Practicing good remote access hygiene in times of uncertainty
As the business world reacts to the current health crisis, companies are offering remote access to any role that can work from home. Cyber-criminals are taking their cue from the changing environment and are already taking advantage: on 03/15/2020, the US Health and Human Services Department suffered a cyber-attack with the intention of distributing false information.
Here are some recommendations for continuing to practice good information security hygiene as more access moves outside of the physical office.
Security Awareness Training
- New Remote Access Users
Remote access privileges come with a new set of responsibilities. Ensure that the newly enabled group of remote access participants is aware of and follows company procedures with regard to remote access. This isn’t just about good Wi-Fi practices (discussed later); it should also cover activities like plugging in personal flash drives or downloading movies to company-owned equipment. If employees can connect with personal devices, there are even more risks to consider.
- Help Desk Personnel
A popular attack that will gain attention in the coming weeks is the password reset request aimed at help desk teams. Establishing proper verification and secure password reset techniques, and training on them, will be essential for the help desk to identify who they should be helping and who they should be hanging up on.
Access and Data Storage
- Multifactor Authentication (MFA)
Extending remote access to company networks and data should be accompanied by a requirement for MFA use. Properly implemented MFA makes it much more difficult for a bad actor to gain access to any account. This isn’t the time to wonder how many users have weak and easily guessed passwords like “Winter20”.
- Secure Data Storage
Devices that will be used to perform remote work may or may not have encrypted storage. Make sure care is taken when employees work with company data, and remind them not to store that data in unsecured locations or on unsecured media.
- Wireless Access Points
While users may not be going to many coffee shops or hotels for the next few weeks, the guidelines for safe wireless access still apply. When connecting to public Wi-Fi, ensure you are using a VPN and examine the name of the network closely to avoid evil twins. [Evil twins are Wi-Fi hotspots that look legitimate but have a small change in the lettering: HOTSpot vs. H0TSpot.] When setting up wireless access points at home, use WPA2 encryption with a long, difficult-to-guess passphrase.
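The name check described above can be automated. The following is an added example, not part of the original article: it compares an observed network name against a list of trusted names and flags look-alikes such as H0TSpot. The character map and the one-edit threshold are assumptions chosen for illustration.

```python
import unicodedata

# Assumed, non-exhaustive map of characters commonly swapped for look-alikes.
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "i": "l", "5": "s", "3": "e", "@": "a", "$": "s"}
)


def skeleton(ssid):
    """Reduce a network name to a form where look-alike spellings collide."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    folded = "".join(ch for ch in folded if ch.isalnum() or ch in "@$")
    return folded.translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one added or dropped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_ssid(observed, trusted):
    """Return (verdict, matched trusted name) for an observed network name."""
    if observed in trusted:
        return ("trusted", observed)
    for name in trusted:
        if skeleton(observed) == skeleton(name):
            return ("lookalike", name)
        if edit_distance(skeleton(observed), skeleton(name)) <= 1:
            return ("near-match", name)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample names; "HOTSpot" is the article's own example.
    for seen in ("HOTSpot", "H0TSpot", "HOT-Spot_", "HOTSpots", "HomeNet"):
        print(seen, check_ssid(seen, ["HOTSpot"]))
```

A "trusted" verdict only means the name is on the list; network names are not authenticated, so the VPN recommendation still applies.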
- Endpoint Security
Whether it is company-owned or employee-owned equipment, endpoint controls are crucial for protecting the information assets these devices will be working with. Ensure endpoint software is in place, properly configured, and up to date before allowing these devices to connect to the enterprise network.
- Split Tunneling
This one might be tougher to deal with, especially with employee-owned equipment. Split tunneling is the practice of allowing a remote VPN user to access a non-corporate network at the same time that the user is allowed to access the corporate network via the VPN. This method of network access enables the user to reach corporate devices, such as a network data share, at the same time as non-corporate network devices, like a home network printer. With split tunneling there is increased risk of exposing company IT assets to external threats and attacks.
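Whether a client is split-tunneled can be read from its routing table. The following is an added example, not part of the original article: it applies longest-prefix matching to two constructed routing tables and reports which destinations would leave outside the VPN. The interface names, address ranges and probe destinations are all assumptions.

```python
import ipaddress

# Constructed routing tables as (destination prefix, interface) pairs.
# "tun0" (VPN) and "wlan0" (home Wi-Fi) are assumed interface names.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # default route stays on the home network
    ("192.168.1.0/24", "wlan0"),   # home LAN, e.g. the printer
    ("10.20.0.0/16", "tun0"),      # only the corporate range uses the VPN
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),         # everything defaults into the VPN
    ("198.51.100.7/32", "wlan0"),  # host route to the VPN gateway itself
    ("10.20.0.0/16", "tun0"),
]
# Constructed probe destinations: corporate share, home printer, internet host.
PROBES = [
    ("corporate share", "10.20.5.10"),
    ("home printer", "192.168.1.50"),
    ("internet host", "203.0.113.10"),
]


def egress_interface(routes, dest):
    """Longest-prefix match: interface chosen by the most specific route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(routes, vpn_iface, probes=PROBES):
    """Return (mode, labels of probes whose traffic leaves outside the VPN)."""
    outside = [label for label, dest in probes
               if egress_interface(routes, dest) not in (vpn_iface, None)]
    return ("split tunnel" if outside else "full tunnel", outside)


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, classify(table, "tun0"))
```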
Incident Response Planning
- The Right Tools
Incident response plans often call for the assembly of the incident response team. With those team members possibly being remote, ensure that the tools they need are available where they are working.
CEO Fraud Prevention
- You Will See More
Count on an increase in attempts by fraudsters to impersonate company executives. Their goal is to trick employees into sending information or wiring funds to less-than-desirable recipients. It will no longer be as easy as poking your head through the boss’s door to ask whether the email request for all of the W-2 information that came from him this morning was legitimate.
- Establish Secure Verification Procedures
Email addresses, caller ID, and even voice messages can be spoofed. When confirming the authenticity of a request, use a different channel from the one through which the request was initiated. If you received an email, call a known number to verify (not a number that came from the email).
- Review Wire Transfer and Other Vulnerable Financial Controls
Controls that require actions by multiple people may have to be modified to accommodate the increase in remote workers. Review those procedures to make sure they still work with a remote workforce.
The need to immediately increase remote access capabilities is here, much sooner than a lot of companies were prepared for. But just as it is not prudent to take shortcuts to meet a deadline from your boss, now is not the time to sacrifice security for expedience or convenience. We have already seen examples of people sharing links to private company meetings via social media sites, virtually opening the meeting to anyone who happens upon the link. It is essential that users who now have new methods of access understand and protect that access. The bad guys are actively looking to prey upon those who are unprepared.