Home Network Security for Remote Workers

Adam Cravedi
Apr 8, 2020 1:00:00 PM

The COVID-19 pandemic has presented unprecedented global challenges at all levels of society today, from healthcare to social concerns. With much of the East and West Coasts experiencing government-enforced social distancing lockdowns, businesses have had to scramble to turn their daily office operations into a remote workforce. For an organization like Compass IT Compliance with its roots as a virtual company, this was not a challenge. However, many organizations were not prepared to migrate the majority of their employees to work-from-home users. There have been reports of significant layoffs and furloughs, and IT departments scrambling to buy laptops to configure for an enlarged remote workforce.

In this day and age of the internet and cloud computing, this transition has been made easier because communications and connections to business data and applications can be established from virtually anywhere. However, Information Security Officers and security teams have to ask themselves, “How do we secure all of these remote workers?” It's a challenge to secure a network that the company controls. It's difficult, if not impossible, to enforce controls over remote home networks. Below is a set of security concerns and suggested control objectives that Compass IT Compliance asks about on a daily basis as we support the remote workforces of our clients. The majority of these controls are within the abilities of home workers to configure on their own. A few will require corporate IT’s help and some may only be for the paranoid IT security professional.

Social Engineering Awareness – Ensure employees are informed about the risks and threats of social engineering. Threats don't stop when staff are out of the office, and information security awareness shouldn't either.

  1. Deliver awareness reminders to remote workers on a regular basis
  2. Publish a list of common attack scenarios (e.g. package delivery, third-party support)
  3. Watch threat feeds (NIST, SANS, US-CERT) for particular threats targeting remote workers (e.g. Zoom Bombing)

Home Network Equipment – Remote workers will be using their own personal network equipment. It's not practical to assume this equipment meets any security standards compared to corporate resources. In most cases, the equipment is older and rests in the default configuration left by the telephone/cable company installer. Today, many homes have an all-in-one router or wireless access point. In some cases these may be separate. These recommendations apply to any home networking equipment.

  1. Download and/or bookmark router/Wi-Fi equipment documentation
    1. Most internet service providers (ISP) can provide the operating instructions
    2. The device’s manual can be downloaded from the manufacturer’s website
  2. If available, update the system software and device firmware
  3. Change the default administrator password
    1. By default, many devices have a blank password
    2. A list of default passwords for all types of equipment is just a Google search away
  4. Change the default SSID (network name) of the wireless network
    1. The default name might be the manufacturer of the device (Linksys, Ruckus, Cisco), or the name of the service provider (Verizon, Spectrum)
  5. Set a secure Wi-Fi pre-shared key (PSK) and only share it with people you trust
    1. Default pre-shared keys are typically the home phone number
  6. Use at least WPA2 security for wireless encryption
  7. Disable remote WAN configuration access
  8. Do not share the administrator password for any devices
  9. If a service technician needs the password, make sure to change the password after the technician performs service
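A remote worker can check several of these items from the work computer itself. The following is an added example, not part of the original article: it parses the output of the Windows command `netsh wlan show interfaces` and flags a default-looking SSID, encryption weaker than WPA2, and a pre-shared key that is just a phone number. The sample output, the function names and the 12-character minimum are assumptions made for this example.

```python
import re

# Vendor and ISP names the checklist gives as typical default SSIDs.
DEFAULT_SSID_NAMES = ("linksys", "ruckus", "cisco", "verizon", "spectrum")
MIN_PSK_LENGTH = 12  # assumed threshold for this example, not from the article

# Constructed sample of `netsh wlan show interfaces` output (trimmed).
SAMPLE_NETSH = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : Linksys00042
    BSSID                  : 00:00:5e:00:53:01
    Authentication         : WPA-Personal
    Cipher                 : TKIP
"""


def parse_netsh_interface(text):
    """Turn the 'Key : Value' lines of netsh output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def looks_like_phone_number(psk):
    """True if the key is only 10 or 11 digits plus phone separators."""
    digits = re.sub(r"[\s().+-]", "", psk)
    return digits.isdigit() and len(digits) in (10, 11)


def audit_wifi(netsh_text, psk=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    fields = parse_netsh_interface(netsh_text)
    ssid, auth = fields.get("SSID", ""), fields.get("Authentication", "")
    findings = []
    if any(name in ssid.lower() for name in DEFAULT_SSID_NAMES):
        findings.append("default-ssid")
    if not auth.startswith(("WPA2", "WPA3")):  # Open, WEP and WPA fall here
        findings.append("weak-encryption")
    if psk is not None and looks_like_phone_number(psk):
        findings.append("psk-is-phone-number")
    elif psk is not None and len(psk) < MIN_PSK_LENGTH:
        findings.append("psk-too-short")
    return findings
```

The field labels are those of an English-language Windows installation; the router's own admin password, firmware version and remote WAN setting still have to be checked on the device.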

The Remote Computer – Whether the organization provides the home worker with a corporate computer or allows the use of a personal device, the remote worker must ensure the system is secure and updated to defend against threats.

  1. Remind remote users that all corporate policies apply to any work performed on behalf of the organization, regardless of where and on what equipment
    1. Some organizations restrict business functions to be performed from corporate-owned equipment only
    2. Acceptable use of corporate equipment and work done on behalf of the company on personal devices is still enforced
  2. Require the use of a VPN (virtual private network) before allowing access to corporate resources across any network connection
    1. The organization does not have control over home network security. Establishing a VPN connection will protect corporate information while it is transmitted over the internet
    2. Remote desktop services such as Microsoft’s Terminal Services are not considered secure enough today to allow direct Remote Desktop Protocol (RDP) connections from the internet. Require VPN connections before allowing RDP access to internal resources
  3. Enforce multi-factor authentication (MFA) regardless of the method of remote access
    1. Credential theft/hijacking is one of the top reasons many networks are breached today. MFA can minimize the impact of lost or stolen usernames and passwords
  4. Disable split-tunneling on all VPN connections
    1. This setting forces all traffic through the corporate VPN and internet connections
  5. Create and use a strong password
    1. At minimum, follow all corporate password policies
    2. Strong passwords are difficult to guess and to brute-force
  6. Host-based anti-virus/anti-malware software must be installed and configured to continue to update and scan
  7. Host-based firewalls must be enabled
    1. Most home networks do not have dedicated hardware-based firewalls configured
    2. Host-based firewalls such as Windows Defender or those that are part of an endpoint protection software package (Norton, AVG, McAfee, etc.) can do a good job in blocking unwanted network traffic and applications from affecting the local computer
  8. Maintain security and system update patching
    1. New vulnerabilities and threats emerge on a daily basis. Keeping up with operating system and application patches and security updates is critical regardless of the computer
    2. This is even more critical when working from home considering that home networks are not nearly as secure as the corporate network where next generation firewalls, IDS/IPS, and other security technology may be in place
  9. Save all business data, documents, and information on corporate file stores
  10. As much as possible, restrict saving files to local drives in favor of corporate file stores
    1. Corporate storage is backed up on a regular basis. Local drives, especially when working remotely, will not normally be backed up
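Whether split-tunneling is really disabled (item 4 above) can be verified from the client's routing table. The following is an added example, not part of the original article: it applies longest-prefix matching to Linux `ip -4 route` output and reports which probe addresses would leave through an interface other than the VPN. The interface names, route tables and probe addresses are constructed for illustration.

```python
import ipaddress

# Constructed probes: public documentation addresses, never actually contacted.
PROBES = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]

# Constructed full-tunnel table: two /1 routes cover all of IPv4 via tun0.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
198.51.100.20 via 192.168.1.1 dev wlan0
"""

# Constructed split-tunnel table: only 10.20.0.0/16 goes through the VPN.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(ip_route_text):
    """Parse `ip -4 route` lines into (network, interface) pairs."""
    routes = []
    for line in ip_route_text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue  # e.g. blackhole/unreachable routes have no interface
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dest, strict=False)
        routes.append((network, parts[parts.index("dev") + 1]))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match (route metrics are ignored in this example)."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None


def split_tunnel_leaks(ip_route_text, vpn_dev, probes):
    """Return the probes that would bypass the VPN interface."""
    routes = parse_routes(ip_route_text)
    return [p for p in probes if egress_interface(routes, p) != vpn_dev]
```

In the full-tunnel table the host route to 198.51.100.20 (the constructed VPN gateway) and the local subnet still use `wlan0`, which is expected; only general internet destinations should be used as probes.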

Kids and Other Users – Most homes today have at least one computer available for shared use by the family. This computer should not be used for business use. Conversely, if a corporate device was provided for working from home, it should only be used for business purposes.

  1. Do not share the password for the work computer with anyone else
  2. If the family computer must be used for business use, ensure that each user has their own sign in and cannot access the business account
  3. Do not install personal software/games/entertainment on the work computer

Other Devices (Advanced) – Many homes today have several other devices, not just computers, connected to the Wi-Fi network (e.g. smart TVs, gaming consoles, thermostats, cameras, etc.). This is referred to as the Internet of Things (IoT). These devices can represent easy targets to attackers as most manufacturers do not consider security when adding network integration into their designs.

  1. At a minimum, update all software/firmware periodically on any IoT devices connected to the home Wi-Fi network
  2. For those who understand a little about networks and Wi-Fi and if the Wi-Fi access point supports this, consider configuring separate Wi-Fi segments for different types of devices
    1. A network for the work computer can be isolated from the rest of the home network
    2. Non-computer devices can be set up on their own IoT segment

We've condensed the information above into this checklist for free downloading and sharing with your staff. Compass IT Compliance has spent the past decade assisting organizations in various industries with addressing these network concerns. Contact us today to discuss your unique situation!
