Time to Move from Reaction Mode to Proactive Security Management
Many DD Boards have been in reaction mode for the past week or so, rapidly implementing work-from-home capabilities for employees. The priority was mission continuity – to keep serving your community even if it required short-term compromises. With the initial scramble complete, as part of adjusting to the “new normal,” there is an opportunity to move from reaction mode to proactive security management.
Unfortunately, none of us knows how long the COVID-19 challenges and need for “social distancing” will last. Eagle’s guidance:
- Based on the experience of the one country with the most COVID-19 experience – China – we can expect significant “social distancing” and “stay at home” restrictions for a minimum of 6 weeks, which is how long it took them to control person-to-person transmission within the country, and
- After 6 weeks, China hasn’t solved the problem of new infections, with the cycle beginning again when foreigners arrive and re-infect the population. So, a longer period is possible, and if operations return to normal, we could revert to additional periods of “social distancing” over the next 12 months.
In short, remote workforce requirements are not going away soon. Agency leaders have a responsibility to review and improve the short-term arrangements from the past weeks to strengthen the security and reliability of their remote work infrastructure.
The Question of Personal Computers
The first major consideration is whether the agency has permitted employees to access the internal network from personal computers. Many employees may not have agency-owned laptops. How will they work from home for an extended period?
- Allowing employee-owned computers to connect to the internal network, for example through a VPN, may be expedient, but it means you are letting unmanaged, potentially insecure computers access critical servers and protected databases. You have no idea whether those computers are infected by malware, what security protections are on them, or who else is using them.
- Prohibiting work on employee-owned computers means that every remote worker – possibly your entire workforce – must be set up with company equipment. That could be a big and expensive job for your IT team. It would also take time to set up and distribute the necessary computers, resulting in more lost productivity and interrupted services.
There are additional factors which affect the risk related to remote workers, including
- Whether the agency uses primarily cloud-based applications (e.g. Brittco) vs. systems operating on the agency network (e.g. Primary Solutions/Gatekeeper).
- The technical architecture – traditional PCs as workstations, with servers, vs. use of a “Virtual Desktop Infrastructure”.
Agencies are advised to evaluate the risk, based on their unique circumstances, and take appropriate action.
If Allowing Personal Computers…
There are some strategies which could be appropriate, including:
- Provide patching instructions and regular reminders for staff to keep their computers and software updated with the latest operating system and software patches. Consider whether your organization’s remote management / patch management tools could be extended to employee personal computers.
- Require Anti-malware Endpoint Protection on all computers connecting to the agency network. Consider providing centrally managed endpoint protection to employee personal computers in addition to your agency-owned machines. Many endpoint protection vendors are offering free or discounted packages during this crisis so organizations can expand endpoint protection to employee personal devices. A few such examples we have identified include: CrowdStrike, Kaspersky, Carbon Black, and Sophos. Check with your current provider to see whether it offers a similar benefit.
- Segment Internal Networks to increase the layers of protection between employee personal devices and your agency’s most sensitive assets. You want to avoid a “flat” network where a malware infection on one device (e.g. an employee’s personal computer connected over VPN) can easily spread across the network to other machines.
If Requiring Agency-Managed Computers…
There is a different set of considerations, including:
- Provide managed computers to all staff who need them. Many agencies don’t have laptops for all employees, so your IT team will need to update and distribute whatever “spares” they have, then figure out how to address any inventory shortage. One option is to send employees home with their desktop workstations. Another is to buy inexpensive laptops to bridge the gap. Ensure any machine you send out the door has the agency-standard configuration, including hard drive encryption.
- Validate that your patch management processes will continue to work for devices not connected to the local network. If current patch management processes require computers to be in the office or directly attached to the network, it may be time to find a more robust Remote Monitoring and Management (RMM) system.
- Endpoint Protection remains critical for off-network devices. Make sure your agency uses a high quality, centrally managed endpoint protection product and that you have enough licenses for any new computers. See above for some endpoint protection vendors offering discounts or support during this crisis.
Other Key Considerations
VPN / RDP Security
With expanded usage, the security, configuration, and monitoring of remote access services is more important than ever. Whether your organization uses a VPN for remote access, Remote Desktop Protocol (RDP), RD Gateway, or some other solution, make sure the service is fully patched and updated. Also, review and implement secure configuration standards, such as those published by NIST or the Center for Internet Security. Finally, ensure someone is monitoring the remote access service for abuse or compromise, such as login attempts at unusual times or from unexpected locations. In general, a well-configured VPN is recommended over RDP because of the numerous security vulnerabilities related to RDP usage, but now is probably not the time for a systems overhaul.
Use of stolen credentials was the top hacking technique identified in the 2019 Verizon Data Breach Investigations Report. Multifactor authentication (MFA), also known as two-factor authentication, provides a critical extra layer of security for remote logins even if a user’s credentials are stolen or guessed. If you do not have multifactor authentication for remote network access, do it now! Your VPN may already provide this capability, or consider third-party services such as Cisco Duo, Okta, PulseSecure, and others.
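To make the monitoring advice above concrete, here is an added example (not part of the original advisory, and not tied to any particular VPN product) that scans remote-access login records for the red flags just described: logins outside business hours, logins from countries where no staff work, a user appearing in two countries within a short window, and a burst of failed logins followed by a success, which is what guessed or stolen credentials tend to look like in a log. The CSV log format, the field layout, the sample lines and every threshold are assumptions chosen for illustration; adapt them to what your VPN or RD Gateway actually writes.

```python
"""Flag suspicious remote-access logins (added example, assumptions throughout)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds: assumed values for illustration, tune them for your agency.
BUSINESS_HOURS = (7, 19)               # 07:00-18:59 local time counts as normal
ALLOWED_COUNTRIES = {"US"}             # countries your staff actually work from
FAIL_BURST = 5                         # this many failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)    # ...if they fall within this window
TRAVEL_WINDOW = timedelta(minutes=60)  # two countries this close together is "impossible travel"

# Constructed sample log in the assumed format:
#   "YYYY-MM-DD HH:MM:SS,user,source_ip,country,SUCCESS|FAIL" (local time)
SAMPLE_LOG = """\
2020-03-23 13:05:10,jsmith,203.0.113.5,US,SUCCESS
2020-03-23 13:07:42,mlee,198.51.100.7,US,SUCCESS
2020-03-23 03:12:09,jsmith,203.0.113.5,US,SUCCESS
2020-03-23 14:00:01,dkim,192.0.2.44,RU,SUCCESS
2020-03-23 15:01:00,mlee,198.51.100.7,US,SUCCESS
2020-03-23 15:20:00,mlee,192.0.2.99,BR,SUCCESS
2020-03-23 16:00:00,rpatel,203.0.113.9,US,FAIL
2020-03-23 16:00:05,rpatel,203.0.113.9,US,FAIL
2020-03-23 16:00:10,rpatel,203.0.113.9,US,FAIL
2020-03-23 16:00:15,rpatel,203.0.113.9,US,FAIL
2020-03-23 16:00:20,rpatel,203.0.113.9,US,FAIL
2020-03-23 16:00:25,rpatel,203.0.113.9,US,SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed CSV format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, country, result = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            user, ip, country, result.upper() == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def find_alerts(events: List[Event]) -> List[Alert]:
    """Apply the four red-flag rules to time-ordered events."""
    alerts: List[Alert] = []
    last_success: Dict[str, Event] = {}        # most recent successful login per user
    recent_fails: Dict[str, List[datetime]] = {}  # failure timestamps since last success
    for e in events:
        if not e.success:
            recent_fails.setdefault(e.user, []).append(e.ts)
            continue
        # Rule 1: successful login outside business hours
        if not (BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
            alerts.append(Alert("off_hours", e.user, f"login at {e.ts:%H:%M} from {e.ip}"))
        # Rule 2: successful login from a country no staff work in
        if e.country not in ALLOWED_COUNTRIES:
            alerts.append(Alert("unexpected_country", e.user, f"login from {e.country} ({e.ip})"))
        # Rule 3: same user, different country, too close together to be real travel
        prev = last_success.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= TRAVEL_WINDOW:
            minutes = int((e.ts - prev.ts).total_seconds() // 60)
            alerts.append(Alert("impossible_travel", e.user,
                                f"{prev.country} then {e.country} within {minutes} min"))
        # Rule 4: a burst of failures immediately before this success (guessing / stuffing)
        fails = [t for t in recent_fails.get(e.user, []) if e.ts - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_BURST:
            alerts.append(Alert("failed_burst", e.user,
                                f"{len(fails)} failures then success from {e.ip}"))
        recent_fails[e.user] = []   # a success closes the failure window
        last_success[e.user] = e
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Run against the constructed sample, the script raises five alerts: an off-hours login for jsmith, unexpected countries for dkim and mlee, impossible travel for mlee, and a failure burst followed by success for rpatel. In practice the same rules can be fed from a SIEM or from your VPN appliance's exported logs; the point is that each of these conditions is a cheap, mechanical check someone should be running daily, and the failure-burst rule in particular is the case where MFA stops an attacker even after the password has been guessed.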
Security Monitoring Service
Traditional network security tools, such as firewalls and intrusion detection systems, often only work well for on-site staff. A distributed workforce needs a different approach. A security monitoring service, such as a managed cybersecurity operations center (SOC), can provide critical monitoring, detection, and defense against cyber threats to your organization, even when employees work from home. Agencies with fewer than several thousand employees (which includes all DD Boards) are unable to justify the expense of a 24/7 SOC, so outsourcing is the only practical option. There are many commercial SOCs that can help. Here are some currently used by DD agencies:
- MS-ISAC, a federal government-sponsored non-profit which provides services to government agencies
- Binary Defense, an Akron-based organization used by at least one DD board, and
- Agile1, an emerging SOC located in Cleveland.
In conclusion, Eagle advises that social distancing and work-from-home will likely continue for months. Agency leaders should ensure that weak security related to a hastily implemented work-from-home solution does not result in bad outcomes such as data breaches, ransomware, or other security failures. A risk assessment should be completed to consider the agency’s unique situation, identify risks, and prioritize any corrective action.