Special Considerations for Securing Remote Work in High-Security Jobs | #itsecurity | #infosec | #education | #technology | #infosec



COVID-19 forced employers in virtually every industry to rethink how and where employees work. Suddenly, remote work became the order of the day for literally millions of workers – many of whom found they really enjoyed the greater freedom and flexibility made possible by working from home or the nearest Starbucks.

Unfortunately, while working remotely may have its benefits, the increase in technology dependency, devices, and connectivity such work requires also greatly increases the potential for cyberattacks and security breaches that could compromise the security of confidential information, as well as the safety of individuals in the field.

What kinds of vulnerabilities might workers be facing, particularly if they work in a high-security setting? Since remote work typically depends on the regular use of a desktop or laptop and a smartphone, let’s start with the fact that home Wi-Fi routers and Internet modems are an obvious target that potentially could be compromised.

There is no consistent standard for consumer appliance security design. Moreover, most Wi-Fi routers and modems are manufactured in Asia at the lowest possible cost. When you couple those facts to the realization that consumer devices regularly receive software updates that are installed automatically without the end-user’s knowledge or ability to validate the security of these patches, you’re left to conclude that even if a device came from a reputable source, it may not be running trustworthy software.

Even if you could guarantee that trustworthy(ish) Wi-Fi was in use, other parties could be listening in if good encryption is not being run. The user could also fall victim to a man-in-the-middle attack in which someone sets up a Wi-Fi device with the same name as your own network, but no password. Should this occur, a remote worker could innocently connect to the bogus network without ever realizing it.

In particularly high-stakes scenarios, it is possible users themselves will be targeted by adversaries with significant interest and resources. If someone gains physical access to your house when you are not there, for example, numerous spying scenarios become possible. Your Wi-Fi display, keyboard, computer, and mouse could be “augmented” with additional listening equipment. A hidden camera can view everything that appears on your screen and see what you’re typing without the need to break any encryption. Hidden or remote microphones can hear your work-related phone conversations.

Wireless devices open the door to additional vulnerabilities. A wireless keyboard and mouse, for example, is already broadcasting your usernames and passwords to anyone with the right listening equipment. Specialized equipment, meanwhile, can pick up and reproduce a view of your display at a distance. An open or even a closed window allows adversaries to simply look at what you’re doing, or listen in.

Consumer electronics in your home add yet another dimension of potential threats. Siri, Alexa, Google, Cortana, and any other voice assistants in your home are constantly listening to everything that is being said. In addition, some IoT equipment, such as thermostats, use standardized circuit boards that may contain unused microphones which adversaries potentially could hack and activate. Similarly, home phones and consumer-grade cell phones contain microphones, while home security systems have cameras and other sensors – all of which can be turned on remotely. Even your webcam could be on without you knowing it since hackers can potentially disable the indicator light.

Beyond these risks, workers in high-security jobs such as defense and homeland security face an even broader set of physical threats. Consumer and even most government-issued smartphones, for example, leak an enormous amount of personal data that will allow adversaries to target individuals who work at certain agencies. The same data streams let remote analysts determine where you work, where you live, how much you make, what kind of car you drive, what your online interests are, what you like to buy, and with whom you associate. This kind of comprehensive user profile allows individuals to be targeted in real life and online with effective spear-fishing attacks.

Given these and other vulnerabilities, what can be done to protect an increasingly remote workforce? Clearly, nefarious forces will always be at work, devising new ways to undermine whatever security measures have been put in place.

Despite this, there are simple measures employers can put into place to protect data security. These include establishing complex passwords for all workers, changing them regularly, and using a password manager to allow workers to log on/off through a simple PIN; setting up firewalls to control inbound and outbound internet traffic; installing encryption software and reliable antivirus and anti-malware protection; and establishing a VPN to funnel data through another secure connection between the website you need to access and your own internet connection.

Beyond these basic security steps, employers in defense and other high-security settings should consider deploying the following:

  • TSG-certified USB isolation devices provide a positive disconnect for any device utilizing USB Type-A connections for smartphones and web cameras. Typically, these can be controlled manually to disable or enable the positive disconnect security.
  • Phones that are TSG-certified and contain a positive disconnect audio capability reduce insider threats and eavesdropping vulnerabilities that are inherent in standard IP phone technologies.
  • Solutions that mitigate electromagnetic emissions inherent in many COTS computer, voice, network, and peripheral devices protect data from environmental compromise, including unintentional leaks of sensitive information to hostile countermeasures.
  • Smartphones containing a secure mode capability strike a balance between security and usability by employing a geo-fenced, policy-controlled setting that locks down all radios, cameras, and microphones in the device.
  • Secure containers operating as an isolated Android phone instance can be deployed on-demand to a phone to enable mission-specific tasks. These containers can be encrypted to cloud storage, and deleted from the device and restored later allowing anonymity and safety for individuals traveling while conducting high-security business.
  • Centralized policy management enables employers to put device management and provisioning under their control through the use of a dashboard, policy editor, and QR code-based provisioning. Capable of provisioning new devices in a matter of seconds, this management server provides organizations with real-time visibility on device status, location, security posture, and policy compliance.

These and other measures can be customized to meet the exact needs of employers and their employees, as well as the requirements of mobile access and VPN compatibility packages.

Equally important, though, are the steps that can be taken to ensure security and data privacy remain top-of-mind within the entire organization. Because employees can be the biggest threats to security, employers should hold regular training sessions concerning malware, phishing, securing home networks, and the importance of avoiding public or open networks. Regular vulnerability testing and a risk-based approach for testing data security are also essential.

Bottom line: properly configured, layered solutions can provide the kind of high-level security needed to maintain classified data in a variety of different applications. This includes protecting confidential information across untrusted networks or networks of a different classification, and supporting multiple security levels and centrally managed or independently managed sites.



Source link