ITL Bulletin for December 2007
Forwarded from: Elizabeth Lennon
ITL BULLETIN FOR DECEMBER 2007
SECURING EXTERNAL COMPUTERS AND OTHER DEVICES USED BY
TELEWORKERS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Many workers highly value the arrangements that they have with their
employers to work from home or from other locations away from their
organizations' facilities. This popular practice of teleworking, or
telecommuting, benefits both the organizations and their staff members,
who are able to read and send email, access Web sites, review and edit
documents, and perform many other tasks from remote sites. These
teleworkers use devices such as desktop and laptop computers, personal
digital assistants (PDAs), and cell phones to access their
organization's nonpublic computing resources and to conduct business
from them when they are at home or traveling.
For many years, teleworkers were limited in their activities because
their dial-up modems, which were the primary communications mechanism
for remote access, operated at slow speeds. Today high-speed Internet
connectivity and broadband communications provide fast data transfer
rates, greatly expanding the productive use of remote access
capabilities by teleworkers. But with increasing intruder attacks and
other threats in today's computing environment, teleworkers and their
organizations are challenged to plan carefully to protect the security
of telework devices, networks, and information resources.

User's Guide to Securing External Devices for Telework and Remote Access

The Information Technology Laboratory of the National Institute of
Standards and Technology (NIST) has issued a new guide that provides
practical advice to help workers secure their external devices that they
need for teleworking. NIST Special Publication (SP) 800-114, User's
Guide to Securing External Devices for Telework and Remote Access:
Recommendations of the National Institute of Standards and Technology,
written by Karen Scarfone and Murugiah Souppaya, focuses on the security
of the teleworker's computing devices and recommends steps to protect
the devices, the computer operating systems (OSs) and applications, and
the home networks that the computers use.
The guide provides an overview of telework technologies and the security
issues related to the use of telework devices. The basic issues of
securing information and home networks, and of using external networks,
are discussed. Recommendations to users cover protecting their devices,
computer operating systems, and applications, and protecting the
information stored on telework computers and removable media. Advice is
provided for protecting the wireless home networks that are used for
remote access communications.
A section of NIST SP 800-114 focuses on protecting cell phones, PDAs,
and smart phones, such as hybrid cell phone/PDA devices (for example,
BlackBerry and Windows Mobile devices). Another section guides
teleworkers in the safe use of devices that are secured by a third
party, such as a computer provided for public use at a conference or
hotel.
The publication's useful appendices present supplemental information and
supporting material, including security-related considerations for
telework, such as using cellular phones and Voice over Internet Protocol
(VoIP) phone services; using wireless personal area network (WPAN)
technologies such as Bluetooth; using wireless broadband data cards; and
ensuring the secure destruction of removable media and printed materials
that might contain sensitive information. Also included in the
appendices are a glossary, a list of acronyms and abbreviations, and a
list of in-print resources and online tools and resources that users may
wish to consult for additional information about securing their telework
devices.
NIST SP 800-114 is available at NIST's Web site at
http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf.

Security of Telework Devices: A Challenge for Workers and Their
Organizations

Both personal computers and consumer devices are used for telework, and
different ownership arrangements apply to the devices. Personal
computers (PCs) are desktop and laptop computers that run standard PC
OSs (e.g., Windows, Linux/UNIX, Mac OS). These devices gain access to
broadband networks through cable modems, digital subscriber lines,
satellite, and wireless connections. Consumer devices are small, usually
mobile, computers that do not run standard PC OSs. Examples are
networking-capable PDAs, cell phones, and video game systems. Consumer
devices are most often used for remote access applications that use Web
browsers, primarily Secure Sockets Layer (SSL) Virtual Private Networks
(VPNs) and individual Web application access.
Telework devices may be owned, configured, and managed by the worker's
organization and can be used for any of the organization's access
methods. Some teleworker devices are owned by the worker, who is
responsible for securing them and maintaining their security. In another
arrangement, the devices are owned, configured, and secured by
third parties, such as kiosk computers at hotels, and PCs or consumer
devices owned by friends and family of the worker. Remote access options
for third party-secured devices are usually limited because users are
often unable to install software onto them, such as VPN software,
terminal server software, and Web browser plug-ins.
Because of their security policies and technology limitations,
organizations often limit the types of devices that can be used for
remote access. An organization might require the worker to use only the
organization's PCs. Some organizations have tiered access levels, such
as allowing the organization's PCs to access many resources,
teleworker-owned PCs to access a more limited set of resources, and
consumer devices and third-party PCs to access only one or two
resources, such as Web-based email. This allows an organization to limit
the risk it incurs by permitting the most controlled devices to have the
most access and the least controlled devices to have minimal access.
Before they use their own or third-party computers for remote access to
their organization's resources, teleworkers should check to confirm that
the organization's latest policies allow such access.
There are risks associated with remote access to information resources
in general, and broadband communications, if not properly protected, can
be especially vulnerable to intruder attacks. When a telework device
uses remote access, it is essentially a logical extension of the
organization's own network. Therefore, if the telework device is not
secured properly, it poses additional risk not only to the information
that the teleworker accesses but also to the organization's other
systems and networks. For example, a telework device infected with a
worm could spread the worm through remote access to the organization's
internal computers. Therefore, telework devices should be secured
properly and have their security maintained regularly.
Many organizations automatically check the security health of each
telework device that attempts to use remote access to the organization's
information resources to ensure that the device complies with the
organization's policies. Examples of the checks that an organization
might conduct are verifying that the OS is fully patched, that antivirus
software is installed and up-to-date, and that a personal firewall is
enabled. The organization can also check if the device has been secured
by the organization and whether the device is a desktop or laptop
computer, a PDA, a video game system, or other device. Based on the
results of these checks, the organization can determine whether the
device should be permitted to use remote access.
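
The tiered access levels and the automated health checks described above can be combined into a single admission decision. The sketch below is an added example, not taken from NIST SP 800-114 or from any product; the resource names, the tier names, and the rule that an unverifiable check is tolerated only at the minimal tier are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical resource names; each tier is a subset of the one above it.
TIER_RESOURCES = {
    "full": {"webmail", "intranet", "file_shares", "internal_apps"},
    "limited": {"webmail", "intranet"},
    "minimal": {"webmail"},
    "denied": set(),
}

@dataclass(frozen=True)
class Device:
    owner: str  # "organization", "teleworker" or "third_party"
    kind: str   # "pc" or "consumer" (PDA, cell phone, video game system)
    # Health check results; None means the check could not be run.
    os_fully_patched: Optional[bool] = None
    antivirus_current: Optional[bool] = None
    firewall_enabled: Optional[bool] = None

def ceiling_tier(dev: Device) -> str:
    """Most access the device may get, from ownership and type alone."""
    if dev.owner == "third_party" or dev.kind == "consumer":
        return "minimal"
    return {"organization": "full", "teleworker": "limited"}.get(dev.owner, "denied")

def decide(dev: Device):
    """Return (tier, reasons). Assumed policy: a failed check always denies;
    an unverifiable check denies unless the ceiling is already minimal."""
    tier = ceiling_tier(dev)
    reasons = [] if tier != "denied" else ["owner: unrecognized"]
    checks = {
        "os_fully_patched": dev.os_fully_patched,
        "antivirus_current": dev.antivirus_current,
        "firewall_enabled": dev.firewall_enabled,
    }
    for name, ok in checks.items():
        if ok is False:
            reasons.append(f"{name}: failed")
        elif ok is None and tier != "minimal":
            reasons.append(f"{name}: not verifiable")
    return ("denied" if reasons else tier), reasons

def allowed_resources(dev: Device) -> set:
    return TIER_RESOURCES[decide(dev)[0]]

if __name__ == "__main__":
    # Constructed sample devices.
    samples = [
        Device("organization", "pc", True, True, True),
        Device("teleworker", "pc", True, False, True),
        Device("third_party", "pc"),
    ]
    for d in samples:
        print(d.owner, d.kind, decide(d))
```

Returning the reasons alongside the tier lets the remote access gateway tell the teleworker which check to remediate before retrying.
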
With good planning and careful implementation of sensible guidelines,
organizations can support the popular practice of telecommuting, while
protecting their networks and information resources.

Threats to External Devices

People who want to cause mischief, disrupt organizational operations,
and commit fraud are a major threat to the security of external devices
used by teleworkers. Telework devices are susceptible to the insertion
of malware, also known as malicious code. Malware is a computer program
that is covertly placed onto a computing device with the intent of
compromising the confidentiality, integrity, or availability of the
device's data, applications, or OS. Common types of malware threats
include viruses, worms, malicious mobile code, Trojan horses, rootkits,
and spyware. Malware threats can infect devices through email, Web
sites, file downloads and file sharing, peer-to-peer software, and
instant messaging. Another common threat for telework devices is the
loss or theft of the device. Someone with physical access to a device
has many options for attempting to view the information stored on it.
Teleworkers can increase the security of their devices by adopting
security protections, or security controls. These measures taken against
the threats compensate for the device's security weaknesses, or
vulnerabilities. Some vulnerabilities can be eliminated through security
protections. For example, the user can enable a feature in an
application to automatically download and install new versions of the
application to correct previous errors. Some vulnerabilities cannot be
eliminated, but security protections can prevent attacks. For example,
antivirus software can stop an infected email from being opened by a
user, or hard drive encryption can make files unreadable by others.
However, not all vulnerabilities can be eliminated. The complexity of
computing and remote access makes total protection of information
resources almost impossible. But organizations can realize a more
realistic goal of applying security protections to give attackers as few
opportunities as feasible to gain access to a device or to damage the
device's software or information.

NIST Recommendations

Teleworkers should take an important first step before implementing any
of the recommendations or suggestions in the guide. They should back up
all of their data and verify the validity of the backups. Users with
limited experience in configuring personal computers, consumer devices,
or home networks should seek expert assistance in applying the guide's
recommendations to avoid any potential losses of data, device, or
application functionality.
NIST recommends that teleworkers take the following steps to improve and
maintain the security of their external telework devices:
* Become thoroughly familiar with their organization's policies and
requirements, and know how to protect the organization's information
that they may access.
Sensitive information that is stored on or sent to or from external
telework devices must be protected. It is important to prevent malicious
parties from accessing or altering information. An unauthorized release
of sensitive information could damage the public's trust in the
organization, jeopardize the mission of the organization, or harm the
individuals whose personal information is compromised. Many methods can
be employed to protect the personal information that is accessed during
teleworking, including protecting the physical security of telework
devices, encrypting files stored on devices, and ensuring that
information stored on devices is backed up.
* Ensure that all the telework devices used on wired and wireless home
networks are properly secured, and that home networks are protected
also.
Appropriate security measures should be applied to the PCs and consumer
devices that use the same wired and wireless home networks to which the
telework device normally connects. If these other devices become
infected with malware or are otherwise compromised, they could attack
the telework device or eavesdrop on its communications. Teleworkers
should also be cautious about allowing others to place devices on the
teleworkers' home networks, in case one of these devices is compromised.
Teleworkers should also apply security measures to the home networks to
which their telework devices normally connect. One example of such a
security measure is to use a broadband router or firewall appliance to
prevent computers outside the home network from initiating
communications with telework devices on the home network. Another
example is to ensure that sensitive information transmitted over a
wireless home network is adequately protected through strong encryption.
* Secure the operating systems and primary applications of desktop or
laptop PCs that the teleworker owns and uses for telework.
Securing a telework PC includes the following actions:
-- Use a combination of security software, such as antivirus and
antispyware software, personal firewalls, spam and Web content
filtering, and popup blocking, to stop most attacks, particularly
malware.
-- Restrict who can use the PC by having a separate standard user
account for each person; assign a password to each user account; use the
standard user accounts for daily use; and protect user sessions from
unauthorized physical access.
-- Ensure that updates are regularly applied to the operating system and
primary applications, such as Web browsers, email clients, instant
messaging clients, and security software.
-- Disable unneeded networking features on the PC and configure wireless
networking securely.
-- Configure primary applications to filter content and stop other
activity that is likely to be malicious.
-- Install and use only known and trusted software.
-- Configure remote access software based on the organization's
requirements and recommendations.
-- Maintain the security of the PC on an ongoing basis, such as changing
passwords regularly and checking the status of security software
periodically.
* Secure the consumer devices that the teleworker owns and uses for
telework, based on the security recommendations of the devices'
manufacturers.
A wide variety of consumer devices exists, and security features
available for these devices also vary widely. While some devices offer
only a few basic features, others offer sophisticated features similar
to those offered by PCs. Devices with less sophisticated features are
not necessarily less secure than those with many more security features.
Many devices offer more security features because the capabilities that
they provide, such as access to wireless networking and capabilities for
instant messaging, make them more susceptible to attack than devices
without these capabilities.
General recommendations for securing telework devices are:
-- Limit access to the device, such as setting a personal identification
number (PIN) or password and automatically locking a device after an
idle period.
-- Disable networking capabilities, such as Bluetooth, except when they
are needed.
-- Use additional security software, such as antivirus software and
personal firewalls, if appropriate.
-- Ensure that security updates, if available, are acquired and
installed at least monthly, preferably weekly.
-- Configure applications to support security, such as blocking activity
that is likely to be malicious.
* Consider the security state of a third-party device before using it
for telework.
Teleworkers often want to perform remote access to their organization's
network from third-party devices. They may want to check their email
from a kiosk computer at a conference, for example. However, they may
not know if such devices have been secured properly or if they have been
compromised. Consequently, a teleworker could use a third-party device
infected with malware that steals information from users (e.g.,
passwords or email messages). Many organizations either forbid
third-party devices to be used for remote access or permit only limited
use, such as for Web-based email. Teleworkers should consider who is
responsible for securing a third-party device and who can access the
device before deciding whether or not to use it. Whenever possible,
teleworkers should not use publicly accessible third-party devices for
telework, and teleworkers should avoid using any third-party devices for
performing sensitive functions or accessing sensitive information.

More Information

NIST SP 800-114 was originally issued for public comment as an update to
NIST SP 800-46, Security for Telecommuting and Broadband Communications.
However, as the scope of NIST SP 800-114 evolved, NIST decided to issue
it as a supplement to SP 800-46, rather than as a replacement.
NIST SP 800-114, NIST SP 800-46 and other NIST publications assist
organizations in planning and implementing a comprehensive approach to
information security. For information about NIST standards and
guidelines that are referenced in the security guide for teleworker
devices, as well as other security-related publications, see NIST's Web
page at http://csrc.nist.gov/publications/index.html.
For information about standards and guidance for protecting information,
communications, and operations through the application of cryptographic
security techniques, see
http://csrc.nist.gov/groups/ST/toolkit/index.html.
Many manufacturers document their security recommendations in their
product documentation or on their Web sites. Some manufacturers also
make security checklists available for securing their operating systems,
applications, and devices. Many of these checklists are posted on the
NIST Security Checklists for IT Products site, located at
http://csrc.nist.gov/checklists/.

Disclaimer: Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.
Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378