Secure remote working tips and VPN insights from our senior penetration tester
Leon Teale is a senior penetration tester at IT Governance. He has more than ten years’ experience performing penetration tests for clients in various industries all over the world.
In addition, Leon has won hackathon events in the UK and internationally, and is accredited for multiple bug bounties. He’s also been featured in various articles relating to cyber security.
We sat down to chat to him.
What have organisations been asking you about lately?
Well, for many people, working from home almost feels like the norm now. I find it interesting that only a few years ago, most organisations never even considered it an option. But the COVID-19 lockdowns forced organisations to quickly create and provide remote working solutions, usually without the luxury of time to properly plan things and consider the risks involved. That left a lot of organisations without a proper security procedure or set of guidelines to follow, even if the solutions themselves were working.
Now, as we come to the end of 2023, we have thousands of organisations whose workforces are predominantly working from home. Perhaps because of this, I’m seeing evidence of suboptimal implementations becoming less acceptable. Specifically, companies are increasingly asking me about how to secure their data and infrastructure while continuing to be able to work remotely.
So how can organisations efficiently secure their remote infrastructure?
I think organisations should start by considering their baseline security posture. Cyber Essentials and Cyber Essentials Plus cover the basics such as ensuring secure configurations, using firewalls, controlling user access, and protecting against viruses and other malware. The NCSC [National Cyber Security Centre] also added requirements for home working to the scheme in January 2022.
What other best-practice guidance could organisations follow?
Organisations may also find the NCSC’s home working guidance helpful. This partially overlaps with Cyber Essentials, but also offers advice on setting up new accounts and access controls, controlling device access and ensuring secure communications.
In addition, the NCSC has published a useful set of VPN principles to help with choosing a secure VPN [virtual private network] solution for accessing corporate environments. It also offers guidance on deploying and configuring the VPN.
Could you talk us through some different VPN technologies?
OpenVPN is a newer VPN method that’s very configurable and secure. Actually, it’ll be at its most secure if it’s set to use AES [Advanced Encryption Standard] encryption instead of the weaker Blowfish encryption. Beware, however, that you’ll need to install a third-party application to use OpenVPN.
SSTP [Secure Socket Tunneling Protocol] is like OpenVPN, but mostly just for Windows and less auditable. However, it’s much better than PPTP and, because it can be configured to use AES encryption, arguably more trustworthy than L2TP/IPsec.
L2TP/IPsec [Layer 2 Tunneling Protocol/Internet Protocol Security] is easy to set up, but has trouble getting around firewalls and isn’t as efficient as OpenVPN. IPsec is theoretically secure, but there are concerns the NSA [National Security Agency] could have weakened the standard – no one knows this for certain, though. If you can, stick with OpenVPN, but definitely use L2TP/IPsec over PPTP.
PPTP [Point-to-Point Tunneling Protocol] is integrated into common operating systems and easy to set up, but old and vulnerable. In short: stay away.
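As an added illustration (not code from the interview, nor from IT Governance), the following Python script checks an OpenVPN configuration for the Blowfish-versus-AES choice described above: it flags `cipher BF-CBC` (and other 64-bit block ciphers), accepts AES-GCM, and warns when no cipher is set at all. The two configurations it audits are constructed samples; `cipher`, `data-ciphers` and `ncp-ciphers` are real OpenVPN directives.

```python
# Added example: audit OpenVPN config files for weak data-channel ciphers.
# Blowfish (BF-CBC), DES and similar 64-bit block ciphers are treated as
# weak; AES-GCM is the recommended replacement.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
RECOMMENDED = "AES-256-GCM"


def parse_directives(text):
    """Yield (directive, args) pairs, skipping blank lines and '#'/';' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_openvpn_config(text):
    """Return a list of findings about the cipher settings in an OpenVPN config."""
    findings = []
    cipher_set = False
    for directive, args in parse_directives(text):
        if directive == "cipher" and args:
            cipher_set = True
            name = args[0].upper()
            if name in WEAK_CIPHERS:
                findings.append(f"cipher {name}: weak, use {RECOMMENDED}")
        elif directive in ("data-ciphers", "ncp-ciphers") and args:
            cipher_set = True
            # Negotiable cipher list is colon-separated; every entry must be strong.
            for name in args[0].upper().split(":"):
                if name in WEAK_CIPHERS:
                    findings.append(f"{directive} {name}: weak, use {RECOMMENDED}")
    if not cipher_set:
        findings.append("no cipher/data-ciphers set: older releases fall back to BF-CBC")
    return findings


WEAK_CONF = """\
# constructed sample: legacy server.conf still using Blowfish
port 1194
proto udp
dev tun
cipher BF-CBC
"""

HARDENED_CONF = """\
# constructed sample: same server restricted to AES-GCM
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_openvpn_config(conf) or ["ok"])
```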
So you would recommend OpenVPN to organisations?
In general, OpenVPN stands out as a solid choice. However, if you’re using Windows and need an alternative, SSTP is the way to go. If you’re limited to L2TP/IPsec or PPTP, opt for L2TP/IPsec. It’s best to steer clear of PPTP, unless it’s the only protocol your VPN server accepts.
To wrap things up, could you give us your top ten tips for secure remote working?
If I had to narrow it down to the ten most important things, I’d focus on these:
- Choose a secure VPN.
- Ensure remote workers’ devices are up to date and patched in accordance with your organisation’s policy.
- Anti-malware software should be active and up to date.
- Enable MFA [multifactor authentication] for when the device is authenticating to the corporate network, and consider using certificate-based access.
- Educate employees to not use untrusted wireless networks, such as those in public spaces, for work-related tasks, unless a VPN is enabled.
- Ensure full-disk encryption, especially for laptops and other portable devices.
- Data should be backed up securely to help prevent data loss, whether due to technical issues or malicious activity.
- Remind remote workers to keep their devices secure and out of sight when not in use.
- Provide regular security training and staff awareness to remote workers. This could be delivered through e-learning and/or newsletters on the latest security threats and policy changes.
- Once you think you have followed all the guidance you can, get a third-party security company to audit your devices and VPN to ensure nothing has been missed.
We hope you enjoyed the first of our ‘Expert Insight’ series. Please do leave a comment below to let us know what you think, and if you have any questions you’d like our experts to answer.
We’ll be back next week, chatting to another expert within the Group.