Difference between revisions of "Secure Remote Work Technical Considerations"

From wiki
Jump to navigation Jump to search
 
(37 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px"
 
{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px"
 
|-
 
|-
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Teleworking | Secure Teleworking - User Considerations]]
+
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Working - Overview|Overview and User Considerations]]
! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure Teleworking Technical Considerations|Secure Teleworking - Technical Considerations]]
+
! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure Remote Work Technical Considerations|Technical Considerations]]
 +
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Use of Collaboration Tools|Secure Use of Collaboration Tools]]
 +
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Working - Device Considerations|Device Considerations]]
 
|}
 
|}
 
{| style="width:1125px;"
 
{| style="width:1125px;"
 
|-
 
|-
 
| style="backgound:#2e73b6;width:1000px;text-align:left;weight:normal;" scope="col" |
 
| style="backgound:#2e73b6;width:1000px;text-align:left;weight:normal;" scope="col" |
==What is Teleworking?==
+
==What is Remote Working?==
As cloud technology, collaborative applications and internet connectivity increase, teleworking is becoming more prevalent than ever before. Teleworking is often done through the following ways:
+
As cloud technology, collaborative applications and internet connectivity increase, remote working is becoming more prevalent than ever before. Remote work is often done through the following ways:
  
 
*Tunneling - using a secure communications tunnel between a device and a remote access server, usually through a VPN.
 
*Tunneling - using a secure communications tunnel between a device and a remote access server, usually through a VPN.
  
*Portals - a server that offers access to one or more application via a single interface.
+
*Portals - a server that offers access to one or more applications via a single interface.
  
 
*Direct Application Access - directly connecting and accessing an application without the use of any remote access software.  
 
*Direct Application Access - directly connecting and accessing an application without the use of any remote access software.  
Line 20: Line 22:
 
*Remote Desktop(via RDP or VNC) - remotely control a particular host machine through the internet.
 
*Remote Desktop(via RDP or VNC) - remotely control a particular host machine through the internet.
  
==Threats and Challenges posed by Teleworking==
+
==Threats and Challenges posed by Remote Working==
 
By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.
 
By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.
  
 
Security issues may include:
 
Security issues may include:
 
*Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf.
 
*Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf.
*Unsecured Networks - connecting on networks that are unsecured such as cafe, hotel and other open public networks are easy targets for exploitation.  
+
*Unsecured Networks - connecting to networks that are unsecured such as cafe, hotel and other open public networks are easy targets for exploitation.  
*Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised.
+
*Providing Internal Access Externally - servers will be exposed to the internet therefore increasing the potential risk and vulnerability of being compromised.
*Out of Date Software - When using personal devices system updates and patches cannot be guaranteed.
+
*Out of Date Software - When using personal devices system updates and patches cannot be guaranteed. These software vulnerabilities can give attackers a window of of opportunity to compromise information and employee data.
 +
*Conference Hijacking - An unauthorized person joins a conference because it is public or by obtaining the link.
 +
*Targeted by APT actors - Advanced persistent threat (APT) actors can target open communications to exploit employee data and enterprise information.
  
==Mitigation and Prevention Measures==
+
==Recommended Security Measures==
As the employee will be connect via the internet to potentially classified data and applications it is important that measures are taken to reduce the risk of a security breach.
+
As the employee will be connected via the internet to potentially classified data and applications it is important that measures are taken to reduce the risk of a security breach.
  
 
Some helpful considerations to implement include:
 
Some helpful considerations to implement include:
Line 37: Line 41:
 
*Ensure remote servers, user endpoints such as smartphones, tablets, laptops and desktops are regularly patched.
 
*Ensure remote servers, user endpoints such as smartphones, tablets, laptops and desktops are regularly patched.
 
*Secure all remote devices by using anti-malware software and implementing strong firewall rules.
 
*Secure all remote devices by using anti-malware software and implementing strong firewall rules.
*Use validated encryption to protect data.
+
*Use validated encryption to protect data at rest and in transmission.
 
*Encrypt device storage such as hard drives, SD Cards, USB Keys, etc...
 
*Encrypt device storage such as hard drives, SD Cards, USB Keys, etc...
 
