July 2018: Secure Remote Access—Easy as A, B, C

min read

Campus Security Awareness Campaign 2018
This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. View all 12 monthly blog posts with ready-made content by visiting our security awareness resource page.

Given current norms and today's prevailing culture of a mobile "connect from anywhere" user population, institutions have no alternative recourse but to extend connectivity beyond and across their network perimeter in support of campus IT operations. But providing remote access to critical information systems, servers, and applications is a perilous endeavor. So what's an institution to do in order to help end users ensure secure remote access to IT resources? Use the information below to educate your staff, students, and faculty.

Get the Word Out

Newsletter or Website Content

It is well publicized that today's attackers are ever vigilant in their attempts to uncover weak points in networks, computers, and mobile devices to establish a foothold and leverage vulnerabilities, thus resulting in the compromise of critical assets or personal information. Areas of concern that can lead to a breach include the lack of physical security controls available at remote locations, the use of unsecured networks, and the connection of infected devices to internal networks. The challenge is especially daunting when:

  1. Staff, faculty, and students are accustomed to using use free public Wi-Fi hot spots, and some will use them to access institutional e-mails and documents.
  2. Some campus employees will e-mail work documents to and from their personal account, despite numerous security problems this creates.  
  3. Some campus employees will use free USB charging ports available at airports and other public places. These ports pose the risk of transferring viruses and malware to unsuspecting users.

Planning for Secure Remote Access

  • Assume the worst will occur and plan accordingly. Laptops and other wireless devices are prone to loss or theft. External networks not controlled by an institution are especially susceptible to compromise and data interception. Finally, remote users' devices may eventually become infected with malware.
  • Develop an appropriate remote access policy. It should define what's allowable in terms of remote access. Data sensitivity is another factor to be considered, as access to confidential or sensitive information should be restricted.
  • Configure remote access servers to enforce policies. Consider the placement of remote access servers at the network perimeter, so it serves as a single point of entry to the network and enforces the security policy before any remote access traffic is permitted into internal networks.
  • Ensure personal devices are secured against common threats. Remote devices should receive the same security applications, software, and devices as those found on campus. They should employ antivirus software and data loss protection capabilities, whenever possible.
  • Employ strong user authentication. Many external security threats will be mitigated through the deployment of multifactor authentication.
  • Create a remote access policy. Users should take every reasonable precaution to ensure their remote access connections are secured from interception, eavesdropping, or misuse. To facilitate this, anyone remotely accessing campus resources for business, maintenance, or upgrade actions should use a virtual private network (VPN) provided by the institution. Also remind staff and faculty not save or store sensitive or restricted institutional data on any remote host or external computing (access) device.

Additional Requirements for System Administrators and End Users

  • Apply computer and mobile device security software, applications, and operating system patches and updates regularly.
  • Install and use antivirus, antispyware, and VPN software on computers, laptops, and mobile devices, keeping software definitions up-to-date and running regular scans.
  • Install and enable a hardware and/or software firewall.
  • Configure devices so that authentication is required (e.g., password, passphrase, token, or biometric authentication), runs in "least privilege" mode (e.g., user instead of admin), and times out after a 15-minute period of inactivity.
  • Activate and use a "lock" feature prior to leaving the computing device unattended.
  • Set the security settings to the highest level on Internet browsers and adjust downward as necessary for Internet use.
  • At no time should a campus employee provide usernames or passwords to anyone, not even family members.
The next 18,000 FT are the only thing you should be worried about. #lockdownURlogin Lock Down Your Login
Source: STOP. THINK. CONNECT. skydiving meme

Figure 1. Use this image to support your message

Social Posts

Note: These are Twitter-ready, meeting the 140-character length restriction.

E-Mail Signature

Ask staff members to add a tip to their e-mail signature block and link to your institution's information security page.


Jane Doe

Information Security Office

XYZ College

Secure your home network to ensure that your remote access connections are protected from interception, eavesdropping, or misuse! Learn more. [Link "Learn more." to your institution's information security department page or the FTC's tips for securing your wireless network.]

Embed or Share Videos

How to Protect Your Home Network [https://www.youtube.com/watch?v=mQCWU8q-xS4] (1:49 min)

Computer Security | Federal Trade Commission (3:32 min)


Share these resources with end users or use them to inform your awareness strategy:

Brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).

© 2018 EDUCAUSE. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.