Difference between revisions of "Secure Use of Collaboration Tools"

From wiki
Jump to navigation Jump to search
(Created page with "__NOTOC__ top|center|frameless {| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-lef...")
 
 
(22 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px"
 
{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px"
 
|-
 
|-
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Teleworking |User Considerations]]
+
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Working - Overview|Overview and User Considerations]]
! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure Teleworking Technical Considerations|Technical Considerations]]
+
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Work Technical Considerations|Technical Considerations]]
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Use of Collaboration Tools|Secure Use of Collaboration Tools]]
+
! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure Use of Collaboration Tools|Secure Use of Collaboration Tools]]
 +
! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Working - Device Considerations|Device Considerations]]
 
|}
 
|}
 
{| style="width:1125px;"
 
{| style="width:1125px;"
 
|-
 
|-
 
| style="backgound:#2e73b6;width:1000px;text-align:left;weight:normal;" scope="col" |
 
| style="backgound:#2e73b6;width:1000px;text-align:left;weight:normal;" scope="col" |
==What is Teleworking?==
+
==Background==
As cloud technology, collaborative applications and internet connectivity increase, teleworking is becoming more prevalent than ever before. Teleworking is often done through the following ways:
+
The Government of Canada’s (GC) [https://www.gcpedia.gc.ca/gcwiki/images/2/28/Guidance_for_the_Secure_Use_of_Collaboration_Tools.pdf Policy on the Acceptable Network and Device Use (PANDU)] recognizes that
 +
open access to modern tools is essential to transforming the way public servants work and serve Canadians.
 +
This policy requires that public servants have open access to the Internet, including GC and external tools and
 +
services that will enhance communication and digital collaboration, and encourage the sharing of knowledge
 +
and expertise to support innovation.
  
*Tunneling - using a secure communications tunnel between a device and a remote access server, usually through a VPN.
+
Collaboration tools allow public servants to build and maintain interactive dialogue with the communities they
 +
serve. Examples include sites such as Twitter and LinkedIn; online presentation sharing tools such as Prezi or
 +
SlideShare; and real-time discussion tools such as Slack, to name a few.
  
*Portals - a server that offers access to one or more application via a single interface.
+
==Considerations==
 +
From an IT Security standpoint, connections to external tools and services carry the same risks as other connections to the
 +
internet. However, departments should take into account that usage of these sites may require some form of identification of the individual and consequently, their association with an organization (e.g. a GC department or agency).
  
*Direct Application Access - directly connecting and accessing an application without the use of any remote access software.
+
Departments should consider the following:
  
*Remote Desktop(via RDP or VNC) - remotely control a particular host machine through the internet.
+
*Posting of information on external tools and web services will likely divulge the origin of the information;
 +
*All information posted on the internet, regardless of the amount of time it is available, is effectively permanently recorded. There are no control provisions for any information once posted;
 +
*The nature of external tools and web services like social networking sites makes them appealing targets for malicious exploitation. These sites are inherently prone to malicious users providing links to malware content that can propagate to a department’s infrastructure;
 +
*Content on external tools such as Trello, Slack etc. may be stored on servers located outside Canada thus the content along with associated user metadata can be monitored by non-Canadian and /or third party products, services or businesses;
 +
*Everything that is shared using external tools and web services could be subject to Access to Information and Privacy (ATIP). Public servants must ensure that information related to the mandate of the organisation and/or contains decisions on government activities is properly captured and managed, following information management best practices; and
 +
*Public servants are encouraged to verify data retention requirements when using external tools, in accordance with the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12742 TBS Policy on Information Management]. Some externally provided tools will retain your information even after you have deactivated your account
  
==Threats and Challenges posed by Teleworking==
+
==Do's and Don'ts==
By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.
+
{| class="wikitable"
 
+
|+
Security issues may include:
+
!Do's
*Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf.
+
!Don'ts
*Unsecured Networks - connecting on networks that are unsecured such as cafe, hotel and other open public networks are easy targets for exploitation.
+
|-
*Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised.
+
|Protect your identity by using privacy settings on all tools and devices, and limit the amount of information you provide on your profile page.
*Out of Date Software - When using personal devices system updates and patches cannot be guaranteed.
+
|Never share protected or sensitive information, unless you have express consent from your departmental information technology group.
 
