Remote Workforce: Ensuring Operations Move Forward in the New Normal

In response to the ongoing national emergency for COVID-19, organizations and federal agencies are using a wide variety of technology capabilities to ensure operations and missions continue advancing, especially as most organizations increase their telework presence. This unprecedented volume of telework brings with it a number of new security challenges and considerations. Here’s a brief overview of best practices for ensuring your telework program is being carried out effectively and securely.

Reaffirming Standard Operating Procedures (SOPs)

Organizations should begin by ensuring their Standard Operating Procedures are capable of supporting telework and remote monitoring/management of your infrastructure. Some may already have a large telework presence, in which case their SOPs may already cover work at home and remote management of the infrastructure – but now is a good time to verify that. Test each SOP by asking “how would we do that remotely?” If the SOP doesn’t cover work at home and remote management of your infrastructure, then considering extending procedures so that it has clear and repeatable processes for supporting remote operations. This is especially important now as security operations teams may not be as available as they were under a more traditional work environment.

Federal agencies can find more information by referring to OPM’s Telework Guidance or NIST’s Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions documentation.

Securing Virtual Private Networks (VPNs)

Virtual Private Network connections are the most common remote access method used by enterprise organizations and federal agencies. However, VPN vulnerabilities are constantly being discovered and exploited by malicious actors. As the backbone of telework, VPN security and policy needs to be carefully considered. Here are some of the most important steps agencies can take:

• Ensure VPN servers and services are up to date and well patched.
• Ensure VPN routing policy is properly configured on endpoints (e.g., Split vs. Full tunneling)
• Increase focus on cybersecurity and performance monitoring of your VPN servers to enable you to quickly detect attacks against your VPN infrastructure.
• Monitor VPN utilization and make adjustments as necessary (e.g., rate limiting).
• Implement multifactor authentication for VPN access and/or require remote users to utilize strong passwords.

Federal security teams can find more detailed guidance on CISA’s VPN-Related Guidance webpage.

Fortifying Home Networks

Last but not least, your work at home employees will likely be getting their Internet access via a home network, so it certainly helps to ensure your remote workers are securing those networks with best practices.

• Change default passwords and update firmware on all devices connected to your home network, including wireless access points.
• Secure wireless connections, preferably using WPA2 or WPA3, as using the other protocols could leave your network open to exploitation.
• Update and maintain antivirus software on computers connected to your home network.
• Disable file sharing between devices when not in active use, and never allow file sharing on public networks.

Federal agencies can refer to CISA’s webpage for Securing Wireless Networks for more information on securing home networks.

Protecting Against Phishing

One of the primary avenues of attack for cyber adversaries is phishing. Phishing attacks trick end users into responding to a phone call, opening an email link or visiting a compromised domain in order to solicit personal information or introduce malware onto the victim’s device or larger enterprise. All teleworking employees should be aware of the danger of phishing and take steps to actively protect themselves against it. Best practices include:

• Treating unsolicited phone calls, or emails with skepticism, especially if they are asking about employees or other organizational information. Verify identities and affiliations whenever possible.
• Never providing personal information or organizational information, such as its structure or networks to unverified or unauthorized persons.
• Never disclosing personal or financial information in email. Do not respond to or click on links within emails that ask for this information.
• Always checking a website’s security and URL before entering sensitive information. Be sure to look for “https” over “http”.
• Installing and maintaining anti-virus, firewalls, and email filters to minimize spam, junk and phishing.
• Training end users to utilize anti-phishing features offered by your organization, email client or browser.
• Enforcing multi-factor authentication practices and policies.

Federal agencies seeking additional information, including what to do if you are the victim of a phishing attack, can refer to CISA’s Security Tip page for Avoiding Social Engineering and Phishing Attacks.

Mitigating Threats to Remote Workers

Threat actors continue to take advantage of the COVID-19 pandemic and continue to evolve and adapt their attack techniques to bypass detection. Enterprises and agencies need to plan for how they will remotely respond to cyber incidents, perform digital forensics to determine the extent of the infection, and remediate the infected devices or their telework employees.

Endpoint Detection and Response capabilities allow security operations personnel to quickly determine the extent of the infection, quarantine and clean-up infected machines, and bring those machines back online – all remotely. Automation features within EDR enable your agency’s security operations team to remotely and globally change device configurations and deploy updated cybersecurity detection and response rules to your EDR agents, allowing you to deploy synchronized changes across your distributed assets in response to an intrusion and/or emerging cyber threats.

EDR also allows you to better manage and track vulnerabilities by generating an inventory of software loaded on your endpoints, comparing that against CVEs, and reporting the update and patch status of each endpoint – helping you to identify and mitigate risks that can be exploited through Phishing attacks.

Finally, EDR can be used to report other threat indicators such as reading and writing to USB devices and excessive processor and disk utilization that could be an indicator of an ongoing attack. This reporting enables your security operations team to track your exposure to threats in real time and coordinate remediation of unpatched devices.