Changes

3,056 bytes added , 10:25, 20 July 2020

Line 3: Line 3:

{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1125px"

|-

−

! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure ~~Teleworking~~ |Overview and User Considerations]]

+

! style="background: #2e73b6; color: red" width="250px" height="40px" scope="col" |[[Secure Remote Working - Overview|Overview and User Considerations]]

−

! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure ~~Teleworking~~ Technical Considerations|Technical Considerations]]

+

! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Work Technical Considerations|Technical Considerations]]

! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Use of Collaboration Tools|Secure Use of Collaboration Tools]]

+

! style="background: #2e73b6; color: white" width="250px" height="40px" scope="col" |[[Secure Remote Working - Device Considerations|Device Considerations]]

|}

{| style="width:1125px;"

|-

| style="backgound:#2e73b6;width:1000px;text-align:left;weight:normal;" scope="col" |

−

==What is ~~Teleworking~~?==

+

==What is Remote Working?==

−

~~Teleworking by definition~~ is ~~an arrangement between~~ an employee ~~and the employer in which the employee does not commute to~~ their physical work space, ~~but can use~~ the internet ~~and other digital mediums to complete work~~. With recent events, ~~teleworking~~ has become more popular than previously before and will continue to get more popular as technology evolves.

+

Remote Working is when an employee can carry out regular business duties from a remote location that is outside of their employers physical work space, typically via the internet. With recent events, remote working has become more popular than previously before and will continue to get more popular as technology evolves.

−

==Threats and Challenges posed by ~~Teleworking~~==

+

==Remote Working Vs. Teleworking==

+

Although similar and most of the times used interchangeably, remote working and teleworking are similar but are not the same. Employee's who telework and remote work often use the same devices and technology to work such as collaborative tools, cloud platforms, and the internet.

+

Below are the differences between the two:

+

{| class="wikitable"

+

|+

+

!Remote Working

+

!Teleworking

+

|-

+

|A more permanent situation.

+

|Usually on a limited period of time (days instead of months or years)

+

|-

+

|Employee likely does not have access to an office.

+

|Employee has an office but works from somewhere else.

+

|}

+

==Duty to Document==

+

Under the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32601 Directive on Service and Digital], employees are '''required''' to document their activities and <u>decisions of business value</u>. If any activities or decisions of business value are made while using department-approved or public cloud tools, then these must be captured (e.g., in a Word document) and saved in a departmental corporate repository (e.g., GCdocs) as soon as possible.

+

For more information, click [https://www.canada.ca/en/government/publicservice/covid-19/managing-government-information-working-remotely.html here].

+

==Threats and Challenges posed by Remote Working==

By connecting via the internet to potentially classified or sensitive applications or data, there are threats to the safety and security of that information.

Line 25: Line 47:

==Recommended Security Measures==

−

It is important to realize that because ~~Teleworking~~ uses the internet for connectivity, it may be a target for compromise. That being said, some helpful measures that employees can take to keep information secure are:

+

It is important to realize that because remote working uses the internet for connectivity, it may be a target for compromise. That being said, some helpful measures that employees can take to keep information secure are:

===Device Considerations===

Line 48: Line 70:

Employees should always use department-sanctioned tools for collaboration with colleagues, starting with Microsoft Teams (at Protected B if your departmental tenancy has been accredited to that level, or unclassified otherwise), then moving to other sanctioned tools such as GCTools or WebEx. If those options aren’t available, then the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=27122 Policy on Acceptable Network and Device Use] does allow usage of public cloud tools such as Slack, Zoom or Google Hangouts for '''unclassified''' work only. However, there are some privacy issues that need to be recognized before using these applications. It is important to remember that these applications are <u>never</u> to be used for any sensitive or classified work.

−

Settings and features that can help keep a teleconferencing secure are:

+

The Canadian Center For Cyber Security (CCCS) has provided [https://cyber.gc.ca/en/alerts/considerations-when-using-video-teleconference-products-and-services guidance and considerations] when using public cloud tools for video teleconferencing (VTC).

+

When choosing a collaborative tool, some things to consider are:

+

*Prioritizing solutions that do not require participants to install a client unless necessary.

+

*Choose a solution that allows you to control how your data is handled. Some platforms may route data outside Canada or store shared data on servers they control.

+

*Ensure all parties using the collaborative software are aware of and comfortable with any data sharing done by the software owner in order to realize a profit. For example, selling data analytics for marketing and advertising purposes.

+

For a complete list of things to consider visit the [https://cyber.gc.ca/en/alerts/considerations-when-using-video-teleconference-products-and-services CCCS advisory].

+

Settings and features that can help keep teleconferencing secure are:

*Disable guest screen sharing

*Require the host to Be present

*Secure the conference with a password

−

*Enable a "Waiting Room"/Queue type feature, if available

*Keep your personal meeting ID or invites private

Line 60: Line 90:

Slack also retains data such as links, passwords, usernames and chats, however does have options to customize policies on data retention.

