Difference between revisions of "Secure Remote Working - Device Considerations"

From wiki
Jump to navigation Jump to search
Line 66: Line 66:
 
*Avoid substituting numbers for letters or symbols. For example, "P@$$W0RD1" is not a secure password.
 
*Avoid substituting numbers for letters or symbols. For example, "P@$$W0RD1" is not a secure password.
 
*Enable Two-Factor Authentication (2FA). Choose to authenticate via an "authenticator" app which provides a one-time passcode. Most times SMS is the default second factor however this can be spoofed with a method called sim-swapping.  
 
*Enable Two-Factor Authentication (2FA). Choose to authenticate via an "authenticator" app which provides a one-time passcode. Most times SMS is the default second factor however this can be spoofed with a method called sim-swapping.  
*Avoid using "remember me" for apps and websites.
+
*Avoid using "remember me" features for apps and websites.
 +
 
 +
==Social Media==
 +
 
  
 
|}
 
|}

Revision as of 08:19, 23 April 2020

Telework-nobg.png
Overview and User Considerations Technical Considerations Secure Use of Collaboration Tools Device Considerations

Background

With the increase in BYOD (Bring Your Own Device) and remote working, it is important to be mindful of what and how devices are used to conduct business activities. Each type of device be it a router, smartphone, laptop or tablet can be used to remote work which if not properly secured, become a target for compromise.

It is important to remember that these devices and the software that runs on them should be used for unclassified and non-sensitive work only.

This page will provide some tips and tricks as well as some common risks and security issues that come along with a BYOD model.

Risks and Security Concerns

Personal Devices in an enterprise work environment can create security risk some of which include:

  • Target for Social Engineering - Attackers tailor attacks towards certain individuals based on collect personal data or interests.
  • Data Loss and Data Leaks - Sensitive data being dispersed to people who should not have access to it or erased/destroyed all together.
  • Lack of Patch Management - Attackers can leverage out-of-date and flawed software to exploit and gain access to a device.
  • Device/Asset Loss - Theft or loss of a device which cannot be accounted for.
  • Weak Anti-virus or Firewall Configurations - Attackers can exploit these weak security postures to gain access to a device.

These are a subset of a large list of potential areas of exploitation if a device is not secured adequately.

Device Security Recommendations

Using personal devices when working in an unclassified and non-sensitive environment is encouraged, however employee's should keep in mind best practices and recommendations when using these devices.

Some general ways to protect personal devices of any kind include:

  • Lock device with a strong password, PIN or bio-metric if applicable.
  • Apply updates to software applications and operating systems regularly.
  • Do not leave devices unattended especially in public places.
  • Avoid installing non-approved apps.
  • Disable or avoid using the "remember me" feature for password and credential storing.
  • Avoid using free charging stations.
  • Be aware of your surroundings.

Smartphones and related mobile devices

Smartphones enable us to have a direct connection to conferences, team meetings and collaboration applications. If left unprotected, devices can become and easy target for attackers.

While there are many mobile devices such as smartphones, smartwatches, tablets, laptops, etc..., each device usually features the same types of communications, security settings, and in some cases share the same operating systems.

Bluetooth

For devices that have bluetooth capabilities, consider the following:

  • Disable bluetooth when not in use.
  • Turn off "discovery" or broadcast mode.
  • Avoid pairing the device via bluetooth in a public space.
  • Do not use bluetooth keyboards to type sensitive text.
  • Pair with only recognized devices such as personal headphones or home audio systems.
  • For Apple devices, disable the AirDrop feature.

Authentication on Mobile Devices

There are multiple ways of securing mobile devices such as using biometrics like a fingerprint or retina scan, and traditional passphrases or PIN numbers. While all of these are better than having no authentication at all, it is important that passphrases are robust, PIN numbers are random and uneasily guessable. An example of what NOT to do is to have your birth year as your PIN. This is easily guessable by the most trivial types of attackers, which can leave your device and data open for attack.

When setting up authentication on these devices, consider the following:

  • Avoid using personal numbers, phrases or names when creating a password. Try using something that people might not be able to guess. An example that would be easy to remember would be to use the first letter of each word in a phrase. For example the phrase "I played competitive hockey as a kid and my number was 19!" could be converted into a password such as "Ipchaakam#w19!"
  • Create complex passwords involving special characters ("@", "#", "&", "_"), numbers, and capital and lowercase characters.
  • Avoid substituting numbers for letters or symbols. For example, "P@$$W0RD1" is not a secure password.
  • Enable Two-Factor Authentication (2FA). Choose to authenticate via an "authenticator" app which provides a one-time passcode. Most times SMS is the default second factor however this can be spoofed with a method called sim-swapping.
  • Avoid using "remember me" features for apps and websites.

Social Media