+
|-
==Mitigation and Prevention Measures==
+
|Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access and enable auto-lock of your device.
As the employee will be connect via the internet to potentially classified data and applications it is important that measures are taken to reduce the risk of a security breach.
+
|Open unsolicited links, attachments, or when prompted to install any software. If you don’t know the sender or were not expecting to receive a link or attachment, think twice before opening.
 
+
|-
Some helpful considerations to implement include:
+
|Use unique passwords for every account, especially separate passwords for personal and work accounts.
*Mandate the use of multi-factor authentication. Some of these techniques include using an authenticator app, phone verification, etc...
+
|Do not re-use the same passwords that are used for your internal corporate credentials.
*Develop and deploy a tiered access control system that ensures permissions are segregated.
+
|-
*Ensure remote servers, user endpoints such as smartphones, tablets, laptops and desktops are regularly patched.
+
|Be conscious of what you are sharing and with whom and assume that everything you share could be made public
*Secure all remote devices by using anti-malware software and implementing strong firewall rules.
+
|Use caution and avoid using untrusted networks or free Wi-Fi.  
*Use validated encryption to protect data.
+
|-
*Encrypt device storage such as hard drives, SD Cards, USB Keys, etc...
+
|Use modern operating systems and web browsers that are maintained with up-to-date software and configured with appropriate hostbased protections.  
*Devise policies that detail how a teleworker will access applications remotely as well as what applications and parts of the network they have access to.
+
|Never post or share passwords or credentials on web services and tools
*Disable or limit the ability to install applications on devices such as laptops and smartphones.
+
|-
*Use CCCS/CSE [https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf approved cryptography] when applicable.
+
|Report any suspicious activity or security incidents so that your departmental security team can address the issue.
 
+
|Do not ignore SSL certificate errors and unsecure (e.g. HTTP) websites
==Home Network Hardening==
+
|}
Out of the box, most routers have generic passwords, are out of date, and often contain exploits that can easily be used to intercept, manipulate and store network traffic. However, there are a number of actions that you can take to mitigate these security issues at home. The following were taken from a CyberScoop report that details measures to protect home networks.  
 
 
 
*Enable Auto-Updates on endpoint devices. Not only on laptops and smartphones but also on the router itself.
 
*Disable remote management and administrator function.
 
*Change the routers default password to something that is unique and adheres to the GC Password Guidance.  
 
*Ensure that any web-based management account for the router is also using a strong, unique password.
 
*Place IoT devices on a separate router or VLAN.
 
*Double check which device address' are connecting to the router if possible.
 
 
 
For more information, check out this [https://www.cyberscoop.com/dns-hijacking-covid-19-oski-bitdefender-telework/ CyberScoop report].
 
  
 
== References ==
 
== References ==
*[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf Secure Teleworking Bulletin - NIST Publication]
+
*[https://www.gcpedia.gc.ca/gcwiki/images/2/28/Guidance_for_the_Secure_Use_of_Collaboration_Tools.pdf Guidance for the Secure Use of Collaboration Tools]
*[https://doi.org/10.6028/NIST.SP.800-46r2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security - NIST Publication]
 
*[https://cyber.gc.ca/sites/default/files/publications/itsap.10.016-eng.pdf Telework Security Issues - CCCS Publication]
 
*[https://cyber.gc.ca/sites/default/files/publications/ITSAP.80.101-en.pdf Virtual Private Networks - CCCS Publication]
 
*[https://wiki.gccollab.ca/images/2/28/Guidance_for_the_Secure_Use_of_Collaboration_Tools.pdf Guidance For the Secure Use of Collaboration Tools - TBS]
 
*[https://wiki.gccollab.ca/images/4/4e/Orientation_sur_la_facilitation_de_l%E2%80%99acc%C3%A8s_aux_services_Web.pdf Orientation sur la facilitation de l’accès aux services Web - SCT]
 
*[https://onezero.medium.com/slack-zoom-google-hangouts-are-your-remote-work-apps-spying-on-you-cf1e33809cf7 Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?]
 
