Difference between revisions of "Secure Remote Work Technical Considerations"

From wiki
Jump to navigation Jump to search
Line 43: Line 43:
 
*Use CCCS/CSE [https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf approved cryptography] when applicable.
 
*Use CCCS/CSE [https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf approved cryptography] when applicable.
  
==Privacy==
+
==Home Network Hardening==
Employee's are encouraged to use approved software such as Zoom, Google Hangouts, and Slack to collaborate and communicate unclassified information. However there are some privacy issues that need to be recognized before using these applications. It is important to remember that these applications are not to be used for any classified work.  
+
Out of the box, most routers have generic passwords, are out of date, and often contain exploits that can easily be used to intercept, manipulate and store network traffic. However, there are a number of actions that you can take to mitigate these security issues at home.  
  
Some general things to consider for increasing privacy on these applications include:
+
*Enable Auto-Updates on endpoint devices. Not only on laptops and smartphones but also on the router itself.
*Enabling two-factor authentication.
+
*Disable remote management and administrator function.
*Post/Send things that you do not mind sharing with the employer and employee's.
+
*Change the routers default password to something that is unique and adheres to the GC Password Guidance.  
*Segregate personal applications and work applications.
+
*Ensure that any web-based management account for the router is also using a strong, unique password.
*Use personal devices for personal applications and work devices for work applications
+
*Place IoT devices on a separate router or VLAN.
 +
*Double check which device address' are connecting to the router if possible.
  
===Slack===
+
For more information, check out this CyberScoop report.
When using a paid license of the application, a feature is unlocked that allows HR and management personnel to export ALL chats. Not only can group chats be exported but also chats that are between you and a colleague that is sent in a private chat. This feature cannot be enabled in the free license. It is important to note that Slack does store data regardless of the license, including after 10,000 messages in the free version.
 
 
 
Slack also retains data such as links, passwords, usernames and chats, however does have options to customize policies on data retention.
 
===Zoom===
 
Zoom has a feature that tracks attention to the webcam in order to see who is actively in the video chat. If a presenter is sharing their screen and a user minimizes the window or leaves their device, a notification will be sent to the meeting hosts. It should be noted that Zoom does not record activity on the device nor does it capture video with this setting.
 
 
 
Unless a meeting host is using Zoom's encrypted video chat option, the company could have access to the conference.
 
 
 
For more information on using Zoom, please see the guide in the references section or [[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|click here]].
 
 
 
===Google Hangouts===
 
While there are no glaring privacy concerns with Google Hangouts, it does require a Google account. It is best to use a work account if possible, to avoid details being linked together exposing private interests, and personal activity online when using that Google account. Details such as names, phone numbers, usernames and other information can be pieced together which can be exposed as a single entity.
 
  
 
== References ==
 
== References ==

Revision as of 09:56, 30 March 2020

Telework-nobg.png
Secure Teleworking - User Considerations Secure Teleworking - Technical Considerations

What is Teleworking?

As cloud technology, collaborative applications and internet connectivity increase, teleworking is becoming more prevalent than ever before. Teleworking is often done through the following ways:

  • Tunneling - using a secure communications tunnel between a device and a remote access server, usually through a VPN.
  • Portals - a server that offers access to one or more application via a single interface.
  • Direct Application Access - directly connecting and accessing an application without the use of any remote access software.
  • Remote Desktop(via RDP or VNC) - remotely control a particular host machine through the internet.

Threats and Challenges posed by Teleworking

By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.

Security issues may include:

  • Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf.
  • Unsecured Networks - connecting on networks that are unsecured such as cafe, hotel and other open public networks are easy targets for exploitation.
  • Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised.
  • Out of Date Software - When using personal devices system updates and patches cannot be guaranteed.

Mitigation and Prevention Measures

As the employee will be connect via the internet to potentially classified data and applications it is important that measures are taken to reduce the risk of a security breach.

Some helpful considerations to implement include:

  • Mandate the use of multi-factor authentication. Some of these techniques include using an authenticator app, phone verification, etc...
  • Develop and deploy a tiered access control system that ensures permissions are segregated.
  • Ensure remote servers, user endpoints such as smartphones, tablets, laptops and desktops are regularly patched.
  • Secure all remote devices by using anti-malware software and implementing strong firewall rules.
  • Use validated encryption to protect data.
  • Encrypt device storage such as hard drives, SD Cards, USB Keys, etc...
  • Devise policies that detail how a teleworker will access applications remotely as well as what applications and parts of the network they have access to.
  • Disable or limit the ability to install applications on devices such as laptops and smartphones.
  • Use CCCS/CSE approved cryptography when applicable.

Home Network Hardening

Out of the box, most routers have generic passwords, are out of date, and often contain exploits that can easily be used to intercept, manipulate and store network traffic. However, there are a number of actions that you can take to mitigate these security issues at home.

  • Enable Auto-Updates on endpoint devices. Not only on laptops and smartphones but also on the router itself.
  • Disable remote management and administrator function.
  • Change the routers default password to something that is unique and adheres to the GC Password Guidance.
  • Ensure that any web-based management account for the router is also using a strong, unique password.
  • Place IoT devices on a separate router or VLAN.
  • Double check which device address' are connecting to the router if possible.

For more information, check out this CyberScoop report.

References

Retrieved from "https://wiki.gccollab.ca/index.php?title=Secure_Remote_Work_Technical_Considerations&oldid=20722"