MAKING AND KEEPING WORK-AT-HOME OPERATIONS SAFE AND PRODUCTIVE
SANS INSTITUTE WHITEPAPER
Sponsored by: BlackBerry, Infoblox, Menlo Security, Pulse Secure.
Written by John Pescatore
Shutdown orders driven by the coronavirus pandemic resulted in an immediate need for most businesses to support full-time work-at-home employees and in some cases, customers. SANS had to move from 70% in-person training to 100% online training in a matter of weeks for all instructors and thousands of students.
The goal of this paper is to pass on the lessons learned by SANS on how to reach “safe enough while productive enough” levels of remote work, and then determine how to move forward as the “new normal” for both work and protection from emerging threats. We emphasize the importance of an honest and detailed assessment of your starting point, focusing first on a basic security hygiene foundation and a people focused awareness campaign. From there, using the supplied guidelines, we discuss the importance of maintaining performance and collaboration while reducing risk.
With every transition there is always an opportunity to take advantage of change and raise the security bar. Use this crisis as an opportunity to increase the strength of user authentication, the rigor of privilege management, the focus on application security, and the frequency of software updates and critical backups. Security teams that have the skills and the focus to move up the “secure work-at-home maturity model” levels can do this without requiring a large (or often any) increase in budget.
Where Are You on the Safe and Productive Remote Work Journey?
While it is no surprise that the stay-at-home orders issued to combat the COVID-19 pandemic caused an immediate increase in employees working from home, the numbers from a recent survey conducted by Iometrics and Global Workplace Analytics are staggering. According to the survey, prior to COVID-19, 31% of employees reported working from home at least one day per week and only 9% were working from home full time, compared with 77% doing so after the stay-at-home orders. In addition, only 27% of companies had formal full-time work-at-home programs in 2019, while 42% had part-time work-at-home programs. The bottom line is that more than half of the companies that had employees currently working from home were not formally prepared for this transition.
However, the bad guys are always ready to attack, with phishing attacks that are easily tailored for the latest crisis or other headline-worthy event. The World Health Organization (WHO) reported a significant increase in attacks directed at WHO employees: “Scammers impersonating WHO in emails have also increasingly targeted the general public in order to channel donations to a fictitious fund and not the authentic COVID-19 Solidarity Response Fund. The number of cyberattacks is now more than five times the number directed at the Organization in the same period last year.” The U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert: “Both CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.”
Based on SANS interactions with enterprises and users, many organizations were prepared or were able to react quickly, to take preventive measures, and enable safe and secure work-at-home operations. They did this by having a solid foundation of basic security hygiene supported by a mixture of skilled staff, thorough and repeatable processes, and effective security controls. SANS has observed some common patterns of maturity in supporting safe and secure work-at-home operations:
Some of the key technical elements of success include:
• Educate the users on the new risks in terms that will cause them to change their behavior.
• Confirm that VPNs and other remote access methods have the capacity to meet the increased demand and can enable security visibility as well as rapid detection and response to attacks.
• Enhance web, email and DNS protections and make use of these services for threat intelligence. Attackers move rapidly to modify phishing and ransomware campaigns to take advantage of confusion and crises.
• Improve mobile device management of personally owned devices and isolation/segmentation of those devices to reduce exposure—this is key to enabling business while reducing risk.
• Leverage increased management attention to the security issues that are getting daily press coverage. Use it to get support for stronger authentication and privilege management, faster patching and backups, and more use of persistent data encryption.
SANS Director of Emerging Security Trends John Pescatore, SANS Director of Security Awareness Lance Spitzner, and Virginia Tech CISO and SANS Senior Instructor Randy Marchany presented their views of the most important elements of a secure, effective and efficient remote work and collaboration program during a SANS webcast, titled “Making and Keeping Work at Home Operations Safe and Productive.” The remainder of this paper details those findings.
Speaking the Right Language to Increase Awareness and Drive Change – Lance Spitzner
Lance Spitzner pointed out that the COVID-19 pandemic created an overwhelming sense of urgency and uncertainty for customers, employees, and business staff and management—exactly the two conditions that attackers are continually looking to take advantage of. For many organizations, the problem was then exacerbated not only by a shortage of skilled cybersecurity staff, or lack of other resources, but also by an inability to effectively communicate the key security issues to the user base in a way that would both inform them and induce them to change their behavior.
