6 Tips for Safe Remote Computing
As a provider of IT services for a variety of businesses, I have witnessed a myriad of Internet vulnerability issues, especially as more and more work is performed on the road. My company, Synametrics, is a leading provider of software solutions that help companies share their valuable, often crucially private information both securely and efficiently. But these tools must be combined with user vigilance.
We put the best security capabilities we can into our products, but we can't do it all. You should be aware of other products and - more importantly - safe practices that thwart the common attacks that victimize innocent users.
In our last blog entry, we talked about password security and password managers. Here are some other important security measures you can - and should - take:
Use a VPN (Virtual Private Network)
I am writing this in a Starbucks using the 'Google Starbucks' Wi-Fi network. Even though I had to open a web browser and click a button to connect to the Internet, the connection is completely open and unencrypted. Anyone else in the café could intercept my communications.
But I'm not concerned and I'm not vulnerable. I'm running a VPN client. I pay for a service that has points of presence all over the world. Once I'm connected to the Internet my VPN client connects to one of those points of presence. From that point until I disconnect, the VPN connection acts as a network proxy, encrypting all Internet communications, sending them to the point of presence where they are decrypted and redirected on to their destination. Incoming communications work the same, going through the VPN before getting to me.
As a result, even plain text communications are opaque to anyone snooping on the local network. HTTPS sites, which use SSL (Secure Sockets Layer) to encrypt traffic, also protect your communications with them even on open networks, but the connection information is still open: a network intruder would see which sites you're communicating with. When you use a VPN, all they can see is that you're on a VPN.
can and often do provide VPN services for users on the road, but if
yours doesn't, or just for your own personal communications, you
may want to subscribe to a service. We don't endorse any in
recently reviewed 10 of them.
No VPN? Insist on SSL
Sometimes a VPN is not available. In that case, you need to be conscious of what you are doing on the Internet and try, wherever possible, to use SSL, a protocol used by many programs to encrypt communications with a server.
In a web browser, an SSL connection will have an 'https://' prefix rather than 'http://' and you will see a 'lock' icon of some kind near the address, such as this one from Google Chrome:
Facebook is one of the many sites which will now connect only over SSL. Through a standard called HSTS (HTTP Strict Transport Security), if you attempt to connect to it through http it will redirect your request to https. But not everyone does this yet. And some protocols, like the classic SMTP, IMAP and POP3 email protocols, don't usually have SSL support.
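Added example, not part of the original post: Python that parses the Strict-Transport-Security header as RFC 6797 describes it and tells a site that only redirects to https apart from one whose HSTS policy the browser will remember. The host names and responses are constructed samples, and parse_hsts and classify are names chosen for this example.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns (max_age, include_subdomains), or None if a browser would ignore it."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                 # the value may be a quoted string
        if not name:
            continue                        # a stray ';' is allowed
        if name in seen:
            return None                     # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def classify(http_resp, https_resp):
    """Each response is (status, headers) with lower-case header names:
    http_resp answers http://site/, https_resp answers https://site/."""
    status, headers = http_resp
    redirects = (status in (301, 302, 303, 307, 308)
                 and headers.get("location", "").lower().startswith("https://"))
    # A header sent over plain HTTP is ignored (RFC 6797 section 8.1),
    # so only the HTTPS response can set the policy.
    policy = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if policy and policy[0] > 0:            # max-age=0 removes a stored policy
        return "hsts"
    return "redirect-only" if redirects else "no-enforcement"

# Constructed sample responses (not captured from real sites).
SAMPLES = {
    "strict.example": ((301, {"location": "https://strict.example/"}),
                       (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})),
    "redirect.example": ((302, {"location": "https://redirect.example/"}), (200, {})),
    "plain.example": ((200, {"strict-transport-security": "max-age=31536000"}), (200, {})),
    "optout.example": ((301, {"location": "https://optout.example/"}),
                       (200, {"strict-transport-security": "max-age=0"})),
}

if __name__ == "__main__":
    for host, (http_resp, https_resp) in SAMPLES.items():
        print(host, classify(http_resp, https_resp))
```

A "redirect-only" site still receives the first request of every visit in plain text; only the "hsts" result means the browser itself switches to https before sending anything.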
When you connect to an SSL site, it is important not to ignore errors reported by the browser. Consider this image, also taken from Google Chrome:
There is a problem with the SSL certificate on this web site. Specifically, the certificate is 'self-signed' and not issued by a trusted certificate authority, but you will also see such errors if the certificate has expired or been revoked, or any of a number of other errors. Before connecting you, current versions of web browsers will display an error message describing the problem. In such a case, you should almost certainly not connect.
Modern versions of SSL are actually called TLS (Transport Layer Security) but, as a practical matter, 'SSL' is acceptable for them too. SSL is popular with other programs for encrypted communications, but these are less visible to the end user.
Install Software Updates
Many organizations and individuals are still lax about applying updates to software or upgrading from old versions known to be insecure. This is one of the main ways that systems actually get exploited in the real world.
There are a few products which are the main targets of attackers: Microsoft Office, Adobe Flash, and Oracle's Java. Windows itself (including Internet Explorer) is also a very large target, but not so much for very recent versions. Adobe has done a good job of minimizing vulnerabilities in Acrobat and the PDF Readers. But you should make a point of applying updates on all of these products promptly.
If your company allows you to install personal software on a company device, remember that they may not update your software. It's your job to do so.
Secunia sells products which check systems for outdated, vulnerable software.
For Admins: Insist on Auditable Logs
When things go wrong you need the information to determine what happened. Applications that offer to write liberally to system logs, allowing you to determine which events you want logged, are your best hope for getting to the root of the problem. Ideally they write to the system event logs or support the syslog standard; at the least, their logs should be importable into analysis products.
For Admins: Turn on Intrusion Alerts
At the level of both the network and individual systems, you should run intrusion prevention software, and don't be stingy about enabling alerts. Certain innocuous alerts may show up a lot, but it's the unusual things you're looking for. Alerts allow you to jump on them quickly, before an attacker can gain a privileged foothold on your network.
For Admins: Use Blacklists for Attacks
Blacklists are dismissed by many for being too reactive, but reactivity can be underrated. Many systems, once under the control of attackers, can be a steady source of attacks for a long time. Spam blocking systems for email make extensive use of blacklists and server-based reverse proxy security software generally supports them. You can use what you learn from logs and alerts to block malicious systems.
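The three admin tips above (auditable logs, alerts on the unusual, blacklists fed by what the logs show) chained together, as an added example that is not part of the original post: Python that reads sshd lines in syslog format, skips a source known to be noisy but harmless, alerts on bursts of failed logins, and proposes blacklist entries. The log lines are constructed, and KNOWN_NOISY, the threshold and the window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in classic syslog format; addresses are documentation ranges.
LOG = """\
Mar  3 10:00:01 gw sshd[801]: Failed password for probe from 192.0.2.10 port 40001 ssh2
Mar  3 10:00:31 gw sshd[802]: Failed password for probe from 192.0.2.10 port 40002 ssh2
Mar  3 10:01:01 gw sshd[803]: Failed password for probe from 192.0.2.10 port 40003 ssh2
Mar  3 10:01:31 gw sshd[804]: Failed password for probe from 192.0.2.10 port 40004 ssh2
Mar  3 10:02:00 gw sshd[810]: Failed password for alice from 198.51.100.23 port 50210 ssh2
Mar  3 10:15:01 gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 gw sshd[813]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:09 gw sshd[814]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:15:12 gw sshd[815]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:16:30 gw sshd[816]: Accepted password for root from 203.0.113.7 port 51163 ssh2
Mar  3 10:22:40 gw sshd[820]: Failed password for alice from 198.51.100.23 port 50377 ssh2
Mar  3 10:23:05 gw sshd[821]: Accepted password for alice from 198.51.100.23 port 50390 ssh2
"""
# The user name is remote-supplied text, so the source is read from the fixed tail of the line.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?.* from (?P<src>\S+) port \d+ ssh2$")
KNOWN_NOISY = {"192.0.2.10"}  # assumption: an internal monitoring probe that fails logins all day

def triage(log_text, threshold=4, window=timedelta(minutes=5), year=2024):
    """Return (alerts, blocklist) derived from sshd lines in a syslog file."""
    fails, alerts, blocklist = defaultdict(list), [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["src"] in KNOWN_NOISY:
            continue  # not an sshd auth line, or a source already known to be harmless
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = [t for t in fails[m["src"]] if ts - t <= window]
        if m["outcome"] == "Failed":
            fails[m["src"]] = recent + [ts]
            if len(recent) + 1 >= threshold and m["src"] not in blocklist:
                alerts.append(("brute-force", m["src"]))
                blocklist.append(m["src"])
        elif len(recent) >= threshold:
            # A success straight after a burst of failures is the alert to act on first.
            alerts.append(("login-after-brute-force", m["src"]))
    return alerts, blocklist

if __name__ == "__main__":
    print(triage(LOG))
```

With the default settings, alice's two mistyped passwords twenty minutes apart raise nothing, while the burst from 203.0.113.7 produces both an alert and a blacklist entry.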