*Devise policies that detail how a teleworker will access applications remotely as well as what applications and parts of the network they have access to.
 
*Devise policies that detail how a teleworker will access applications remotely as well as what applications and parts of the network they have access to.
 
*Disable or limit the ability to install applications on devices such as laptops and smartphones.
 
*Disable or limit the ability to install applications on devices such as laptops and smartphones.
 
*Use CCCS/CSE [https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf approved cryptography] when applicable.
 
*Use CCCS/CSE [https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf approved cryptography] when applicable.
 +
 +
When traveling to foreign countries it is important to stay vigilant and remember acceptable use policies such as the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32611 Directive on Security Management] as well as [https://cyber.gc.ca/en/guidance/mobile-devices-and-business-travellers-itsap00087 Mobile Devices and Business Travellers]. If there are no private networks available, use a VPN when connecting to public wifi.
 +
 +
Considerations when using networks and VPNs in foreign countries:
 +
*Avoid using the "remember me" feature.
 +
*Disable location and wifi sharing.
 +
*Be aware of unusual connection attempts, connection attempts at unusual times, and unauthorized VPN activity.
 +
*Report any suspicious activity or incidents to an organizational IT Security Manager.
 +
 +
For more information, read CSE's [https://cyber.gc.ca/sites/default/files/publications/itsb-88-eng.pdf Mobile Technologies in International Travel] guidance.
  
 
==Home Network Hardening==
 
==Home Network Hardening==
Out of the box, most routers have generic passwords, are out of date, and often contain exploits that can easily be used to intercept, manipulate and store network traffic. However, there are a number of actions that you can take to mitigate these security issues at home.  
+
Out of the box, most routers have generic passwords, are out of date, and often contain exploits that can easily be used to intercept, manipulate and store network traffic. However, there are a number of actions that you can take to mitigate these security issues at home. The following were taken from a CyberScoop report that details measures to protect home networks.  
  
 
*Enable Auto-Updates on endpoint devices. Not only on laptops and smartphones but also on the router itself.  
 
*Enable Auto-Updates on endpoint devices. Not only on laptops and smartphones but also on the router itself.  
Line 52: Line 66:
 
*Place IoT devices on a separate router or VLAN.  
 
*Place IoT devices on a separate router or VLAN.  
 
*Double check which device address' are connecting to the router if possible.
 
*Double check which device address' are connecting to the router if possible.
 +
*Use WPA2 or WPA3 security instead of WEP if possible.
 +
*Disable guest-network features.
 +
*If possible use an ethernet cable to connect directly to the router. This provides typically better performance and increased security.
 +
*Disable WPS (Wi-Fi Protected Setup). Tools can be used to leverage this feature in order to steal passwords.
 +
*Disable SSID broadcasting. This allows your network to become discoverable by those especially in range of the router.
 +
*On occasion reboot the router. (weekly, monthly, etc...)
 +
*Use the lower powered router setting. This helps shrink the attack surface, especially in dense residential areas.
 +
*If purchasing a new home networking equipment, avoid using second-hand/preowned or unsupported routers.
 +
 +
For more information, check out this [https://www.cyberscoop.com/dns-hijacking-covid-19-oski-bitdefender-telework/ CyberScoop report].
  
For more information, check out this CyberScoop report.
+
===Canadian Shield===
 +
The Canadian Internet Registration Authority (CIRA) have recently launched a free protected DNS service that prevents users from connecting to malicious websites and hosts.
 +
 
 +
Over 80% of cyber attacks leverage DNS servers. If attackers are able to connect your device to their compromised DNS, they can begin dropping and installing malware.
 +
 
 +
DNS servers translate human readable addresses into machine readable addresses. For example, if the "wiki.gccollab.ca" address is typed in on a web browser in a human language, the DNS server will match the address to another machine readable address as a set of numbers like "52.139.83.135".
 +
 
 +
Canadian Shield uses data and threat intelligence to determine which DNS address request is being sent and if it is likely to be malicious. Once Canadian Shield determines that it is in fact malicious, it blocks the your request preventing your device from being infected.
 +
 
