management. Reviews should also be initiated in the event of significant changes to the technical infrastructure supporting the remote access service.

Z2 Ensure reviews are comprehensive

Z2.1 Ensure each connection has been authorised

Audits should include checks to ensure that each remote access connection has been authorised by the connection ‘owner’ as well as the remote user’s line manager.

Z2.2 Ensure each remote connection is necessary and compliant

Connections which are discovered to be inactive or unnecessary should be terminated promptly. Retrieval of corporate assets and equipment from the remote locations should be carried out in accordance with formal procedures. Connections which are active but which do not comply with corporate standards should be:

• brought into compliance with standards, or
• approved for non-compliance by senior management following a full consideration of the risks, or
• removed.

Z2.3 Identify non-approved or unknown connections

Unauthorised remote connections should be identified. Possible approaches include:

• manual audits of network equipment and documentation to identify discrepancies with records of known connections
• use of network management and diagnostic tools
• checking of accounting records of bills paid to telecommunications suppliers
• ‘war dialling’ the organisation’s PABX to detect unauthorised modems.


Z2 Ensure reviews are comprehensive (continued)

Z2.4 Examine significant security incidents

The audit process should include review of significant security incidents (eg breach of perimeter security by unauthorised personnel) and recommend appropriate actions.

Z2.5 Review access privileges

Access privileges associated with each remote connection should be reviewed and revised where appropriate. Access levels should be commensurate with the type of work required of the remote user, and match human resource profiles and records.

Z2.6 Confirm that regular reviews are being conducted

The audit process should confirm that regular reviews of individual remote access connections are being carried out.

Z2.7 Confirm that adequate contractual measures are in place

Contractual arrangements with third party service providers should be reviewed to ensure an adequate level of service.

Z2.8 Review the use of cryptography and authentication

Security audits/reviews should be conducted of authentication and cryptographic mechanisms in use (eg to check that satisfactory provision has been made for managing cryptographic keys).

Z2.9 Ensure key network equipment is configured properly

Configuration settings on all key network devices should be reviewed to ensure that they are correct.

Z2.10 Review the use of powerful tools and protocols

Cases where the use of powerful tools, such as intrusion detection or remote maintenance tools, have been authorised should be reviewed individually. The use of such tools can expose the organisation to additional risk of unauthorised access and should therefore be restricted to a minimum.

Z2.11 Ensure that security software is installed and configured correctly

Reviews should ensure that security software (eg access control, anti-virus) is installed on client and host systems and configured correctly.

Z3 Perform periodic reviews of remote environments

Z3.1 Review a sample of remote locations

Where remote users work from a fixed remote location, spot checks should be performed to ensure compliance with high-level policy, good security practice and legislation (eg health and safety regulations). Physical security procedures should be reviewed along with back-up procedures.

Z3.2 Check for illegal or unauthorised software and hardware

Spot checks should be performed to detect unauthorised or illegal software (eg remote control) or hardware (eg modems).

Z3.3 Review inventories of remote hardware and software

Inventories of remote hardware and software licenses should be compared with actual hardware and software in place by performing physical checks.

Z3.4 Review procedures in the event of loss/theft

Procedures for the replacement or recovery of equipment in the event of loss or theft should be reviewed and verified. This will include the review of insurance arrangements as well as procedures put in place to ensure the timely replacement of equipment.
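Several of the Z2 checks (Z2.1 sign-off, Z2.2 inactive connections, Z2.3 unknown connections found through network tools or telecoms bills, Z2.5 privileges matching HR records) reduce to reconciling the register of approved connections against independent sources. The following is an added example written for this edition, not a tool from the report; every record in it is constructed sample data, and the field names, finding labels and the 90-day inactivity threshold are assumptions made for the example.

```python
"""Added example for Z2.1, Z2.2, Z2.3 and Z2.5: reconcile the register of
approved remote connections against what is actually found (network
management tool output, telecoms bill lines) and against HR records.
All records are constructed sample data; field names are this example's own."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    ref: str                      # entry in the register of approved connections
    user: str                     # remote user's ID
    line: str                     # telephone number or circuit reference
    approved_by: Tuple[str, str]  # (connection owner, line manager), Z2.1
    privileges: str               # access level granted on the host
    last_active: date             # from the remote access server's accounting log


def reconcile(approved: List[Connection], discovered: Set[str], billed: Set[str],
              hr: Dict[str, dict], role_privileges: Dict[str, str],
              today: date, inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Return (finding, reference) pairs for the reviewer to action."""
    findings = []
    registered = {c.line for c in approved}
    # Z2.3: lines seen by network tools or paid for on a bill but absent from the register
    for line in sorted((discovered | billed) - registered):
        findings.append(("UNKNOWN_CONNECTION", line))
    for c in approved:
        if not all(c.approved_by):                       # Z2.1: both sign-offs present
            findings.append(("MISSING_APPROVAL", c.ref))
        if (today - c.last_active).days > inactive_days:  # Z2.2: terminate promptly
            findings.append(("INACTIVE", c.ref))
        record = hr.get(c.user)                          # Z2.5: match HR records
        if record is None or record["status"] != "employed":
            findings.append(("LEAVER_STILL_CONNECTED", c.ref))
        elif role_privileges.get(record["role"]) != c.privileges:
            findings.append(("PRIVILEGE_MISMATCH", c.ref))
        if c.line not in billed:                         # register may be stale
            findings.append(("NOT_ON_BILL", c.ref))
    return findings


# Constructed sample data (not taken from the report)
TODAY = date(1999, 9, 30)
APPROVED = [
    Connection("R001", "alice", "+44-20-7000-0001", ("owner1", "mgr1"), "read", date(1999, 9, 20)),
    Connection("R002", "bob", "+44-20-7000-0002", ("owner1", ""), "full", date(1999, 3, 1)),
    Connection("R003", "carol", "+44-20-7000-0003", ("owner2", "mgr2"), "read", date(1999, 9, 25)),
]
DISCOVERED = {"+44-20-7000-0001", "+44-20-7000-0002", "+44-20-7000-0003", "+44-20-7000-0009"}
BILLED = {"+44-20-7000-0001", "+44-20-7000-0002", "+44-20-7000-0003", "+44-20-7000-0010"}
HR = {
    "alice": {"status": "employed", "role": "sales"},
    "bob": {"status": "employed", "role": "maintenance"},
    "carol": {"status": "left", "role": "research"},
}
ROLE_PRIVILEGES = {"sales": "read", "maintenance": "read", "research": "read"}


def audit_sample() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(APPROVED, DISCOVERED, BILLED, HR, ROLE_PRIVILEGES, TODAY)


if __name__ == "__main__":
    for finding, ref in audit_sample():
        print(f"{finding:24} {ref}")
```

Each finding maps to a control: unknown lines go to Z2.3 follow-up, inactive or unapproved entries to Z2.2 and Z2.1, and leaver or privilege mismatches to Z2.5. Running the same reconciliation on the weekly cycle suggested in Z1.3 turns a once-a-year audit into a routine check.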


Appendix A: Possible business impacts

This appendix contains examples of possible business impacts associated with each of the risk categories described in this document. These examples are presented in Table A below.

Table A: Summary of risks and possible business impacts

(Columns: Component, Ref, Risk, Example of business impact)

Component A: Remote user

A1  Risk: Staff make mistakes through ignorance or negligence
    Impact: Sensitive customer data is seen by a salesman’s flatmate who works for a rival company, creating a loss of competitive advantage for the organisation.

A2  Risk: Staff behave in an illegal or offensive manner
    Impact: The organisation’s reputation is damaged when a member of staff is caught downloading explicit pornographic material from the Internet.

A3  Risk: Staff make inappropriate or unauthorised changes to the client computer
    Impact: A critical parts inventory database is corrupted when a virus is loaded from a game on a home PC by a maintenance engineer.

Component B: Location

B1  Risk: Staff are unable to connect to the corporate network from some remote locations
    Impact: An important deal does not get closed when a senior executive travelling overseas is unable to access vital data, as he does not have a telephone adaptor compatible with the local phone network.

B2  Risk: The remote location is not physically secure
    Impact: Confidential product designs displayed on a laptop computer being used by a travelling development engineer are seen by a fellow passenger who works for a competitor.

B3  Risk: Remote staff or equipment are not protected adequately
    Impact: The organisation is prosecuted when a remote user’s home environment is found to be in breach of health and safety regulations.

Component C: Client computer

C1  Risk: Client computer is not of sufficient technical specification
    Impact: Constant malfunction of laptops used for sales and marketing activity, supplied to the company as part of a bulk deal to save money.

C2  Risk: Client computer is vulnerable to tampering
    Impact: Details about a proposed merger are obtained by a newspaper as a result of data obtained from the hard disk of a senior manager’s PC. A start-up password was bypassed by removing the back-up battery on the motherboard.

C3  Risk: Security software is configured poorly
    Impact: A reservations system is rendered inoperable when a home worker’s PC is infected by a virus from the Internet as a result of incorrect virus checking software configuration.


Table A: Summary of risks and possible business impacts (continued)

Component D: Communications software

D1  Risk: Communications software malfunctions
    Impact: A travelling Sales Executive is prevented from accessing key product prices when communications software fails, preventing remote access to the corporate network.

D2  Risk: Remote staff use communications software in an inappropriate manner
    Impact: The organisation is defrauded of large sums of money when a Finance Clerk sets up a connection to his office-based PC using remote control software. He uses the connection out of office hours to create false transactions.

Component E: Client connection device

E1  Risk: Client connection device is not secured or does not perform adequately
    Impact: A development engineer is unable to access important designs from another country as the remote connection is degraded due to differing modem standards between the client computer and corporate gateway.

E2  Risk: Client connection device is misused or stolen
    Impact: The corporate network is severely disrupted when a mobile phone used by a system engineer for remote access is stolen. The thief uses passwords stored on the phone to exploit the engineer’s privileged network access rights.

Component F: Network services

F1  Risk: Network service provider delivers poor quality service
    Impact: A Senior Executive is unable to access critical information needed to close a deal, as the Internet Service Provider (used by the organisation to provide remote access) is unable to cope with a surge in Internet usage.

F2  Risk: Communications links are damaged or inadequate
    Impact: A Marketing Executive working from home has to wait several hours while downloading a customer database from the corporate network, due to a poor quality telephone line.

F3  Risk: Data is intercepted in transit
    Impact: Confidential patent information is obtained by a competitor by eavesdropping on a telephone line being used by a remote research and development team to connect to the corporate network.

Component G: Network protocols

G1  Risk: Network protocols have inherent weaknesses
    Impact: A sales force is unable to place orders for clients as network flooding prevents them from accessing the sales order processing system. This is caused by the implementation of a non-routable network protocol which broadcasts to the whole network.

G2  Risk: Malicious third parties exploit weaknesses in network protocols
    Impact: A vital dealing system is disrupted when a hacker mounts an attack on the corporate network of a large bank. The attacker exploits weaknesses in network protocols by ‘masquerading’ as a trusted remote user.


Table A: Summary of risks and possible business impacts (continued)

Component H: Corporate connection device

H1  Risk: Corporate connection devices fail to perform as intended
    Impact: Products are sold for far less than they should be when a Marketing Executive is unable to obtain updated pricing information due to incompatibility between the modems connected to the home PC and the organisation’s remote access server.

H2  Risk: Malicious third parties exploit poorly configured corporate connection devices
    Impact: Top secret marketing strategies are obtained by a competitor organisation when a hacker dials in to the organisation’s telephone exchange and uses its call forwarding facilities to gain access to the corporate network.

Component I: Routing devices

I1  Risk: Routing devices malfunction or are configured incorrectly
    Impact: A senior manager working abroad is unable to access data needed for a critical meeting, as a complex routing table has been configured incorrectly.

I2  Risk: Malicious third parties exploit weaknesses in routing devices
    Impact: A student disrupts a global manufacturing organisation’s remote access service, by dialling in to an insecure remote management port on a remote access server.

Component J: Internal network

J1  Risk: Internal networks are unreliable
    Impact: Connection to a vital financial estimating system is unavailable to hundreds of off-site advisors shortly after the introduction of a wide scale remote access service. Poor network design has resulted in the network becoming overloaded.

J2  Risk: Malicious third parties exploit internal network weaknesses
    Impact: A hacker is able to disrupt the corporate network by ‘war dialling’, after remote access firewall configuration changes (required to accommodate a new business opportunity) are carried out incorrectly.

J3  Risk: Security barriers are positioned or configured incorrectly
    Impact: A remote teleworker is inadvertently provided with access to highly sensitive human resource data due to a poorly planned network domain structure.

Component K: Host system

K1  Risk: Host system malfunctions
    Impact: Travelling salesmen are unable to access key product information causing loss of sales, after a power cut renders the host system unavailable.

K2  Risk: Malicious third parties exploit vulnerabilities in host system
    Impact: A disgruntled ex-employee defrauds the organisation by making use of known system commands to obtain unauthorised remote access to the corporate billing system and change key account information.


Table A: Summary of risks and possible business impacts (continued)

Component L: Target information

L1  Risk: Target information is not properly classified
    Impact: Highly sensitive organisational restructure plans are leaked to the press, as they have not been classified as ‘top secret’ and protected accordingly.

L2  Risk: Target information is insufficiently secured
    Impact: A rival organisation gains competitive advantage when a former research and development engineer accesses the corporate network and development plans stored there. The engineer’s access rights were not revoked upon moving from one company to another.

L3  Risk: Inappropriate access provided to target information
    Impact: A temporary teleworker who is provided with remote access to a customer database deletes important records by mistake. While the user requires only ‘read’ access to the customer records, limitations in the access control mechanism used means that full access was granted.


Acknowledgements

The Information Security Forum acknowledges the positive contribution to this project by the following individuals:

Work Group

Klaus Simonsen, AP Møller, DK
Jerry Nelson, Abbey National, UK
Mary McCrohan, AIB Group, IE
Peter Heywood, AstraZeneca, UK
Paul Wood, Baltimore, UK
Sam Phillips, Bank of America, US
Mike McNamara, Bank of Ireland, IE
Michael Hanna, Bank of Ireland, IE
Andris Brieze, Bank of Latvia, LV
Graham Allan, Bank of Scotland Group, UK
David Morgan, Barclays Bank, UK
Nigel Espin, BMW, FI-1, UK
Andrew Longyear, Boots Company, UK
Roger Sutton, British Airways, UK
Dominic Steinitz, British Airways, UK
Colin Dixon, British Broadcasting Corporation, UK
Stephen Pearman, British Energy, UK
David Sutton, BTcellnet, UK
James Rankin, C.G.U., UK
Dave McLinton, Cable & Wireless Communications, UK
Garry Parker, Cable & Wireless Communications, UK
David Jones, Cadbury Schweppes, UK
Steve Jarrett, Chase Manhattan Corporation, UK
Susan Davis, Computer Sciences Corporation, UK
Steve Cornish, Cylink Corporation, UK
Stefan Karsch, debis IT Security Services, DE
Johan Furuskjeg, Den Norske Bank, NO
Bernard Orians, Dresdner Kleinwort Benson, UK
Jim Smith, Electricity Supply Board, IE
Trygve Espedal, ELF Petroleum Norge, NO
Patrick Lynam, Eurocontrol, BE
Phil Cogger, Ford Motor Company, UK
Andrew Wilson, ICL, UK
Steen Christensen, Kommunedata, DK
Rod Ellis, Lloyds TSB, UK
Erik Höijer, LM Ericsson Data, SE
Lawrie Lee, Motorola, UK
Paul Almond, Nestlé, CH
René Kronig, Novartis International, CH
Bart van den Heuvel, Origin, NL
David Church, PricewaterhouseCoopers, UK
Praful Parmer, Prudential Corporation, UK


Pat Reed, PruTech, UK
Jean-Francoise Fava Verde, Racal Air-Tech, UK
Paul Singleton, Royal & SunAlliance, UK
Ronald Skoog, Scania, SE
Steffen Herzog, Schumann Unternehmensberatung, DE
Ingbert Haas, Siemens SBS, DE
Vic Dewhurst, ST Microelectronics, FR
Joe Norman, ST Microelectronics, FR
Debbie Munro, The BOC Group, UK
Jon Measham, The Post Office Research Group, UK

Project Team

Jason Creasey, Information Security Forum, UK
Simon Rycroft, Information Security Forum, UK
Peter Brookes, Communications & Business Consultants, UK

Review and Quality Assurance

Alan Stanley, Information Security Forum, UK
Steve Thorne, Information Security Forum, UK
Simon Oxley, Solarity, UK

Production

Louise Liu, Information Security Forum, UK
