How to securely access your office computer from remote locations

In this blog we talk about the security of hybrid working models and the preventative measures you should take when connecting remotely to your office computer. The remote location could be your home office or a public place, which requires even more attention. Employees could be sent on a business trip and work from an airport, hotel room, café, restaurant and the like. Since the pandemic, more and more companies are supporting hybrid working models to be more attractive to their employees. The question, however, is whether they have also adapted their network infrastructure and technology accordingly to ensure an adequate level of security.

Recent analyses of Internet port usage have shown that the use of dedicated remote desktop ports is growing rapidly. This means that more and more people and businesses are using remote desktop tools to access their devices remotely (Trends in internet exposure).

We have already discussed the topic of new work models in the blog Can Remote Work Prevent Employee Resignation and provided some general security guidelines in the Basic Guidelines for Securing Your Remote Desktop Sessions – this blog presents general security at various levels.

As we have learnt from these two blogs, the proportion of remote workers has increased significantly after the pandemic, so more attention needs to be paid to security – not only at the enterprise level, but especially when working remotely (off-site).

When working outside the company, it’s crucial to ensure that all aspects of security and privacy are properly addressed and safeguarded.

Connect via remote desktop software

The easiest and most reliable way to move to a hybrid working model without compromising security is remote desktop software. It allows workers to access their company’s systems and applications remotely and securely. However, despite the highest security standards that such software ensures, we would like to point out some precautions that are still the responsibility of the users.

Advantages of remote access

Using remote access eliminates the need for home devices, VPN and most storage devices. Deletion of corporate data on private devices is also not required. This is possible because remote access allows work to be done on the office PC and only the contents of the screen are transferred while all data remains in the office. File transfer and the clipboard can also be disabled, which further increases security.

Enable unattended access

At ISL Online, we provide software solutions for unattended remote access. We will therefore present examples of the use of our software ISL Always On and ISL Light.

The requirements for successful remote access are that the target computer is turned on, that ISL AlwaysOn (unattended access) is enabled and installed on the target computer, that you have network access to the remote computer, and that you have permission to connect. It is also recommended that you connect to the company’s device (not your personal device). The computer initiating the session should have ISL Light installed.

To set up unattended access on a Windows, Mac or Linux computer, you need to install a remote access agent on the computer. You can do this by email, link or access code.

Ways to Connect

There are several ways to establish a remote connection:

  1. Connect to an unattended computer running Windows via RDP, SSH or another protocol
  2. Connect to an unattended computer with any OS
  3. Connect to an unattended computer via a custom tunnel

1. Connect to an unattended computer running Windows via RDP, SSH or another protocol

Given the widespread use of Windows OS, we’ll discuss this option first. RDP, a proprietary Microsoft protocol, typically requires a VPN connection tunnel and firewall modifications for added security. However, when combined with ISL Always On, these extra measures are unnecessary, as our software automatically creates a protected tunnel for your traffic.

By routing an RDP connection through ISL Always On, you solve the biggest security problem. ISL Light technology allows you to avoid port forwarding, VPN tunneling, and firewall configuration changes. If you currently have any ports open for RDP, you can close them and route your RDP sessions through ISL Light’s secure tunnel. This way you can connect to another computer on a local or remote network without compromising your security.
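To confirm that an office computer no longer answers RDP on a directly reachable port after you close it, the following added example (not ISL Online's code, and not from the original post) sends the first packet of an RDP handshake and classifies the answer. The address in `__main__` is a documentation placeholder, and the result names `unreachable`, `open-not-rdp` and `rdp-exposed` are labels chosen for this example.

```python
import socket

# X.224 Connection Request carrying an RDP Negotiation Request
# (MS-RDPBCGR 2.2.1.1). It is the first packet any RDP client sends.
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT header: version 3, total length 19
    "0ee00000000000"    # X.224 CR TPDU: length 14, code 0xE0
    "0100080003000000"  # RDP_NEG_REQ: type 1, length 8, protocols TLS|CredSSP
)


def probe_rdp(host, port=3389, timeout=3.0):
    """Return 'unreachable', 'open-not-rdp' or 'rdp-exposed' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(X224_CONNECTION_REQUEST)
            try:
                reply = sock.recv(64)
            except OSError:  # timeout or reset after connecting
                return "open-not-rdp"
    except OSError:
        # Refused, filtered or timed out: nothing accepts connections here.
        return "unreachable"
    # An RDP listener answers with TPKT (0x03) wrapping an
    # X.224 Connection Confirm TPDU (code 0xD0 in byte 5).
    if len(reply) >= 6 and reply[0] == 0x03 and reply[5] & 0xF0 == 0xD0:
        return "rdp-exposed"
    return "open-not-rdp"


def audit(targets):
    """Probe each (host, port) pair and map 'host:port' to its state."""
    return {f"{host}:{port}": probe_rdp(host, port) for host, port in targets}


if __name__ == "__main__":
    # Placeholder address (TEST-NET-3); replace with your own office hosts
    # and run from outside the corporate network.
    for target, state in audit([("203.0.113.10", 3389)]).items():
        print(target, state)
```

Every host you have moved behind the tunnel should report `unreachable` when probed from an external network; `rdp-exposed` means a forwarded port or firewall rule is still in place.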

Compared to normal unattended access using the ISL Online software, connecting via RDP offers a number of advantages. Besides increasing your security, it allows you to:

  • see the screen of the remote computer in its original resolution
  • see the remote desktop on all your monitors
  • use all the features of Remote Desktop, such as sharing printers, files and the clipboard
  • access Windows systems from non-Windows platforms
  • enjoy super-fast audio and video transfers thanks to RDP’s peer-to-peer technology
  • connect your USB devices to your local computer and work with their content on the remote Windows computer
  • have your remote desktop connections protected with 256-AES SSL encryption

Configure ISL AlwaysOn to allow tunnel connections (RDP, SSH).

2. Connect to an unattended computer with any OS

If your company’s computer is not running the Windows OS, you can still establish a secure remote connection via ISL Always On, but in this case some of the above-mentioned advantages of RDP cannot be used. You can find more information on how to set up unattended access on our website.

3. Connect to an unattended computer via a custom tunnel

Besides RDP and SSH, you can also define completely custom tunnels that allow you to use the software of your choice to connect to the remote computer. This feature is particularly helpful when you are dealing with outdated industrial machines that don’t support current internet protocols, only old ones such as Telnet. In this case, it is still possible to access them remotely by doing the following.

Install ISL Always On on a computer that is on the same LAN as the machine, and install ISL Light on the computer that initiates the session. ISL Light creates a custom tunnel to secure Telnet (or any other type of legacy Internet connection tool).

This is very useful for industrial environments to allow remote control and monitoring of obsolete machines.

Security guidelines you must apply on the client’s side

So far we have explained how to establish a secure connection to a remote computer, but you should also pay as much attention to the other side, the one that initiates the connection from outside the corporate network.

Following the motto “Better safe than sorry”, we want to make sure that you use remote desktop software responsibly. To help you achieve this, we offer some tips and recommendations on preventive measures you should take to ensure compliance with the ISO 27001 security standard and make your systems even more secure.

Tip #1 – It is not recommended that a company support a so-called Bring-Your-Own-Device policy, since it is very difficult to ensure an adequate level of security in this case.

Tip #2 – Physical security is important (never leave your remote work machine unattended, never allow someone else to work on it, etc.).

Tip #3 – If you have a machine at work, then it is recommended to use your Remote Work Device to connect to your machine at work through a secure tunnel (e.g., ISL Always On, ISL Light + RDP etc.) and then do all your work through that secure tunnel.

Tip #4 – All electronic devices should be adequately protected. This includes:

  • All electronic devices used to access the organization’s documents and services (e.g., Jira, email, etc.)
  • Computer hard drives should be encrypted
  • Phones should be encrypted and protected by a PIN (at least 6 characters long), password, or biometrics (drawing a pattern alone does not provide sufficient protection)
  • USB sticks and other portable media should be encrypted (used only in exceptional circumstances and deleted immediately after use)
  • It is strongly recommended not to use unlicensed software

Tip #5 – Never lend the company’s devices assigned to you to other people.

Tip #6 – Never use the company’s devices for other (non-work related) purposes, such as gaming, streaming online content, etc.

Tip #7 – Always use strong passwords:

  • Use a password generator
  • Use at least 8 alphanumeric characters, 1 special character and some uppercase letters
  • Each system should have its own password
  • Use a special program to store the passwords, e.g. KeePass, LastPass, Team Pass

Tip #8 – If you lose a device mentioned in Tip #1, immediately inform the security engineer and the manager of your area. The same applies to lost access cards, forgotten access codes, etc.

Tip #9 – If confidential information about your work accidentally “slips out” – immediately inform the Security Engineer.

Tip #10 – Automatic locking of the devices’ screens should be set to the maximum of 5 minutes.

Tip #11 – Do not use public networks.

Tip #12 – If you are in a public place, such as a coffee bar or an airport, it is better to connect through your cell phone and set up a hotspot.

Tip #13 – In a public place, be especially careful that no one is looking over your shoulder or listening to a business call.

This is just a brief summary of the top risky behaviors we have noticed our users engage in. By following these guidelines, you can safely use remote desktop software like ISL Online and work efficiently from virtually anywhere.

However, be aware that incidents can happen to anyone. So if you suspect something, do not try to hide it, but report any strange behavior on your computer or other work-related equipment to your security officer immediately.
