With employees working from remote locations now and for the foreseeable future, opportunities for cyber criminals to exploit processes and people increase. During this time, focus your security efforts on the following critical areas.
Common Concern #1 – Employee Awareness & Training
How do you maintain awareness of security threats with a dispersed workforce and targeted phishing and malware attempts related to COVID-19 on the rise?
With more people logging in from remote locations, they may begin to fall victim to common types of end-user attacks, including lures built around current world events. Attacks on remote employee devices may take longer to identify, triage, and remediate, which increases the overall risk to your data and systems. Maintaining cybersecurity awareness for users outside of a local office is critical: the compromise of any one individual's device can become a compromise of the whole environment.
- Resend and refresh work-from-home policies. Send employees a refresher on work-from-home protocols, both at the beginning of the work-from-home period and periodically throughout its duration. Remind them of the approved tools, company policy, and any other company-specific considerations that apply when moving into a new working arrangement.
- Provide updated employee training on phishing scams. Train and update employees and contractors (anyone with remote network access) on common phishing scams, which may increase in volume during a work-from-home scenario and include specifically targeted attacks around world events.
Common Concern #2 – Monitoring Remote Networks
How do you maintain the security of devices outside of the corporate environment?
Home and remote environments may introduce threats to the end user's device that are not present when the device is within your secure, controlled environment. Maintaining secure endpoints requires either minimum specifications for the employee's home network (wireless security protocol, remote connectivity) or the ability to monitor the endpoint device directly.
- Monitor and protect devices on end-user networks. This includes the ability to remotely access and manage endpoints, monitor end-user devices for signs of compromise, and harden devices so insecure devices on the same network cannot compromise the security of your endpoint.
- Ensure regular review of suspicious activity. Make sure IT and security teams are still regularly reviewing security consoles and tools for suspicious activity on endpoints. Watch for new attack types that may originate from user home environments – for example, attackers may exploit unpatched or vulnerable Internet of Things devices on the same networks as work-from-home laptops.
- Additional IT support. Additional support from key business partners may be needed to help establish new processes and assist with IT workload to reduce strain on the existing IT team.
- Employee responsibility. Make sure all bring-your-own devices (BYOD) and third-party applications are patched and operating systems are up to date. Commonly used controls, including password-protected Wi-Fi, end-user password controls, and end-user patching, should be communicated as requirements for anyone using their own device for work.
Common Concern #3 – Protecting Access to Data
How do you ensure only authorized users and systems have access to critical data?
Remote toolsets require the same access and logging controls that are applied to on-premises systems, covering file, database, and system access.
- Turn on logging controls. Enable logging controls as required by contractual and compliance requirements around data and system access.
- Enact role-based access. Establish role-based access controls for remote users and data sets that match on-premises controls, including network-level controls for users who access the environment through a VPN or virtual desktop infrastructure (VDI).
- Additional controls. Consider additional controls (e.g., administrative jump boxes or bastion hosts) for administrator access, so that internal applications are not exposed directly to the more dispersed end-user population.
Common Concern #4 – Bringing Employee-owned Devices Up to Par
How do you secure access to systems when accessed from the internet on employee-owned devices?
Where work from home is an anticipated part of the job, employees should be provided equipment by the company to continue their duties. Nevertheless, it is becoming more common for employees and contractors to use their own devices. Security controls that hold on corporate-provided systems may no longer apply once remote or employee-owned devices are in use, and in some cases contractual or compliance requirements cannot be met on devices the company does not manage.
- Provide secure devices to employees when possible. Don't just expose systems publicly as a way to get people working. Ransomware operators actively exploit exposed remote desktop protocol (RDP), so every newly exposed endpoint is another opportunity for compromise. Provide secure devices for employees to use when working out of the office. This lets you set specific security controls without requiring the employee to use their own device for day-to-day duties.
- Require secure controls on employees' devices. Should an employee need or want to use their own device, they must maintain secure controls on their network and systems (Wi-Fi security protocol requirements, access controls on employee-owned devices, patching of employee devices).
- Use multi-factor authentication liberally. Enable multi-factor authentication and maintain secure password and authorization controls when allowing users to access company systems remotely. This may extend down to the desktop level, depending on the business and the sensitive data that may reside locally. Require multi-factor authentication on all remote access points, cloud-hosted software, and employee communication platforms to enforce authorized access.
- Remote access controls should be carefully managed. Remote access controls should be secured and reviewed by the IT team. These should be some of the most secure access methods in the business, incorporating multiple layers of controls before access is granted.
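The two points above about watching for new attack types on endpoints (Concern #2) and about exposed RDP being a favoured ransomware entry point (Concern #4) both come down to the same review: look in the Windows Security log for RDP sessions that arrive from the internet and for password guessing against RDP. The following is an added example, not part of the original article, showing that detection run over a constructed sample export. It relies on two facts about Windows event logging: Event ID 4625 is a failed logon, 4624 a successful one, and Logon Type 10 (RemoteInteractive) is the type an RDP session produces. The one-line-per-event text format, the "internal" address ranges and the brute-force threshold are assumptions for the example; a real SIEM export would need its own parser and your own VPN or office ranges.

```python
"""Flag internet-reachable or brute-forced RDP in Windows Security events.

Added example with constructed log lines (not real data). Facts relied on:
Event ID 4625 = failed logon, 4624 = successful logon, Logon Type 10 =
RemoteInteractive (RDP). The key=value line format is an assumption.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line. The 203.0.113.x and
# 198.51.100.x addresses are documentation ranges standing in for public IPs.
SAMPLE_EVENTS = """\
2020-04-01T10:00:01Z EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=10.20.30.40
2020-04-01T10:00:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5
2020-04-01T10:00:06Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2020-04-01T10:00:07Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.5
2020-04-01T10:00:08Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.5
2020-04-01T10:00:09Z EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.5
2020-04-01T10:00:30Z EventID=4625 LogonType=2 TargetUser=asmith SourceIP=192.168.1.15
2020-04-01T10:05:00Z EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.77
2020-04-01T11:30:00Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=192.168.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Assumed "internal" ranges: RFC 1918 plus loopback. Replace with your own
# VPN pool and office ranges; anything outside them is treated as the internet.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

RDP_LOGON_TYPE = 10
EVENT_LOGON_OK = 4624
EVENT_LOGON_FAILED = 4625


def parse_events(text):
    """Parse the constructed export into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["event_id"] = int(e["event_id"])
        e["logon_type"] = int(e["logon_type"])
        events.append(e)
    return events


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rdp_findings(events, threshold=5, window=timedelta(minutes=1)):
    """Return (kind, source_ip, detail) tuples for two RDP conditions.

    rdp_from_internet: a successful RDP logon from a non-internal address,
        i.e. the host is reachable from the internet.
    rdp_brute_force: at least `threshold` failed RDP logons from one source
        inside `window`; detail is the sorted list of user names tried.
    """
    findings = []
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]

    for e in rdp:
        if e["event_id"] == EVENT_LOGON_OK and not is_internal(e["ip"]):
            findings.append(("rdp_from_internet", e["ip"], e["user"]))

    failures_by_ip = defaultdict(list)
    for e in rdp:
        if e["event_id"] == EVENT_LOGON_FAILED:
            failures_by_ip[e["ip"]].append(e)

    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        # Sliding window: count failures starting at each event until the
        # window is exceeded; report the source once if any window hits threshold.
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                users = sorted({f["user"] for f in fails[i : j + 1]})
                findings.append(("rdp_brute_force", ip, users))
                break
    return findings


if __name__ == "__main__":
    for kind, ip, detail in find_rdp_findings(parse_events(SAMPLE_EVENTS)):
        print(f"{kind}: source {ip} -> {detail}")
```

On the constructed sample, the logon from 10.20.30.40 is left alone as internal, the successful session from 198.51.100.77 is reported because it shows an RDP service answering directly to the internet, and 203.0.113.5 is reported for five failed logons against five different account names within seconds, which is the account-enumeration pattern of an RDP brute-force tool rather than a user mistyping a password. The console logon failure (Logon Type 2) from 192.168.1.15 is correctly ignored. The fix for the first finding is the one the article gives: put RDP behind a VPN or VDI with multi-factor authentication rather than exposing it.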
Common Concern #5 – System-wide Data Security
How do you maintain data security across all systems?
When employees use their own devices and own networks, it’s vital to monitor where data is stored and exchanged to prevent data loss and ensure that all compliance and contractual requirements are followed. A lack of defined storage locations and protocols will lead to increased data spread, increasing the likelihood that data is stored in an insecure location once workers return to normal working conditions.
- Require multi-factor authentication (MFA) to access sensitive data and critical applications. Maintain logging and monitoring controls and establish increased security tool sets including data loss prevention (DLP) and a cloud access security broker (CASB).
- Maintain role-based access controls. Place restrictions on what data an individual user can access through a remote toolset. Maintain role-based access controls or other means to enforce the same access controls that are present with local file systems.
- Standardize file sharing. Standardize on a single provider to allow end users to access files remotely and securely. Many tools allow for active collaboration in a shared environment, reducing the need to share individual files back and forth.
- Data storage & third-party systems. Establish clear storage locations and security protocols around data stored in third-party systems. Validate contractual requirements around this data and maintain these requirements across any location of stored data.
Common Concern #6 – Secure Communications
How do you enable your employees and clients to communicate through secure channels?
Various forms of collaboration and messaging software may open up risks to data security and compliance. Controls around user access, logging, monitoring, and data encryption may be lost when data moves through employee collaboration tools. This can lead to insecure data transfer and storage, and once workers return to the office, a larger footprint of company data may exist that must then be located and secured.
- Remote data access. Ensure there is a secure method of accessing data remotely, through cloud hosting, virtual private network access, virtual desktop infrastructure, or other means. Without a way for end users to access files securely, they may fall back on insecure methods of data transfer (file transfer protocol (FTP) servers, email, public-facing file shares) or unauthorized means (cloud storage providers not approved by the company).
- Security controls for audio/video software. Maintain security controls not just on data, but also on audio/video forms of communication. The use of these methods of communication may also open up additional security or contractual concerns.
- Reduce storage of personally identifiable information (PII). If recording is enabled for any of these call methods, compliance or security requirements may require disabling call recording to reduce the storage of PII.
- Turn notifications on. Where applicable, have items such as meeting join notifications turned on. Sensitive conversations may occur, and this can alert you to someone joining who may not need to be present.
- Scale remote access. Ensure that a remote access solution is scalable to the entire workforce. If there is a heavy use of on-prem/centralized resources that require access, performance and contention may be a concern.
- Review remote access performance. Review remote access licensing for performance limits and review monitoring and metrics around remote access to make sure employees can still be productive remotely.
- Standardize security. Expand the centralized security and filtering tools to maintain the same level of monitoring and security controls across all remote endpoints.
Common Concern #7 – Incident Response in Remote Environments
What do you do if there is a security incident when users are remote?
As workers become remote, the incident response and disaster recovery plans must scale to cover a remote workforce.
- Employees should know what to do. Ensure your employees know how to reach support if their device is stolen or they believe they have been the victim of a scam. This should include both an email address and phone number.
- Amend the existing incident response plan. Extend the plan to account for remote workers, including how you will update remote devices and push changes when you do not have direct access to the system.
- Maintain an alternate communication system. Maintain an out-of-band communication system to alert employees of emergencies without relying on the normal communication channels, which may themselves be affected by the incident (for example, Send Word Now).
Common Concern #8 – IT Support for Remote Workers
How do you maintain the security of your environment once users work remotely?
Remote workers will need a way to contact IT for support. Additionally, companies must establish methods to allow for effective remote support.
- Help desk process for verifying requests. The help desk will need a process to verify the identity of an end user requesting access to systems, changes to permissions, or changes to other security controls. Without such verification, an attacker impersonating an employee can use this channel to gain access.
- Help desk process for IT remote workers. Implement a ticketing system to track and distribute help desk work. Implement secure methods of support, including multi-factor authentication for remote access to systems. Keep the help desk effective while remote, including its monitoring and alerting, end-user support, and enforcement of end-user controls.
- Maintain clear documentation that allows employees to get up and running remotely, should remote access needs suddenly arise.
- Identify how you will lock down a device to contain an attack when that device is off the corporate network.
Contributors: Nathan Beu, Zach Savage, David Chaddock, Nate Ulery, Sean Curran