+

Settings and features that can help make Slack more secure are:

+

*Ask group members to use two-factor authentication (2FA)

+

*Manage the ability to install apps and connect tools to a group workspace

+

*Limit who has access to the workspace

+

*Use caution when opening links especially if unsolicited

+

*Limit administrative functions

+

For a more in-depth information on how to use Slack securely, visit the [https://slack.com/intl/en-ca/help/articles/115004155306-Security-tips-to-protect-your-workspace Slack Help Center]

+

===Zoom===

Zoom has a feature that tracks attention to the webcam in order to see who is actively in the video chat. If a presenter is sharing their screen and a user minimizes the window or leaves their device, a notification will be sent to the meeting hosts. It should be noted that Zoom does not record activity on the device nor does it capture video with this setting.

Line 65: Line 105:

When a meeting is created, Zoom generates a seemingly random ID that is 9 to 11 digits long. For someone with computing resources, this can easily be cracked allowing malicious actors to join the call.

−

~~Zoom has two applicable use cases in an enterprise government sense:~~

+

For more information on how to create a Zoom conference, please see the guide in the references section or [[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|click here]].

−

*Installation of Zoom on government-furnished devices: No software (free or otherwise) should be installed on a ~~government-furnished device (i.e. laptop~~, ~~tablet or corporate “side” of government-issued smartphone) unless it goes through a security assessment, and all software needs to have a patch management strategy~~ in ~~place to ensure updates can be applied promptly. This applies to Zoom as well.~~

−

*Installation of Zoom on personal devices (or ~~the personal “side” of government~~-~~issued smartphones): This is impossible to manage because we have no control over what users can do in this scenario~~. ~~This is where education about when and how to use comes into a play~~.

−

~~In either case, the product itself is only approved for unclassified (i.e. open discussions only) and we strongly recommend following~~ best practices ~~that are listed on the~~ [https://~~blog~~.~~zoom~~.us/~~wordpress~~/~~2020/03/20/keep~~-~~uninvited~~-~~guests-out-of-your-zoom-event/~~. Zoom ~~blog].~~

+

To learn more about best practices and accessibility features please visit ESDC's [https://bati-itao.github.io/resources/zoom-a11y-en.html Accessibility Best Practices for Using Zoom for Meetings and Classes]

−

~~For more information on how to create a Zoom conference, please see the guide in the references section or [[:en:images/9/90/EN_-_Starter_guide_for_taking_part_in_a_Zoom_call.pdf|click here~~]].

===Google Hangouts===

Line 82: Line 116:

Another issue with Hangouts is that it does not feature "end-to-end" encryption. In simple terms, it is only encrypted when it is being sent. This opens the door for eavesdropping on chats as well as Google having visibility on messages.

−

~~Some key points~~ to remember when using ~~Hangouts~~ include:

+

===Cisco Webex===

−

*~~Avoiding posting or discussing classified or sensitive information in groups, private chats or video chats~~.

+

Cisco Webex is the official enterprise teleconferencing solution for the Government of Canada offering dial-in call, video teleconferencing and messaging services across smartphones, tablets, and laptops. It is maintained by Cisco and supported by departments within the government for a more tailored solution. Although approved for use, best practices should be followed as if Cisco Webex was a non-managed third party app. It is important to remember that Cisco Webex is for UNCLASSIFIED use only. Some best practices when using Cisco Webex include:

−

*~~Be aware~~ that ~~messages, attachments and images can be linked~~ to ~~your~~ account.

+

−

*~~Google has~~ the ~~capability of retrieving message at a later date~~.

+

*Not sharing PIN with those outside the meeting invite list.

+

*Set the room to lock when the meeting starts. This feature enables you to screen users that are requesting to join when the meeting starts.

+

*Require an account to be used with Webex.

+

*Accounts should be protected with a strong password/passphrase and two-factor authentication.

+

*Secure meetings with strong PIN/Password.

+

*Use entry/exit tone and announce name features.

+

*Avoid using the "Share Screen" feature. Instead, use "Share Application".

+

==Questions and Contact Information==

+

For questions and other enquiries please email [mailto:ZZTBSCYBERS@tbs-sct.gc.ca TBS-Cyber Security].

== References ==

Line 95: Line 138:

*[https://wiki.gccollab.ca/images/2/28/Guidance_for_the_Secure_Use_of_Collaboration_Tools.pdf Guidance For the Secure Use of Collaboration Tools - TBS]

*[https://wiki.gccollab.ca/images/4/4e/Orientation_sur_la_facilitation_de_l%E2%80%99acc%C3%A8s_aux_services_Web.pdf Orientation sur la facilitation de l’accès aux services Web - SCT]

+

*[https://www.cisa.gov/sites/default/files/publications/CISA_Video_Conferencing_Tips_S508C.pdf Video Conferencing Tips - CISA]

===Collaborative Tool References===

*[https://onezero.medium.com/slack-zoom-google-hangouts-are-your-remote-work-apps-spying-on-you-cf1e33809cf7 Slack, Zoom, Google Hangouts: Are Your Remote Work Apps Spying on You?]

Greggory.elton

802

edits

Changes

Secure Remote Working - Overview (view source)

Revision as of 10:25, 20 July 2020

Navigation menu

Search