 +
Canadian Shield is offered on workstations, laptops, tablets and smartphones that are running iOS or Android.
 +
 
 +
==Criteria to Consider when Choosing a Collaborative Application==
 +
When choosing or deciding which public applications to use for your work, consider the following excerpt from the Nation Security Agency's [https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF publication]:
 +
 
 +
*Does the application the application support end-to-end (E2E) encryption?
 +
*Are strong, well-known, testable encryption standards used?
 +
*Is multi-factor authentication (MFA) used to validate users’ identities?
 +
*Can users see and control who connects to collaboration sessions?
 +
*Does the service privacy policy allow the vendor to share data with third parties or affiliates?
 +
*Do users have the ability to securely delete data from the service and its repositories as needed?
 +
*Has the collaboration service’s source code been shared publicly (e.g. open source)?
 +
*Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize government standards and policy?
  
 
== References ==
 
== References ==
Line 63: Line 108:
 
*[https://wiki.gccollab.ca/images/4/4e/Orientation_sur_la_facilitation_de_l%E2%80%99acc%C3%A8s_aux_services_Web.pdf Orientation sur la facilitation de l’accès aux services Web - SCT]
 
*[https://wiki.gccollab.ca/images/4/4e/Orientation_sur_la_facilitation_de_l%E2%80%99acc%C3%A8s_aux_services_Web.pdf Orientation sur la facilitation de l’accès aux services Web - SCT]
 
*[https://onezero.medium.com/slack-zoom-google-hangouts-are-your-remote-work-apps-spying-on-you-cf1e33809cf7 Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?]
 
*[https://onezero.medium.com/slack-zoom-google-hangouts-are-your-remote-work-apps-spying-on-you-cf1e33809cf7 Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?]
 +
*[https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF Selecting and using collaborative tools securely - NSA]
 
*[[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|Starter Guide for Taking Part in a Zoom Call - EN]]
 
*[[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|Starter Guide for Taking Part in a Zoom Call - EN]]
 
*[[:en:images/0/09/FR_-_Guide_de_démarrage_pour_participer_un_appel_Zoom.pdf|Guide de démarrage pour participer un appel Zoom - FR]]
 
*[[:en:images/0/09/FR_-_Guide_de_démarrage_pour_participer_un_appel_Zoom.pdf|Guide de démarrage pour participer un appel Zoom - FR]]
 
*[https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf Cryptographic Algorithms for Unclassified, Protected A and Protected B Information - ITSP.40.111]
 
*[https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf Cryptographic Algorithms for Unclassified, Protected A and Protected B Information - ITSP.40.111]
 +
|-
 +
|
 
|}
 
|}

Latest revision as of 10:13, 27 May 2020

Telework-nobg.png
Overview and User Considerations Technical Considerations Secure Use of Collaboration Tools Device Considerations

What is Remote Working?

As cloud technology, collaborative applications and internet connectivity increase, remote working is becoming more prevalent than ever before. Remote work is often done through the following ways:

  • Tunneling - using a secure communications tunnel between a device and a remote access server, usually through a VPN.
  • Portals - a server that offers access to one or more applications via a single interface.
  • Direct Application Access - directly connecting and accessing an application without the use of any remote access software.
  • Remote Desktop(via RDP or VNC) - remotely control a particular host machine through the internet.

Threats and Challenges posed by Remote Working

By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.

Security issues may include:

  • Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf.
  • Unsecured Networks - connecting to networks that are unsecured such as cafe, hotel and other open public networks are easy targets for exploitation.
  • Providing Internal Access Externally - servers will be exposed to the internet therefore increasing the potential risk and vulnerability of being compromised.
  • Out of Date Software - When using personal devices system updates and patches cannot be guaranteed. These software vulnerabilities can give attackers a window of of opportunity to compromise information and employee data.
  • Conference Hijacking - An unauthorized person joins a conference because it is public or by obtaining the link.
  • Targeted by APT actors - Advanced persistent threat (APT) actors can target open communications to exploit employee data and enterprise information.

Recommended Security Measures

As the employee will be connected via the internet to potentially classified data and applications it is important that measures are taken to reduce the risk of a security breach.

