COVID-19: Securing Work From Home
Existing cybersecurity principles still apply
While the coronavirus global pandemic continues to race across the globe, businesses everywhere are challenged to secure and support a sudden work from home (WFH) business model. Choosing the most effective cybersecurity strategies to ensure business continuity is paramount to endure this crisis and mitigate risk.
Employing proven strategies – like expanding what you currently have, creating alternative access methods and redesigning your cybersecurity program at scale – can replace uncertainty with confidence. These approaches, and the actionable technical steps below, provide the foundational support needed to enable and secure a WFH model.
For all of these solutions, ensure that proper validation and testing of the security controls is part of the plan. Attack surface management and penetration testing validate that the guidance put in place actually reduces risk to you and your WFH employees.
IMMEDIATE ACTIONABLE STEPS TO TAKE
TECHNICAL CHECKLIST
The checklist below is organized by area:
Remote Access Solution (VPN and VDI)
Bring Your Own Device (BYOD)
WFH Awareness
Cloud and Digital Transformation
Identity and Identity Governance
Data Management
Security Operations
Remote Access Policy
Remote Collaboration/Meeting Solution
Additional Security Controls
Corporate Communications
Vacant Facility Considerations
Remote Access Solution
DO NOT expose risky or vulnerable protocols, such as Remote Desktop Protocol (RDP), directly to the internet in WFH scenarios; place them behind the VPN or a gateway that enforces MFA
Apply advanced authentication mechanisms, such as multifactor authentication
» Use something you know and something you have
» Validate authentication with password auditing and testing of MFA
» If you have an existing multi-factor authentication system, validate the capacity and enrollment requirements of the system to provide functionality for all remote users
With any advanced authentication mechanism, ensure that users understand how to use it
With any remote access solution, implement a zero-trust architecture where applicable
VPN
» Ensure certificates are installed properly and chain to a trusted root
» Ensure the cryptography associated with installed certificates is strong; DO NOT use certificates signed with MD5 or SHA-1
» Understand all aspects of your solution capacity (concurrent and/or total users), including users per appliance, and technical specifications around capacity
» Know your solution’s licensing model (concurrent vs. provisioned) and understand how to rapidly provision and de-provision licenses
» Discern all aspects of provisioning users and machines for remote access, ensuring user-facing documentation is up-to-date and accessible
» Measure current bandwidth and project future bandwidth needs leveraging existing solution monitoring tools
» Add additional internet circuits or upgrade to higher-bandwidth circuits
» Meter VPN usage for both bandwidth and licensing concerns by introducing multiple shifts for workers to spread out peak remote access usage
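As an added example (not part of Optiv's checklist), the following Python script applies the MD5/SHA-1 rule above to every certificate in a PEM bundle. It parses only the outer signatureAlgorithm field of each certificate with a minimal DER reader, so it needs nothing beyond the standard library. The two sample "certificates" are constructed skeletons (an empty tbsCertificate and an empty signature), just enough to exercise the parser; RSASSA-PSS is reported by name only, because its hash lives in algorithm parameters the script does not inspect.

```python
"""Flag weak certificate signature algorithms in a PEM chain.

Added example for the VPN certificate item; not Optiv's code. Only the outer
signatureAlgorithm of each certificate is parsed, with a minimal DER reader.
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758, RFC 8410).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",   # hash is in the parameters (not parsed here)
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "Ed25519",
}
WEAK_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption",
             "dsaWithSHA1", "ecdsa-with-SHA1"}
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit terminates a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return the name (or dotted OID) of a DER certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # tbsCertificate (skipped)
    _, alg_id, _ = read_tlv(cert, pos)      # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)       # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def check_chain(pem_bundle):
    """Return [(algorithm, is_weak), ...] for each certificate in a PEM bundle."""
    results = []
    for b64 in PEM_CERT_RE.findall(pem_bundle):
        alg = signature_algorithm(base64.b64decode(b"".join(b64.split())))
        results.append((alg, alg in WEAK_ALGS))
    return results


# --- constructed sample input (not real certificates) -----------------------
def _der(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID as DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid):
    """CONSTRUCTED test vector: certificate-shaped DER (empty tbsCertificate, empty
    signature) whose signatureAlgorithm is sig_oid. Exercises the parser only."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    der = _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))
    body = base64.encodebytes(der).replace(b"\n", b"")
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = skeleton_cert("1.2.840.113549.1.1.11") + skeleton_cert("1.2.840.113549.1.1.5")
    for alg, weak in check_chain(bundle):
        print(f"{alg:28s} {'WEAK - replace' if weak else 'ok'}")
```

To audit a live endpoint, capture its chain with `openssl s_client -connect vpn.example.com:443 -showcerts </dev/null` (hostname is a placeholder) and pass the PEM output to check_chain(); every certificate in the chain, not just the leaf, should come back without the weak flag.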
VPN (continued)
» Implement browser proxying through the VPN solution, if it supports it, for lower-bandwidth internal applications
» Implement DNS security where possible to validate queries and block queries for malicious domains; a properly configured remote VPN solution resolves internal resources through in-tunnel DNS servers
» Restrict non-essential traffic over VPN connections (e.g. limit non-essential URL categories)
» Configure full-tunnel VPN if bandwidth is not an issue; this reduces the attack surface because all endpoint traffic passes through the corporate security stack
» Allow split-tunneling for VPN connections if bandwidth is a concern, in conjunction with a robust least-privilege policy that tunnels only the internal prefixes (and the in-tunnel DNS servers) remote users actually need
» Validate your remote access endpoint enrollment process
» Review update procedures and validation techniques for system patches and security solution updates delivered over the remote access solution
» Use host checking capabilities to ensure compliance with policy – the asset type, the asset posture, etc. Use continuous host checking if the solution supports it
» Consider hardware VPN solutions (remote access points and others) for long-term WFH solutions
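The full-tunnel, split-tunnel and in-tunnel DNS items above interact: a split tunnel that omits the internal resolvers sends internal hostname lookups to the ISP's resolver, where they leak and fail. The following Python script is an added example (not Optiv's code) that models a client's tunnelled routes as CIDR prefixes and audits them against the internal prefixes and DNS servers users need. It is IPv4 only, and the 10.10.0.0/16, 10.20.0.0/16 and 10.10.0.53 values are constructed for illustration.

```python
"""Split-tunnel route policy audit (added example, not Optiv's code).

Checks a VPN client's tunnelled prefixes for: accidental full tunnel, internal
prefixes left untunnelled, DNS resolvers outside the tunnel, and routes broader
than least privilege requires. IPv4 only; all addresses below are constructed.
"""
import ipaddress


def in_tunnel(dst, tunnelled_prefixes):
    """True if traffic to dst is carried inside the VPN tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in tunnelled_prefixes)


def audit_split_tunnel(tunnelled_prefixes, internal_prefixes, dns_servers):
    """Return a list of policy findings (empty list means the routes are acceptable)."""
    tunnelled = [ipaddress.ip_network(p) for p in tunnelled_prefixes]
    internal = [ipaddress.ip_network(p) for p in internal_prefixes]
    findings = []

    # A default route in the tunnel is a full tunnel, whatever the client calls it.
    if any(t.prefixlen == 0 for t in tunnelled):
        findings.append("0.0.0.0/0 is tunnelled: this is a full tunnel, all traffic "
                        "(internet included) traverses the VPN and its security stack")

    # Internal prefixes not covered by a tunnelled route: unreachable, or sent in the clear.
    for net in internal:
        if not any(net.subnet_of(t) for t in tunnelled):
            findings.append(f"internal prefix {net} is not tunnelled")

    # In-tunnel DNS: internal names must resolve via tunnelled resolvers, not the ISP's.
    for d in dns_servers:
        if not in_tunnel(d, tunnelled_prefixes):
            findings.append(f"DNS server {d} is outside the tunnel: internal names will "
                            f"leak to (and fail at) the local resolver")

    # Least privilege: tunnelled prefixes that serve nothing internal, or far more than needed.
    for t in tunnelled:
        if t.prefixlen == 0:
            continue
        covered = [n for n in internal if n.subnet_of(t)]
        if not covered:
            findings.append(f"tunnelled prefix {t} covers no internal prefix; remove it")
        elif sum(n.num_addresses for n in covered) < t.num_addresses:
            findings.append(f"tunnelled prefix {t} is broader than the internal prefixes it "
                            f"serves ({', '.join(map(str, covered))})")
    return findings


# Constructed environment: two internal /16s and a resolver inside the first one.
INTERNAL = ["10.10.0.0/16", "10.20.0.0/16"]
DNS = ["10.10.0.53"]

if __name__ == "__main__":
    for label, routes in [("full tunnel", ["0.0.0.0/0"]),
                          ("over-broad split", ["10.0.0.0/8"]),
                          ("split missing DNS", ["10.20.0.0/16"]),
                          ("least-privilege split", INTERNAL)]:
        print(label, "->", audit_split_tunnel(routes, INTERNAL, DNS) or ["ok"])
```

On a real client the tunnelled prefixes come from the routing table the VPN software installs (for example the output of `ip route` on Linux), and the internal prefixes and resolvers from the network team's inventory; the audit is then a comparison of the two, exactly as above.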
VDI
» Ensure endpoint standards are met through image management, validated by testing
» VDI images should be hardened and tested against published benchmarks, such as the CIS Benchmarks
» Ensure that the VDI solution is logging to a security operations infrastructure
» Validate identities through AAA on both VDI download (off-line VDI) and online VDI access
» Ensure strong encryption in VDI streams is configured
Bring Your Own Device (BYOD)
Adopt a Best, Better, Good strategy for endpoint connectivity to networks
» Best option - Company-managed and compliant endpoint
» Better option - BYOD endpoint connecting to a company-managed VDI instance
» Good option - BYOD endpoint validated to meet baseline security posture
Decide on a minimum security baseline for the Good standard (minimum anti-malware requirements, minimum patch level, etc.)
Determine if corporate security tools can be installed on user-owned machines to meet the Good standard; this requires careful consideration of privacy, data integrity and capacity/licensing
Validate the security posture of BYOD devices with the defined minimum baseline security standard
If mobile devices are part of the WFH strategy, ensure an MDM/MAM solution is in place and follows the Best, Better, Good strategy
WFH Awareness
Provide user awareness training
Ensure that WFH employees are aware of increases in:
» Social engineering
» Phone pretexting
» Spear phishing
» COVID-19 disinformation campaigns
» Unexpected MFA/2FA prompts
Ensure security personnel are aware of these same increases, including an increase in targeted attacks against their industry vertical
Cloud and Digital Transformation
Leverage cloud for internal service elasticity
Migrate workloads to the public cloud where appropriate based on capacity and architecture
Audit authentication and authorization settings for cloud access
Implement MFA for all apps, especially SaaS-based apps
Use the same SSO strategy for cloud apps as for on-premises apps
Implement compliance monitoring
Increase visibility by adopting CASB
Ensure internal business stakeholders are aware of the security challenges and risks associated with purchasing unauthorized cloud services
Identity and Identity Governance
Secure remote access and associated entitlements
MFA including policy review and end-user education
Ensure validity of current identities
Remove inactive identities from key systems
Ensure adequate authentication and authorization controls for privileged users
Establish inventory/baseline of identities, directories
Enable SSO/MFA for chatty and high-usage critical apps
Establish self-service password reset capabilities and processes, with identity proofing
Monitor and review new IDs or changes to permissions
Integrate SIEM rules or UEBA to analyze remote access
Enhanced authentication (where applicable), onboarding/offboarding
Review adherence to the principle of least privilege (PoLP)
Review current acceptable use policies to ensure the applicable volume of remote access to sensitive data is accounted for
Just-in-time privilege escalation and user lifecycle management (automated or manual)
Increase frequency of credential reviews (or automate alerts based on change policies)
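Several identity items above (inventory/baseline of identities, removal of inactive identities, authentication controls for privileged users, monitoring of new IDs and permission changes) reduce to one recurring comparison of a current directory export against a baseline snapshot. The following Python script is an added example (not Optiv's code) that performs that review. The two CSV exports, the 90-day inactivity threshold and the privileged group names ("Domain Admins", "VPN-Admins") are constructed assumptions; a real export would come from the directory or IAM tool.

```python
"""Identity review over directory exports (added example, not Optiv's code).

Compares a current export against an inventory baseline and reports inactive
accounts, privileged accounts without MFA, new identities and new group
memberships. Exports, threshold and group names are constructed assumptions.
"""
import csv
import io
from datetime import datetime

# Assumption: groups that grant administrative rights over remote access.
PRIVILEGED_GROUPS = {"Domain Admins", "VPN-Admins"}

# Constructed exports: a baseline snapshot taken at WFH rollout, then today's export.
BASELINE_CSV = """user,enabled,last_logon,mfa_enrolled,groups
alice,true,2020-03-20,true,VPN-Users
bob,true,2019-11-02,false,VPN-Users
carol,true,2020-03-22,true,VPN-Users;Domain Admins
svc_backup,true,2020-03-22,false,Backup-Operators
"""
CURRENT_CSV = """user,enabled,last_logon,mfa_enrolled,groups
alice,true,2020-03-22,true,VPN-Users
bob,true,2019-11-02,false,VPN-Users
carol,true,2020-03-23,true,VPN-Users;Domain Admins
dave,true,2020-03-23,false,VPN-Users;VPN-Admins
svc_backup,true,2020-03-22,false,Backup-Operators;Domain Admins
"""


def load_export(csv_text):
    """Parse an export into {user: record} with typed fields and a set of groups."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        records[row["user"]] = {
            "enabled": row["enabled"].lower() == "true",
            "last_logon": datetime.strptime(row["last_logon"], "%Y-%m-%d"),
            "mfa_enrolled": row["mfa_enrolled"].lower() == "true",
            "groups": set(filter(None, row["groups"].split(";"))),
        }
    return records


def review_identities(current_csv, baseline_csv, as_of, inactive_days=90):
    """Return (finding, user, detail) tuples; as_of is the review date, 'YYYY-MM-DD'."""
    current, baseline = load_export(current_csv), load_export(baseline_csv)
    today = datetime.strptime(as_of, "%Y-%m-%d")
    findings = []
    for user, rec in current.items():
        # Enabled but unused for longer than the policy allows: candidate for removal.
        idle = (today - rec["last_logon"]).days
        if rec["enabled"] and idle > inactive_days:
            findings.append(("inactive", user, idle))
        # Privileged access must be backed by MFA.
        privileged = rec["groups"] & PRIVILEGED_GROUPS
        if privileged and not rec["mfa_enrolled"]:
            findings.append(("privileged_without_mfa", user, sorted(privileged)))
        # Drift against the baseline: new identities and new group memberships.
        if user not in baseline:
            findings.append(("new_identity", user, sorted(rec["groups"])))
        else:
            added = rec["groups"] - baseline[user]["groups"]
            if added:
                findings.append(("new_group_membership", user, sorted(added)))
    for user in baseline.keys() - current.keys():
        findings.append(("removed_identity", user, None))
    return findings


if __name__ == "__main__":
    for finding in review_identities(CURRENT_CSV, BASELINE_CSV, "2020-03-23"):
        print(finding)
```

Run daily against a fresh export and the findings become the alert feed the "monitor and review new IDs or changes to permissions" item asks for; the baseline is rotated forward only after each change has been approved.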
Data Management
Apply existing data policy and classification to WFH scenarios
Identify critical, IP and sensitive data (“crown jewels”) and review controls to support remote use
Prohibit excessive permissions to sensitive data
Review and update DLP policies (particularly for data in motion and in use)
Ensure data encryption policies are applied in WFH scenarios
Ensure corporate devices have drive encryption enabled in case of loss or theft
Security Operations
Configure security operations infrastructure to accept remote access and WFH solutions
Ensure existing security operations infrastructure has the capacity (licensing, storage, etc.) to ingest logs from WFH solutions
Correlate and tune security operations infrastructure to account for WFH scenarios
Consider both UEBA and threat intelligence enhancements to security operations to increase monitoring capabilities in the COVID-19 world
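The items above (SIEM rules or UEBA to analyze remote access, correlation tuned for WFH scenarios, awareness of unexpected MFA prompts) call for concrete detections over the VPN authentication feed. The following Python script is an added example (not Optiv's code, and not any vendor's rule syntax) that runs three such rules over constructed log lines in a hypothetical key=value format: password spraying from one source, MFA push fatigue, and a deliberately crude impossible-travel check (a country change between two successful logins within an hour). The thresholds are assumptions to tune against your own baseline.

```python
"""Remote-access detections over VPN authentication logs (added example, not Optiv's code).

Three SIEM/UEBA-style rules over constructed log lines in a hypothetical
key=value format. Thresholds, the log format and the sample events are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpnauth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$")

# Constructed sample: a legitimate login, a spray from one address, push bombing
# against grace, and a second login for alice from another country 40 minutes later.
SAMPLE_LOG = """\
2020-03-23T08:00:01Z vpn01 vpnauth user=alice src=203.0.113.10 country=US result=SUCCESS mfa=otp
2020-03-23T08:02:11Z vpn01 vpnauth user=bob src=198.51.100.7 country=RO result=FAIL mfa=-
2020-03-23T08:02:13Z vpn01 vpnauth user=carol src=198.51.100.7 country=RO result=FAIL mfa=-
2020-03-23T08:02:15Z vpn01 vpnauth user=dave src=198.51.100.7 country=RO result=FAIL mfa=-
2020-03-23T08:02:17Z vpn01 vpnauth user=erin src=198.51.100.7 country=RO result=FAIL mfa=-
2020-03-23T08:02:19Z vpn01 vpnauth user=frank src=198.51.100.7 country=RO result=FAIL mfa=-
2020-03-23T08:30:00Z vpn01 vpnauth user=grace src=198.51.100.9 country=NL result=MFA_DENIED mfa=push
2020-03-23T08:31:00Z vpn01 vpnauth user=grace src=198.51.100.9 country=NL result=MFA_TIMEOUT mfa=push
2020-03-23T08:32:00Z vpn01 vpnauth user=grace src=198.51.100.9 country=NL result=MFA_DENIED mfa=push
2020-03-23T08:33:30Z vpn01 vpnauth user=grace src=198.51.100.9 country=NL result=SUCCESS mfa=push
2020-03-23T08:40:00Z vpn01 vpnauth user=alice src=192.0.2.44 country=BR result=SUCCESS mfa=otp
"""


def parse_log(text):
    """Parse matching lines into event dicts, sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), spray_users=5,
           fatigue_prompts=3, travel_window=timedelta(hours=1)):
    """Return (rule, subject, detail) alerts for the three remote-access rules."""
    alerts = []
    # Rule 1: password spraying - one source fails against many distinct users inside the window.
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= spray_users:
                alerts.append(("password_spray", src, sorted(users)))
                break
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Rule 2: MFA fatigue - several denied/unanswered push prompts, then an accepted one.
        rejected = [e for e in evs if e["result"] in ("MFA_DENIED", "MFA_TIMEOUT")]
        for e in evs:
            if e["result"] == "SUCCESS" and e["mfa"] == "push":
                recent = [r for r in rejected if timedelta(0) <= e["ts"] - r["ts"] <= window]
                if len(recent) >= fatigue_prompts:
                    alerts.append(("mfa_fatigue", user, len(recent)))
                    break
        # Rule 3: impossible travel - consecutive successes from different countries too close together.
        successes = [e for e in evs if e["result"] == "SUCCESS"]
        for a, b in zip(successes, successes[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= travel_window:
                alerts.append(("impossible_travel", user, (a["country"], b["country"])))
                break
    return alerts


def run_detections(log_text):
    """Parse a log and run all rules; returns the alert list."""
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Rule 2 is the detection counterpart of the "unexpected MFA/2FA prompts" awareness item: a user who eventually approves a prompt they did not initiate shows up here as a success preceded by a burst of rejections. Rule 3 is a placeholder for real UEBA distance-and-speed logic; in a WFH rollout the first weeks will also surface genuine relocations, so tune before alerting.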
Remote Access Policy
Develop a remote access policy, or review it if one is already established
Inspect and restrict VPN-connected user activities as required by identity policies
Follow onboarding/offboarding as required by identity governance policies
Establish and monitor roles and appropriate access restrictions for users that have not previously worked remotely
Remote Collaboration/Meeting Solution
Determine the total number of users the solution will support
Understand if there are limitations to the number of participants in a single meeting/call
Be aware of licensing model, especially per-usage/per-minute billing
Deliver clear enrollment instructions to users
Ideally, enforce remote collaboration authentication behind SSO/MFA
Provide guidance on remote meeting standards like noting who is attending meetings (internal-only, internal and client, internal and unknown participant)
» Be aware of “Zoombombing” and other collaboration “squatting” activities
Document meeting etiquette guidance on sharing sensitive data, background/ambient noise and camera awareness
Consider turning off voice-activated assistant technology during remote meetings to limit leaking of data in these scenarios
Additional Security Controls
Extend on-premises security controls (content filtering, email security, data loss prevention (DLP)) to WFH scenarios
Scrutinize traffic entering your organization over VPN connections to identify potential attackers
A secure web gateway is an important control: it prevents users from inadvertently accessing malicious sites, blocks infected machines from reaching command-and-control servers and enforces acceptable use policies
Look for ways to tune alerts and consider adjusting logging levels in preparation for a sharp increase in event volume related to VPN access and remote machines
Consider cross-training or outsourcing to manage a sharp increase in IT, security, administrative and analyst workloads
Plan for cross-training or outsourcing support desk help for new remote users and situations
Corporate Communications
Publish enrollment and access steps for remote company resources and policies
Require users to complete security awareness training if they haven’t recently
Send frequent key security reminders (i.e., “Even in these unprecedented working conditions, the support desk will never ask you for your user password.”)
Provide secure data handling training and corporate policies to all remote workers
Require that users review your company data classification policy
Remind users to exercise caution when considering clicking on links or opening attachments in (especially unsolicited) emails
Establish COVID-19 communication expectations and create an email alias so users can easily identify “official” corporate communications related to how the virus is affecting the company
Provide a feedback loop for the remote user experience and act on valid feedback quickly, to reduce the Shadow IT workarounds users adopt to solve remote-work problems
Deliver WFH resources to users, including general guidance on working from home: setting aside a workspace, adhering to a schedule, etc.
Be aware of COVID-19 disinformation campaigns
Vacant Facility Considerations
Consider disabling guest WiFi and any other wireless access that is not well secured, as staff will not be on site to spot suspicious loitering around your facility
Ensure that temperatures are monitored and alerts are sent remotely, especially for datacenter sites
Look for ways to send audible failure alerts over your network (consider using web cams with audio to provide visibility if necessary)
Make plans for any system that needs media physically rotated
Establish alternate receiving locations (i.e., shipper locations) for inbound deliveries to prevent potentially sensitive materials from being left in an unsecured location
3.20 | F1
Optiv is a security solutions integrator – a “one-stop” trusted partner with a singular focus on cybersecurity. Our end-to-end cybersecurity capabilities span risk management and transformation, cyber digital transformation, threat management, security operations, identity and data management, and integration and innovation, helping organizations realize stronger, simpler and more cost-efficient cybersecurity programs that support business requirements and outcomes. At Optiv, we are leading a completely new approach to cybersecurity that enables clients to innovate their consumption models, integrate infrastructure and technology to maximize value, achieve measurable outcomes, and realize complete solutions and business alignment. For more information about Optiv, please visit us at www.optiv.com.
© 2020 Optiv Security Inc. All Rights Reserved.
Secure your security.™
Optiv Global Headquarters
1144 15th Street, Suite 2900, Denver, Colorado 80202
800.574.0896
optiv.com
In times of need or crisis, it can be challenging to know who to turn to for help and support. Optiv is here to provide our valued clients with the expertise, staffing and technology needed to ensure business continuity.
Please contact your Optiv sales representatives, as needed, during this tumultuous time.