Difference between revisions of "Secure Remote Working - Overview"
(100 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
+ | [[File:telework-nobg.png|top|center|frameless]] | ||
{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px" | {| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px" | ||
|- | |- | ||
− | ! style="background: # | + | ! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure Remote Working - Overview|Overview and User Considerations]] |
− | ! style="background: # | + | ! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Work Technical Considerations|Technical Considerations]] |
+ | ! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Use of Collaboration Tools|Secure Use of Collaboration Tools]] | ||
+ | ! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Working - Device Considerations|Device Considerations]] | ||
|} | |} | ||
− | {| style="width: | + | {| style="width:1125px;" |
|- | |- | ||
− | | style="backgound:# | + | | style="backgound:#2e73b6;width:1000px;text-align:left;weight:normal;" scope="col" | |
− | ==What is | + | ==What is Remote Working?== |
− | + | Remote Working is when an employee can carry out regular business duties from a remote location that is outside of their employers physical work space, typically via the internet. With recent events, remote working has become more popular than previously before and will continue to get more popular as technology evolves. | |
− | ==Threats and Challenges posed by | + | ==Remote Working Vs. Teleworking== |
+ | Although similar and most of the times used interchangeably, remote working and teleworking are similar but are not the same. Employee's who telework and remote work often use the same devices and technology to work such as collaborative tools, cloud platforms, and the internet. | ||
+ | |||
+ | Below are the differences between the two: | ||
+ | |||
+ | {| class="wikitable" | ||
+ | |+ | ||
+ | !Remote Working | ||
+ | !Teleworking | ||
+ | |- | ||
+ | |A more permanent situation. | ||
+ | |Usually on a limited period of time (days instead of months or years) | ||
+ | |- | ||
+ | |Employee likely does not have access to an office. | ||
+ | |Employee has an office but works from somewhere else. | ||
+ | |} | ||
+ | ==Duty to Document== | ||
+ | Under the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32601 Directive on Service and Digital], employees are '''required''' to document their activities and <u>decisions of business value</u>. If any activities or decisions of business value are made while using department-approved or public cloud tools, then these must be captured (e.g., in a Word document) and saved in a departmental corporate repository (e.g., GCdocs) as soon as possible. | ||
+ | |||
+ | For more information, click [https://www.canada.ca/en/government/publicservice/covid-19/managing-government-information-working-remotely.html here]. | ||
+ | |||
+ | ==Threats and Challenges posed by Remote Working== | ||
By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information. | By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information. | ||
Security issues may include: | Security issues may include: | ||
*Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf. | *Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf. | ||
− | *Unsecured Networks - connecting | + | *Unsecured Networks - connecting to networks that are unsecured such as a cafe, hotel or other open public networks are easy targets for exploitation. |
*Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised. | *Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised. | ||
+ | *Teleconference Hijacking/Zoom - Unauthorized persons gaining access to a conference by joining a public conference, being shared the link or access code. | ||
− | + | For more information please see the references section. | |
− | |||
− | + | ==Recommended Security Measures== | |
− | + | It is important to realize that because remote working uses the internet for connectivity, it may be a target for compromise. That being said, some helpful measures that employees can take to keep information secure are: | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | + | ===Device Considerations=== |
− | |||
− | Some general things to consider | + | *When the option for multi-factor authentication is available, use it! |
+ | *Avoid open networks located in coffee shops, public facilities, and hotels. | ||
+ | *Apply operating system updates when available. | ||
+ | *Use your departments VPN for secured connection. | ||
+ | *Password Protect any USB, SD Cards and hard drives. | ||
+ | *Lock devices when not in use. | ||
+ | |||
+ | ===Service Considerations=== | ||
+ | Some general things to consider when using these applications include: | ||
*Enabling two-factor authentication. | *Enabling two-factor authentication. | ||
*Post/Send things that you do not mind sharing with the employer and employee's. | *Post/Send things that you do not mind sharing with the employer and employee's. | ||
*Segregate personal applications and work applications. | *Segregate personal applications and work applications. | ||
*Use personal devices for personal applications and work devices for work applications | *Use personal devices for personal applications and work devices for work applications | ||