*[[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|Starter Guide for Taking Part in a Zoom Call - EN]]
 
*[[:en:images/0/09/FR_-_Guide_de_démarrage_pour_participer_un_appel_Zoom.pdf|Guide de démarrage pour participer un appel Zoom - FR]]
 
*[https://cyber.gc.ca/sites/default/files/publications/itsp.40.111-eng_1.pdf Cryptographic Algorithms for Unclassified, Protected A and Protected B Information - ITSP.40.111]
 
 
|}
 
|}

Latest revision as of 08:04, 24 April 2020

Telework-nobg.png
Overview and User Considerations Technical Considerations Secure Use of Collaboration Tools Device Considerations

Background

The Government of Canada’s (GC) Policy on the Acceptable Network and Device Use (PANDU) recognizes that open access to modern tools is essential to transforming the way public servants work and serve Canadians. This policy requires that public servants have open access to the Internet, including GC and external tools and services that will enhance communication and digital collaboration, and encourage the sharing of knowledge and expertise to support innovation.

Collaboration tools allow public servants to build and maintain interactive dialogue with the communities they serve. Examples include sites such as Twitter and LinkedIn; online presentation sharing tools such as Prezi or SlideShare; and real-time discussion tools such as Slack, to name a few.

Considerations

From an IT Security standpoint, connections to external tools and services carry the same risks as other connections to the internet. However, departments should take into account that usage of these sites may require some form of identification of the individual and consequently, their association with an organization (e.g. a GC department or agency).

Departments should consider the following:

  • Posting of information on external tools and web services will likely divulge the origin of the information;
  • All information posted on the internet, regardless of the amount of time it is available, is effectively permanently recorded. There are no control provisions for any information once posted;
  • The nature of external tools and web services like social networking sites makes them appealing targets for malicious exploitation. These sites are inherently prone to malicious users providing links to malware content that can propagate to a department’s infrastructure;
  • Content on external tools such as Trello, Slack etc. may be stored on servers located outside Canada thus the content along with associated user metadata can be monitored by non-Canadian and /or third party products, services or businesses;
  • Everything that is shared using external tools and web services could be subject to Access to Information and Privacy (ATIP). Public servants must ensure that information related to the mandate of the organisation and/or contains decisions on government activities is properly captured and managed, following information management best practices; and
  • Public servants are encouraged to verify data retention requirements when using external tools, in accordance with the TBS Policy on Information Management. Some externally provided tools will retain your information even after you have deactivated your account

Do's and Don'ts

Do's Don'ts
Protect your identity by using privacy settings on all tools and devices, and limit the amount of information you provide on your profile page. Never share protected or sensitive information, unless you have express consent from your departmental information technology group.
Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access and enable auto-lock of your device. Open unsolicited links, attachments, or when prompted to install any software. If you don’t know the sender or were not expecting to receive a link or attachment, think twice before opening.
Use unique passwords for every account, especially separate passwords for personal and work accounts. Do not re-use the same passwords that are used for your internal corporate credentials.
Be conscious of what you are sharing and with whom and assume that everything you share could be made public Use caution and avoid using untrusted networks or free Wi-Fi.
Use modern operating systems and web browsers that are maintained with up-to-date software and configured with appropriate hostbased protections. Never post or share passwords or credentials on web services and tools
Report any suspicious activity or security incidents so that your departmental security team can address the issue. Do not ignore SSL certificate errors and unsecure (e.g. HTTP) websites

References