Remote Work, Agile Working, and Smart Working in IT Security!
Allowing employees and collaborators to access company resources remotely, without time constraints, to perform their tasks and collaborate with colleagues is a topic of great interest that every manager will have to face.
The question is: how to make smart-working secure for company assets?
If the theft of projects, client lists, and documents is a concern even for employees working at the desk next to you, imagine how much more acute, at least psychologically, the problem feels for a remote collaborator whom we cannot monitor.
On one hand, access to information is necessary to perform tasks; on the other, this information is often easily duplicated in bulk and could end up in the hands of our fiercest competitor.
The security of virtual workspaces must therefore be planned and taken seriously. Perhaps with the help of a trusted partner specialized in Information Security and Ethical Hacking.
Dear reader, I don't write often and when I do, I try to communicate useful information. I hope to succeed in this intent and I gladly accept your suggestions. My personal mailbox is francesco.ongaro@isgroup.it.
Francesco Ongaro is the Sole Director of ISGroup SRL, an Italian company that has been dealing with offensive IT security for 15 years.
Types of Remote Work and Smart Working
Remote work is an increasingly common solution for various types of companies and ensures savings and flexibility for both the worker and the employer. However, smart-working tools expose the company to risks related to IT and Information Security.
A brief introduction to remote work modes:
- From home (“home working” or “home office”): the worker performs their duties from home, either always or for limited periods, for example a few days a week, during certain periods of the year, or in case of extraordinary events.
Equipped with a home office, the worker or teleworker performs their tasks independently with their own tools or those provided by the company.
The level of security varies depending on whether the collaborator relies exclusively on their own tools or the company has decided to invest more by providing company tools.
- On the move (“mobile working”, “working out” or “roadwarrior”): all cases where work activities are carried out in ever-changing places, such as at a client's office or home, during a car or train journey, or on a construction site.
For space and portability reasons, the tools do not go beyond the most common ones, such as a laptop (notebook or mobile workstation), a tablet (iPad, Android, or Windows), and a mobile phone.
This scenario is the most difficult to protect, as logical security issues are compounded by physical security issues, whether personal or company tools are used.
- In telework centers (whether “technology cottages”, as was fashionable in the past, or the more modern “co-working” spaces): work is carried out in satellite structures of the company that can be shared among multiple companies or professionals.
Since the physical location is determined and specifically prepared, advanced technologies can be used that are not conceivable in the previous cases, both in terms of hardware and software.
In the case of shared structures, the achievable level of security can be very good if one is interested in offering added value. The issue is similar to that of fairs and events. We helped EXPO2015 and Fiera Milano at the time, so feel free to contact us on the subject.
- Office-to-Office telework: the company provides non-shared, exclusive-use offices in areas distant or different from those of the headquarters. These are fully fledged offices organized according to open-space, cubicle, or traditional room schemes.
This case is particularly common in companies operating over large geographical areas and in multinational companies. The achievable level of security is high thanks to the direct interest in using the best hardware and software technologies.
How to Secure Smart Working with Non-Company Systems
Let's start with the first case where the worker is at their home. If the systems used to interact with company data are owned by the worker, there is no way to know their security and compromise status.
In this case, we recommend starting from the assumption of total compromise of the devices and therefore using tools that create a clear degree of separation between Company resources and the user and devices belonging to the home network.
To give you an idea of the risks, numerous cheap cameras from virtually unknown Asian manufacturers have been found to contain malicious code that scans the network and tries to exfiltrate data. So an employee need not be unfaithful for data theft to occur.
The architectures capable of creating this separation are mainly two:
- Web applications (“Web Application”), effectively making the teleworker a normal internet user of a “website” that, however, supports a particular business process.
Security is guaranteed by a defined and known client-server communication protocol, on the basis of which the web application, if well designed, can authenticate the user, authorize access only to the resources/information they are allowed to operate on, and limit the user's actions according to a well-defined business logic.
Verifying that all this actually happens, and that an attacker cannot easily bypass the controls, falls within the scope of web application security. The advice is to subject the web application to a Web Application Penetration Test performed by experts and according to recognized practices such as the OWASP Testing Guide (OWASP stands for Open Web Application Security Project and is a commendable American project in the field of IT security).
A Web Penetration Test for a medium-complexity application can last from five to ten days and cost from 3500 to 10000 euros depending on the case. It can identify the most important vulnerabilities, including business logic flaws, in a reasonable time and has a strong consultancy component that gives you a third-party opinion. If you think that knowing is a fundamental step toward acting, this is the activity for you, and we invite you to contact us.
- Remote Desktop solutions (“Remote Desktop” or “VDI”) that allow the user to access, graphically and interactively, an operating system running on a remote server, usually within the company, and therefore with access to the resources the employee would normally have if they were physically in the office.
Security is guaranteed by the restrictions at the operating-system level set up on the terminal system, such as Microsoft Terminal Services, Microsoft Remote Desktop, Citrix XenApp, or VMware Horizon, to name a few of the most well-known.
The potential of a remote desktop is great (user familiarity, a unified environment for office and remote operations, the ability to run Windows applications and management systems, etc.), but so are the potential risks, since the opportunities for interaction with the operating system are more numerous and varied than with a web application.
The advice is to conduct a Penetration Test on the specific scenario, i.e., a simulation of an authenticated attacker belonging to the teleworkers' user group. The result will be a detailed report on the identified impacts and the resources that could be accessed.
In both cases, whether web applications accessed via browser or systems accessed via Virtual Desktop Infrastructure, the security of communications (i.e., how data, including login credentials, travels from the worker's connection to the company's network) is particularly important. In this regard, best practices for configuring secure HTTPS and TLS communication channels should be followed.
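As an added example (not code from the original article or from ISGroup), the following Python script shows one way a defender can check the point above: it builds a TLS client context hardened the way a browser or VDI client should be, and rates the negotiated protocol, cipher suite and certificate lifetime against a policy. The policy thresholds, cipher markers and helper names are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed policy values (assumptions for this example, not from the article).
MIN_VERSION = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")
MIN_CERT_DAYS_LEFT = 14


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses legacy protocols and unverified peers."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    ctx.minimum_version = MIN_VERSION
    ctx.check_hostname = True
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True if the context enforces the minimum version and peer verification."""
    return (ctx.minimum_version >= MIN_VERSION
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def evaluate(version: str, cipher: str, cert_days_left: int) -> list:
    """Rate observed handshake parameters; returns a list of findings (empty = ok).
    version/cipher are the names ssl reports, e.g. "TLSv1.3", "TLS_AES_256_GCM_SHA384".
    """
    findings = []
    if version in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {version}")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {cipher}")
    if cert_days_left < 0:
        findings.append("server certificate has expired")
    elif cert_days_left < MIN_CERT_DAYS_LEFT:
        findings.append(f"certificate expires in {cert_days_left} days")
    return findings


def probe(host: str, port: int = 443) -> list:
    """Handshake with a live server using the hardened context and rate it."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            days_left = int((not_after - datetime.now(timezone.utc).timestamp()) // 86400)
            return evaluate(tls.version(), tls.cipher()[0], days_left)
```

`probe()` needs network access; `evaluate()` can be fed parameters recorded from a packet capture or a server scan and works offline.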
How to Secure Smart Working with Company Systems
If, on the other hand, it has been decided to provide the worker with company-owned tools, it is possible to “extend” company security policies remotely through MDM (Mobile Device Management) tools for mobile phones and tablets and Windows Group Policy for Windows laptops.
For the choice and configuration of these systems, such as MobileIron Unified Endpoint Management, VMware AirWatch, or Kaspersky Security Center to name a few, it is advisable to use expert consultants who can effectively protect the company from IT risks. Sometimes these tools are never made effective and represent only an expense.
Verify the Security of Mobile Workers/Roadwarriors
To verify the security of roadwarriors, specific simulations can be carried out, such as Man in the Middle (MitM, i.e., traffic interception), where company devices are connected to a deliberately insecure and malicious network to measure what information could be captured and what damage could be caused to both the company and the worker.
The Security of Company Computers Used for Remote Work
In medium and large companies, the installation of laptops is done automatically, starting from images that contain most of the configurations and hardening that the technical staff has identified over time.

For smaller companies, it is still advisable to have a list of basic requirements that both the hardware and the operating system must meet; otherwise, you may end up with Windows versions that do not support the security features you need.
Where it is possible to implement a traditional infrastructure, that is, both in structures shared among multiple companies such as co-working spaces and in peripheral offices, an excellent level of security can be achieved using a mix of technologies including:
- Network-level security (802.1X network port authentication) and WiFi networks (WPA2 Enterprise with personal credentials);
- Site-to-Site VPN, firewall, and UTM systems capable of identifying and preventing the most common attacks and viruses;
- Logging, IDS, and IPS to identify attacks and anomalies;
- Some of the solutions seen so far in this article.
It is important to involve security experts in the design phase of such infrastructures to avoid architectural macro-errors.
Once implemented, they should be periodically subjected to:
- Vulnerability Assessment activities, at least quarterly, to verify the correct execution of Patch Management processes (keeping systems up to date), the secure configuration of devices, and the quality of access credentials, thus ensuring that the maintainers of such infrastructures never lower their guard by using default or weak passwords, or by reusing the same passwords across various systems;
- Penetration Test activities, at least annually, to verify network visibility rules and correct network segmentation, and to identify potential impacts from peripheral offices on central offices.
In Summary
Remote work or Smart Working is an interesting opportunity for companies, especially when done securely thanks to the verification of an independent and trusted third party.
We are fully available to provide you with a free consultation that will allow you to direct your efforts and clarify your ideas. Feel free to contact us at our email address sales@isgroup.it.