Secure Remote Working - Overview

What is Teleworking?

Teleworking by definition is an arrangement between an employee and the employer in which the employee does not commute to their physical work space, but can use the internet and other digital mediums to complete work.

Methods of teleworking include:

• Tunneling - using a secure communications tunnel between a device and a remote access server, usually through a VPN.

• Portals - a server that offers access to one or more application via a single interface.

• Direct Application Access - directly connecting and accessing an application without the use of any remote access software.

• Remote Desktop (RDP or VNC) - remotely control a particular host machine through the internet.

Threats and Challenges posed by Teleworking

By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.

Secure Issues Include:

• Lack of physical security - devices can be stolen, drives can be copied, or shoulder surfing.
• Unsecured Networks - connecting on networks that are unsecured such as cafe and hotel wifi networks and other open public networks are easy targets for exploitation.
• Providing Internal Access Externally - servers will be facing the internet therefore increasing the potential risk and vulnerability of being compromised.

Mitigation and Prevention Measures

It is important to realize that because Teleworking uses the internet for connectivity, it may be a target for compromise. That being said, there are a number of measures to help prevent security breaches when teleworking through all mediums.

• Mandate the use of multi-factor authentication. Some of these techniques include using an authenticator app, phone verification, etc...
• Develop and deploy a tiered access control system that ensures permissions are segregated.
• Ensure remote servers, user endpoints such as smartphones, tablets, laptops and desktops are regularly patched.
• Secure all remote devices by using anti-malware software and implementing strong firewall rules.
• Use validated encryption to protect data.
• Encrypt device storage such as hard drives, SD Cards, USB Keys, etc...
• Devise policies that detail how a teleworker will access applications remotely as well as what applications and parts of the network they have access to.
• Disable or limit the ability to install applications on devices such as laptops and smartphones.

Privacy

Employee's are encouraged to use approved software such as Zoom, Google Hangouts, and Slack to collaborate and communicate unclassified information. However there are some privacy issues that need to be recognized before using these applications.

Slack

When using a paid license of the application, a feature is unlocked that allows HR and management personnel to export ALL chats. Not only can group chats be exported but also chats that are between you and a colleague that is sent in a private chat. This feature cannot be enabled in the free license.

Slack also retains data such as links, passwords, usernames and chats, however does have options to customize how long this data is retained.

References

• Secure Teleworking Bulletin - NIST Publication
• Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security - NIST Publication
• Telework Security Issues - CCCS Publication
• Virtual Private Networks - CCCS Publication
• Guidance For the Secure Use of Collaboration Tools - TBS
• Orientation sur la facilitation de l’accès aux services Web - SCT