We all know that our television remote controls are working overtime right now, but what about your IT security controls?
When an employee is at the office, they are typically working behind layers of preventive security controls. A change to work environments on this scale, however, has dramatically increased the attack surface for most organizations. When computers and devices leave the perimeter, they are more susceptible to attacks from third parties, and additional security practices become essential. Previously, IT was focused on protecting the organizational network; organizations should now focus on protecting users and applications regardless of whether they are within the organizational network or in the cloud.
Organizations had to work quickly to set up remote environments in order to ensure business continuity, but now that we are home and unsure of exactly how long we will remain here, it is important for IT security to take a step back, evaluate these new environments, and ensure they are built to last.
Outside of your own policies and procedures, you can always rely on existing cybersecurity frameworks to provide a baseline of security controls. Below is a high-level look at NIST SP 800-171, customized to fit your freshly altered remote environments. You can use this as a cross-reference to help protect your organization from unauthorized access.
- 3.1 Access Control
  - Verify system access is limited to only authorized users.
  - Make sure your list of authorized users (including roles and functions) is up-to-date and accurate.
  - Restrict access to sensitive information and increase the permissions required to access certain data sets. Tightly control remote access through management approvals.
  - Set alerts or require additional approvals before allowing users to download large amounts of data.
- 3.2 User Awareness Training
  - Implement or update remote working policies and ensure all staff have reviewed and acknowledged their responsibilities.
  - Continue to provide security awareness training and update users on new risks.
  - Focus on phishing and remind users not to click on suspicious links in e-mails, social media, etc.
- 3.3 Audit and Accountability
  - Log and monitor all remote access connections (and attempts).
  - Ensure all actions of individual system users can still be uniquely traced to those users.
  - Verify teams are receiving logs from approved cloud service providers and regularly reviewing them for unauthorized access and/or data exfiltration.
- 3.4 Configuration Management
  - Provide guidance to users on securing Wi-Fi connections.
  - Limit the applications available for remote access.
  - Restrict off-network communications from virtual desktops to limit exposure.
  - Review configurations and controls for cloud applications on a regular basis.
  - Shifting from full-tunnel to split-tunnel VPN may be necessary, but it can reduce endpoint visibility. Consider augmenting network visibility with a cloud proxy.
- 3.5 Identification and Authentication
  - If possible, implement Multi-factor Authentication (MFA) for all organizational applications.
  - Review cloud services to verify MFA has also been implemented for these services.
  - Ensure any traffic originating from the VPN can be appropriately tied to approved IP addresses, and that the assignment of IP addresses can be appropriately correlated to user accounts.
  - Implement a method to validate that only known devices establish connectivity to the network.
- 3.6 Incident Response
  - Provide clear guidance on what should be reported, who should be contacted, updated help desk information, etc.
  - Clearly define the process to follow if a breach or security threat occurs.
  - Update your incident response plan with lessons learned from the massive incident response effort you are in the middle of right now!
- 3.7 Maintenance
  - Ensure your timeline for routine maintenance is being followed (installing critical patches, updates, etc.).
  - Focus on those applications that are seeing increased usage right now. Cybercriminals are also shifting their focus to remote technologies.
- 3.8 Media Protection
  - Verify all devices being used for remote working have been secured accordingly.
  - Deploy a multi-layer endpoint agent on employee endpoints to detect, protect against, and respond to malicious activity.
  - Verify systems and data are being backed up according to policy. Identify the administrators that have remote access to data backups.
- 3.9 Personnel Security
  - Are all employees screened prior to access? Verify whether this procedure has changed with the move to remote environments.
  - Additional consideration may be needed for family members who now have access to organizational devices and information.
- 3.10 Physical Protection
  - Provide users with necessary equipment (e.g. privacy screens, device locks, secure headsets, etc.) and training on privacy and security best practices, including passwords.
  - Consider the increased potential for lost or stolen laptops. Ensure devices have full disk encryption enabled to help protect sensitive data in the event the resource goes missing.
- 3.11 Risk Assessment
  - Partner with information security to conduct an updated risk assessment that considers risks created by home environments and the appropriate controls to mitigate those risks.
  - Scan for vulnerabilities in organizational systems and applications.
- 3.12 Security Assessment
  - Verify security processes and procedures are still effective.
  - Update system security plans to account for the new environments.
- 3.13 System and Communications Protection
  - Monitor and control information at key transmission points.
  - Encrypt all sensitive data in transit.
  - Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e. split tunneling).
  - Terminate network connections after a defined period of inactivity.
  - Establish standards for the use of VoIP technologies on home networks.
  - Harden devices to a common baseline standard such as the CIS benchmarks to reduce an attacker's ability to gain access.
  - Limit local administrator rights.
- 3.14 System and Information Integrity
  - Ensure possible threats are quickly detected, identified, and corrected.
  - Ensure anti-virus software has been implemented and updated on all remote devices.
  - Implement controls over configurations at both ends of the remote connection (i.e. firewalls, restricting the ability to download, etc.).
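As an added illustration of the 3.1, 3.3 and 3.5 items above (this is example code, not part of the original post or of NIST SP 800-171), the script below correlates VPN address assignments with user accounts, counts failed remote-access attempts per source, and flags application activity from unassigned addresses, mismatched accounts, or unusually large downloads. The log format, account names and addresses are constructed for the example and do not come from any real product.

```python
import re
from collections import Counter

# Constructed sample logs in a hypothetical key=value format (not from any real product).
VPN_LOG = """\
2020-04-01T08:00:01 vpn auth-ok user=alice src=203.0.113.10 assigned=10.8.0.5
2020-04-01T08:01:12 vpn auth-fail user=bob src=198.51.100.7
2020-04-01T08:01:20 vpn auth-fail user=bob src=198.51.100.7
2020-04-01T08:01:33 vpn auth-fail user=bob src=198.51.100.7
2020-04-01T08:05:00 vpn auth-ok user=carol src=192.0.2.44 assigned=10.8.0.9
"""
APP_LOG = """\
2020-04-01T08:10:00 fileshare download src=10.8.0.5 user=alice bytes=120000
2020-04-01T08:12:00 fileshare download src=10.8.0.77 user=alice bytes=5000
2020-04-01T08:15:00 fileshare download src=10.8.0.9 user=dave bytes=4000
2020-04-01T08:20:00 fileshare download src=10.8.0.9 user=carol bytes=900000000
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split a log line into (timestamp, event, {key: value})."""
    ts, _source, event, *_rest = line.split()
    return ts, event, dict(KV.findall(line))

def lease_map(vpn_log):
    """3.5: map each VPN-assigned address to the account it was issued to."""
    return {f["assigned"]: f["user"] for _, ev, f in map(parse, vpn_log.splitlines()) if ev == "auth-ok"}

def failed_auth_bursts(vpn_log, threshold=3):
    """3.3: count failed remote-access attempts per (user, source) and report bursts."""
    counts = Counter((f["user"], f["src"]) for _, ev, f in map(parse, vpn_log.splitlines()) if ev == "auth-fail")
    return [(u, s, n) for (u, s), n in counts.items() if n >= threshold]

def review_app_log(app_log, leases, max_bytes=100_000_000):
    """3.1/3.5: flag activity from an address with no VPN lease, from an account
    other than the lease holder, or moving more than max_bytes in one download."""
    findings = []
    for ts, _ev, f in map(parse, app_log.splitlines()):
        owner = leases.get(f["src"])
        if owner is None:
            findings.append((ts, "unassigned-source", f["src"]))
        elif owner != f["user"]:
            findings.append((ts, "user-mismatch", f"{f['user']} on {f['src']} leased to {owner}"))
        if int(f["bytes"]) > max_bytes:
            findings.append((ts, "large-download", f["user"]))
    return findings

if __name__ == "__main__":
    for finding in failed_auth_bursts(VPN_LOG) + review_app_log(APP_LOG, lease_map(VPN_LOG)):
        print(*finding)
```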
As mentioned, you can use the above as a starting point for verifying your remote working environments are configured securely. You may also want to review some of the resources below as we continue to navigate this new normal:
- The National Institute of Standards and Technology (NIST) bulletin: Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions, summarizing key concepts and recommendations from NIST SP 800-46
- NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- NIST Cybersecurity Recommendations for Working from Home
Some additional guidance from the Security Advisor team:
[King]: While work environments have changed for many of us, those who make money from stolen data have not seen the same disruption. In fact, opportunities to infiltrate and exploit systems have increased as we have dispersed workforces and bring numerous external networks and devices into our data environments. Securing external networks and devices to the standards required by organizational standards has not always been an easy task to accomplish, but that task is now magnified by the sudden increased number of remote workers. Even so, it is important not to relax attention to security but to consider the additional risks and ensure the proper controls are in place to manage these risks. Reviewing these controls will allow organizations to discover gaps in security and proactively modify controls to protect the organization as staff work remotely.