[Please Suggest] Corona Virus: Security advisory for work from home

(question posted on behalf of a CISO member)

Due to the CORONA virus, most organizations are allowing their employees to work from home. Has anyone issued a security advisory for work from home?


Replies to This Discussion

Hi, yes, many organizations have started work from home. You need to have VPN access, which will take care of all security concerns with a company-provided laptop. No separate advisory required.

The use of a VPN does not create a secure environment. Many other factors, as noted below in other comments, are required to create a holistic security process.

Checklist for Work from Home:

1. The first thing IT should check is the remote working capability, in case Work From Home (WFH) is required
2. Segregate laptop and desktop users first.
3. Desktop users should be allowed to "use your own device" or company-owned or rented laptops
4. Deploy the endpoint monitoring agents and restrict access as per the role, responsibility and company policies
5. Segregate and define productive applications
6. Check readiness of access to all critical applications over Web/VPN
7. Use messenger, file sharing, VC meeting and screen sharing solutions to avoid travelling (i.e. Teams, Webex, GoTo Meeting, Skype etc.)
8. Use WhatsApp so that people get updates for quick tasks
9. Take all organization email communications very seriously
10. Vendors, Buyers/Suppliers should also be enabled for digital platforms like VC meetings and email
11. Organizations must enable digital payment capability immediately if it is not there
12. Use Wi-Fi/Data Card/Hotspot for network connectivity
13. To support the above action items, data security and access management must be reviewed and validated by the IT Team
14. Single source of information handled by HR & Corporate
15. Communication Team: The organization should have a dedicated hotline/email ID for emergency services (employees can share their health condition and seek emergency support and care services) in case of any emergency

Agree with Ashish...

Is anyone doing anything relating to communications about pivots related to Social Engineering? Thinking of attackers using increased phishing for credential theft/malware delivery (already seen that from Krebs/Forbes), but also increasing awareness around calls potentially pretending to be the company's helpdesk, e.g. attack calls: "Hi, I'm from the Service Desk - you would have received a code and we need it to verify our email systems are working correctly" etc.?

Hi

As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options, or telework, require an enterprise virtual private network (VPN) solution to connect employees to an organization's information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.

The following are cybersecurity considerations regarding telework.

  • As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
  • As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
  • Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
  • Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
  • Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel's ability to perform cybersecurity tasks.

More references available at

https://www.us-cert.gov/ncas/alerts/aa20-073a - Enterprise VPN Security

https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_...

https://www.us-cert.gov/ncas/tips/ST04-010 - Using Caution with Email Attachments.

https://www.us-cert.gov/ncas/tips/ST04-014 - Covid-19 Phishing mail awareness.

Based on your security policy and BCP plan, you can enable users to work from home. Most companies are using VPN to enable secure access.

A zero trust solution will be a good option to run WFH for critical applications.

Yogesh Mugoderya

Use VPN
Use laptop lock to secure your laptop
Avoid going out of home
Avoid data-intensive tasks like streaming if they are not for business purposes

While companies are encouraged to use VPN connections, VPNs also have security risks.

One aspect is that of a split tunnel, where traffic to the corporate network travels over the VPN while the traffic to the general Internet exits the user's home network. The danger here is that the corporate entity will have difficulty managing the Internet traffic. For example, if a user visits a malicious website, they could end up downloading something to their device that could then be uploaded to the corporate environment. If bandwidth allows, it is best to have a whole tunnel for VPN access.
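A practical way to verify which of the two configurations a remote laptop is actually running is to read its routing table and ask where Internet-bound traffic egresses. The script below is an added example (not from the thread or any vendor): it parses Linux `ip route show` output with a longest-prefix match and classifies the table as a full or split tunnel. It assumes the VPN interface is named `tun0`; both route tables are constructed samples, the second reproducing OpenVPN's `redirect-gateway def1` idiom, where two /1 routes override the home gateway's default route without deleting it.

```python
import ipaddress

# Constructed sample of `ip route show` on a laptop whose VPN client pushed only the
# corporate prefixes: Internet-bound traffic still leaves via wlan0 (split tunnel).
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
10.20.0.0/16 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600
"""

# Constructed sample after `redirect-gateway def1`: the two /1 routes are more
# specific than `default`, so all Internet traffic goes via tun0 (full tunnel).
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600
"""

# Public probe addresses spread across both halves of the IPv4 space.
PROBE_ADDRESSES = ("1.1.1.1", "8.8.8.8", "203.0.113.10")


def parse_routes(text):
    """Turn `ip route show` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dest, strict=False)
        interface = parts[parts.index("dev") + 1]
        routes.append((network, interface))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match: the interface the kernel would choose for `destination`."""
    addr = ipaddress.ip_address(destination)
    best_net, best_if = None, None
    for network, interface in routes:
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_if = network, interface
    return best_if


def tunnel_mode(route_text, vpn_if="tun0"):
    """Classify the table as 'full', 'split' or 'mixed' relative to the VPN interface."""
    routes = parse_routes(route_text)
    via_vpn = [egress_interface(routes, a) == vpn_if for a in PROBE_ADDRESSES]
    if all(via_vpn):
        return "full"
    if not any(via_vpn):
        return "split"
    return "mixed"


if __name__ == "__main__":
    for label, table in (("split sample", SPLIT_TUNNEL_ROUTES), ("full sample", FULL_TUNNEL_ROUTES)):
        print(f"{label}: {tunnel_mode(table)} tunnel")
```

On a live host, feed the output of `ip route show` to `tunnel_mode()`; a result of "split" on a laptop the policy says should be fully tunnelled is the condition to alert on. Note that "full" here means only that the kernel's routing sends Internet traffic into the tunnel; DNS settings and IPv6 routes need the same check, since a leak on either path has the same effect the comment above describes.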

The Zero Trust model is much more secure as well as scalable in today's scenario. VPN isn't cutting it in 2020.

Moved one of my clients to a complete zero trust infrastructure and they are happily achieving 98% WFH.

Information Security Tips when Working from Home (gathered from our ISMS ISO 27001 policies).

Connection & Access

  1. Avoid connecting to unsecured Wi-Fi / networks for internet.
  2. Use only company provided VPN / Citrix connection. Avoid use of any other utility for accessing applications / data.
  3. Check & ensure latest antivirus updates on our laptop regularly.
  4. Strictly avoid sharing our usernames and passwords to others.

Data sharing & Collaboration

  1. Adopt all proper & sensible precautions when handling Company data.
  2. Save & share data from Company O365 One Drive.
  3. Use Company O365 Teams to conduct meetings, to share information, screens etc.
  4. Avoid use of social media like WhatsApp while discussing / sharing sensitive business information.
  5. Do not send prints to the default printer at the office, where the print-out may remain unattended (in the absence of secure print) & may be misused.
  6. Ensure adequate security provisions of your mobile phones to protect Company information being accessed.
  7. Ensure that Company confidential information is not shared with unauthorised users, vendors, family, friends or members of the public.

Phishing Emails and Websites

  1. Strictly avoid opening e-mails, URLs & file attachments received from unsolicited or unreliable sources.
  2. Fake emails about the Corona virus are sent by hackers. Do not open such mails / URLs / attachments. Forward suspicious mails to the _____ ID.
  3. Also avoid the use of various maps / graphics showing the spread of Corona. There have been incidents of computer hacking through them.

Physical protection

  1. Avoid eating or drinking in the vicinity of our laptops / computers.
  2. Avoid exposing the laptop / computer to sudden impacts or shocks, humidity, sunlight, water etc.
  3. Do not repair, configure or change system settings of the laptop / computer. Report to IT.
  4. Lock laptop / computer screen when left unattended, to prevent alteration / deletion of data.
  5. Ensure the physical protection of our laptops / computers.

Other important points

  1. Do not install any software on any Company computer. Do not download / copy any type of unauthorised / pirated software.
  2. Do not access Internet sites containing foul / obscene / illegal / unethical / adult / violent / rumour-related content from Company computers.
  3. Do not use external, web-based e-mail services (e.g. gmail.com, yahoo.com, hotmail.com) for Company business communication.
  4. Ensure you have written approval from Business authorities prior to transferring business information to anyone.
  5. Do not copy Business data on removable media like USB storage.
  6. Do not access others’ emails directly by using their passwords.
  7. IT continuously monitors the technical & security usage of the IT Resources, to prevent & correct any performance issues & any misuse.
  8. If you come across any misuse of Company information / assets, bring it to the notice of our business authorities, Functional Risk Officer (FRO), IT & HR; or mail the _____ email ID.
  9. Use our IT resources in a legal, ethical & responsible manner. Do not use them for unauthorised commercial activities or unauthorised personal gain.
  10. Report security incidents through the IT tool / by sending mail to the _____ email ID.
