Actually Helpful Security Tips To Actually Help Your Security Team
There’s a good chance you’ve heard about COVID-19 and the global pandemic that’s been taking the world by storm. There’s also a good chance that you are, or know, an IT or Security professional that has had their world upended to support a 100% remote workforce that was otherwise non-existent a couple of weeks ago.
As Information Technology and Security professionals scramble to enable a remote workforce overnight, people from all corners of the Internet seem to be offering advice, most of which is dubious at best. Is a user’s home Internet or printer any more risky today than it was a week ago? I want to be clear: there is no malware villain going door-to-door infecting machines, and a user’s home Wi-Fi should be the least of your worries.
The simple reality is this: nothing has changed. Nothing. People just don’t sit at their desks in the office or stand awkwardly by the watercooler waiting to chat. Users are still the riskiest part of any security program, and all the standard best practices and advice that the security community has been following for years still apply. You probably already have a workforce that works remotely at least part of the time, and BYOD probably isn’t appearing on your radar for the first time.
So, if you’re wondering how to best enable a workforce to work remotely and securely, you have to start by addressing the most common risks: user risks. Check the areas below, and hopefully it will become clear where to focus your attention to make sure your workforce is working securely.
Establish Clear, Easy to Use Communication Channels
It is critical that users have a direct path to IT and Security departments via email, instant messaging like Slack or Teams, text, or phone. Users need to feel like they have an easy place to ask questions to get quick answers. Some questions will still need tickets, sure, but for remote teams, it is important to over-communicate and to make getting answers simple. Users will seek out solutions to enable them to work, including file sharing, remote access, and more. You can help them by giving them clear guidance on approved vendors for such solutions and what to look for if they do need to use a new solution.
Refresh Security Policies and Procedures
Making security policies easy to find and understand is the next most important piece of enabling remote workers: How does a user create a ticket? What if they get a suspicious email? Is there a procedure to validate that an employee contacting them is actually who they say they are?
Make sure your security policies are well communicated and easy to find. Users want to do the right thing and as professionals, we should make processes that are exceptionally easy to find and follow.
When it comes to remote workers, you can put your mind at ease if you’ve implemented the following on user endpoints:
Remote Lock & Wipe
Using enterprise tools or an MDM package, you’ll want to maintain control over the endpoint if it is lost or stolen. You’ll want to make sure that users know how to report an endpoint as ‘missing’ as quickly as possible and also reinforce that this is a shame-free/blame-free process.
Full Disk Encryption
Enabling strong full disk encryption for all internal drives is critical if you have a workforce with mobile endpoints. If an endpoint is lost with disk encryption enabled, it becomes much more difficult, if not impossible, to recover information from the disk, including code repositories, SSH keys, etc.
Automatic Screen Lock
Whenever possible, administrators should make sure endpoints lock the screen or start the screensaver after a short period of inactivity, requiring a password to resume. On many platforms, you can also configure the system to discard the disk encryption key from memory when the machine sleeps, so the volume is fully locked again until the user authenticates. This will increase wake-up time but makes it much more difficult to recover data off the endpoint in the event it is lost or stolen.
Endpoint Firewall
The endpoint firewall is a simple method for dropping unwanted packets and preventing unsolicited services from connecting to your endpoint. While not fool-proof, when configured properly it provides an excellent layer of protection against basic network threats.
Automatic Updates
This one is absolutely essential with a remote workforce. Once updates (i.e. security patches) are made available for an operating system, it’s only a matter of time before someone tries to exploit the vulnerabilities they fix. Enforcing automatic updates should be a non-negotiable benchmark from the CEO all the way down the ranks. To be clear, in most cases you don’t need to force immediate adoption, but administrators should be clear about what the standard grace period is for updates, and how updates will be remediated if not completed within the grace period.
Explicit Application Block/Allow Lists
Hey kids, do you like malware!?! Not when it’s running on an endpoint you control, right? Admittedly, this is a much harder recommendation to meet, but on the off chance you’ve got some spare cycles, this is an excellent way to eliminate all those pesky programs you never wanted to support in the first place. Both Windows and Mac have either native controls or third-party programs that can be leveraged to enable this recommendation.
Force the use of a strong, modern and up-to-date browser
Unless there is a very compelling business reason, it’s time to retire Internet Explorer. Even then, maybe just use it for that one thing. If you’re thinking, “Who would even still be using that?”, inspect your web application logs. Unless you’re protecting these applications with a solution that can control which browsers are allowed to connect, there is a very good chance you’ve got a couple of users still rocking IE.
This likely isn’t a problem you can solve overnight. To be truly effective, you’ll need to identify users running legacy or out-of-date browsers and ask them to upgrade. This will likely take some training, good documentation, and one-on-one time. This would be a good time to create some short screen captures of how to do simple tasks and store them in a company wiki.
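The "inspect your web application logs" step above is the part most teams skip because nobody wants to grep User-Agent strings by hand. The following is an added example, not code from the original post or a Censys tool: a small Python script that parses Combined Log Format lines, flags requests made from Internet Explorer (the `MSIE x.y` token used by IE 10 and below, and the `Trident/… rv:11.0` token used by IE 11), and tallies hits per authenticated user (falling back to client IP). The log lines are constructed for the example; the field layout is the standard Apache/nginx combined format.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# IE <= 10 advertises "MSIE <major>.<minor>"; IE 11 dropped that token and
# advertises its engine ("Trident/7.0") plus "rv:11.0" instead.
MSIE_RE = re.compile(r'MSIE (\d+)\.\d+')
TRIDENT_RE = re.compile(r'Trident/\d+\.\d+.*?rv:(\d+)\.\d+')


def ie_version(ua):
    """Return the Internet Explorer major version in a User-Agent, or None."""
    m = MSIE_RE.search(ua)
    if m:
        return int(m.group(1))
    m = TRIDENT_RE.search(ua)
    if m:
        return int(m.group(1))
    return None


def parse_line(line):
    """Split one combined-format line into fields; None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_legacy_browsers(lines):
    """Return {user_or_ip: {ie_major_version: request_count}} for IE traffic."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than abort the run
            continue
        ver = ie_version(rec["ua"])
        if ver is None:
            continue
        who = rec["user"] if rec["user"] != "-" else rec["ip"]
        hits[who][ver] += 1
    return {who: dict(counter) for who, counter in hits.items()}


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Mar/2020:09:14:02 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 - - [20/Mar/2020:09:15:10 +0000] "GET /portal/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.7 - bob [20/Mar/2020:09:16:33 +0000] "GET /portal/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
10.0.0.5 - alice [20/Mar/2020:09:18:45 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
this line is deliberately malformed and must be skipped
""".splitlines()


if __name__ == "__main__":
    for who, versions in sorted(find_legacy_browsers(SAMPLE_LOG).items()):
        print(f"{who}: {versions}")
```

Run it against a real access log with `find_legacy_browsers(open("access.log"))`; the output gives you the list of people to schedule one-on-one time with. Note that IE 11 in compatibility view reports an older `MSIE` token with `Trident/7.0`, which this still flags as IE, just with the emulated version number.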
Force the use of HTTPS everywhere
Related to using a strong, modern and up-to-date browser, administrators should encourage the use of HTTPS Everywhere, a free browser plugin from the Electronic Frontier Foundation. As the name suggests, it will enable HTTPS or secure browsing by default on any site that supports it.
Overall, there isn’t much different here than if everyone were coming to the office every day. The big change is that your VPN appliance is probably getting more attention and the Security Team should be on the lookout for shadow IT, shadow cloud, and phishing campaigns.
Take inventory of applications that are exposed externally and require a login. As a matter of precaution and best practices, any externally exposed web application should require TLS. If you’re not sure where to get a certificate, they’re available from a number of low-cost providers, or you can get a free one from our friends at Let’s Encrypt.
Update your VPN Appliance
Unless you’ve embraced the BeyondCorp model for corporate security, there is a good chance your company is using a VPN to encrypt traffic between the endpoint and the internal corporate network. While a VPN does offer some level of security, the VPN appliance is an often overlooked component when updates come around, and with a 100% remote workforce it’s even harder to find time to update it. Looking across VPN hardware manufacturers over the last two years reveals at least two major vulnerabilities. This device is likely the most important piece of hardware securing your network; make sure you’re treating it as such.
Monitor on-prem and cloud services
This recommendation isn’t necessarily new, but it is much more critical as your workforce moves offsite. Security and IT teams should make sure they have a thorough understanding of their exposed services, both in cloud environments and on on-premises servers. It’s not uncommon for firewall ports opened “temporarily” to expose your business to unwanted risk and unwanted visitors. It is relatively simple for your external attack surface to change dramatically as users create temporary servers to work from, provision new assets in the cloud to “work remotely”, or begin using third-party services to store and share data.
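The two points above, inventorying externally exposed applications for TLS and watching for "temporary" ports and servers that quietly change your attack surface, both come down to comparing what is reachable now against a known-good baseline. The following is an added example, not code from the original post or from Censys: a Python function that diffs two snapshots of externally reachable services (a `{host: {port, ...}}` mapping you would fill from whatever scanner or inventory you use), reports newly exposed hosts and ports, escalates ports that should never face the Internet, and flags any host serving HTTP on port 80 with no TLS listener on 443. The snapshots, hostnames and the high-risk port list are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Services that should not normally be reachable from the Internet.
# Constructed list for this example; tune it to your own environment.
HIGH_RISK_PORTS = {
    21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc",
    1433: "mssql", 3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    port: Optional[int]   # None for host-level findings
    severity: str
    reason: str


def diff_exposure(baseline: Dict[str, Set[int]], current: Dict[str, Set[int]]) -> List[Finding]:
    """Compare two snapshots of externally reachable services.

    Returns findings for every host or port exposed now but absent from the
    baseline, plus hosts that serve plaintext HTTP (80) without a TLS
    listener (443). Results are ordered highest severity first.
    """
    findings: List[Finding] = []
    for host, ports in current.items():
        known = baseline.get(host, set())
        if host not in baseline:
            findings.append(Finding(host, None, "medium", "host not in baseline inventory"))
        for port in sorted(ports - known):
            if port in HIGH_RISK_PORTS:
                findings.append(Finding(host, port, "high", f"new {HIGH_RISK_PORTS[port]} exposure"))
            else:
                findings.append(Finding(host, port, "medium", "new open port"))
        # Externally exposed web applications should require TLS.
        if 80 in ports and 443 not in ports:
            findings.append(Finding(host, 80, "high", "web service without TLS listener"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port or 0))


def removed_exposure(baseline: Dict[str, Set[int]], current: Dict[str, Set[int]]) -> List[Finding]:
    """Services that were in the baseline and are gone now; useful to keep the baseline honest."""
    gone: List[Finding] = []
    for host, ports in baseline.items():
        for port in sorted(ports - current.get(host, set())):
            gone.append(Finding(host, port, "low", "service no longer reachable"))
    return gone


# Constructed snapshots for the example (not real hosts or scan data).
BASELINE = {
    "vpn.example.com": {443},
    "www.example.com": {80, 443},
    "mail.example.com": {25, 443, 587},
}
CURRENT = {
    "vpn.example.com": {443},
    "www.example.com": {80, 443, 22},            # someone opened SSH "temporarily"
    "mail.example.com": {25, 443, 587},
    "dev-box-01.example.com": {3389, 80},        # a new server stood up to "work remotely"
}


if __name__ == "__main__":
    for f in diff_exposure(BASELINE, CURRENT):
        print(f"[{f.severity:6}] {f.host}:{f.port} {f.reason}")
    for f in removed_exposure(BASELINE, CURRENT):
        print(f"[{f.severity:6}] {f.host}:{f.port} {f.reason}")
```

Feed it a fresh snapshot on a schedule (the Censys free tier and CLI mentioned at the end of this post are one way to collect that data, though the parsing of their output is not shown here) and route the `high` findings to whoever owns the ticket queue. The point is that "what changed since last week" is a far more actionable question for a small team than "what is exposed", and the diff makes the new RDP listener on a developer's temporary box impossible to miss.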
Stay Safe Out There
Managing security across a remote workforce is challenging. Don’t let perfect be the enemy of good when reviewing the items above. Understanding what to prioritize is an important step in securing your environment and allowing users to work safely in a remote setting. By taking a holistic approach and focusing on the most critical areas first, you can make sure your organization is ready to support remote workers in a way that is safe and secure.
Censys is continuously scanning the entire Internet and provides visibility into both known and unknown assets that an organization owns. Censys offers a free tier account that users can take advantage of to monitor their attack surface. We also offer an open-source tool to make searching via the command line or scripting easier.