Security in the Remote Workspace (Part 1)

by Danny Cota | March 29, 2020

Introduction
As the country is literally “working” its way through the current “COVID-19 crisis” (a.k.a. “coronavirus crisis”) and an increasing number of states are mandating “shelter in place” and/or “stay at home” orders, we thought that it would be helpful to post a pair of articles on maintaining cyber-security in the “remote work world” that has become the “new normal” for architecture firms these days.

Target Audience
This first article is geared primarily toward architecture firm staff and individual contributors. For example: Architects, Designers, Project/Program Managers, Interns, Sales, Marketing and Administrative team members, etc.

What this Article Will NOT Cover
This article will NOT offer tips on “how to run a great virtual meeting” or “how to make the most of collaboration tools for your remote workforce”…not because these are not worthy topics but because there are already a HUGE number of articles on the web regarding these topics. (Not the least of which come from the key vendors in these spaces, including Zoom, RingCentral, Slack, Microsoft, WebEx, Skype, Google and on and on.)

A Brief Note
Before we get into specific security solutions for “telecommuters” it is worth noting that most architecture firms these days use a combination of centrally-managed and distributed computing resources to deliver projects to their customers. Examples of “centrally-managed computing resources” include traditional servers and network systems at your firm’s office(s); public computing resources, e.g., Amazon AWS, Google Cloud, Microsoft Azure, etc.; cloud-based applications, e.g., Jira, Asana, Slack, BIM 360, etc. Examples of “distributed computing resources” include end-user computers (desktops and laptops), tablets, smart phones, etc.

Neither approach is “better” than the other…both approaches have “pros” and “cons” from a cybersecurity and cost perspective and the reality today is that most “modern” architecture firms will employ BOTH types of computing resources in order to get their jobs done. The “cybersecurity at home” solutions that we suggest below will apply to you regardless of which type of computing resource you are using or remotely accessing!

Basic Cybersecurity at Home
Firewall: This is typically a dedicated device (though it can also be running as software on a multi-function device such as a cable modem/router/wireless access point (WAP)) that is designed to stop/drop malicious traffic from the Internet entering your home network (while at the same time allowing you to access everything on the Internet from your home network) and thus sits BETWEEN those two separate networks.

Most Internet Service Providers (ISP) such as Comcast, ATT, etc., allow you to either purchase or lease modems/routers that include firewall functionality but if you are not sure about this, then CALL your ISP and ask them to confirm that your modem/router is providing “basic firewall” functionality.

Pro Tip: There are a lot of Small Office Home Office (SOHO) firewall vendors on the market so, if you would like to take your home network to the “next level” of security (beyond the basic firewall that your ISP provides), then we suggest that you talk to your favorite IT person and get some advice on which SOHO firewall solution might be best for you.

Secure WiFi: This is actually a VERY complicated topic but, in a nutshell, you want your home’s Wireless Access Points (WAP) to support a wireless security/encryption protocol called “WPA2 + AES” (“Wi-Fi Protected Access 2” and “Advanced Encryption Standard”) to ensure that you are limiting the risk of someone trying to maliciously gain access to your home WiFi network. (Older security/encryption protocols such as “WPA + AES”, “WPA + TKIP”, “WEP”, etc., are much more prone to hacking.)

Note: You may hear of something called “WPA2 Personal” and “WPA2 Enterprise”…you do NOT need WAPs that are capable of “WPA2 Enterprise” security/encryption in your home and, in fact, most SOHO WAP vendors do not offer this “Enterprise” protocol in their SOHO product lines.

Pro Tip: There are a head-spinning number of SOHO WAP vendors; however, for price, security and ease of management we would suggest considering two vendors in particular: Ubiquiti and Cisco Meraki. Again, it may be wise to talk to an IT person before you buy your next WAP.

Antivirus: Computer viruses are bits of code (or small applications) that are designed to do (usually malicious) things on your computer…without your consent. Like “real life viruses”, computer viruses are to be avoided as much as possible and good antivirus software is designed to do just that.

The number of antivirus vendors on the market is beyond count…we would simply suggest that you have some commercial antivirus software installed on your computer regardless of whether it’s a Macintosh or Windows-based PC.

DNS Filtering: Like “secure WiFi” this is a bit of a complicated topic but, in a nutshell, a DNS filtering solution is designed to protect end users from accessing places on the Internet that are known to be malicious and/or contain “undesirable” content. (Note: DNS or “Domain Name System” is a service that translates human-readable names of “places” on the Internet, e.g., www.google.com, into machine-readable Internet Protocol (IP) addresses, e.g., “8.8.8.8”.)

The number of DNS filter vendors is actually relatively small but we would recommend looking at solutions from the following vendors: OpenDNS, TitanHQ, DNSFilter, and Webroot.
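To make the “DNS filtering” idea concrete, here is a small added example (written for this article, not code from any of the vendors above) of what a filtering resolver does with a lookup: it normalizes the name, checks the name and every parent domain against a blocklist, and answers a blocked name with a non-routable “sinkhole” address so your computer never connects to the bad host. The blocklist, the upstream answers and the addresses are all constructed sample data.

```python
# Constructed sample data: ".test" names and 192.0.2.x addresses are
# reserved for documentation and do not point at real hosts.
BLOCKLIST = {"malware-example.test", "phish-example.test"}
UPSTREAM = {                      # what a normal (unfiltered) DNS server would answer
    "www.safe-example.test": "192.0.2.10",
    "login.phish-example.test": "192.0.2.66",
}
SINKHOLE = "0.0.0.0"              # non-routable answer handed back for blocked names


def normalize(name: str) -> str:
    """Lower-case the name and drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_blocked(name: str, blocklist: set) -> bool:
    """True if the name or any parent domain is on the blocklist,
    so 'login.phish-example.test' is caught by 'phish-example.test'."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name: str, blocklist: set = BLOCKLIST, upstream: dict = UPSTREAM) -> dict:
    """Answer a lookup the way a filtering resolver would.
    Returns the address plus an 'action' field a defender can log and review."""
    n = normalize(name)
    if is_blocked(n, blocklist):
        return {"name": n, "address": SINKHOLE, "action": "blocked"}
    if n in upstream:
        return {"name": n, "address": upstream[n], "action": "allowed"}
    return {"name": n, "address": None, "action": "nxdomain"}  # name does not exist


if __name__ == "__main__":
    for q in ["www.safe-example.test", "Login.PHISH-example.test.", "nobody.test"]:
        print(resolve(q))
```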

Password Management: These tools are designed for the easy storage of passwords (and usually various other types of content requiring security, e.g., credit card numbers, documents, etc.) in a single application that can typically be accessed on multiple platforms including computers (Mac and PC) and mobile devices (iOS and Android).

Writing down computer passwords has always been a “no no” but these days there really is no excuse for this type of behavior when there are a myriad of inexpensive, secure and yet simple to use password manager applications on the market including, Dashlane, LastPass, Keeper and 1Password. Do yourself a favor and get yourself a Password Manager tool if you haven’t already!

Multi-Factor Authentication (MFA): We know…having to pull out your smart phone every time you login to a web-based application so that you can enter in some “one-time password” (OTP) code (usually four to six digits) AFTER you’ve already entered in your password for the application login is REALLY annoying but the simple fact is that MFA works! Combining something you know (your password) with something only you have (your smart phone) is currently the best method that we have for keeping random “Ukrainian hackers” from taking over your online accounts where they only have “something you know” (thanks to the wonders of the “Dark Web”) in their misanthropic little hands.

Unlike the various other technologies mentioned above, MFA is not something that you can “buy” but it is something that you CAN implement on any online applications that allow you to turn it on. In fact, we strongly suggest turning MFA “on” for any applications that support it and resist the urge to turn it off…especially on any applications having to do with finance/accounting, HR or that handle any form of payment processing (credit cards, ACH, etc.).

Remote Security “On the Road”
While the current “coronavirus crisis” has a LOT of employees working from home there are still various architecture firm people working “on the road”, e.g., hotels, airports, Starbucks, etc. The following three items apply to those “road warriors”:

Physical Security: Yes, good old-fashioned stealing of laptops, mobile devices and other computing resources still happens…a LOT! Here are some “dos” and “don’ts” that should help limit the risk of physical theft of mobile devices/laptops:

DON’T leave your laptop in your car’s trunk! Take it with you instead!
DO leave your laptop/tablet in your hotel room’s safe (assuming that it has one) when you leave your room!
DON’T leave your laptop on the table at Starbucks while you go to the restroom…again, TAKE IT WITH YOU!

Disk Encryption: Despite all the “dos” and “don’ts” above, you could still have your laptop/mobile device stolen from you…it happens. BEFORE this happens, though, you should have enabled disk encryption on your Mac (via “FileVault”) or Windows-based PC (via “BitLocker”) so that the person(s) who stole your laptop cannot easily decrypt/access the files on your laptop’s “hard disk”. (Mobile device encryption is beyond the scope of this document but most iOS devices are encrypted “by default” assuming that you enable a “Touch ID”, “Face ID” or “passcode” on them.)

VPN Services: The use of “public WiFi” for work-related usage on corporate laptops (or personal laptops) and mobile devices used to be strongly DISCOURAGED by “corporate IT types.” These days, though, those same “corporate IT types” have realized the futility of discouraging users from using “free WiFi” and simply ask that they access corporate data/applications either over the corporate “Virtual Private Network” (VPN) if they offer one or via a secure and reputable VPN Service Provider. (VPNs are “tunnels” designed to encrypt network traffic and communications between a VPN “client” and a VPN “server” or destination.)

Such “secure and reputable VPN Service Providers” include: ExpressVPN, PIA and NordVPN.

Conclusion
As the length of this article illustrates, the topic of “cybersecurity at home/on the road” is neither short nor “easy” but it is not “too complicated” either. It requires time to research and implement; it requires some amount of money (unfortunately, few of the solutions above are “free” in the strict sense of the word); it also requires just a little bit of “grit” as well to “get ‘er done” but, in the end, the peace of mind WILL be worth it!

In “Part 2” of this article pair, our target audience will primarily be Management/Principals and IT Managers at architecture firms and will focus on centrally managed cloud/server-side technologies such as Virtual Desktop Infrastructure (VDI), remote desktop applications, Mobile Device Management (MDM), Single Sign On (SSO), etc.

Danny Cota
Co-Founder
GSDSolutions LLC
danny@gsdsolutions.io

GSDSolutions is an IT services firm that specializes in servicing small business and non-profits in the Bay Area and Southern California.