Everyone is now facing a big challenge with the sudden changes due to COVID-19. As an IT Security Manager, going from having on-site workers every day to having the majority of the workforce working from home provides a security challenge. Maintaining our organization’s productivity, connectivity, flexibility, and security is going to take all of us working together in this difficult time.
Before we get started, please ensure the safety of your employees and their families by following the WHO and your local government’s advice. Also, follow the guidelines from the WHO on ‘Getting your workplace ready for COVID-19’.
In times of crisis, the good people in the world stand out, but unfortunately, cybercriminals seize the opportunity. Attacks have increased and multiple COVID-themed attacks are surfacing. Already, cybercriminals are targeting individuals by disguising themselves as legitimate organizations, e.g. WHO, to steal money or sensitive information, and doing this by offering a cure, COVID-related tax refunds, providing misinformation that the virus is airborne, and more. We wrote this post to share our perspective and skills which we hope will help in this new reality.
It’s imperative to provide guidance to remote employees so they can do their part to help you keep your organization secure and protected from breaches. I recommend you do what you can to provide employees with the support they need to set up their home environments securely and efficiently. You have to rely on your employees’ judgment – if you make security too difficult, they will find a way around it. The key is to make doing the right thing easy, and the wrong thing difficult.
In a corporate environment, you have more control over the networks your employees connect to. In a remote setting, this is no longer the case, so it’s vital for employees to understand that they need to secure their home WiFi, both to keep the organization safe from breach and for their own sake. You need to help them make sure that only those invited to use the network are able to. Make it easy for your people to confirm that their home WiFi is secured with a WPA2 set-up and, if it’s not, make it easy for them to set that up. Confirm that their home router is updated and no longer uses default passwords. As you will know, over the years there have been many problems with the embedded systems running on home routers as well as with the WPA2 protocol itself, so keeping this often overlooked hardware up to date is essential.
When working remotely many important (and confidential) conversations that may typically happen face to face will be occurring over email, instant messenger, videoconferencing, or telephone. The range and variety of communication and collaboration tools expose the team to phishing and vishing. You need to quickly test and train the team on these types of attacks, especially now where colleagues will be having difficulty gaining access to equipment, resources, and funds—and your employees will want to help.
This leads on to the question of how your team communicates when remote—just via email or instant messengers like Slack, or full unified communication systems such as Microsoft Teams or Google Hangouts Chat? Video conferencing via Zoom or Skype? It’s worth thinking about how access to these communication platforms is secured and managed. Knowing who was in which meeting can be provided via call detail records or other auditing systems, and integrating these systems with your directory can go a long way to providing access controls. Slack provides locking of channels for private conversations, and video systems like Zoom can be protected with passwords or PINs to control access to calls. Use these capabilities, always.
In case something goes wrong, how does an employee contact the company? If they’re locked out of their account, are there other means of verifying their identity? Can they contact their manager in an emergency without being physically present? Depending on your organization, the answers may involve higher-tech paging systems or something as simple as a group chat via Signal or WhatsApp. In either case, you need to make it easy for employees to understand what to do when an incident occurs.
Employees need access to company resources to do their job, and this access is typically provided via VPNs or cloud-based tools. When people are trying to get work done, it’s very tempting to give employees full rights and open the floodgates — remember that you’re potentially giving remote access to attackers too. You need to reduce the risk and the damage an intrusion could cause, and the way to do that is to grant access on a need-to-know basis. Think about whether you want to split access by department or by individual, and how that scales. What tools do you have to help you here? Can you integrate this with your directory system and whatever other tools you’re using?
Virtual Private Networks (VPNs) effectively tunnel your network to your remote employees’ machines wherever they may be located. As with all software, your VPN clients need to be kept up to date, as they are not invulnerable to exploitation. There are many implementations, from open source such as OpenVPN and WireGuard to proprietary software such as Juniper VPN and F5 Firepass, which all provide different security guarantees and capabilities. As is often the case, open source tends to require more expertise than turnkey enterprise solutions, so consider carefully what works best for you and your workforce.
Alternatively, some companies use application portals to gain access to systems via the web. This often allows for remote desktop or other applications to be tunneled through the website. These mitigate a lot of network-level attacks, but a lot of the same rules apply to these systems as VPNs. Ensure they are protected by strong passwords and think about insisting on multi-factor authentication. You should also consider limiting access to just what the employees need for their particular role within the company and watch out for anomalies in this access.
With many workplaces now using cloud services to store their data, there’s less of a need for access to the internal network. With G Suite, Office 365, Dropbox and others, many employees don’t need a VPN or an application portal to do their jobs (for example, we collaborated on this blog post without needing access to our internal network). We do recommend setting this up, but with a requirement to use 2FA upon login. These can be worthwhile approaches and often have low management overhead—but be sure that you understand how data can move through these systems and where you can audit how it is being used. One of the upsides of using these services is that the team can easily share documents in a secure way between themselves, encrypted both at rest and in transit. Unfortunately, employees can also share documents more widely than they intend, so they need to be familiar with how file sharing works and what the defaults are. Understanding how you can apply access control policies here can help mitigate some of these problems.
Organizations that use secure tokens for software licensing, or signing keys for signing software, have to think about how to manage these. Often these are held securely in physical locations, so how do you use them if your team is remote? Can your vendor supply duplicate keys, or cloud- or network-based solutions? For signing keys, can you take advantage of cloud key management? Some of these solutions have cost implications and also require thinking about who is allowed to use these keys and when.
When working remotely, employees will be using a device to work—whether it’s a phone, tablet, laptop, or desktop. Does the device belong to the company, or is it a personal device? The answer shouldn’t necessarily change the required security posture, but it does change the level of enforcement you may be able to achieve. If the laptop is a personal machine, will the employee be willing to have all traffic monitored or corporate software policies applied?
A good place to start is to consider where it is acceptable to have workplace data reside. If it’s challenging to apply corporate policies on a personal machine, then perhaps only allow some limited access from personal machines. As risk mitigation, guides for hardening personal machines could be linked or produced for companies where it is difficult to roll out laptops for every team member.
Once you’ve decided what you want to protect, you can start by applying security policies to your systems. Microsoft security baselines can help provide the initial security posture for Windows-based systems, and Jamf provides useful checklists for macOS. The NCSC offers many guides for hardening different client environments, including Ubuntu 18.04. These provide advice along the lines of keeping your software up to date and using antivirus software, but also actionable scripts and controls to check and use.
For mobile devices (depending on how you’re allowing access), mobile device management could help. Most major directory providers like Office 365 or G Suite now offer some form of management. Consult their documentation to see the relative guarantees they give on how data can move from a device and between applications, how this is audited, and how access can be revoked.
You should ensure your software is up to date and set to update automatically. Software patching and patch management isn’t the most glamorous security task, but vendors are constantly finding and fixing security vulnerabilities in your software, so getting on top of it is crucial.
On antivirus software, many vendors provide great tools, including Windows Defender, ClamAV, Malwarebytes, and ESET, available on many platforms. This needs to be part of your security posture, but it shouldn’t end here.
We’ve talked a lot about using secure passwords and multi-factor authentication, but remembering complex passwords is difficult. Using services like LastPass, OneLogin, Apple Keychain, Mozilla Lockwise, and others can help increase password complexity whilst retaining your employees’ sanity. Often these services provide password auditing and checking against common passphrases, and enterprise versions often offer auditing of the resources your organization is using.
Two-factor authentication tools were in the past expensive and awkward to deploy, but with standards like U2F and authenticator applications for many cloud services, such as Google Authenticator, they are now easy to deploy and can be used with nothing more than a mobile phone. They help mitigate credential stuffing and other attacks.
As a security professional, you know that keeping your company safe is a process, and as a result, it’s never done. You’ll want to re-examine your security posture regularly, audit what is happening and whether it’s doing what you need it to. Priorities change even if you do everything perfectly, so it’s important to revisit what you’re doing frequently. You’ll want to build this into your own processes, and consider looking at external assessments as well as internal ones. Plan, Do, Check, and Act. Consider your threat models and what you’re trying to protect.
The advice we provide above is applicable no matter the tools you use or the vendors you go with, but if you’d like to hear more about our approach we recommend reaching out to our security team for advice—no strings attached. We can also offer a 30-day free trial for some immediate peace of mind. This includes:
We hope this advice is useful to your workplace as we all adapt and help our colleagues move to a more remote way of working. Good luck, stay safe and stay secure.