As more and more organisations request staff to work from home, security over remote access (i.e. “teleworking”) will be as important as ever. Unfortunately, we anticipate that adversaries will focus on remote access attacks during this period.
What should you do?
The following is by no means a comprehensive list of all controls that should be applied. We have listed the very minimum basic controls that any remote access capability should enforce:
1. Enforce a VPN.
Any type of remote access to corporate resources should be enabled via a Virtual Private Network that enforces stringent authentication (see next control) and end-to-end encryption. If classified information is being accessed, higher levels of encryption should be enforced.
2. Enable two-factor authentication (2FA) where possible.
This includes accessing the administrative router/modem, Internet Service Provider (ISP) web portal, or a mobile app used for home network management. Anyone with the ability to access these platforms may be able to access sensitive information traversing the home network and modify critical security settings within the network.
3. Enable audit trails.
Configure VPN solutions and certain internal hosts to record audit trails of who accessed what, when and from where. Look for anomalies.
4. Ensure routers and firewalls are patched and current.
Software updates are extremely important as new security flaws are constantly discovered. Simply installing updates from the device manufacturer mitigates many of these problems. This is best accomplished by enabling “auto-update” in the device’s administration page.
5. Disable WPS and UPnP.
Wireless Protected Setup (WPS) was initially designed as a user-friendly method for new devices to connect to a WiFi network. Unfortunately, it’s been found to allow attackers to connect to WiFi networks without permission. Universal Plug and Play (UPnP) is a network protocol suite that allows devices on a network to easily communicate but has been found to contain numerous and severe security flaws. Getting these two settings correct can have a large positive impact on home network security.
6. Enable WPA2 or WPA3.
Old and ineffective types of cryptography plague older network devices. Ensuring strong forms of cryptography are in use within home networks can thwart others from viewing sensitive information without authorization. At a minimum, configure WPA2 for home use.
7. Secure the endpoints.
Home environments are unlikely to be as secure as work environments. This is true for both logical and physical security. If staff are using their own devices (e.g. home computers, iPads, etc.), enforce hardened operating environments and controls. Remind staff to maintain physical security as well. This includes protecting non-digital assets (e.g. paper records, removable media and the like), as well as locking their screens with a password-protected screen saver when leaving their work areas.
8. Educate staff.
Remind staff about what they should look out for in terms of potential threats. This includes phishing, malware and other threats.
9. Be response-ready.
Things will go wrong. Have a plan ready (and rehearsed) to enact should there be a breach.
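For control 3 (audit trails), one way to "look for anomalies" in a VPN login trail, given here as an added example that is not part of the original advisory. The log line format, the 07:00-19:59 working hours and the three-failures-in-five-minutes threshold are all assumptions; adapt them to what your VPN solution actually records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail; the line format is assumed, not a real product's.
SAMPLE_LOG = """\
2024-01-15T08:58:11 user=alice src=203.0.113.10 result=success
2024-01-15T09:02:40 user=bob src=198.51.100.7 result=success
2024-01-16T02:14:30 user=bob src=198.51.100.7 result=success
2024-01-16T09:01:05 user=alice src=203.0.113.10 result=success
2024-01-16T11:20:00 user=carol src=192.0.2.44 result=failure
2024-01-16T11:20:20 user=carol src=192.0.2.44 result=failure
2024-01-16T11:20:41 user=carol src=192.0.2.44 result=failure
2024-01-16T11:21:02 user=carol src=192.0.2.44 result=success
2024-01-17T10:15:00 user=alice src=192.0.2.99 result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)"
)
WORK_HOURS = range(7, 20)                 # assumed policy: 07:00-19:59
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)  # assumed threshold

def find_anomalies(log_text):
    """Return (timestamp, user, reason) tuples for logins worth a second look."""
    known_src = defaultdict(set)     # user -> sources of earlier successful logins
    recent_fail = defaultdict(list)  # user -> failure times inside the window
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        if m["result"] == "failure":
            fails = [t for t in recent_fail[user] if ts - t <= FAIL_WINDOW] + [ts]
            recent_fail[user] = fails
            if len(fails) == FAIL_LIMIT:  # report once, when the limit is reached
                findings.append((m["ts"], user, "failure-burst"))
            continue
        # "From where": a source never seen before for a user with a baseline.
        if known_src[user] and src not in known_src[user]:
            findings.append((m["ts"], user, "new-source"))
        known_src[user].add(src)
        # "When": a successful login outside the assumed working hours.
        if ts.hour not in WORK_HOURS:
            findings.append((m["ts"], user, "off-hours"))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

A user's first successful login only establishes the baseline, so the check becomes useful once the trail covers a normal period of activity.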