
TECHNICAL CHECKLIST

COVID-19: Securing Work From Home

Existing cybersecurity principles still apply

While the coronavirus pandemic continues to race across the globe, businesses everywhere are challenged to secure and support a sudden work from home (WFH) business model. Choosing the most effective cybersecurity strategies to ensure business continuity is paramount to endure this crisis and mitigate risk.

Employing proven strategies – like expanding what you currently have, creating alternative access methods and redesigning your cybersecurity program at scale – can replace uncertainty with confidence. These approaches, and the actionable technical steps below, provide the foundational support needed to enable and secure a WFH model.

For all of these solutions, build in proper validation and testing of the security controls you deploy. Attack surface management and penetration testing validate that the guidance put in place actually reduces risk to you and your WFH employees.

Remote Access Solution

Bring Your Own Device (BYOD)

WFH Awareness

Cloud and Digital Transformation

Identity and Identity Governance

Data Management

Security Operations

Remote Access Policy

Remote Collaboration/Meeting Solution

Additional Security Controls

Corporate Communications

Vacant Facility Considerations

Remote Access Solution

DO NOT expose risky or vulnerable protocols, such as Remote Desktop Protocol (RDP), directly to the internet in WFH scenarios; reach them only through the VPN or a gateway that enforces MFA

Apply advanced authentication mechanisms, such as multifactor authentication

» Use something you know and something you have

» Validate authentication with password auditing and testing of MFA

» If you have an existing multi-factor authentication system, validate the capacity and enrollment requirements of the system to provide functionality for all remote users

With any advanced authentication mechanism, ensure that users understand how to use it

With any remote access solution, implement a zero-trust architecture if applicable

VPN

» Ensure certificates are installed properly and properly chained; ensure the cryptography associated with installed certificates is strong; DO NOT use certificates signed with MD5 or SHA-1

» Understand all aspects of your solution capacity (concurrent and/or total users), including users per appliance, and technical specifications around capacity

» Know your solution’s licensing model (concurrent vs. provisioned) and understand how to rapidly provision and de-provision licenses

» Discern all aspects of provisioning users and machines for remote access, ensuring user-facing documentation is up-to-date and accessible

» Measure current bandwidth and project future bandwidth needs leveraging existing solution monitoring tools

» Add additional internet circuits or upgrade to higher-bandwidth circuits

» Meter VPN usage for both bandwidth and licensing concerns by introducing multiple shifts for workers to spread out peak remote access usage

» Implement browser proxy through the VPN solution, if the solution supports it, for lower-bandwidth internal applications

» Implement DNS security where possible to validate queries and block queries for malicious domains; a properly configured remote VPN solution queries in-tunnel DNS servers for internal resources

» Restrict non-essential traffic over VPN connections (e.g. limit non-essential URL categories)

» Configure full-tunnel VPN if bandwidth is not an issue; all endpoint traffic then passes through the on-premise security controls, which reduces the attack surface

» Allow split-tunneling for VPN connections, in conjunction with a robust least-privilege policy for VPN traffic, if bandwidth is a concern; split-tunneled internet traffic bypasses the on-premise controls, so the endpoint's own controls (host checking, endpoint protection, DNS security) must compensate

» Validate your remote access endpoint enrollment process

» Review update procedures and validation techniques for system patches and security solution updates through using a remote access solution

» Use host checking capabilities to ensure compliance with policy – the asset type, the asset posture, etc. Use continuous host checking if the solution supports it

» Consider hardware VPN solutions (remote access points and others) for long-term WFH solutions
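The certificate requirements in the VPN list above (properly chained, strong cryptography, no MD5 or SHA-1) are easy to automate. The following is an added example, not Optiv's code and not part of the original checklist: a standard-library Python inspector that reads a certificate in DER form, reports its signature algorithm and RSA key size, and flags the weak ones. The sample certificate it runs on is constructed by the script's own encoder (dummy key, zero signature); on a live gateway you would feed it the DER from ssl.get_server_certificate() (converted with ssl.PEM_cert_to_DER_cert) or from openssl s_client, and run it over every certificate in the chain, not just the leaf.

```python
"""Flag weak signature hashes and small RSA keys in an X.509 certificate (DER bytes).

Added example, not Optiv's code. Standard library only: a minimal DER walker that
reaches the fields X.509 places at fixed positions. The sample certificate is
CONSTRUCTED by the encoder at the bottom (dummy key, zero signature).
"""

# Signature-algorithm OIDs from RFC 3279 / RFC 5754. The first group is what
# the checklist says not to use.
WEAK_SIG = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIG = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
RSA_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Dotted form of an OID value (first two arcs are packed as 40*a+b)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Return sig_oid, sig_name, key_bits and a list of issues for one DER certificate."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, tbs, pos = _tlv(cert, 0)                        # tbsCertificate
    _, sig_alg, _ = _tlv(cert, pos)                    # signatureAlgorithm
    sig_oid = _decode_oid(_tlv(sig_alg, 0)[1])
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                    # explicit version present: skip serialNumber too
        _, _, pos = _tlv(tbs, pos)
    for _ in range(4):                                 # signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    _, spki, _ = _tlv(tbs, pos)
    _, key_alg, pos = _tlv(spki, 0)
    key_oid = _decode_oid(_tlv(key_alg, 0)[1])
    _, key_bitstr, _ = _tlv(spki, pos)                 # BIT STRING; byte 0 = unused-bit count
    key_bits = None
    if key_oid == RSA_OID:                             # RSAPublicKey ::= SEQUENCE { modulus, exponent }
        _, rsa, _ = _tlv(key_bitstr[1:], 0)
        _, modulus, _ = _tlv(rsa, 0)
        key_bits = int.from_bytes(modulus, "big").bit_length()
    issues = []
    if sig_oid in WEAK_SIG:
        issues.append(f"weak signature hash: {WEAK_SIG[sig_oid]}")
    elif sig_oid not in STRONG_SIG:
        issues.append(f"unrecognised signature algorithm {sig_oid}; review manually")
    if key_bits is not None and key_bits < MIN_RSA_BITS:
        issues.append(f"RSA key too small: {key_bits} bits")
    return {"sig_oid": sig_oid, "sig_name": WEAK_SIG.get(sig_oid) or STRONG_SIG.get(sig_oid),
            "key_bits": key_bits, "issues": issues}


# ---- encoder used only to CONSTRUCT sample input; the inspector above is the point ----
def _enc(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    nb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _enc(0x06, out)


def sample_certificate(sig_oid, rsa_bits):
    """Structurally valid X.509 DER with a dummy RSA key of rsa_bits and a zero signature."""
    alg = _enc(0x30, _enc_oid(sig_oid) + b"\x05\x00")
    mod = ((1 << (rsa_bits - 1)) | 1).to_bytes((rsa_bits + 7) // 8, "big")
    if mod[0] & 0x80:
        mod = b"\x00" + mod                            # DER INTEGER is two's-complement
    rsa_key = _enc(0x30, _enc(0x02, mod) + _enc(0x02, b"\x01\x00\x01"))
    spki = _enc(0x30, _enc(0x30, _enc_oid(RSA_OID) + b"\x05\x00") + _enc(0x03, b"\x00" + rsa_key))
    name = _enc(0x30, b"")                             # empty Name is enough for structure
    validity = _enc(0x30, _enc(0x17, b"200301000000Z") + _enc(0x17, b"210301000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 33))
```

The walker relies on the fixed field order of tbsCertificate and deliberately does not parse names or extensions, so it works on any well-formed certificate but only answers the two questions the checklist asks: which hash signed it and how large the RSA modulus is. EC keys pass through with key_bits left unset; extend the key branch if your gateways use them.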

VDI

» Ensure end-point standards are met with image management and validation with testing

» VDI images should be hardened and tested against a published benchmark, such as the CIS Benchmarks

» Ensure that the VDI solution is logging to a security operations infrastructure

» Validate identities through authentication, authorization and accounting (AAA) for both VDI download (offline VDI) and online VDI access

» Ensure strong encryption in VDI streams is configured

Bring Your Own Device (BYOD)

Adopt a Best, Better, Good strategy for endpoint connectivity to networks

» Best option - Company-managed and compliant endpoint

» Better option - BYOD endpoint connecting to a company-managed VDI instance

» Good option - BYOD endpoint validated to meet baseline security posture

Decide on a minimum security baseline for the Good standard (minimum anti-malware requirements, minimum patch level, etc.)

Determine whether corporate security tools can be installed on user-owned machines to meet the Good standard; this requires careful consideration of privacy, data integrity, and capacity/licensing

Validate the security posture of BYOD devices with the defined minimum baseline security standard

If mobile devices are part of the WFH strategy, ensure an MDM/MAM solution is in place and follows the Best, Better, Good strategy
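As an added example, not part of Optiv's checklist, here is the Best/Better/Good decision and the Good baseline encoded so that every endpoint is evaluated the same way. The baseline values, the posture-report fields and the four sample endpoints are constructed; substitute your own thresholds and whatever your host-checking or MDM solution actually reports.

```python
"""Assign an endpoint to the Best / Better / Good tier from its posture report.

Added example, not Optiv's code. Baseline thresholds, report fields and the
sample reports are constructed; the tier names follow the checklist.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Minimum baseline for the "Good" tier (illustrative values; set your own).
BASELINE = {
    "min_os_version": {"windows": "10.0.18363", "macos": "10.15.3"},
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
}


@dataclass
class Posture:
    hostname: str
    os_family: str                 # "windows" or "macos"
    os_version: str
    managed: bool                  # enrolled in corporate endpoint management
    compliant: bool                # management platform reports policy compliance
    last_patch: date
    antimalware_running: bool
    av_signatures: Optional[date]  # date of the last signature update, if known
    disk_encrypted: bool
    via_vdi: bool = False          # connects only through a company-managed VDI instance


@dataclass
class Decision:
    tier: str                      # best | better | good | deny
    access: str
    failures: List[str] = field(default_factory=list)


def _ver(v):
    return tuple(int(p) for p in v.split("."))


def baseline_failures(p, today):
    """Everything in the report that falls below the Good baseline."""
    f = []
    min_os = BASELINE["min_os_version"].get(p.os_family)
    if min_os is None or _ver(p.os_version) < _ver(min_os):
        f.append(f"os {p.os_family} {p.os_version} below minimum {min_os}")
    if (today - p.last_patch).days > BASELINE["max_patch_age_days"]:
        f.append(f"last patch {p.last_patch} older than {BASELINE['max_patch_age_days']} days")
    if not p.antimalware_running:
        f.append("anti-malware not running")
    elif p.av_signatures is None or (today - p.av_signatures).days > BASELINE["max_av_signature_age_days"]:
        f.append("anti-malware signatures stale or unknown")
    if not p.disk_encrypted:
        f.append("disk not encrypted")
    return f


def classify(p, today):
    """Best: managed and compliant. Better: BYOD into VDI. Good: BYOD meeting baseline. Else deny."""
    if p.managed:
        if p.compliant:
            return Decision("best", "full remote access")
        return Decision("deny", "remediate via management platform", ["managed device non-compliant"])
    if p.via_vdi:
        # Data and controls live in the hardened VDI image; the BYOD host only carries the client.
        return Decision("better", "VDI session only")
    failures = baseline_failures(p, today)
    if failures:
        return Decision("deny", "none until baseline met", failures)
    return Decision("good", "restricted: web/SaaS apps, no direct access to data shares")


# Constructed sample reports (not real hosts); "today" fixed so the example is reproducible.
TODAY = date(2020, 3, 23)
SAMPLES = [
    Posture("corp-lt-17", "windows", "10.0.18363", True, True, date(2020, 3, 11), True, date(2020, 3, 22), True),
    Posture("alice-home", "windows", "10.0.18362", False, False, date(2020, 1, 15), True, date(2020, 3, 1), False),
    Posture("bob-mbp", "macos", "10.15.3", False, False, date(2020, 3, 20), True, date(2020, 3, 22), True),
    Posture("carol-mbp", "macos", "10.14.6", False, False, date(2019, 12, 1), False, None, False, via_vdi=True),
]


def classify_all(samples=SAMPLES, today=TODAY):
    return {p.hostname: classify(p, today) for p in samples}
```

Note that the Better tier skips the baseline on purpose: the point of routing BYOD through VDI is that the controls and the data stay in the image, so the host only has to run the client. Everything the Good tier checks is something a host-checking agent can report, which is why the policy is worth writing down as code rather than as a paragraph.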

WFH Awareness

Provide user awareness training

Ensure that WFH employees are aware of increases in:

» Social engineering

» Phone pretexting

» Spear phishing

» COVID-19 disinformation campaigns

» Unexpected MFA/2FA prompts

Ensure security personnel are aware of these same increases, including an increase in targeted attacks on their industry vertical

Cloud and Digital Transformation

Leverage cloud for internal service elasticity

Migrate workloads to the public cloud where appropriate based on capacity and architecture

Audit authentication and authorization settings for cloud access

Implement MFA for all apps, especially SaaS based apps

Use the same SSO strategy for cloud apps as on-premise

Implement compliance monitoring

Increase visibility by adopting CASB

Ensure internal business stakeholders are aware of the security challenges and risks associated with purchasing unauthorized cloud services

Identity and Identity Governance

Secure remote access and associated entitlements

Enforce MFA, including policy review and end-user education

Ensure validity of current identities

Remove inactive identities from key systems

Ensure adequate authentication and authorization controls for privileged users

Establish an inventory and baseline of identities and directories

Enable SSO/MFA for chatty and high usage critical apps

Set self-password reset capabilities and processes (identity-proofing)

Monitor and review new IDs or changes to permissions

Integrate SIEM rules or UEBA to analyze remote access

Apply enhanced authentication (where applicable) to onboarding and offboarding

Review least-privilege policy (PoLP, the principle of least privilege)

Review current acceptable use policies to ensure the applicable volume of remote access to sensitive data is accounted for

Implement just-in-time privilege escalation and user lifecycle management (automated or manual)

Increase frequency of credential reviews (or automate alerts based on change policies)
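An added example, not Optiv's own tooling, of the identity review steps above (remove inactive identities, monitor new IDs and permission changes, review credentials more often) run against two constructed directory snapshots. The 90-day inactivity window and the privileged group names are assumptions; on a real directory the snapshots would come from an export such as Get-ADUser or an identity provider's API.

```python
"""Review a directory export for inactive identities, new IDs and privileged-group changes.

Added example, not Optiv's code. Both snapshots are constructed; the 90-day
inactivity window and the privileged group names are assumptions.
"""
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=90)
PRIVILEGED_GROUPS = {"Domain Admins", "VPN-Admins", "Helpdesk-PasswordReset"}


def review(previous, current, today):
    """Compare two {user: record} snapshots taken at different times; return findings by type.

    record = {"enabled": bool, "created": date, "last_logon": date or None, "groups": [str]}
    """
    f = {"inactive": [], "never_used": [], "new": [], "privilege_added": [],
         "privilege_removed": [], "removed": sorted(set(previous) - set(current))}
    for user in sorted(current):
        rec = current[user]
        if rec["enabled"]:
            if rec["last_logon"] is None and today - rec["created"] > INACTIVE_AFTER:
                f["never_used"].append(user)        # provisioned, never logged on: disable or remove
            elif rec["last_logon"] is not None and today - rec["last_logon"] > INACTIVE_AFTER:
                f["inactive"].append(user)
        old_groups = set(previous[user]["groups"]) if user in previous else set()
        if user not in previous:
            f["new"].append(user)
        new_groups = set(rec["groups"])
        # Privileged membership gained since the last review (a brand-new account counts too).
        f["privilege_added"] += [(user, g) for g in sorted((new_groups - old_groups) & PRIVILEGED_GROUPS)]
        f["privilege_removed"] += [(user, g) for g in sorted((old_groups - new_groups) & PRIVILEGED_GROUPS)]
    return f


def _rec(enabled, created, last_logon, *groups):
    return {"enabled": enabled, "created": created, "last_logon": last_logon, "groups": list(groups)}


# Constructed snapshots: last review on 2020-02-24, this review on 2020-03-23.
PREVIOUS = {
    "alice": _rec(True, date(2018, 5, 1), date(2020, 2, 21), "Staff"),
    "bob":   _rec(True, date(2017, 9, 12), date(2020, 2, 24), "Staff", "VPN-Admins"),
    "dave":  _rec(True, date(2019, 3, 3), date(2019, 11, 1), "Staff"),
    "erin":  _rec(True, date(2019, 8, 8), date(2020, 2, 20), "Staff"),
    "grace": _rec(True, date(2019, 10, 1), None, "Contractors"),
}
CURRENT = {
    "alice": _rec(True, date(2018, 5, 1), date(2020, 3, 20), "Staff", "Domain Admins"),
    "bob":   _rec(True, date(2017, 9, 12), date(2020, 3, 22), "Staff"),
    "dave":  _rec(True, date(2019, 3, 3), date(2019, 11, 1), "Staff"),
    "frank": _rec(True, date(2020, 3, 18), None, "Staff", "Helpdesk-PasswordReset"),
    "grace": _rec(True, date(2019, 10, 1), None, "Contractors"),
}
TODAY = date(2020, 3, 23)


def run_sample():
    return review(PREVIOUS, CURRENT, TODAY)
```

Run on a schedule, the diff gives the reviewer a short list instead of the whole directory: who went stale, who appeared, and which privileged groups changed hands since the last pass. Accounts created during the WFH surge that were never used (grace above) are the ones most often forgotten.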

Data Management

Apply existing data policy and classification to WFH scenarios

Identify critical, IP and sensitive data (“crown jewels”) and review controls to support remote use

Prohibit excessive permissions to sensitive data

Review and update DLP policies (particularly for data in motion and in use)

Ensure data encryption policies are applied in WFH scenarios

Ensure corporate devices have drive encryption enabled in case of loss or theft

Security Operations

Configure security operations infrastructure to accept remote access and WFH solutions

Ensure existing security operations infrastructure has the capacity (licensing, storage, etc) to ingest WFH logging solutions

Correlate and tune security operations infrastructure to account for WFH scenarios

Consider both UEBA and threat intelligence enhancements to security operations to increase monitoring capabilities in the COVID-19 world
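An added example, not part of the original checklist, of the SIEM/UEBA rules for remote access that the identity and security operations items call for: three detections run over constructed VPN authentication log lines, covering a password spray from one source, MFA push fatigue (the unexpected MFA prompts the awareness section warns users about), and a successful login from a country the user has never been seen in. The log format, the thresholds and the per-user country baseline are all assumptions; adapt the regex to what your VPN or identity provider actually emits.

```python
"""Detections over VPN authentication events: password spray, MFA push fatigue, new-country login.

Added example, not Optiv's code. Log format, thresholds, the per-user country
baseline and the sample lines are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure) mfa=(?P<mfa>\S+)$"
)
WINDOW = timedelta(minutes=10)
SPRAY_DISTINCT_USERS = 5      # failures from one source against this many accounts
FATIGUE_DENIALS = 3           # MFA denials for one user before an approval


def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e


def _trim(q, now):
    """Drop entries older than WINDOW from a deque of (timestamp, ...) tuples."""
    while q and now - q[0][0] > WINDOW:
        q.popleft()


def detect(lines, known_countries):
    """Return a list of (rule, subject, detail) alerts, in event order."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    fails_by_src = defaultdict(deque)     # src -> (ts, user) failures
    denials_by_user = defaultdict(deque)  # user -> (ts, src) MFA denials
    alerts, sprayed = [], set()
    for e in events:
        now, user, src = e["ts"], e["user"], e["src"]
        if e["result"] == "failure":
            q = fails_by_src[src]
            q.append((now, user))
            _trim(q, now)
            users = {u for _, u in q}
            if src not in sprayed and len(users) >= SPRAY_DISTINCT_USERS:
                sprayed.add(src)
                alerts.append(("password_spray", src, f"{len(q)} failures across {len(users)} users"))
            if e["mfa"] == "denied":      # password was right; the user pushed "deny"
                denials_by_user[user].append((now, src))
            continue
        # success path
        q = denials_by_user[user]
        _trim(q, now)
        if len(q) >= FATIGUE_DENIALS:
            alerts.append(("mfa_fatigue", user, f"approved after {len(q)} denials within {WINDOW}"))
            q.clear()
        if e["country"] not in known_countries.get(user, set()):
            alerts.append(("new_country", user, f"success from {e['country']} via {src}"))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, fictional users).
SAMPLE_LOG = """\
2020-03-23T08:00:05Z vpn-auth user=alice src=203.0.113.7 country=US result=success mfa=approved
2020-03-23T08:01:10Z vpn-auth user=bob src=198.51.100.5 country=RO result=failure mfa=denied
2020-03-23T08:01:40Z vpn-auth user=bob src=198.51.100.5 country=RO result=failure mfa=denied
2020-03-23T08:02:15Z vpn-auth user=bob src=198.51.100.5 country=RO result=failure mfa=denied
2020-03-23T08:03:02Z vpn-auth user=bob src=198.51.100.5 country=RO result=success mfa=approved
2020-03-23T08:04:00Z vpn-auth user=carol src=192.0.2.9 country=DE result=failure mfa=none
2020-03-23T08:04:01Z vpn-auth user=dave src=192.0.2.9 country=DE result=failure mfa=none
2020-03-23T08:04:02Z vpn-auth user=erin src=192.0.2.9 country=DE result=failure mfa=none
2020-03-23T08:04:03Z vpn-auth user=frank src=192.0.2.9 country=DE result=failure mfa=none
2020-03-23T08:04:04Z vpn-auth user=grace src=192.0.2.9 country=DE result=failure mfa=none
2020-03-23T08:30:00Z vpn-auth user=carol src=203.0.113.44 country=US result=success mfa=approved
"""
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "GB"}}


def run_sample():
    return detect(SAMPLE_LOG.splitlines(), KNOWN_COUNTRIES)
```

The MFA fatigue rule is the one to tune first after a WFH rollout: a burst of denials followed by an approval means the password is already compromised and the user eventually tapped "approve", so the alert should trigger a credential reset, not just a ticket. The country baseline is the UEBA piece; build it from a few weeks of successful logins before you start alerting on it.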

Remote Access Policy

Develop a remote access policy, or review it if one is already established

Inspect and restrict VPN-connected user activity as required by identity policies

Follow onboarding/offboarding as required by identity governance policies

Establish and monitor roles and appropriate access restrictions for users that have not previously worked remotely

Remote Collaboration/Meeting Solution

Determine the total number of users the solution will support

Understand if there are limitations to the number of participants in a single meeting/call

Be aware of licensing model, especially per-usage/per-minute billing

Deliver clear enrollment instructions to users

Where possible, put remote collaboration authentication behind SSO/MFA

Provide guidance on remote meeting standards like noting who is attending meetings (internal-only, internal and client, internal and unknown participant)

» Be aware of “Zoombombing” and other collaboration “squatting” activities

Document meeting etiquette guidance on sharing sensitive data, background/ambient noise and camera awareness

Consider turning off voice-activated assistant technology during remote meetings to limit leaking of data in these scenarios

Additional Security Controls

Extend on-premise security controls (content filtering, email security, data leakage prevention (DLP)) to WFH scenarios

Scrutinize traffic entering your organization over VPN connections to identify potential attackers

Web gateway functionality is an important security control: it prevents users from inadvertently accessing malicious sites, stops infected machines from reaching command and control servers, and enforces acceptable use policies

Look for ways to tune alerts and consider adjusting logging levels in preparation of a sharp increase in event volume related to VPN access and remote machines

Consider cross-training or outsourcing to manage a sharp increase in IT, security, administrative and analyst workloads

Plan for cross-training or outsourcing support desk help for new remote users and situations

Corporate Communications

Publish enrollment and access steps to remote company resources and policies

Require users to complete security awareness training if they haven’t recently

Send frequent key security reminders (e.g., “Even in these unprecedented working conditions, the support desk will never ask you for your user password.”)

Provide secure data handling training and corporate policies to all remote workers

Require that users review your company data classification policy

Remind users to exercise caution when considering clicking on links or opening attachments in (especially unsolicited) emails

Establish COVID-19 communication expectations and create an email alias so users can easily identify “official” corporate communications related to how the virus is affecting the company

Provide a feedback loop for the remote user experience and act on valid feedback quickly to reduce Shadow IT solutions to remote user problems

Deliver WFH resources to users, including general guidance on working from home: setting aside a workspace, adhering to a schedule, etc.

Be aware of COVID-19 disinformation campaigns

Vacant Facility Considerations

Consider disabling guest WiFi and any other wireless access that is not well-secured, as users will not be on site to spot suspicious loitering around your facility

Ensure that temperatures are monitored and alerts are sent remotely, especially for datacenter sites

Look for ways to send audible failure alerts over your network (consider using web cams with audio to provide visibility if necessary)

Make plans for any system that needs media physically rotated

Establish alternate receiving locations (e.g., shipper locations) for inbound deliveries to prevent potentially sensitive materials from being left in an unsecured location

3.20 | F1

Optiv is a security solutions integrator – a “one-stop” trusted partner with a singular focus on cybersecurity. Our end-to-end cybersecurity capabilities span risk management and transformation, cyber digital transformation, threat management, security operations, identity and data management, and integration and innovation, helping organizations realize stronger, simpler and more cost-efficient cybersecurity programs that support business requirements and outcomes. At Optiv, we are leading a completely new approach to cybersecurity that enables clients to innovate their consumption models, integrate infrastructure and technology to maximize value, achieve measurable outcomes, and realize complete solutions and business alignment. For more information about Optiv, please visit us at www.optiv.com.

© 2020 Optiv Security Inc. All Rights Reserved.

Secure your security.™

Optiv Global Headquarters

1144 15th Street
Suite 2900
Denver, Colorado 80202
800.574.0896
optiv.com

IMMEDIATE ACTIONABLE STEPS TO TAKE

In times of need or crisis, it can be challenging to know who to turn to for help and support. Optiv is here to provide our valued clients with the expertise, staffing and technology needed to ensure business continuity.

Please contact your Optiv sales representatives, as needed, during this tumultuous time.
