Friday, March 13, 2020

Recommendations for reducing cybersecurity risk while working remotely

You're probably aware of the COVID-19 / coronavirus pandemic. As the pandemic continues to unfold, our research and security communities will be increasingly impacted.  Numerous conferences have been canceled, and it has already been made public that two people who attended the cybersecurity conference, RSA, tested positive for coronavirus. Many institutions are now recommending or even requiring students and employees to work from home. While you may already be prepared to deal with one or two staff members working remotely or being out sick, most organizations are unprepared for the majority of their staff suddenly being in these categories.  Thus, Trusted CI would like to share some critical risks that we think are relevant to this situation and provide recommendations for how to mitigate them over the coming weeks.  Here are some questions to help you consider these risks.

Do you have all the passwords you need?
As people switch to working from home or go on extended leave, they may take passwords with them that other staff do not have. Do they normally keep the superadmin password on a sticky note on their monitor and now can't access it? This is a good opportunity to quickly review who has access and to confirm that they will have the necessary credentials for working remotely. We recommend the use of password managers (such as KeePass, 1Password, LastPass, etc.) to keep passwords securely stored and readily accessible through online means.

How will backups be handled?
Backups may require physical presence to change disks or tapes, which can make them difficult to manage remotely. Still, these backups are essential for being able to make a proper recovery from a security incident. You may first want to check with your institutional IT group to see if they have the ability to manage these backups for you to reduce the need to travel to work.

Is your regular office environment's physical space being monitored and access controlled?
Reduced staffing at your facility may increase the risk of unauthorized/unmonitored physical access to your systems and information. Locking doors is recommended, and checking with your institutional security about their practices will help you understand what is being monitored and how unauthorized access is determined. Consider letting your custodial staff know your plans, as normal security procedures such as locking doors may lapse during crisis mode and become a problem. On the upside, the chance of tailgating happening in the next few weeks is near zero.

Are you leaving unpatched workstations running?
Some staff may need to leave desktop or workstation systems in an unattended office for a long period of time. If these systems are not running services required for normal operation, it is recommended that these systems be turned off to avoid them becoming a liability if a critical vulnerability is released while you are away. Upon returning to the office, you should enforce an immediate vulnerability scan on these systems and patch as necessary. Check with your local institutional IT staff to make sure this would not interfere with their operations, as they may expect systems to be kept running in order to remotely back up and patch computers.

Do you have enough redundancy of staff?
Redundancy of staffing is always important, but with the coronavirus threat, there is an increased chance of redundant staff being affected as well, leading to lack of coverage. We recommend designating additional staff to be prepared to act in a maintenance or security role, if needed, as an additional redundancy.

Do you have a secure channel to communicate?
When direct interpersonal communications are no longer possible for sharing of sensitive information, the need for having a secure online communication channel increases. We recommend identifying a secure channel that can be used (for example, Signal, S/MIME, PGP/GPG, or another one recommended by your institution) and testing this channel with your staff in advance of any need to use it. This becomes especially important when you forget to share an important password with other staff and have no way of securely communicating it.

Will you be able to meet without your normal teleconferencing?
Demand for videoconferencing is expected to be at an unprecedented high as online classes and meetings begin to utilize it. It is possible that your normal video conferencing meetings will be disrupted or unavailable for a period of time. It is recommended that you identify an auxiliary method of holding such meetings. Also, if you are not doing so already, set a password on your teleconferencing meetings if possible and test that it works to prevent unauthorized access.

Can you perform all the steps in an incident response remotely?
Now would be a good time to review your security incident response plan to ensure that all the steps can be performed remotely, and if not, come up with an alternative approach.

Do you have enough VPN licenses?
One common method of providing remote access for employees is through a virtual private network (VPN). However, the increased remote activity could mean a shortage of VPN licenses, so now would be a good time to check the number of available licenses and ensure that it matches the expected load over the next few weeks.

Is there a bastion host you can use for remote access?
Those who use SSH, RDP or similar for accessing servers remotely may want to consider the use of a bastion host to provide a control point. This is a safer alternative to opening up direct remote access ports on internal systems. However, rather than rushing to set up a new bastion server, look for an existing one that has been provided by your institutional IT or ask for their recommendations.
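
For SSH users, reaching internal servers through an existing bastion can be set up entirely on the client side with OpenSSH's ProxyJump option (OpenSSH 7.3 or later). The configuration below is an added example, not part of the original post; the host names, user name and key path are placeholders to replace with the values your institutional IT provides.

```sshconfig
# ~/.ssh/config on the remote worker's laptop (constructed example).
# bastion.example.edu and *.internal.example.edu are placeholder names;
# substitute the bastion your institutional IT already operates.

Host bastion
    HostName bastion.example.edu
    User jdoe
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Do not expose the local ssh-agent to the bastion.
    ForwardAgent no

# Internal servers are reached only by hopping through the bastion.
Host *.internal.example.edu
    User jdoe
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
    # Refuse unknown or changed host keys; known_hosts must be
    # populated in advance for each internal server.
    StrictHostKeyChecking yes
```

With this in place, `ssh db1.internal.example.edu` (a placeholder name) connects through the bastion while the session to the internal server stays encrypted end to end, so the private key and agent never need to live on the bastion. Internal systems can then accept SSH only from the bastion's address rather than from the internet.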

Do you have a secure working space at home?
For many, the next couple of weeks may mean sharing your working space with family who are also working or attending school remotely. It's important to consider the potential for sensitive information in meetings to be overheard across meetings happening simultaneously. If you haven't already, it would be a good idea to find or set up an isolated space in your home for holding such meetings.

Be aware of new phishing tactics and scams.
There have been reports that attackers are taking advantage of the fear and demand for information about COVID-19 to spread malware. One such attack is the "Coronavirus map", which "had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser".

There are also additional resources that we've found online for raising your awareness about cybersecurity issues during the coronavirus threat that we're including in the list below: