Telework Security Checklist

Image: National Institute of Standards And Technology.gov

WASHINGTON TECHNOLOGY

“What are the compliance implications of mass telework? Six questions to ask (and answer) to help you stay compliant while your employees are working remotely”

______________________________________________________________________________

“Government and contractors were unprepared for COVID-19 to so abruptly push so many employees to remote work. Even now, as businesses start to contemplate how to reopen their offices, the continued need for social distancing means many employees will be choosing or required to continue remote work for the foreseeable future. It’s a fundamental change in how organizations operate, fraught with inconsistencies, challenges and distractions.

Yet, while the pandemic is causing modifications and deviations to contracts and regulations, it will not serve as a “Get Out of Jail FREE” card. Government contractors must still comply with their contracts and protect government information.

What are the compliance implications of mass telework? Here are six questions to ask (and answer) to help you stay compliant while your employees are working remotely:

  1. Are your telework policies and procedures up to date?

Resist the temptation to ignore telework policies that are suddenly impractical. In the absence of clear guidance, employees will be inconsistent in their behavior and performance. Take the guesswork out of the mix by updating and publishing revised policies. Provide clear, concise direction for what employees should do under current conditions (and new conditions, as government guidance evolves).

  2. Is your IT infrastructure ready and secure?

A cyber-secure IT infrastructure built to support thousands of employees from a few offices will have vastly different loads and threats when most workers are suddenly piping in remotely. Is your VPN set up for the additional traffic? Do your security models and controls need to be adapted for the increased number of employees working remotely? Consider allowing access into the system for extended hours, so employees with family obligations have flexibility about when to do their work. Be sure your team fully appreciates the risks of relaxing some security controls (such as reducing keystroke monitoring) to improve your system’s responsiveness.

  3. Do employees have the technology and guidelines to work securely from home?

Most employees will do their best to serve government customers and be productive, even if they don’t have the same technology at home as at work. But the bad guys in cyberspace are exploiting this crisis and are increasingly determined to test the security boundaries of governments, businesses and citizens. Some employee “best effort” behaviors could introduce unwanted compliance and security issues.

Remind employees of how to protect sensitive information at home. Re-publish policies about home network security, strong passwords, use of personal email accounts, unknown email attachments and other best practices. Consider home burn bags to store confidential papers until employees return to the office. Remind employees to disengage smart speakers in spaces where work-related conversations are happening. Use passwords and other added security measures for all video conferencing.

  4. How are you managing and monitoring the productivity of remote workers?

Even veteran teleworkers have been disrupted by the sudden appearance of a spouse, children and/or roommates who are all competing for space, time, attention and internet bandwidth. Employees who are teleworking for the first time may have a home environment that is more casual, less vigilant, and filled with more distractions than an office setting.

It’s important, though, to proactively manage and document the work employees are doing. Be sure employees understand policies about work hours, time tracking and status updates. Share tips and expectations for productive and professional telework. Task your managers to understand obstacles their employees are facing – and to communicate clearly about whether any temporary job accommodations are approved. Then, closely monitor performance to ensure that you’re delivering on your contracts and billing the government appropriately for the completed work.

  5. Are key employees cross-trained?

Anticipate that key personnel may become unavailable to perform mission-critical duties at some point in the pandemic. If you haven’t already, identify and cross-train employees who can step in should the need arise. Remember to obtain your customer’s approval of these key employees, so work can continue uninterrupted. Keep an updated and centralized list or database to consult as your situation changes.

  6. Are you monitoring your procedures and controls, especially the updated ones?

When so much is new and changing, monitoring your controls is a must to ensure timely corrective actions and prevent material non-compliances. Periodically test your company compliance hotlines to verify that they are accessible, appropriately staffed and supported. Keep your governance program (board of directors and executive committees) active, engaged, and available to address anything that might go awry.

COVID-19 has created a remote working scenario that most government contractors never could have envisioned. While it’s different from anything we’ve experienced before, the government will not consider these changes an excuse for significant noncompliance. It is more challenging, but with planning, creativity and vigilance, companies, employees, and customers will be well served. In fact, you may find that some changes you make to accommodate the pandemic ultimately improve your operations and should endure after the crisis has resolved.”

https://washingtontechnology.com/articles/2020/04/30/insights-telework-compliance-questions.aspx

Telework Guidance from CISA (Cybersecurity and Infrastructure Security Agency)

Image: FCW

FCW

The Cybersecurity and Infrastructure Security Agency has released new emergency guidance detailing how federal agencies can safely navigate the surge in telework following the COVID-19 outbreak.

____________________________________________________________________________

“CISA wants to manage web traffic and align data connections with authorized activities, protect the confidentiality and integrity of that traffic, promote the use of applications and services that ensure continuity of operations and allow for timely reaction and adaptation by agencies to newly discovered threats. The document also offers telework-specific guidance on capabilities like backup and recovery, log management, configuration management, incident response, authentication, vulnerability assessment, shared services and others.

“Agencies are making risk-based decisions in an environment that is completely different than it was 3-4 weeks ago,” Ross Nodurft, Senior Director for Cybersecurity Services at Venable, told FCW. “Telework is now something that has to happen quickly and in order to do that you’re going to see more and more workloads put in a cloud environment and agencies will be interacting with them in a more robust way than before.”

The guidance offers three options for federal agencies to consider during the crisis, noting that “teleworkers require access to resources on the agency campus, agency-sanctioned cloud services and on the public web” and each choice presents “unique risks and corresponding security capabilities.”

The first option allows teleworkers to directly access cloud service provider (CSP) resources, with certain capabilities normally handled by the agency through an internal TIC or service provider being duplicated and policy enforcement done at the CSP level.

The second option involves teleworkers establishing a protected connection to agency networks and accessing cloud resources from there, with the agency, CSP and worker all involved in enforcement. This method could result in increased latency, network congestion and other performance issues.

The third option allows teleworkers to connect through a cloud access broker to access agency-sanctioned CSP resources. CISA advises that both the agency and teleworker should use the same broker or Security-as-a-Service to ensure enforcement parity.

The new guidance warns agencies that the shift to a largely remote workforce will open up new possibilities for malicious hackers and make it harder to ensure compliance.

“Telework environments can present significant challenges associated with mitigating email-based threats (e.g., phishing). This challenge is amplified by the reality that agencies have limited visibility or control over remote user devices as the email service may be the only opportunity for meaningful policy enforcement,” the document reads.

The guidance is temporary and explicitly states that it will expire at the end of the year. However, an email from a CISA spokesperson said that agency officials will look to incorporate lessons learned in future iterations of the TIC program.”

https://fcw.com/articles/2020/04/08/tic-telework-guide-johnson.aspx?oly_enc_id=

FBI Warns On Zoom Conference Security

Image: Threatpost.com

FCW

As telework expands across the U.S., new users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.

__________________________________________________________________________

“The FBI is warning Zoom video-conferencing platform users to guard against “VTC hijacking” and “Zoom-bombing” by outsiders intent on making threats and offensive displays.

According to the FBI’s Boston Division, two Massachusetts high schools reported separate instances in late March of individuals breaking into online classes being conducted via Zoom teleconferencing software. In one incident, said the FBI, an unidentified individual dialed into a videoconference class, yelled out a profanity and the teacher’s home address. In the other, a school reported an unidentified individual with swastika tattoos dialing into a Zoom videoconference class.

FBI Special Agent Doug Domin told FCW that unauthorized participants are not just an issue on the Zoom platform. “Other providers have similar platforms,” he said, that are just as vulnerable to such intrusion if they’re misused.

“Organizations should have policies for VTC” and its associated software, as well as training on how to use it, said Domin. Individual session passwords should be used, even for audio bridges, he said. “The bigger the group, the bigger the possibilities” for unauthorized entry.

“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesman told FCW in an email. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining,” they said.

The Zoom for Government platform is on the General Services Administration’s buying schedule and also has that agency’s Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.

Typically, government-approved versions of commercial off-the-shelf products do not allow for data collection for marketing purposes.

Zoom’s standard product has many newer users in public school environments, since company CEO Eric Yuan removed time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.

The company’s video teleconferencing offering has raised the hackles of some privacy experts, including Consumer Reports, who say it collects and sells user data to online advertisers. It revised its privacy policy on March 29 to say it does not sell personal data.

Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood – that is encrypting data between user end points. The content of a video conference hosted by Zoom is potentially visible to the company itself.

An IT manager FCW spoke with about Zoom said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform’s integrity.”

https://fcw.com/articles/2020/03/31/zoom-bombers-fbi-rockwell.aspx

Secure Teleworking Guidance From National Institute Of Standards And Technology (NIST)

FCW

The National Institute of Standards and Technology has issued advice for organizations that must communicate remotely, warning that the lackadaisical security policies of the past will no longer cut it as hackers and spies seek to take advantage of the increased attack surface created by the surge in nationwide remote work.

______________________________________________________________________________

“Workers across the country are being sent home and told to telework as the coronavirus outbreak continues to spread. As virtual meetings and other online interactions become a reality for many federal agencies and businesses, so too do the related cybersecurity threats.

“Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop,” wrote Jeff Greene, director of NIST’s National Cybersecurity Center of Excellence. “Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively — and not the genesis of a data breach or other embarrassing and costly security or privacy incident.”

Greene laid out a number of suggestions for keeping virtual work discussions private and safe, most of which are simple and likely to already be specified (if not always heeded) in an organization’s existing policies.

Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn’t) supposed to be connected.

Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.

The Cybersecurity and Infrastructure Security Agency has also warned that widespread telework could open up new opportunities for digital compromise. The agency put out its own security guidance last week for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.”

https://fcw.com/articles/2020/03/17/nist-advice-virtual-online-meetings.aspx?oly_enc_id=