The rapid spread of the coronavirus has forced many organizations to implement telework policies to stop the spread of the virus. Telework is an alternative work arrangement that allows employees, contractors, and third-party vendors to work from remote locations other than the organization's facilities. Teleworkers utilize different devices, “such as laptop computers, smartphones, and tablets, to read and send an email, access websites, review and edit, and perform many other tasks” (NIST, 2020). While this is convenient, there is a significant security risk associated with teleworkers.
For security administrators, network engineers and computer security managers this presents a huge security challenge and risk because it expands the threat environment for organizations. A recent report by the National Institute of Standards and Technology (NIST) found that “telework and remote access technologies often need additional protection because their nature generally places them at higher exposure to external threats than technologies only accessed from inside the organization” (NIST, 2020).
This is because when employees and third-party vendors use company equipment outside the organization's IT security structure, it weakens the overall IT infrastructure. This is why it is essential for security teams to design and implement security policies that address these challenges, so that remote connections cannot be exploited by threat actors. Threat actors can jeopardize the confidentiality, integrity and availability of important information assets if remote workers' devices are compromised. The key security objectives when security personnel design telework and remote access security features are ensuring:
Confidentiality — ensure that remote access communications and stored user data cannot be read by unauthorized parties;
Integrity — detect any intentional or unintentional changes to remote access communications that occur in transit; and
Availability — ensure that users can access resources through remote access whenever needed (NIST, 2020).
All of the elements of telework and remote access solutions, such as remote access servers and the internal servers used by employees, third-party vendors and contractors, should be secured against threat actors. To achieve these objectives the National Institute of Standards and Technology (NIST) suggests that all organizations conduct threat modelling to ensure important information assets are protected. NIST defines threat modelling related to telework as “Identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts and finally analyzing this information to determine where security controls need to be improved or added” (NIST, 2020).
Threat modelling is most effective when organizations identify their most important assets and apply security policies and protocols to protect those assets. Companies need to continuously monitor security threats so they can develop new protocols as the threat environment changes and new potential threats emerge or are eliminated. Organizations' priorities need to change because the threat is continuously evolving.
Security Issues of Teleworking
Since nearly all remote access work occurs over the Internet, companies usually do not have much control over the external networks used by employees working remotely. “Communications systems used for remote access include broadband networks such as cable, and wireless mechanisms such as IEEE 802.11 and cellular networks” (NIST, 2020). These communications channels are more susceptible to eavesdropping, one of the ways threat actors can intercept sensitive information communicated over the internet while employees work from remote locations. Remote workers are also susceptible to man-in-the-middle (MITM) attacks, in which threat actors intercept and modify communications.
To address some of these challenges, security teams setting up remote access security plans should assume that the networks employees' and clients' devices connect to are not safe and cannot be trusted. Companies can use “encryption technologies to protect the confidentiality and integrity of communications, as well as using mutual authentication mechanisms to verify the identities of both endpoints” (NIST, 2020). Using firewalls, updated antivirus software, and virtual private networks (VPNs), and more importantly avoiding public networks, can help prevent eavesdropping attacks.
To illustrate how critical it is for companies to secure their networks and prevent eavesdropping and MITM attacks: in 2015, cybercriminals in Belgium stole a total of $6 million through a MITM attack. The cybercriminals gained access to corporate email accounts by intercepting communications, carefully monitored them, took over payment accounts, and requested money from clients using the hacked accounts.
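The two NIST recommendations above, mutual authentication of both endpoints and integrity protection of the traffic, can be shown concretely with a small challenge-response exchange. The following Python is an added example, not code from the article or from NIST: both endpoints prove possession of a shared key to each other, derive a per-session key from the two fresh nonces, and then MAC every message so that a modification in transit (the MITM scenario in the text) or a replay is rejected. The pre-shared key, the endpoint names and the message contents are constructed for the example; a real deployment would use client certificates or a VPN with a TLS handshake rather than a hand-rolled protocol.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed pre-shared key for this example only; real deployments provision
# per-device credentials (for example client certificates) out of band.
SHARED_KEY = b"example-pre-shared-key-not-for-production"


def _proof(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """HMAC proof that the holder of `key` saw `challenge`.

    The role label (b"client" or b"server") is mixed in so that an attacker who
    relays a challenge cannot reflect one side's own answer back to it."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class Endpoint:
    """One side of the connection: holds the key and the nonce it issued."""

    def __init__(self, name: str, role: bytes, key: bytes):
        self.name, self.role, self.key = name, role, key
        self.nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; a new one per handshake defeats replay."""
        self.nonce = secrets.token_bytes(32)
        return self.nonce

    def respond(self, peer_challenge: bytes) -> bytes:
        return _proof(self.key, self.role, peer_challenge)

    def verify(self, peer_role: bytes, proof: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = _proof(self.key, peer_role, self.nonce)
        return hmac.compare_digest(expected, proof)  # constant-time comparison


def mutual_authenticate(client: Endpoint, server: Endpoint) -> Optional[bytes]:
    """Run the exchange; return a session key on success, None if either side fails."""
    c_nonce = client.challenge()                  # 1. client -> server: Nc
    s_nonce = server.challenge()                  # 2. server -> client: Ns, HMAC(K, "server"|Nc)
    s_proof = server.respond(c_nonce)
    if not client.verify(b"server", s_proof):     # client checks the server first
        return None
    c_proof = client.respond(s_nonce)             # 3. client -> server: HMAC(K, "client"|Ns)
    if not server.verify(b"client", c_proof):     # 4. server checks the client
        return None
    # Both sides hold K, Nc and Ns, so both derive the same per-session key.
    return hmac.new(client.key, b"session|" + c_nonce + s_nonce, hashlib.sha256).digest()


def seal(session_key: bytes, seq: int, payload: bytes) -> Tuple[bytes, bytes]:
    """Attach a MAC over sequence number and payload (integrity only, no secrecy)."""
    message = seq.to_bytes(8, "big") + payload
    tag = hmac.new(session_key, message, hashlib.sha256).digest()
    return message, tag


def open_sealed(session_key: bytes, expected_seq: int, message: bytes, tag: bytes) -> Optional[bytes]:
    """Return the payload if the MAC and sequence number check out, else None."""
    header, payload = message[:8], message[8:]
    if int.from_bytes(header, "big") != expected_seq:
        return None  # replayed or reordered message
    expected = hmac.new(session_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # modified in transit
    return payload


if __name__ == "__main__":
    laptop = Endpoint("teleworker-laptop", b"client", SHARED_KEY)
    gateway = Endpoint("vpn-gateway", b"server", SHARED_KEY)
    key = mutual_authenticate(laptop, gateway)
    print("mutual authentication succeeded:", key is not None)
    msg, tag = seal(key, 1, b"pay invoice 4711 to account A")   # constructed message
    tampered = msg[:-1] + b"B"                                   # MITM alters the account
    print("genuine message accepted:", open_sealed(key, 1, msg, tag) is not None)
    print("tampered message rejected:", open_sealed(key, 1, tampered, tag) is None)
```

The role label inside the proof and the sequence number inside the MAC are the two details that matter: without the first, an attacker could answer a challenge by relaying it to the other honest party; without the second, a captured message could be resubmitted later even though its MAC is valid.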
Bring Your Own Device (BYOD)
Almost all employees and third-party vendors, and particularly BYOD users, are connected to unsecured external networks that are much more susceptible to cyber-attacks, so companies have to take the appropriate steps to mitigate these risks. A threat actor who gains access to employees' and clients' devices can “install malware on the device to gather data from it and from networks and systems the individual is connected to”. Moreover, if an employee's device is compromised or infected with malware, the malware can spread to other internal networks connected to that device. When security teams plan remote access security policies they should assume that all devices used while employees work remotely are infected or will become infected, and “plan their security controls accordingly”.
To make sure employees' devices are protected, organizations should implement policies that ensure all employees' devices use appropriate antimalware technologies, such as antivirus software on laptops, together with network access control (NAC). NAC solutions help organizations control access to their networks by “enforcing policies for all operating scenarios without separate products or additional modules”, and NAC “mitigates network threats by enforcing security policies that block, isolate, and repair noncompliant machines without administrator attention”.
There are many more security challenges that teleworking presents than this brief article can possibly cover. The most important step organizations can take is ensuring that the necessary security control policies are in place to guide and help employees, contractors and third-party vendors working remotely.
It is critical that organizations develop a telework security policy and security awareness training programs for employees. The policy should define which forms of remote access the company permits, “which types of telework devices (e.g., organization-controlled PCs and mobile devices, BYOD mobile devices, contractor-controlled PCs) are permitted to use which form of remote access, the type of access each type of teleworker is granted, and how user account provisioning should be handled” (NIST, 2020). Additionally, it should cover how remote access servers are managed, and the policy should be documented in the system security plan.
Another important point a remote access security policy should address is which devices get access to an organization's internal networks. NIST suggests “organizations should have tiered levels of access, such as allowing organization-controlled PCs to access many resources, BYOD PCs and third-party-controlled PCs to access a limited set of resources, and BYOD mobile devices to access only one or two resources, such as webmail”. This limits the risk by allowing only the most controlled devices to have “most access and the least-controlled devices to have minimal access or no access at all” (NIST, 2020). A remote access security policy should not be created separately from the overall security policy of the organization; the overall security policy should take priority when creating a telework security policy. Additionally, organizations should tailor their policies to their organizational needs and to their financial resources.
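The NAC behaviour described above (block, isolate and repair noncompliant machines) and the tiered device access NIST recommends fit naturally into one access decision, evaluated when a device connects. The following Python is an added example, not code from the article, from NIST or from any NAC product: it checks a device's reported posture first, quarantining devices whose failures can be fixed automatically and blocking those whose failures cannot, and only then applies the per-device-class tier. The device classes follow the NIST quotation; the resource names, posture fields and compliance thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class DeviceClass(Enum):
    ORG_PC = "organization-controlled PC"
    BYOD_PC = "BYOD PC"
    THIRD_PARTY_PC = "third-party-controlled PC"
    BYOD_MOBILE = "BYOD mobile device"


# Tiered access in the NIST pattern: the most-controlled devices get the most,
# BYOD mobile devices get only webmail. Resource names are constructed.
ACCESS_TIERS: Dict[DeviceClass, FrozenSet[str]] = {
    DeviceClass.ORG_PC: frozenset({"webmail", "intranet", "file-share", "hr-system", "erp"}),
    DeviceClass.BYOD_PC: frozenset({"webmail", "intranet"}),
    DeviceClass.THIRD_PARTY_PC: frozenset({"webmail", "vendor-portal"}),
    DeviceClass.BYOD_MOBILE: frozenset({"webmail"}),
}

# Hypothetical compliance thresholds; an organization would set its own.
MAX_SIGNATURE_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 30


class Verdict(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"   # isolate on a remediation network and push fixes
    BLOCK = "block"


@dataclass
class Posture:
    """Health report a NAC agent would send at connection time (constructed fields)."""
    device_id: str
    device_class: DeviceClass
    antimalware_running: bool
    signature_age_days: int
    os_patch_age_days: int
    disk_encrypted: bool


def compliance_failures(p: Posture) -> Tuple[List[str], List[str]]:
    """Split failures into those NAC can repair automatically and those it cannot."""
    repairable, fatal = [], []
    if p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        repairable.append(f"antimalware signatures {p.signature_age_days} days old")
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        repairable.append(f"OS patches {p.os_patch_age_days} days old")
    if not p.antimalware_running:
        fatal.append("antimalware not running")
    if not p.disk_encrypted:
        fatal.append("disk not encrypted")
    return repairable, fatal


def decide(p: Posture, resource: str) -> Tuple[Verdict, str]:
    """NAC decision for one access request: posture check first, then the device tier."""
    repairable, fatal = compliance_failures(p)
    if fatal:
        return Verdict.BLOCK, "noncompliant: " + "; ".join(fatal)
    if repairable:
        return Verdict.QUARANTINE, "remediate: " + "; ".join(repairable)
    allowed = ACCESS_TIERS.get(p.device_class, frozenset())  # unknown class gets nothing
    if resource not in allowed:
        return Verdict.BLOCK, f"{resource!r} is outside the tier for {p.device_class.value}"
    return Verdict.ALLOW, f"{p.device_class.value} is compliant and permitted {resource!r}"


if __name__ == "__main__":
    # Constructed sample requests, one per situation the text describes.
    requests = [
        (Posture("pc-001", DeviceClass.ORG_PC, True, 1, 5, True), "erp"),
        (Posture("pc-002", DeviceClass.ORG_PC, True, 21, 5, True), "erp"),
        (Posture("pc-003", DeviceClass.BYOD_PC, False, 1, 5, True), "intranet"),
        (Posture("ph-004", DeviceClass.BYOD_MOBILE, True, 1, 5, True), "webmail"),
        (Posture("ph-005", DeviceClass.BYOD_MOBILE, True, 1, 5, True), "hr-system"),
    ]
    for posture, resource in requests:
        verdict, reason = decide(posture, resource)
        print(f"{posture.device_id:>7} -> {resource:<10} {verdict.value:<10} {reason}")
```

Evaluating posture before the tier is deliberate: an organization-controlled PC with stale signatures is not trusted more than a compliant BYOD phone just because of its class, which is the "assume the device is or will become infected" stance the article takes.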
Security Education, Training and Awareness (SETA) Program
A Security Education, Training and Awareness (SETA) program is an educational program designed to reduce the number of security breaches that occur through a lack of employee security awareness. A SETA program is an excellent way to educate new employees and retrain existing employees about security protocols. SETA programs define an employee's role in the area of information security. The purpose of security awareness is to ensure all employees participate and are equipped with the necessary knowledge to defend against all forms of social engineering attacks.
Employees have access “to the most vital information a company has and either knows how to circumvent the systems that have been put in place to protect the organization's information or have a lack of knowledge that is needed to protect this information” (Hight, 2005). Technology alone is not sufficient to solve a problem that is controlled by individuals. Thus, companies have to train their employees in security awareness.
Organizations must periodically evaluate whether the implementation of the remote access policy is meeting its security objectives, and must be able to demonstrate that teleworking arrangements comply with the conditions outlined in the policy. Every year there are many changes in telework device capabilities, in the security controls available to organizations, in the types of threats made against different types of devices, and so on. Therefore, organizations should periodically reassess their policies for telework devices and consider changing which types of client devices are permitted and what levels of access they may be granted. Organizations should also be aware of the emergence of new types of remote access solutions and of major changes to existing remote access technologies, and ensure that the organization's policies are updated accordingly.