Difference between revisions of "Secure Remote Working - Overview"

What is Teleworking?

Teleworking by definition is an arrangement between an employee and the employer in which the employee does not commute to their physical work space, but can use the internet and other digital mediums to complete work. With recent events, teleworking has become more popular than previously before and will continue to get more popular as technology evolves.

Threats and Challenges posed by Teleworking

By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.

Security issues may include:

• Lack of physical security - devices can be stolen, drives can be copied, or people can shoulder surf.
• Unsecured Networks - connecting to networks that are unsecured such as a cafe, hotel or other open public networks are easy targets for exploitation.
• Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised.
• Teleconference Hijacking/Zoom - Unauthorized persons gaining access to a conference by joining a public conference, being shared the link or access code.

For more information please see the references section.

Mitigation and Prevention Measures

It is important to realize that because Teleworking uses the internet for connectivity, it may be a target for compromise. That being said, some helpful measures that employees can take to keep information secure are:

• When the option for multi-factor authentication is available, use it!
• Avoid open networks located in coffee shops, public facilities, and hotels.
• Apply operating system updates when available.
• Use your departments VPN for secured connection.
• Password Protect any USB, SD Cards and hard drives.
• Lock devices when not in use.

Privacy and Security of Collaborative Tools

Employee's are encouraged to use approved software such as Zoom, Google Hangouts, and Slack to collaborate and communicate unclassified information. However there are some privacy issues that need to be recognized before using these applications. It is important to remember that these applications are not to be used for any classified work.

Some general things to consider for increasing privacy on these applications include:

• Enabling two-factor authentication.
• Post/Send things that you do not mind sharing with the employer and employee's.
• Segregate personal applications and work applications.
• Use personal devices for personal applications and work devices for work applications
• Ensure that teleconferences are set to private, as well as password protected.

Slack

When using a paid license of the application, a feature is unlocked that allows HR and management personnel to export ALL chats. Not only can group chats be exported but also chats that are between you and a colleague that is sent in a private chat. This feature cannot be enabled in the free license. It is important to note that Slack does store data regardless of the license, including after 10,000 messages in the free version.

Slack also retains data such as links, passwords, usernames and chats, however does have options to customize policies on data retention.

Zoom

Zoom has a feature that tracks attention to the webcam in order to see who is actively in the video chat. If a presenter is sharing their screen and a user minimizes the window or leaves their device, a notification will be sent to the meeting hosts. It should be noted that Zoom does not record activity on the device nor does it capture video with this setting.

When a meeting is created, Zoom generates a seemingly random ID that is 9 to 11 digits long. For someone with computing resources, this can easily be cracked allowing malicious actors to join the call.

Settings that can help keep a conference secure are:

• Disable Guest Screen Sharing
• Require the Host to Be Present
• Secure the Conference with a Password
• Enable the "Waiting Room" Feature
• Keep Your Personal Meeting ID Private

Unless a meeting host is using Zoom's encrypted video chat option, the company (Zoom) could have access to the conference.

For more information on using Zoom, please see the guide in the references section or click here.

Google Hangouts

Google hangouts does indeed require a Google account. It is best to use a work account if possible, to avoid details being linked together exposing private interests, and personal activity online when using that Google account. Details such as names, phone numbers, usernames and other information can be pieced together which can be exposed as a single entity in order to exploit other personal information and interests.

Google stores images that have been sent through hangouts to a public url, meaning anyone can technically see the image provided they have the correct url.

Another issue with Hangouts is that it does not feature "end-to-end" encryption. In simple terms, it is only encrypted when it is being sent. This opens the door for eavesdropping on chats as well as Google having visibility on messages.

Some key points to remember when using Hangouts include:

• Avoiding posting classified or sensitive information in groups, private chats or video chats.
• Be aware that messages, attachments and images can be linked to your account.
• Google has the capability of retrieving message at a later date.

References

Documentation

• Secure Teleworking Bulletin - NIST Publication
• Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security - NIST Publication
• Telework Security Issues - CCCS Publication
• Virtual Private Networks - CCCS Publication
• Guidance For the Secure Use of Collaboration Tools - TBS
• Orientation sur la facilitation de l’accès aux services Web - SCT

Collaborative Tool References

• Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?
• Zoom Privacy and Security Backlash
• FBI Warns of Teleconferencing and Online Classroom Hijacking
• Secure Messaging Apps - Google Hangout Security Issues
• Starter Guide for Taking Part in a Zoom Call - EN
• Guide de démarrage pour participer un appel Zoom - FR