IT security teams are often focused on the technical aspects of threats and security controls and often use language that mirrors the complexity of attack and defense mechanisms. To users and business managers, this is akin to the directions on a medicine bottle explaining biochemistry and epidemiology versus simply stating, “To reduce the pain, take two tablets every four hours.” Spitzner pointed to a large body of research that supports the avoidance of cognitive and choice overload. Rather, explaining issues using intuitive versus analytical approaches has proven to be key in connecting with people in a way that reduces obstacles to behavior changes. The key is to prioritize a small number of the most important actions from a risk reduction viewpoint and communicate them clearly and precisely. That sounds simple, but many security people are perfectionists and believe everyone should do everything the right way to reach 100% security.
Spitzner recommends an initial focus in work-at-home security awareness on three priority actions:
Social engineering—Make sure people understand they will be the target, not the company’s technology. No one in management, a government agency or in the medical community will ever send them an urgent email requiring an immediate response or asking for their password or other sensitive information. Fear, crises, curiosity and urgency are the attacker’s greatest weapons. The more urgent the message is, or the more it’s pressuring a person to ignore or bypass company policies, the more likely it is an attack.
Passwords—Reusable passwords will always be the Achilles’ heel of security, but because of the resources required to do so successfully, organizations are unlikely to be able to make the move to two-factor authentication during this crisis. Don’t force people to use long strings of computer-generated digits that are impossible to remember, and don’t force them to change passwords regularly. These are costly, painful behaviors that ultimately increase risk. Use of passphrases and password managers has proven to be an effective way to simplify security for the workforce while also improving security for the organization.
Updating—IT operations still control work laptop operating system updates for most organizations, but it’s important to also tell employees to turn on auto-updates on their home PCs, work computer browsers, phones and tablets. Using the latest version of apps or browser extensions, such as Zoom, will not only ensure the latest security features are available, but also invariably raise the bar against attackers.
While those are three relatively simple concepts, it’s important to speak the language of users so that it sinks in. Spitzner recommends partnering with your marketing, communications and graphic design teams to create visual materials to get those key points across clearly and intuitively. Maximize the use of well-designed graphics and always keep newsletters under 700 words in length. When developing your awareness materials, always start with this in mind: “Why should they care?” Spitzner recommends the book Start with Why by Simon Sinek, as well as his Golden Circle video presentation as a starting point. Spitzner used this approach in creating the SANS Video Conferencing Tips for Attendees.
As organizations and individuals rush to work from home, video conferencing has become a key part of staying connected and working together.
Here are key tips to making certain you are securely attending a video conference.
Update software: Make sure you are always using the latest version of the software. The more recent and updated your software, the more secure you will be. Enable automatic updating, and always quit your program when you are done as some programs update when you restart.
Configure audio/video settings: Set your preferences to mute your microphone and turn off your video when joining a meeting and enable them only when you want. You may want to consider placing a webcam cover or tape over your computer’s camera.
Double-check your background: If you want to enable your webcam, be aware of what is behind you. Ensure you do not have any personal information or family members walking behind you during the call. Some video conferencing software lets you set up your own virtual background or blur your background, so people can’t see what is behind you.
Don’t share invites: The invite link to a call is the ticket to enter the meeting; others can join if you share. Even if a trusted coworker needs the link, it’s much better to tell the conference organizer who can give the individual access to ensure changes to the conference are automatically shared with everyone.
Chief Information Security Officer Viewpoint: Moving Rapidly and Managing Security with a Scattered Security Team
Randy Marchany, the Chief Information Security Officer (CISO) at Virginia Tech, the largest research university in Virginia with over 33,000 students, and a SANS instructor since 1992, walked through the timeline of Virginia Tech’s rapid reaction to the pandemic shutdown orders:
The last day of spring break was extended from March 11 to March 22.
The security office went remote the week of March 15. Virginia Tech went into reduced operations mode.
Approximately 4,500 classes converted to a 100% online format by March 22.
The state of Virginia went Stay-at-Home on March 30. Virginia Tech went into essential operations mode.
Virginia Tech ended up with about 33,000 students taking classes online and about 8,000 faculty and staff working from home.
In addition to his CISO duties, Marchany had been teaching a class with 93 students and had to move to online teaching himself. His class materials were already available online, but he had to add a video component to replace in-person teaching. He estimates that overall, only 10% of the university’s courses were already online—moving to all online teaching was an enormous effort for its staff.
Marchany’s security staff consists of seven full-time employees that run all cyber defense operations for the main campus in Blacksburg, Virginia, and the northern Virginia campuses in Alexandria, Falls Church and Arlington. Two of his staff were already full-time teleworkers, so the team already had some experience in collaborating and communicating online. The university uses Zoom, so security staff one-on-one meetings were already happening on Zoom. Once everyone went full time to remote work, the team established a weekly Zoom security staff happy hour as a way to share the events of the day, maintain camaraderie and reduce the overall stress level.