+ | *Ensure that teleconferences are set to private, as well as password protected. | ||
+ | *Use collaborative tools when working in an UNCLASSIFIED environment. | ||
+ | |||
+ | ==Privacy and Security of Collaborative Tools== | ||
+ | Employees should always use department-sanctioned tools for collaboration with colleagues, starting with Microsoft Teams (at Protected B if your departmental tenancy has been accredited to that level, or unclassified otherwise), then moving to other sanctioned tools such as GCTools or WebEx. If those options aren’t available, then the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=27122 Policy on Acceptable Network and Device Use] does allow usage of public cloud tools such as Slack, Zoom or Google Hangouts for '''unclassified''' work only. However, there are some privacy issues that need to be recognized before using these applications. It is important to remember that these applications are <u>never</u> to be used for any sensitive or classified work. | ||
+ | |||
+ | The Canadian Center For Cyber Security (CCCS) has provided [https://cyber.gc.ca/en/alerts/considerations-when-using-video-teleconference-products-and-services guidance and considerations] when using public cloud tools for video teleconferencing (VTC). | ||
+ | |||
+ | When choosing a collaborative tool, some things to consider are: | ||
+ | *Prioritizing solutions that do not require participants to install a client unless necessary. | ||
+ | *Choose a solution that allows you to control how your data is handled. Some platforms may route data outside Canada or store shared data on servers they control. | ||
+ | *Ensure all parties using the collaborative software are aware of and comfortable with any data sharing done by the software owner in order to realize a profit. For example, selling data analytics for marketing and advertising purposes. | ||
+ | |||
+ | For a complete list of things to consider visit the [https://cyber.gc.ca/en/alerts/considerations-when-using-video-teleconference-products-and-services CCCS advisory]. | ||
+ | |||
+ | Settings and features that can help keep teleconferencing secure are: | ||
+ | |||
+ | *Disable guest screen sharing | ||
+ | *Require the host to Be present | ||
+ | *Secure the conference with a password | ||
+ | *Keep your personal meeting ID or invites private | ||
===Slack=== | ===Slack=== | ||
Line 44: | Line 90: | ||
Slack also retains data such as links, passwords, usernames and chats, however does have options to customize policies on data retention. | Slack also retains data such as links, passwords, usernames and chats, however does have options to customize policies on data retention. | ||
+ | |||
+ | Settings and features that can help make Slack more secure are: | ||
+ | *Ask group members to use two-factor authentication (2FA) | ||
+ | *Manage the ability to install apps and connect tools to a group workspace | ||
+ | *Limit who has access to the workspace | ||
+ | *Use caution when opening links especially if unsolicited | ||
+ | *Limit administrative functions | ||
+ | |||
+ | For a more in-depth information on how to use Slack securely, visit the [https://slack.com/intl/en-ca/help/articles/115004155306-Security-tips-to-protect-your-workspace Slack Help Center] | ||
+ | |||
===Zoom=== | ===Zoom=== | ||
Zoom has a feature that tracks attention to the webcam in order to see who is actively in the video chat. If a presenter is sharing their screen and a user minimizes the window or leaves their device, a notification will be sent to the meeting hosts. It should be noted that Zoom does not record activity on the device nor does it capture video with this setting. | Zoom has a feature that tracks attention to the webcam in order to see who is actively in the video chat. If a presenter is sharing their screen and a user minimizes the window or leaves their device, a notification will be sent to the meeting hosts. It should be noted that Zoom does not record activity on the device nor does it capture video with this setting. | ||
− | + | When a meeting is created, Zoom generates a seemingly random ID that is 9 to 11 digits long. For someone with computing resources, this can easily be cracked allowing malicious actors to join the call. | |
− | For more information on | + | For more information on how to create a Zoom conference, please see the guide in the references section or [[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|click here]]. |
+ | |||
+ | To learn more about best practices and accessibility features please visit ESDC's [https://bati-itao.github.io/resources/zoom-a11y-en.html Accessibility Best Practices for Using Zoom for Meetings and Classes] | ||
===Google Hangouts=== | ===Google Hangouts=== | ||
− | + | Google hangouts does indeed require a Google account. It is best to use a work account if possible, to avoid details being linked together exposing private interests, and personal activity online when using that Google account. Details such as names, phone numbers, usernames and other information can be pieced together which can be exposed as a single entity in order to exploit other personal information and interests. | |
+ | |||
