In light of Coronavirus / Covid-19 and in particular, the key CDC recommendation that we implement social distancing (work from home), we wanted to try to write a helpful post about how to stay secure as a remote employee.
Jemurai has always been remote-friendly, with employees sprinkled across the US and we can talk about what makes our remote teams work. This post however, is aiming to focus on the security angles of working from home.
We also put together a checklist for securing your remote work environment that you can download and use across your teams.
THE GOOD NEWS™
The good news is that it is practical to work from home when the appropriate infrastructure is in place.
For some companies that already have a VPN and maybe use primarily cloud-based SaaS tools to get work done, there may be more of a social impact than a technical impact to working remotely. In other words, people can be productive and secure working remotely in this scenario.
There are also a lot of companies that are quite close to being able to unleash a remote workforce with just a few safety measures put in place to ensure that information isn’t exposed or compromised in the process.
THE BAD NEWS™
The bad news is that there are a lot of companies that aren’t well prepared for lots of remote work. Either they have internal systems that are not easily exposed outside of their office or they have paper trails or other physical security measures that they need to have in place.
Consider also that many classic security tools are running in the corporate network. What happens if most users aren’t really in the network?
The following sections provide detail around different things we need to do to ensure our work environment is safe.
Often, employees working at home are using their home wireless network. To ensure that organizational information is not compromised through this process we need to take several steps to secure the WIFI.
When we work from home, even if our WIFI is secure, usually other devices on the home network can see our computer and often our specific location is available to sites and services that we visit.
A VPN is a strong countermeasure for both local computers on the network being able to see our traffic and for obscuring our exact physical location.
It is ideal if the company can offer a VPN service with tested configurations that work with supported devices. If they cannot, there are commercial VPN services (eg. ProtonVPN) and even do it yourself options like Algo, which is what we at Jemurai use.
In security, we talk about confidentiality, availability and integrity. It turns out that availability is an important part of successful remote work. That may mean paying a little more for better internet service.
- Use WPA 2 or stronger algorithm (Not WEP)
- Use a strong passphrase for connecting to the wireless network
- Do not share this wireless network with anyone that you do not trust
- Always use a VPN when working from home.
- Have reliable and fast internet
- Set up a separate network for the work WIFI so that other home devices cannot connect to the work network
We expect to see increased phishing and social engineering activity related to both coronavirus specifically and more people working remotely in general. That means that phishing campaigns and other attempts to manipulate employees are more likely even than they were before. We advocate for specific awareness campaigns against these types of manipulative campaigns.
In some corporate environments, there are countermeasures in place to ensure that employees cannot accidentally browse to a malicious website. Essentially, the corporate network has a directory (DNS) that your computer uses to look up where it is going to visit and the directory contains information about “bad” or “malicious” sites and doesn’t let you go there.
Sometimes the corporate protections work if you are on a company VPN.
There are also public and free DNS services that can also protect you from malicious URL’s, including Quad9.
- Redouble Phishing awareness campaigns, especially pertinent to Coronavirus
- Don’t click on links or attachments that are not internal resources
- Use Corporate VPN that sets DNS or set DNS to
It sounds obvious, but when you are working from home your conversations are not private to a company audience and your desk is not private from casual observers. Whether it is your spouse, a cleaning lady, your kids friends, or a relative at a party, you probably don’t control or want to watch your physical environment at home the same way it is managed in an office space.
Most companies implement a clean desk policy anyway to ensure that passwords, client data or other sensitive information is never sitting exposed to passersby.
- Get a room with a door that closes
- Get locking storage in either a desk or file cabinet
- Your work computer should not be shared by others at home
Company Internal Networking
In the event that there are internal services that are not easily exposed, a company will have to do some soul searching and decide how to address this gap.
On the one hand, it is technically possible to expose internal systems using solutions like Citrix, or even VPN. On the other hand, if the remote part of this setup isn’t established yet it may be costly and complicated to set up a solution like that.
It may be that the best approach is to focus on identifying cloud-based alternatives or workflows that do not require the on site systems. On some level, being able to overcome this centralization should be part of a business continuity plan already - where critical systems are identified and ways to use them under changing circumstances are understood and tested.
There are some basic issues that can arise. One is related to group policies, that IT should be pushing out to users. This is a challenge if the user isn’t connecting to a central domain controller. Another concrete example is that security mechanisms like windows event forwarding (WEF) must be set up to report to a place they can reach, and an internal forwarding address won’t be visible from outside.
- Identify and communicate approved communications platforms
- Identify internal services and agree on workarounds or alternatives
- Consider what internal tools may be ineffective (eg. SIEM) and try to put in place cloud based alternatives
It is very important that laptops and other work devices used for remote work have encryption enabled. This is true even when employees work in an office, but the risk of a laptop “disappearing” may be higher at home or in other remote locations.
It is also important that systems are patched regularly.
Although tools like AntiVirus and AntiMalware programs are important in the office, they are arguably even more important out of the office because an event, incident or compromise might be much harder to detect at an infrastructure level. Therefore, in an ideal world, we would mandate and enforce that these endpoint controls are in place before connecting to valuable company services.
Commercial VPN tools provide these types of controls but most more open VPN tools do not. The risk we take here should be commensurate with the size of the organization and the sensitivity of the data involved.
To say that another way, use commercial VPN tools that let you enforce endpoint configuration (OS Updated, Programs Patched) if your data is extremely sensitive.
- Ensure encryption is enabled (File Vault(Mac), Bitlocker(Windows)),
- Ensure systems are patched
- Implement AntiVirus/AntiMalware (Enforce if necessary)
The best rule to use with storage, i.e. where your files live, is to use the same locations when working remotely that you use when on site. This can be a problem if the typical approach is to use a Windows File Share, for example. Sometimes a VPN can provide access to these shared resources, but that requires an enterprise grade managed VPN.
On the other hand, if there are approved storage solutions like Dropbox, Box, Drive or OneDrive, these can be used the same way remotely as they are in person.
That being said, it is important that users do not use personal file storage solutions to work around company shortcomings. This can result in unintended data exposure.
- Identify appropriate shared storage and use this for internal sharing
Things Not To Do
There are some things that people naturally do when they want to be productive from home that are not probably a good idea.
- Trying to use Remote Desktop into an onsite computer
- Using a LogMeIn or reverse proxy, etc. to get access to a computer “in the network”
- Putting their files in a personal dropbox folder to use from home
- Using their personal computer for company work without taking the appropriate precautions
Monitoring and Support
To support remote work, there is an onus upon the organization to update and enhance their security monitoring capabilities.
We would generally want to see the detection of:
- Any inbound corporate traffic
- Outbound traffic to eg. logmein
- Unpatched endpoints
- Users not using VPN
- Security related events
The environment outside the office when employees work remotely is often quite different from the office network.
Many of the same security measures are important in both cases, but out of the office, there is usually less support around technology and “drive by help” may not be accessible. It may be helpful to work through the details and publish specific guidance (even a WFH Policy) for employees to help them navigate this.
We wanted to help companies shifting to remote setups maintain secure work environments so we collected the safety measures into a handy checklist for employees to use when thinking about their setup at home. You can download it here.
Also, feel free to reach out at firstname.lastname@example.org.