Operationally, all of the sensors and security operations center (SOC) back-end systems were already accessible securely and remotely; there was no change in visibility or access. The movement to work at home was the major issue with a potentially significant loss in visibility into endpoints due to the increase in usage of personally owned PCs on home networks.
Virginia Tech had a split tunneling VPN solution (full IPSec VPN, SSL VPN support) in place before the pandemic hit. Faculty and staff accessed VPN services using their university credentials. The university doubled its VPN capacity to support the work and teaching business processes for a fully online mode. The university could run vulnerability scans against endpoints over the end-to-end VPN connection, but when other connection methods were used, local ISPs would sometimes interfere with the scanning, because it looked malicious to them. Home machines that were “dual-homed” could also be doing direct internet connections without going through the university network, meaning that abuse or dangerous connections/activity might be detected by the local ISP rather than Virginia Tech. Similarly, NetFlow data could still be collected from endpoints that entered the campus network from VPNs but not from other connection methods.
Another point to consider is that very few homes have as fast or as reliable an Internet connection as a business or campus network. Many employees live in areas with marginal connections or have their entire family accessing their internet connection at the same time, thus saturating it. Some employees have no wired internet connections at home and rely on cellular data services with limited bandwidth. Virginia Tech provided easy-to-understand tech tips for optimizing connectivity from slow-speed home connections. To meet their employees’ need for higher bandwidth connectivity, Virginia Tech set up Wi-Fi parking lots. Employees could drive up with their laptops in their vehicles and use their university credentials to connect and get their work done.
For employees that did not have a university-issued laptop, the university had existing minimum-security standards for all endpoints and required employees to change the settings on their home computers as required. Marchany recommends that users set up a separate work ID/account on all personally owned PCs being used for work connectivity. This will at least keep browser histories and new file storage separate and provide some limited mitigation of a ransomware attack, because home files are not easily accessible from the work login and vice versa. The final major area Marchany addressed was teleconferencing security. The rapid growth in Zoom use attracted attackers and headlines about Zoom security issues, but in reality, attackers were active against every major videoconferencing application—which all had vulnerabilities.
The university published detailed security guidelines and best practices for secure use of Zoom and other services. (Zoom has published a good set of recommendations as well.)
Marchany highlighted his top recommendations:
Update software—Security enhancements are being rapidly pushed out; users should always use the latest version of the application or web agent.
Audio/video settings—Turn on storage and screen sharing services only if needed for business purposes and inform everyone if a recording is being made. Organizers have many controls to help prevent disruption or abuse by attendees. Educate users to NOT leave sensitive information on their work surface that will be in the camera’s view.
Background—Where possible, take advantage of Zoom’s ability to project a virtual background behind the user. Not all PCs can support this, but it prevents inadvertent disclosure of sensitive information that might be visible behind the user.
Don’t share invitations—If you are invited to a meeting, don’t share your personal invitation with anyone. Users should contact the organizer for an individual invitation to ensure individual accountability. If you are organizing a meeting, don’t share your own Personal Meeting Identifier.
Screenshots—Be aware that on all teleconferences, even when end-to-end encryption is used, participants have a variety of ways to take screenshots of any sensitive information exposed.
Transitions and hard times often enable, if not force, change. In cybersecurity, we largely know the important basic security controls required to enable business while limiting risk, but we’ve been unable to convince management and other organizations to support the necessary changes. The COVID-19 pandemic has dramatically illustrated to CEOs and boards of directors how important reliable and safe IT systems and access are to limit the impact of crises and the inevitable wave of attacks that follow.
Many organizations have been forced to quickly invest in support for increased remote access capacity, increased use of online teleconferencing and high levels of use of employee-owned devices. Some have been able to build enhanced security through stronger VPNs, and better mobile device management and visibility. Now is the time to institutionalize those gains and take advantage of increased management attention; increase the strength of security controls for email, internet access and downloading executables; utilize threat information to better prepare for attacks; and move to a more advanced and aggressive form of endpoint security.
About the Author: John Pescatore joined SANS as director of emerging security trends in January 2013 after more than 13 years as lead security analyst for Gartner, running consulting groups at Trusted Information Systems and Entrust, 11 years with GTE, and service with both the National Security Agency, where he designed secure voice systems, and the U.S. Secret Service, where he developed secure communications and surveillance systems and “the occasional ballistic armor installation.” John has testified before Congress about cybersecurity, was named one of the 15 most-influential people in security in 2008 and is an NSA-certified cryptologic engineer.
The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community. SANS is the most trusted and by far the largest source for information security training and security certification in the world.
For more information please visit: www.sans.org