+ | Google stores images that have been sent through hangouts to a public url, meaning anyone can technically see the image provided they have the correct url. | ||
+ | |||
+ | Another issue with Hangouts is that it does not feature "end-to-end" encryption. In simple terms, it is only encrypted when it is being sent. This opens the door for eavesdropping on chats as well as Google having visibility on messages. | ||
+ | |||
+ | ===Cisco Webex=== | ||
+ | Cisco Webex is the official enterprise teleconferencing solution for the Government of Canada offering dial-in call, video teleconferencing and messaging services across smartphones, tablets, and laptops. It is maintained by Cisco and supported by departments within the government for a more tailored solution. Although approved for use, best practices should be followed as if Cisco Webex was a non-managed third party app. It is important to remember that Cisco Webex is for UNCLASSIFIED use only. Some best practices when using Cisco Webex include: | ||
+ | |||
+ | *Not sharing PIN with those outside the meeting invite list. | ||
+ | *Set the room to lock when the meeting starts. This feature enables you to screen users that are requesting to join when the meeting starts. | ||
+ | *Require an account to be used with Webex. | ||
+ | *Accounts should be protected with a strong password/passphrase and two-factor authentication. | ||
+ | *Secure meetings with strong PIN/Password. | ||
+ | *Use entry/exit tone and announce name features. | ||
+ | *Avoid using the "Share Screen" feature. Instead, use "Share Application". | ||
+ | |||
+ | ==Questions and Contact Information== | ||
+ | For questions and other enquiries please email [mailto:ZZTBSCYBERS@tbs-sct.gc.ca TBS-Cyber Security]. | ||
== References == | == References == | ||
+ | ===Documentation=== | ||
*[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf Secure Teleworking Bulletin - NIST Publication] | *[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf Secure Teleworking Bulletin - NIST Publication] | ||
*[https://doi.org/10.6028/NIST.SP.800-46r2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security - NIST Publication] | *[https://doi.org/10.6028/NIST.SP.800-46r2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security - NIST Publication] | ||
Line 61: | Line 138: | ||
*[https://wiki.gccollab.ca/images/2/28/Guidance_for_the_Secure_Use_of_Collaboration_Tools.pdf Guidance For the Secure Use of Collaboration Tools - TBS] | *[https://wiki.gccollab.ca/images/2/28/Guidance_for_the_Secure_Use_of_Collaboration_Tools.pdf Guidance For the Secure Use of Collaboration Tools - TBS] | ||
*[https://wiki.gccollab.ca/images/4/4e/Orientation_sur_la_facilitation_de_l%E2%80%99acc%C3%A8s_aux_services_Web.pdf Orientation sur la facilitation de l’accès aux services Web - SCT] | *[https://wiki.gccollab.ca/images/4/4e/Orientation_sur_la_facilitation_de_l%E2%80%99acc%C3%A8s_aux_services_Web.pdf Orientation sur la facilitation de l’accès aux services Web - SCT] | ||
+ | *[https://www.cisa.gov/sites/default/files/publications/CISA_Video_Conferencing_Tips_S508C.pdf Video Conferencing Tips - CISA] | ||
+ | ===Collaborative Tool References=== | ||
*[https://onezero.medium.com/slack-zoom-google-hangouts-are-your-remote-work-apps-spying-on-you-cf1e33809cf7 Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?] | *[https://onezero.medium.com/slack-zoom-google-hangouts-are-your-remote-work-apps-spying-on-you-cf1e33809cf7 Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?] | ||
+ | *[https://www-theverge-com.cdn.ampproject.org/c/s/www.theverge.com/platform/amp/2020/4/1/21202584/zoom-security-privacy-issues-video-conferencing-software-coronavirus-demand-response Zoom Privacy and Security Backlash] | ||
+ | *[https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic FBI Warns of Teleconferencing and Online Classroom Hijacking] | ||
+ | *[https://www.avg.com/en/signal/secure-message-apps Secure Messaging Apps - Google Hangout Security Issues] | ||
*[[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|Starter Guide for Taking Part in a Zoom Call - EN]] | *[[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|Starter Guide for Taking Part in a Zoom Call - EN]] | ||
*[[:en:images/0/09/FR_-_Guide_de_démarrage_pour_participer_un_appel_Zoom.pdf|Guide de démarrage pour participer un appel Zoom - FR]] | *[[:en:images/0/09/FR_-_Guide_de_démarrage_pour_participer_un_appel_Zoom.pdf|Guide de démarrage pour participer un appel Zoom - FR]] | ||
|} | |} |
Latest revision as of 09:25, 20 July 2020
Overview and User Considerations | Technical Considerations | Secure Use of Collaboration Tools | Device Considerations |
---|
What is Remote Working?Remote Working is when an employee can carry out regular business duties from a remote location that is outside of their employers physical work space, typically via the internet. With recent events, remote working has become more popular than previously before and will continue to get more popular as technology evolves. Remote Working Vs. TeleworkingAlthough similar and most of the times used interchangeably, remote working and teleworking are similar but are not the same. Employee's who telework and remote work often use the same devices and technology to work such as collaborative tools, cloud platforms, and the internet. Below are the differences between the two:
