With the ongoing disruptions and uncertainties surrounding the spread of COVID-19, most organizations are working to implement plans for transitioning to a fully remote workplace. However, having employees work from home can present various cybersecurity risks that must be evaluated and addressed. Remote employees are more exposed to attackers and more likely to inadvertently allow unauthorized access to organizational systems and data. This is especially true now, as many employees will be working from home for the first time and are expected to learn new protocols and policies quickly.
Even if processes were in place to allow a portion of your staff to work remotely before, not all organizations are equipped with the right systems and infrastructure to support a fully remote workforce. This dramatic and urgent shift is putting a strain on IT and security teams. Testing and deployment tools that allow large groups of users to access systems without overloading the network are key to continued productivity. In a crisis, harried staff will be rushing to get the infrastructure set up, so it is critical to ensure that everything is properly configured and processes are followed so that organizational risk is minimized.
Many vendors, like Cisco, Prisma, and Duo, have quickly jumped in to help scale remote work. Take advantage of the expertise of your partners (e.g. for assistance with available technologies), but below are some common best practices to also keep in mind:
- Limit Access to Sensitive Information
Remind employees of organizational policies for protecting sensitive data and the consequences for failing to do so. Administrators may also want to increase permissions necessary to access certain data sets and monitor access. Set alerts or require additional approvals before allowing users to download or transfer large amounts of data.
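One way to implement the "alert on large transfers" control described above is to aggregate download volume per user over a sliding time window and flag anyone who exceeds a threshold. The following is an added example, not code from the original post or from any product; the log format, user names, file names, sizes and the 400 MB/hour threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not from a real system):
# <ISO timestamp> user=<id> action=download file=<name> bytes=<n>
SAMPLE_LOG = """\
2020-03-16T09:01:05 user=alice action=download file=q1-report.xlsx bytes=524288
2020-03-16T09:02:10 user=alice action=download file=budget.pdf bytes=1048576
2020-03-16T09:03:30 user=bob action=download file=export-1.csv bytes=120000000
2020-03-16T09:04:00 user=bob action=download file=export-2.csv bytes=150000000
2020-03-16T09:05:45 user=bob action=download file=export-3.csv bytes=160000000
2020-03-16T11:30:00 user=carol action=download file=backup.zip bytes=300000000
2020-03-16T14:30:00 user=carol action=download file=backup2.zip bytes=300000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=download file=\S+ bytes=(?P<bytes>\d+)$"
)

def parse(log_text):
    """Return (user, timestamp, bytes) tuples; non-download lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["user"], datetime.fromisoformat(m["ts"]), int(m["bytes"])))
    return events

def bulk_download_alerts(log_text, threshold_bytes=400_000_000, window=timedelta(hours=1)):
    """Map each user whose downloads within any `window` exceed the threshold
    to the peak byte count observed in such a window."""
    by_user = defaultdict(list)
    for user, ts, nbytes in parse(log_text):
        by_user[user].append((ts, nbytes))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start = running = peak = 0
        for ts, nbytes in events:
            running += nbytes
            # Drop events from the left until the window spans at most `window`.
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak > threshold_bytes:
            alerts[user] = peak
    return alerts
```

With the sample data, bob's three exports within a few minutes trigger an alert, while carol's two large files three hours apart do not at a one-hour window; widening the window to four hours flags carol as well.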
- Secure Access
Take advantage of technologies like single sign-on (SSO) and multi-factor authentication (MFA). If your organization doesn’t already use MFA, it may be a good time to start. MFA should be deployed for all sensitive systems, HR platforms, student or patient records systems, etc. Having this additional layer of security will go a long way in preventing unauthorized access if passwords are inadvertently compromised or shared.
- Secure Connections
Remote workers are more likely to connect via insecure Wi-Fi, either at their own home or at public locations (e.g. coffee shops). If employees are accessing organizational accounts or systems using unsecured Wi-Fi, any data sent in plaintext can be easily intercepted and stolen by cybercriminals. Home networks may also be connected to consumer IoT devices like Peloton bikes, baby monitors, Roombas, etc., which can create new entry points for attackers to access the network and then reach corporate targets. If possible, mandate use of a Virtual Private Network (VPN) connection for all remote workers. This software establishes a secure network connection between remote devices and a host network and ensures that all network traffic is encrypted, even if employees are connecting via a public or unsecured Wi-Fi connection. VPN software also allows organizations to ensure remote computers have security patches installed and are monitored for signs of infection. As mentioned above, ensuring the organization’s VPN can support an increased number of users will be important.
- Use of Approved Devices
Employees working from home are also more inclined to mix personal and organizational equipment and to use other devices, such as mobile phones. Employees may transfer files between work and personal computers for convenience. This presents a myriad of potential risks, as personal devices are not managed by the organization’s IT department and may be running unapproved software and applications. Additionally, personal devices may not be running functional anti-virus software or have the latest critical updates installed. Because of this, they are significantly more vulnerable to attackers. Provide employees with clear guidance on the use of approved devices. With a focus on PCI compliance and payment card related activities, employees may also be tempted to continue business as usual, providing customer service and accepting payments over the phone from their remote locations or home offices. Verify that all staff understand acceptable payment processing methods and technologies. For example, outside of directing customers to online payment options, it may also be possible to continue accepting payments using a validated P2PE solution by allowing staff to take the approved P2PE payment terminals home. In this situation, it is recommended that employees continue to follow normal processing procedures wherever the card terminal is located. They should also acknowledge that they are responsible for the physical security of the card readers, and the devices should be inspected upon return. If you have questions regarding possible payment methods outside of your typical office locations/procedures, please don’t hesitate to reach out to your dedicated CampusGuard team.
- Clearly Defined Procedures
Create a detailed plan for communication and training related to remote working. Remote workers should understand what they need to do to secure their remote workspaces. Define approved equipment and applications, including approved cloud storage platforms, file-sharing platforms, video conferencing tools, project management software, etc. Ensure all remote and in-office employees are using only approved tools. Procedures should include clear requirements for passwords, system updates, data storage, etc. Making sure employees know where information should be stored and how to back up files is important so no organizational information is lost or compromised. Organizations should also remind employees that other family members should not be using their designated work devices for personal use, as this may lead to security issues or data compromise.
- Ongoing Awareness
Continue to provide employees with ongoing training and best practices for protecting information. Outside of your annual security awareness training, keeping your users up to date on new risks, especially those that are new to them as remote workers, is critical. One topic to address with employees again is phishing, and ensuring they are not falling for the increased phishing attacks that are taking advantage of new remote working procedures or capitalizing on the Coronavirus. One recent attack encouraged users to download an application that would keep them updated by showing a map of how the COVID-19 virus was spreading. When downloaded, the application installed malware on the users’ workstations. Users should be reminded not to click on links on social media, email, forums, or elsewhere. Rather, direct them to trusted sites like the WHO or the CDC for accurate and safe information. Organizations should also remind employees of the incident reporting process and provide clear guidance on what should be reported, who they should contact, etc.
Additional guidance from our Offensive Security Services team below:
[Sullivan]: While much of the world prepares to contain the outbreak of this current pandemic, attackers are unfortunately going to use the confusion and chaos to strike at the weak points of your organization. In times like these, it’s important to do what you can to maintain the security controls you already have in place. While productivity issues can lead to emergency fixes, it’s important that those fixes don’t make you an easy target.
Make sure that insecure “fixes” aren’t used that will expose the organization to greater risk. One example might be an organization needing to expand the bandwidth of their VPN to support the remote staff. If they were to open up RDP to the internet, they risk becoming vulnerable to a new wormable remote code execution vulnerability that was just found earlier this week. Or giving end users local administrator access while they’re at home because their machines can’t be administered by the Help Desk. While seemingly insignificant temporary fixes, they are both huge targets to attackers looking to take over a network and, especially with the RDP vulnerability, can lead to the compromise of your network within minutes. Combine that with users having local admin access and now the attackers can possibly gain admin access on the domain within minutes of opening RDP to the internet.
Use a 2-factor VPN to connect to your network from the outside, and if a user needs local admin, give them a separate account for it. When operations return to normal, be sure to review all emergency changes that were made and revert them.