Some helpful considerations to implement include:

  • Mandate the use of multi-factor authentication. Some of these techniques include using an authenticator app, phone verification, etc...
  • Develop and deploy a tiered access control system that ensures permissions are segregated.
  • Ensure remote servers, user endpoints such as smartphones, tablets, laptops and desktops are regularly patched.
  • Secure all remote devices by using anti-malware software and implementing strong firewall rules.
  • Use validated encryption to protect data at rest and in transmission.
  • Encrypt device storage such as hard drives, SD Cards, USB Keys, etc...
  • Devise policies that detail how a teleworker will access applications remotely as well as what applications and parts of the network they have access to.
  • Disable or limit the ability to install applications on devices such as laptops and smartphones.
  • Use CCCS/CSE approved cryptography when applicable.

When traveling to foreign countries it is important to stay vigilant and remember acceptable use policies such as the Directive on Security Management as well as Mobile Devices and Business Travellers. If there are no private networks available, use a VPN when connecting to public wifi.

Considerations when using networks and VPNs in foreign countries:

  • Avoid using the "remember me" feature.
  • Disable location and wifi sharing.
  • Be aware of unusual connection attempts, connection attempts at unusual times, and unauthorized VPN activity.
  • Report any suspicious activity or incidents to an organizational IT Security Manager.

For more information, read CSE's Mobile Technologies in International Travel guidance.

Home Network Hardening

Out of the box, most routers have generic passwords, are out of date, and often contain exploits that can easily be used to intercept, manipulate and store network traffic. However, there are a number of actions that you can take to mitigate these security issues at home. The following were taken from a CyberScoop report that details measures to protect home networks.

  • Enable Auto-Updates on endpoint devices. Not only on laptops and smartphones but also on the router itself.
  • Disable remote management and administrator function.
  • Change the routers default password to something that is unique and adheres to the GC Password Guidance.
  • Ensure that any web-based management account for the router is also using a strong, unique password.
  • Place IoT devices on a separate router or VLAN.
  • Double check which device address' are connecting to the router if possible.
  • Use WPA2 or WPA3 security instead of WEP if possible.
  • Disable guest-network features.
  • If possible use an ethernet cable to connect directly to the router. This provides typically better performance and increased security.
  • Disable WPS (Wi-Fi Protected Setup). Tools can be used to leverage this feature in order to steal passwords.
  • Disable SSID broadcasting. This allows your network to become discoverable by those especially in range of the router.
  • On occasion reboot the router. (weekly, monthly, etc...)
  • Use the lower powered router setting. This helps shrink the attack surface, especially in dense residential areas.
  • If purchasing a new home networking equipment, avoid using second-hand/preowned or unsupported routers.

For more information, check out this CyberScoop report.

Canadian Shield

The Canadian Internet Registration Authority (CIRA) have recently launched a free protected DNS service that prevents users from connecting to malicious websites and hosts.

Over 80% of cyber attacks leverage DNS servers. If attackers are able to connect your device to their compromised DNS, they can begin dropping and installing malware.

DNS servers translate human readable addresses into machine readable addresses. For example, if the "wiki.gccollab.ca" address is typed in on a web browser in a human language, the DNS server will match the address to another machine readable address as a set of numbers like "52.139.83.135".

Canadian Shield uses data and threat intelligence to determine which DNS address request is being sent and if it is likely to be malicious. Once Canadian Shield determines that it is in fact malicious, it blocks the your request preventing your device from being infected.

Canadian Shield is offered on workstations, laptops, tablets and smartphones that are running iOS or Android.

Criteria to Consider when Choosing a Collaborative Application

When choosing or deciding which public applications to use for your work, consider the following excerpt from the Nation Security Agency's publication:

  • Does the application the application support end-to-end (E2E) encryption?
  • Are strong, well-known, testable encryption standards used?
  • Is multi-factor authentication (MFA) used to validate users’ identities?
  • Can users see and control who connects to collaboration sessions?
  • Does the service privacy policy allow the vendor to share data with third parties or affiliates?
  • Do users have the ability to securely delete data from the service and its repositories as needed?
  • Has the collaboration service’s source code been shared publicly (e.g. open source)?
  • Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize government standards and policy?

References