Duty to DocumentUnder the Directive on Service and Digital, employees are required to document their activities and decisions of business value. If any activities or decisions of business value are made while using department-approved or public cloud tools, then these must be captured (e.g., in a Word document) and saved in a departmental corporate repository (e.g., GCdocs) as soon as possible. For more information, click here. Threats and Challenges posed by Remote WorkingBy connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information. Security issues may include:
For more information please see the references section. Recommended Security MeasuresIt is important to realize that because remote working uses the internet for connectivity, it may be a target for compromise. That being said, some helpful measures that employees can take to keep information secure are: Device Considerations
Service ConsiderationsSome general things to consider when using these applications include:
Privacy and Security of Collaborative ToolsEmployees should always use department-sanctioned tools for collaboration with colleagues, starting with Microsoft Teams (at Protected B if your departmental tenancy has been accredited to that level, or unclassified otherwise), then moving to other sanctioned tools such as GCTools or WebEx. If those options aren’t available, then the Policy on Acceptable Network and Device Use does allow usage of public cloud tools such as Slack, Zoom or Google Hangouts for unclassified work only. However, there are some privacy issues that need to be recognized before using these applications. It is important to remember that these applications are never to be used for any sensitive or classified work. The Canadian Center For Cyber Security (CCCS) has provided guidance and considerations when using public cloud tools for video teleconferencing (VTC). When choosing a collaborative tool, some things to consider are:
For a complete list of things to consider visit the CCCS advisory. Settings and features that can help keep teleconferencing secure are:
SlackWhen using a paid license of the application, a feature is unlocked that allows HR and management personnel to export ALL chats. Not only can group chats be exported but also chats that are between you and a colleague that is sent in a private chat. This feature cannot be enabled in the free license. It is important to note that Slack does store data regardless of the license, including after 10,000 messages in the free version. Slack also retains data such as links, passwords, usernames and chats, however does have options to customize policies on data retention. Settings and features that can help make Slack more secure are:
For a more in-depth information on how to use Slack securely, visit the Slack Help Center ZoomZoom has a feature that tracks attention to the webcam in order to see who is actively in the video chat. If a presenter is sharing their screen and a user minimizes the window or leaves their device, a notification will be sent to the meeting hosts. It should be noted that Zoom does not record activity on the device nor does it capture video with this setting. When a meeting is created, Zoom generates a seemingly random ID that is 9 to 11 digits long. For someone with computing resources, this can easily be cracked allowing malicious actors to join the call. For more information on how to create a Zoom conference, please see the guide in the references section or click here. To learn more about best practices and accessibility features please visit ESDC's Accessibility Best Practices for Using Zoom for Meetings and Classes Google HangoutsGoogle hangouts does indeed require a Google account. It is best to use a work account if possible, to avoid details being linked together exposing private interests, and personal activity online when using that Google account. Details such as names, phone numbers, usernames and other information can be pieced together which can be exposed as a single entity in order to exploit other personal information and interests. Google stores images that have been sent through hangouts to a public url, meaning anyone can technically see the image provided they have the correct url. Another issue with Hangouts is that it does not feature "end-to-end" encryption. In simple terms, it is only encrypted when it is being sent. This opens the door for eavesdropping on chats as well as Google having visibility on messages. Cisco WebexCisco Webex is the official enterprise teleconferencing solution for the Government of Canada offering dial-in call, video teleconferencing and messaging services across smartphones, tablets, and laptops. It is maintained by Cisco and supported by departments within the government for a more tailored solution. Although approved for use, best practices should be followed as if Cisco Webex was a non-managed third party app. It is important to remember that Cisco Webex is for UNCLASSIFIED use only. Some best practices when using Cisco Webex include:
Questions and Contact InformationFor questions and other enquiries please email TBS-Cyber Security. ReferencesDocumentation
Collaborative Tool References
|