NJCCIC COVID-19 Cyber Security Resources 3/17/20

Tips for Teleworkers, Remote Access Security


For many organizations, telework programs have been in practice for years, whether as part of the organization's everyday work program or as a component of their business continuity plans. For those organizations, policies, educational programs, technologies, and support services for the remote workforce are well established. For organizations engaging in telework for the first time, defining expectations is a good starting point. Create a telework policy that addresses the following: the scope of the telework program, roles and responsibilities, eligibility to telework (not all jobs can be performed remotely), work hours and paid time-off, the suitability of the alternate workplace and its related safety requirements, responsibility for equipment and supplies, operating costs and expenses, and requirements for physical and information security.
 
Remote Access
 
In traditional virtual private networks (VPNs), individuals use VPN client software to establish a secure connection to an internal network. While full-network VPNs are still widely used, many remote users only require access to a set of web applications hosted within the organization's network, not the entire internal network. IT departments should consider providing access to internal web applications via a portal where remote users authenticate before reaching any application. Similarly, software-as-a-service (SaaS) applications hosted in the cloud and virtualized applications hosted on premise are often good options for limiting remote access to only what is necessary for that user. Organizations should scope VPN access accordingly, restricting each user or group to the specific internal systems their role requires, so that the principle of least privilege is maintained. Regardless of which remote access method you offer, multi-factor authentication (MFA) should be mandatory. Additionally, if remote devices are allowed to connect to your internal network, consider implementing a Network Access Control (NAC) solution to ensure only authorized devices are permitted to connect.
 
Organization-Owned vs Personal Devices
 
Many SaaS and virtualized applications may be securely accessed by remote users through their personal devices if certain security controls are implemented. To reiterate, MFA should be mandatory for remote access to any application, network, or service your organization provides to teleworkers. In addition, organizations must implement controls to ensure sensitive files and information are not downloaded or stored on personal devices or personal cloud storage services. Sensitive data should only be stored on organizationally-controlled devices or authorized cloud storage services. Cloud service providers often offer conditional access controls to prevent the download of data to unauthorized devices. IT departments are advised to enforce these controls. For cloud services that do not provide the option to restrict the download of sensitive data, organizations are advised to implement a Cloud Access Security Broker (CASB) solution that provides these security controls.
 
Device Security
 
Irrespective of whether a device is personally owned or organizationally owned, it is exposed to numerous risks when connecting to networks not controlled by the organization. Therefore, implementing strong security controls is paramount. This includes controls such as strong authentication, hardening the operating system, and applying the principle of least functionality to limit services, ports, and protocols to only those that are necessary. Protective technologies should be implemented, including anti-virus/anti-malware software, endpoint detection and response software, web content filtering software, host-based firewalls, device and file encryption, and the latest security patches. With a remote workforce, IT departments face a myriad of challenges in providing support, pushing security updates, and providing continuous monitoring and incident reporting and response services for remote devices and users.
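The least-functionality principle above is easiest to enforce when it is checked rather than assumed. The script below is an added example, not part of the NJCCIC advisory: it parses listening TCP sockets in the format printed by the Linux `ss -tlnp` command and reports any listener that is not on an organizational allowlist, or that is approved only for loopback use but is bound to an externally reachable address. The sample output and the allowlist are constructed for illustration; the allowed services and their permitted bind scope are hypothetical policy choices that an IT department would replace with its own.

```python
"""Least-functionality audit of listening TCP sockets.

Added example (not from the NJCCIC advisory). Parses `ss -tlnp`-style
output and flags listeners that are not on an allowlist, or that are
approved for loopback only but exposed on a non-loopback address.
"""
import re
from dataclasses import dataclass

# Constructed sample of what `ss -tlnp` might print on a teleworker's laptop.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128          127.0.0.1:631         0.0.0.0:*      users:(("cupsd",pid=812,fd=7))
LISTEN  0       4096           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=901,fd=3))
LISTEN  0       50             0.0.0.0:445         0.0.0.0:*      users:(("smbd",pid=1320,fd=21))
LISTEN  0       128            0.0.0.0:5900        0.0.0.0:*      users:(("vncserver",pid=2210,fd=5))
LISTEN  0       511          127.0.0.1:8080        0.0.0.0:*      users:(("python3",pid=2501,fd=4))
"""

# Hypothetical allowlist: (port, process) -> widest bind scope permitted.
# "any" means the service may accept connections from the network;
# "loopback" means it must only be reachable from the host itself.
ALLOWED = {
    (22, "sshd"): "any",         # remote support over SSH is approved
    (631, "cupsd"): "loopback",  # local printing only
}

# Matches one LISTEN row: local address and port, then the process name
# from the users:(("name",pid=...)) column. Handles IPv4, "*" and "[::]".
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Finding:
    port: int
    process: str
    address: str
    reason: str


def parse_listeners(ss_output: str):
    """Return a list of (address, port, process) tuples for LISTEN rows."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"]))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for IPv4 127.0.0.0/8 and the IPv6 loopback as ss prints it."""
    return addr == "[::1]" or addr.startswith("127.")


def audit_listeners(ss_output: str, allowed=ALLOWED):
    """Compare every listener against the allowlist and return the findings.

    A listener is flagged if its (port, process) pair is not approved at
    all, or if it is approved for loopback only but bound elsewhere.
    """
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        scope = allowed.get((port, proc))
        if scope is None:
            findings.append(Finding(port, proc, addr, "not in allowlist"))
        elif scope == "loopback" and not is_loopback(addr):
            findings.append(Finding(
                port, proc, addr,
                "approved for loopback only but bound to a non-loopback address"))
    return findings


if __name__ == "__main__":
    # On a real host: audit_listeners(subprocess.check_output(["ss", "-tlnp"], text=True))
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {f.port}/tcp ({f.process}) on {f.address}: {f.reason}")
```

On the constructed sample the audit flags SMB (445), VNC (5900) and an ad hoc local web server (8080) as services the policy has not approved, while SSH and loopback-only CUPS pass. The same structure works for UDP with `ss -ulnp`, and the allowlist keyed on both port and process name catches a known port being reused by an unexpected binary.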
 
Home Network Security
 
Employees' home networks, and devices connected to these networks, may be vulnerable to attack via unsecured wireless routers. Employees are advised to ensure that they have changed the router's default passwords to strong passwords, both the administrative password used to manage the router and the Wi-Fi network password, and that they do not share them with people outside of their home. All devices connected to the home Wi-Fi should be updated with the latest security patches and anti-virus/anti-malware software. Removing unnecessary devices and services from home networks reduces the attack surface and frees up bandwidth necessary for a positive telework experience. Additional guidance on home network security can be found in the NJCCIC post "How to Configure and Secure Your Home Wi-Fi Router" and on the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency's website.
 
Conference Call Security
 
In order to enable communications with remote workers, many organizations use conference calling services. These services provide a common dial-in number and conference code for users to connect to a call. They also provide a special host code for the organizer of the conference call to use. The host code should not be shared with anyone, as it would allow unauthorized individuals to set up their own conference calls on the organization's account, thereby running up unauthorized charges. Conference call hosts should also confirm that all callers who have dialed in to the call are invited attendees before discussing any confidential or sensitive information.
 
Reporting Suspicious Activity
 
Report suspicious activity and security incidents to cyber.nj.gov/report or 1-833-4-NJCCIC.

For COVID-19 Cybersecurity Resources visit https://cyber.nj.gov/threat-center/covid-19-cybersecurity-resources/