Remote Work
I originally drafted this at the beginning of April. But given how crazy things have been, I haven't had time to finish and publish. Better late than never.
First, I would like to give my appreciation and thanks to my team and IT teams all over the globe. The work required by these teams is often unseen and unheard, yet is essential to the functioning of companies. My team went from fewer than 2 dozen VPN users to over 100 users in a single day. Kudos to all!
Company Best Practices
Companies must ensure they have policies in place for remote work, video conferencing, and operational security (opsec). This is a good opportunity for companies to re-train employees on these policies or create these policies if they don't exist. Employees must understand and follow these policies, along with all other corporate policies and procedures, even while away from the office. I find that oftentimes users are lax in following some policies, such as locking their computer, while in a comfortable environment such as home.
- Remote Work: Policies should exist defining whether personal devices may be used to connect to corporate networks via VPN; what networks may be used to connect; and secure methods to connect.
- Multi-Factor Authentication: I've written about this previously in my "Back to Basics" post, so I won't belabor the point here. It is a great time to review MFA policies; this could be included in the remote work policy.
- Video and audio conferencing: Policies should define what video conferencing and audio services are allowed and disallowed, and procedures should define appropriate usage of these systems.
- Operational Security: Policies should define basic operational security concerns, especially surrounding video conferencing while working remotely. The policy should remind users to be conscious of background audio and video, and who may be listening or watching video conferences.
This is also a good opportunity for companies to provide security awareness training, as there has been a significant uptick in phishing campaigns.
Performance
While not necessarily a security topic, I thought this might be a good place to address split tunneling, especially since it can introduce security risks if done incorrectly. Since many companies are now seeing a significant influx of VPN traffic, they must find ways to alleviate the burden on their infrastructure, such as bandwidth, routers, firewalls, and load balancers. Split tunneling could be implemented simply by trusting video conferencing traffic such as Webex, Teams, or Zoom, but it should be done carefully. The point of this isn't to discuss best practices or make explicit suggestions, so do your own research and take appropriate precautions.
Employee Best Practices
- Update router firmware - Users should always keep their home router firmware up to date regardless, but oftentimes they aren't aware of this. This is a good time for companies to provide guidance to their employees on this. At a minimum, an infected router will be a part of a botnet, as with Mirai; at the more nefarious end of the spectrum, an infected router could steal data, as with VPNFilter. A compromised home router can easily lead the way to a corporate compromise.
- Secure Wi-Fi - Employees should ensure their home Wi-Fi is secured with a good password and only their household is connected. An open network or a network with a weak password can allow a nosy neighbor, wardriver, or passer-by access to your network.
I'm sure I've missed other good practices, so please provide your comments and feedback. Stay healthy, secure, and vigilant.
Great info! I’ll be checking my router firmware today.