Time to Move from Reaction Mode to Proactive Security Management
How do you deal with work-from-home security management during ongoing cases of COVID? Some have gone back to the office, but mandates are changing as we write this and as part of adjusting to the “new normal,” there is still more opportunity to move from reaction mode to proactive security management.
Unfortunately, none of us knows how long the COVID-19 challenges and need for “social distancing” will last. We believe that remote workforce requirements are not going away soon. Your firm’s leaders have a responsibility to review and improve arrangements to strengthen the security and reliability of their remote work infrastructure.
The Question of Personal Computers and Security
The first major consideration is whether your firm has permitted employees to access the internal network from personal computers. Many employees may not have firm-owned laptops. How will they work from home for an extended period?
- Allowing employee-owned computers to connect to the internal network, for example through a VPN, may be expedient, but it means you are letting unmanaged, potentially insecure computers access critical servers and protected databases. You have no idea whether those computers are infected by malware, what security protections are on them, or who else is using them.
- Prohibiting work on employee-owned computers means that every remote worker – possibly your entire workforce – must be set up with company equipment. That could be a big and expensive job for your IT team. It would also take time to set up and distribute the necessary computers, resulting in more lost productivity and interrupted services.
There are additional factors which affect the risk related to remote workers, including
- Whether your firm uses primarily cloud-based applications (e.g. Brittco) vs. systems operating on your firm's own network (e.g. Primary Solutions/Gatekeeper).
- The technical architecture – traditional PCs as workstations, with servers, vs. use of a “Virtual Desktop Infrastructure”.
Agencies are advised to evaluate the risk, based on their unique circumstances, and take appropriate action.
If Allowing Personal Computers…
There are some strategies that could be appropriate for work-from-home security management, including:
- Provide patching instructions and regular reminders for staff to keep their computers and software updated with the latest operating system and software patches. Consider whether your organization’s remote management / patch management tools could be extended to employee personal computers.
- Require Anti-malware Endpoint Protection on all computers connecting to your firm's network. Consider providing centrally managed endpoint protection to employee personal computers in addition to your firm-owned machines. Many endpoint protection vendors are offering free or discounted packages during this crisis so organizations can expand endpoint protection to employee personal devices. A few such examples we have identified include: CrowdStrike, Kaspersky, Carbon Black, and Sophos. Check with your current provider to see whether it offers a similar benefit.
- Segment Internal Networks to increase the layers of protection between employee personal devices and your firm's most sensitive assets. You want to avoid a "flat" network where a malware infection on one device (e.g. an employee's personal computer connected over VPN) can easily spread across the network to other machines.
If Your Organization is Requiring Managed Computers…
There is a different set of considerations for work-from-home security management, including:
- Provide managed computers to all staff that need them. Many agencies don’t have laptops for all employees, so your IT team will need to update and distribute whatever “spares” they have, then figure out how to address any inventory shortage. One option is to send employees home with their desktop workstations. Another is to buy inexpensive laptops to bridge the gap. Ensure any machine you send out the door has your firm-standard configuration, including hard drive encryption.
- Validate that your patch management processes will continue to work for devices not connected to the local network. If current patch management processes require computers to be in the office or directly attached to the network, it may be time to find a more robust Remote Monitoring and Management (RMM) system.
- Endpoint Protection remains critical for off-network devices. Make sure your firm uses a high quality, centrally managed endpoint protection product and that you have enough licenses for any new computers. See above for some endpoint protection vendors offering discounts or support during this crisis.
Other Key Considerations for Work-From-Home Security Management During COVID (And Beyond)
VPN / RDP Security
With expanded usage, the security, configuration, and monitoring of remote access services are more important than ever. Whether your organization uses a VPN for remote access, Remote Desktop Protocol (RDP), RD Gateway, or some other solution, make sure the service is fully patched and updated. Also, review and implement secure configuration standards, such as those published by NIST or the Center for Internet Security. Finally, ensure someone is monitoring the remote access service for abuse or compromise, such as red-flag login attempts at unusual times or from unusual locations. In general, a well-configured VPN is recommended over RDP, because of the numerous security vulnerabilities related to RDP usage, but now is probably not the time for a systems overhaul.
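As an added illustration of the monitoring point above (not code from the original article or from any vendor named in it), the script below runs simple red-flag checks over constructed VPN authentication log lines: logins outside an assumed business-hours window, logins from a country outside an assumed expected set, and a success that follows a run of failures. The log format, thresholds, and the expected-country list are all assumptions for the example.

```python
from datetime import datetime

# Constructed sample VPN authentication log lines (not from any real system).
SAMPLE_LOG = """\
2020-04-06 08:15:02 user=jsmith result=success src=198.51.100.23 geo=US
2020-04-06 03:12:44 user=jsmith result=success src=203.0.113.9 geo=RO
2020-04-06 09:01:10 user=mjones result=failure src=192.0.2.77 geo=US
2020-04-06 09:01:15 user=mjones result=failure src=192.0.2.77 geo=US
2020-04-06 09:01:21 user=mjones result=failure src=192.0.2.77 geo=US
2020-04-06 09:01:30 user=mjones result=success src=192.0.2.77 geo=US
2020-04-07 22:45:00 user=alee result=success src=198.51.100.50 geo=US
"""

BUSINESS_HOURS = range(6, 21)   # 06:00-20:59 treated as the normal login window (assumed policy)
EXPECTED_GEOS = {"US"}          # countries staff are expected to connect from (assumed)
FAILURE_THRESHOLD = 3           # failures before a success that suggest password guessing (assumed)

def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a parsed timestamp."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return rec

def detect(log_text):
    """Return (rule, user, detail) alerts for off-hours logins, unexpected
    countries, and a success preceded by repeated failures for the same user."""
    alerts = []
    recent_failures = {}  # user -> consecutive failures seen since the last success
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "failure":
            recent_failures[user] = recent_failures.get(user, 0) + 1
            continue
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, ts.isoformat()))
        if rec["geo"] not in EXPECTED_GEOS:
            alerts.append(("unexpected_geo", user, rec["geo"]))
        if recent_failures.get(user, 0) >= FAILURE_THRESHOLD:
            alerts.append(("failures_then_success", user, recent_failures[user]))
        recent_failures[user] = 0  # a success resets the failure streak
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In practice the same checks would be fed from the VPN or RD Gateway's real authentication logs, with the expected-country set and hours tuned to the agency's actual workforce.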
Use of stolen credentials was the top hacking technique identified in the 2019 Verizon Data Breach Investigation Report. Multifactor authentication (MFA), also known as two-factor authentication, provides a critical extra layer of security for remote logins even if a user’s credentials are stolen or guessed. If you do not have multifactor authentication for remote network access, do it now! Your VPN may already provide this capability, or consider third party services such as Cisco Duo, Okta, PulseSecure, and others.
Security Monitoring Service
Traditional network security tools, such as firewalls and intrusion detection systems, often only work well for on-site staff. A distributed workforce needs a different approach. A security monitoring service, such as a managed cybersecurity operations center (SOC), can provide critical monitoring, detection, and defense against cyber threats to your organization, even when employees work from home. Agencies with fewer than several thousand employees (which includes all DD Boards) are unable to justify the expense of a 24/7 SOC, so outsourcing is the only practical option. There are many commercial SOCs that can help. Here are some currently used by DD agencies:
- MS-ISAC, a federal government-sponsored non-profit which provides services to government agencies
- Binary Defense, an Akron-based organization used by at least one DD board, and
- Agile1, an emerging SOC located in Cleveland.
In conclusion, Eagle advises that social distancing and work-from-home could continue for some time. Your organization's leaders should ensure that weak security related to a hastily implemented work-from-home solution does not result in bad outcomes such as data breaches, ransomware, or other security failures. A risk assessment should be completed to consider your firm's unique situation, identify risks, and prioritize any corrective action.