Chris Kubic is the Chief Information Security Officer (CISO) at Fidelis Cybersecurity. Kubic brings with him more than 30 years of experience driving Information Assurance and Cybersecurity initiatives.
In response to the ongoing national emergency for COVID-19, organizations and federal agencies are using a wide variety of technology capabilities to ensure operations and missions continue advancing, especially as most organizations increase their telework presence. This unprecedented volume of telework brings with it a number of new security challenges and considerations. Here’s a brief overview of best practices for ensuring your telework program is being carried out effectively and securely.
Organizations should begin by ensuring their Standard Operating Procedures (SOPs) are capable of supporting telework and remote monitoring and management of their infrastructure. Some may already have a large telework presence, in which case their SOPs may already cover work at home and remote management of the infrastructure, but now is a good time to verify that. Test each SOP by asking "how would we do that remotely?" If an SOP does not cover work at home or remote management of the infrastructure, consider extending it so that it provides clear and repeatable processes for supporting remote operations. This is especially important now, as security operations teams may not be as available as they were under a more traditional work environment.
Federal agencies can find more information by referring to OPM’s Telework Guidance or NIST’s Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions documentation.
Virtual Private Network (VPN) connections are the most common remote access method used by enterprise organizations and federal agencies. However, VPN vulnerabilities are constantly being discovered and exploited by malicious actors. As the backbone of telework, VPN security and policy need to be carefully considered. Here are some of the most important steps agencies can take:
Federal security teams can find more detailed guidance on CISA’s VPN-Related Guidance webpage.
Last but not least, your work-at-home employees will most likely be getting their Internet access via a home network, so it helps to ensure your remote workers are securing those networks according to best practices.
Federal agencies can refer to CISA’s webpage for Securing Wireless Networks for more information on securing home networks.
One of the primary avenues of attack for cyber adversaries is phishing. Phishing attacks trick end users into responding to a phone call, opening a link in an email, or visiting a compromised domain in order to harvest personal information or introduce malware onto the victim's device and, from there, the larger enterprise. All teleworking employees should be aware of the danger of phishing and take steps to actively protect themselves against it. Best practices include:
Federal agencies seeking additional information, including what to do if you are the victim of a phishing attack, can refer to CISA’s Security Tip page for Avoiding Social Engineering and Phishing Attacks.
Threat actors continue to take advantage of the COVID-19 pandemic and continue to evolve and adapt their attack techniques to bypass detection. Enterprises and agencies need to plan for how they will remotely respond to cyber incidents, perform digital forensics to determine the extent of an infection, and remediate the infected devices of their teleworking employees.
Endpoint Detection and Response (EDR) capabilities allow security operations personnel to quickly determine the extent of an infection, quarantine and clean up infected machines, and bring those machines back online, all remotely. Automation features within EDR enable your agency's security operations team to remotely and globally change device configurations and deploy updated detection and response rules to your EDR agents, allowing you to push synchronized changes across your distributed assets in response to an intrusion or an emerging cyber threat.
EDR also allows you to better manage and track vulnerabilities by generating an inventory of the software loaded on your endpoints, comparing that inventory against published CVEs, and reporting the update and patch status of each endpoint, helping you identify and mitigate the risks that are most commonly exploited through phishing attacks.
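As an added illustration of the inventory-versus-CVE comparison described above (this is example code written for this page, not Fidelis or any EDR product's own logic), the block below takes a per-host software inventory, matches each installed version against a CVE feed that uses NVD-style start-including/end-excluding version ranges, and produces a per-host patch-status report. The hostnames, product names, versions and CVE identifiers (`CVE-EXAMPLE-*`) are all constructed sample data, and the version comparison is a deliberately simple dotted-numeric scheme rather than a full vendor versioning parser.

```python
"""Match an endpoint software inventory against a CVE feed and report patch status.

Added example, not Fidelis or vendor code. Every host, product, version and
CVE entry below is constructed sample data, not a real advisory.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    start_including: Optional[str]  # None means "from the first release"
    end_excluding: str              # first version that carries the fix


def parse_version(v: str) -> tuple:
    """Turn '4.2.1' or '2019.1-beta' into a tuple of ints.
    Non-numeric fragments count as 0 so odd vendor strings never raise."""
    parts = []
    for piece in re.split(r"[.\-+]", v):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Strict 'a < b' with the shorter tuple zero-padded, so 4.3 == 4.3.0."""
    x, y = parse_version(a), parse_version(b)
    n = max(len(x), len(y))
    return x + (0,) * (n - len(x)) < y + (0,) * (n - len(y))


def is_affected(version: str, cve: Cve) -> bool:
    """Affected when start_including <= version < end_excluding."""
    if cve.start_including is not None and version_lt(version, cve.start_including):
        return False
    return version_lt(version, cve.end_excluding)


def find_vulnerable(inventory, cve_feed):
    """Return one finding per (host, package, CVE) match, in inventory order."""
    by_product = {}
    for cve in cve_feed:
        by_product.setdefault(cve.product, []).append(cve)
    findings = []
    for host, product, version in inventory:
        for cve in by_product.get(product, []):
            if is_affected(version, cve):
                findings.append({"host": host, "product": product, "installed": version,
                                 "cve": cve.cve_id, "fixed_in": cve.end_excluding})
    return findings


def patch_status(inventory, cve_feed):
    """Per-host report: 'patched' unless at least one installed package is affected."""
    report = {h: {"status": "patched", "open_cves": []} for h, _, _ in inventory}
    for f in find_vulnerable(inventory, cve_feed):
        entry = report[f["host"]]
        entry["status"] = "needs-update"
        entry["open_cves"].append(f"{f['cve']}: {f['product']} {f['installed']} -> {f['fixed_in']}")
    return report


# Constructed sample inventory: (hostname, product, installed version)
INVENTORY = [
    ("laptop-01", "acme-vpn-client", "4.2.1"),
    ("laptop-01", "acme-pdf-reader", "11.0.3"),
    ("laptop-02", "acme-vpn-client", "4.3.0"),
    ("laptop-02", "acme-pdf-reader", "10.9"),
    ("laptop-03", "acme-office", "2019.1-beta"),
    ("laptop-04", "acme-vpn-client", "4.3.0"),
    ("laptop-04", "acme-pdf-reader", "11.0.2"),
]

# Constructed CVE entries mimicking NVD's versionStartIncluding / versionEndExcluding
CVE_FEED = [
    Cve("CVE-EXAMPLE-0001", "acme-vpn-client", None, "4.3.0"),
    Cve("CVE-EXAMPLE-0002", "acme-pdf-reader", "10.0", "11.0.2"),
    Cve("CVE-EXAMPLE-0003", "acme-office", "2019.0", "2019.2"),
]

if __name__ == "__main__":
    for host, entry in sorted(patch_status(INVENTORY, CVE_FEED).items()):
        print(host, entry["status"], *entry["open_cves"], sep="  ")
```

In practice the inventory comes from the EDR agent and the feed from NVD or a vendor advisory service; the part worth keeping from this example is the range check with the zero-padded comparison, since an off-by-one on `end_excluding` (treating the fixed version itself as affected, or a `4.3` install as older than `4.3.0`) is the usual source of false positives and false negatives in home-grown patch reports.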
Finally, EDR can be used to report other threat indicators, such as reads and writes to USB devices or excessive processor and disk utilization, that could be a sign of an ongoing attack. This reporting enables your security operations team to track your exposure to threats in real time and coordinate remediation of affected devices.
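The detection side of the paragraph above, as an added example that is not part of the original post or of any EDR product: a small rule set run over constructed endpoint telemetry that flags bulk writes to removable media and sustained (not momentary) high CPU or disk utilization. The telemetry tuple layout, the event names (`cpu`, `disk`, `usb_write`), the thresholds and the hostnames are all assumptions made for this example; a real agent's schema and sensible thresholds for your fleet will differ.

```python
"""Flag endpoint telemetry worth a second look: bulk USB writes and sustained load.

Added example, not Fidelis or EDR-vendor code. The telemetry records, field
names and thresholds below are constructed assumptions, not a product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

UTIL_THRESHOLD = 90.0                          # percent
SUSTAINED_SAMPLES = 3                          # consecutive samples needed; one spike is noise
USB_WRITE_BYTES_THRESHOLD = 200 * 1024 * 1024  # 200 MiB to removable media inside the window
USB_WINDOW = timedelta(minutes=15)             # chunked copies are summed over this window


def detect_indicators(telemetry, util_threshold=UTIL_THRESHOLD, sustained=SUSTAINED_SAMPLES,
                      usb_bytes=USB_WRITE_BYTES_THRESHOLD, usb_window=USB_WINDOW):
    """Walk events per host in time order and emit one indicator per triggered rule.

    telemetry: iterable of (host, iso_timestamp, kind, value) where kind is
    'cpu' / 'disk' (value = percent utilization) or 'usb_write' (value = bytes).
    """
    indicators = []
    streaks = defaultdict(int)        # (host, metric) -> consecutive samples over threshold
    usb_recent = defaultdict(list)    # host -> [(timestamp, bytes)] still inside the window

    for host, ts_str, kind, value in sorted(telemetry, key=lambda e: (e[0], e[1])):
        ts = datetime.fromisoformat(ts_str)
        if kind in ("cpu", "disk"):
            key = (host, kind)
            if value >= util_threshold:
                streaks[key] += 1
                if streaks[key] == sustained:   # fire once when the streak is reached
                    indicators.append({
                        "host": host,
                        "indicator": f"sustained_{kind}",
                        "detail": f"{kind} >= {util_threshold}% for {sustained} "
                                  f"consecutive samples ending {ts_str}",
                    })
            else:
                streaks[key] = 0                # a normal sample breaks the streak
        elif kind == "usb_write":
            # Sum writes inside the window so a copy split into small chunks still trips the rule
            window = [(t, b) for t, b in usb_recent[host] if ts - t <= usb_window]
            window.append((ts, value))
            total = sum(b for _, b in window)
            if total >= usb_bytes:
                indicators.append({
                    "host": host,
                    "indicator": "usb_bulk_write",
                    "detail": f"{total // (1024 * 1024)} MiB written to removable media "
                              f"within {usb_window} ending {ts_str}",
                })
                window = []                     # one burst raises one indicator
            usb_recent[host] = window
    return indicators


# Constructed telemetry: (host, ISO timestamp, kind, value)
TELEMETRY = [
    ("laptop-01", "2020-04-01T09:00:00", "cpu", 95.0),   # single spike, must not fire
    ("laptop-01", "2020-04-01T09:01:00", "cpu", 40.0),
    ("laptop-01", "2020-04-01T09:02:00", "cpu", 35.0),
    ("laptop-02", "2020-04-01T09:00:00", "cpu", 96.0),
    ("laptop-02", "2020-04-01T09:01:00", "cpu", 97.0),
    ("laptop-02", "2020-04-01T09:02:00", "cpu", 99.0),   # third in a row: sustained
    ("laptop-02", "2020-04-01T09:03:00", "disk", 98.0),  # only one disk sample, no fire
    ("laptop-03", "2020-04-01T10:00:00", "usb_write", 50 * 1024 * 1024),
    ("laptop-03", "2020-04-01T10:05:00", "usb_write", 300 * 1024 * 1024),  # 350 MiB in 5 min
    ("laptop-04", "2020-04-01T09:00:00", "usb_write", 30 * 1024 * 1024),
    ("laptop-04", "2020-04-01T10:00:00", "usb_write", 30 * 1024 * 1024),   # outside the window
]

if __name__ == "__main__":
    for ind in detect_indicators(TELEMETRY):
        print(ind["host"], ind["indicator"], ind["detail"], sep="  ")
```

Two design points carry over to real rules: requiring a streak rather than a single sample keeps build jobs and AV scans from paging the on-call, and windowing the USB byte count catches the common evasion of copying a large archive as many small files. Thresholds should be set from a baseline of your own fleet, not from the constants above.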