[BreachExchange] How to Secure Your Data, Network and Employees Remotely
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Mar 9 14:53:07 EST 2018
https://www.rtinsights.com/how-to-secure-your-data-network-and-employees-
remotely/
Allowing employees to work remotely is a common occurrence today, but there
are issues around real-time data needs.
Business demands are rapid and pervasive these days. More and more
enterprises allow employees to work remotely—and may suffer losses without
the flexibility for mobile productivity and connectivity. Preparing your
enterprise to provide seamless and secure connectivity for remote employees
can require a variety of considerations.
What constitutes a remote employee can take different shapes and may be
someone who works from home full-time, is traveling or on vacation or
simply working from a coffee shop for the afternoon. Whatever your remote
employee situation is, security begins in the corporate headquarters with a
general operational security and security awareness culture. A properly
equipped and secured workforce will build the foundation for a secure and
productive enterprise.
Before considering how to securely facilitate remote or mobile employees,
examine your network and security infrastructure.
The concept of “least privilege” applies whether the employee is remote or
in the office. No employee should be granted access to systems, networks or
data beyond what is necessary for them to perform their job. This includes
executives and senior staff!
Email remains the top mechanism for most corporate communications. An
encryption policy using certificates or other encryption will reduce the
risk of sensitive communications being read by unauthorized or third-party
recipients.
Any third-party services such as chat applications should provide
encryption to prevent man-in-the-middle eavesdropping. Some enterprises may
prefer no logging of chats or conversations for privacy issues. Others may
need full logging of conversations for incident response purposes.
Conversation or chat logging policies should be understood and meet the
privacy needs of the enterprise.
Compromise of credentials is one of the biggest security risks to any
enterprise. Having a strong password creation and change enforcement policy
for all assets is still one of the best defenses against sustained
unauthorized access. No user should use the same password across different
assets. Some enterprises may find password managers are a good solution to
minimize password reuse across more than one asset.
To further reduce the damage resulting from credential compromise,
two-factor authentication (2FA) can be effective. Even if password
credentials are stolen, the extra layer of security with a 2FA model will
in most cases eliminate unauthorized access, allowing an enterprise to
respond with minimal or no loss of data.
Documents and spreadsheets can contain sensitive data that, if stolen or
accidentally emailed to unauthorized recipients, could cause substantial
damage to an enterprise. Employ an encryption policy for securing documents
with a high business impact from accidental disclosure or unauthorized
access. Major office productivity applications such as Adobe Acrobat and
Microsoft Office support document encryption or file classification
infrastructures that enable management of sensitive document encryption for
any sized enterprise.
Many organizations with sensitive proprietary information or which handle
sensitive customer and other private information can suffer serious damage
from a malicious or accidental insider breach. Deploying a User Activity
Monitoring (UAM) or User Behavior Analytics (UBA) solution will help
identify internal risks, detect fraudulent employees, alert to unauthorized
transmission or offline storage of intellectual property and make incident
response and damage assessment more effective.
Whatever your industry, you have data that if lost would cause serious
disruption to the organization. Leverage a data protection and backup
solution to reduce downtime resulting from data theft or destruction,
system failures and malicious attacks such as a ransomware infection.
Your enterprise firewall and anti-virus solutions should handle the amount
of traffic your enterprise will generate and seamlessly integrate and
cooperate with your full security architecture. Some traditional security
technologies are better than others at protecting you from cyber threats,
reducing system and network latency, and interoperating with your complete
enterprise needs. Consider your entire security architecture and discuss
your infrastructure needs with an anti-virus or firewall vendor before
investing in these expensive solutions.
Preparing for secure remote employee access
Once the foundation of a secure infrastructure and security culture are in
place, managing secure remote employees will be easier.
Secure remote access generally starts with a virtual private network (VPN)
solution that provides reliable uptime and flexible connectivity when
shifting from one location to another. Ensuring and managing least
privilege access for VPN connections is vital to ensuring access controls
are in place. Also, consider the strength any VPN solution offers against
man-in-the-middle or replay attacks to minimize the risk of unauthorized
access or eavesdropping. Most commercial and open source VPN solutions will
protect against these types of known attacks. However, selecting the wrong
VPN could put your network and data at risk.
Using full disk or device encryption for any laptop or mobile devices is
vital to protecting data if a device is lost or stolen. Most modern mobile
phones and tablets now support full device encryption that enterprises can
manage with any mobile employees. Full disk encryption for laptops and
computers is integrated into most modern file systems such as Microsoft’s
NTFS file system as well as file systems used on Mac and Linux. Plan to
configure any computers with full disk encryption for remote or mobile
employees.
Beyond anti-virus blocking malicious applications, further protection from
employees installing unnecessary software might be needed. If this fits
your security model, computers and laptops should be configured to prevent
installation of unapproved software. A software restriction policy
architecture can help reduce unapproved software from being installed on
corporate systems. Additionally, consider restricting access to Google
Play, Microsoft App and Apple App stores to admins only.
Some enterprises should be concerned with the unauthorized use of external
devices such as CD/DVD ROMs, SD Cards, and USB devices. While some of these
are on the way out (e.g., CD/DVD drives), most laptops and mobile devices
will support external devices that can be used for unauthorized download or
storage of sensitive data or intellectual property. If external devices are
an increased risk to your enterprise, consider corporate equipment that
does not include these or deactivate them prior to deploying to mobile or
remote employees.
If data backup for remote employees is still a concern, choose a secure
cloud backup as an alternative to external drives or devices. A corporate
cloud storage solution can provide secure upload, encrypted storage, and
manageability by your organization.
Having too many computers for remote employees can be expensive and
increase the risk of stolen, compromised or damaged data due to hardware
failure. To reduce the amount of costly hardware, your employees could use
cloud-hosted computers that can be easily deployed or decommissioned.
Leveraging cloud-based systems can be just as secure as a physical system
while keeping control of corporate information and assets in the hands of
your corporate IT or information security team.
Most connected employees use a mobile phone or tablet to communicate with
other employees and business contacts via email, Skype, chat or other apps.
Since business contacts – whether internal or external to the enterprise –
may be considered sensitive, use an encryption and security policy for
mobile devices to protect the devices from unauthorized access to email,
documents, conversations, call logs and contacts if it is lost or stolen.
Most mobile devices now offer security profiles that can be set by your
security team to provide VPN access and enforce device encryption as well
as password policies. Additionally, security software can also destroy
(wipe) all data remotely on a mobile device once determined it is lost or
stolen.
Customize any security model to your enterprise. Your security and mobile
needs may go beyond what we discussed. Thoroughly evaluate your
infrastructure and security needs internally before deploying employees
remotely. Having a secure foundation for your enterprise infrastructure and
deploying a well-planned model for secure remote employees will ensure
minimal risk and increased security for all of your intellectual property
and digital assets.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180309/0e185681/attachment.html>
More information about the BreachExchange
mailing list