During the first year of the pandemic, most of us went to remote working and now we don't want to go back. For Chief Security Officers this is a complete mess. If they don't have control of the people and the devices that access to the company resources, how can they ensure the security of the company?
"Extend perimeter to home". This is the expression that I have heard many times during the last year, but what does it really mean?
After talking with some security officers, I made a list of the questions that are disturbing their nights.
- Are employees using personal devices to connect to the company network remotely?
- Do you have different defined profiles for employees and providers to connect to the company network remotely?
- Do employees have access to the local administrator user on their device?
- Are USB ports locked on the employee device?
- Are remote control tools installed on the employee device?
- Are cloud storage tools installed on the employee device?
- Are virtualization tools installed on the employee device?
- Can you verify changes on registry keys?
- Can you verify security settings of the network where is connect the employee device?
- Can you verify the web traffic on the employee device?
- Can you verify compliance of the security baseline on computers that connect to the corporate network remotely?
- Can you visualize all this data in a central dashboard?
- Can you take automatic action on the employee device with all the information that you get before?
- Can you take automatic actions on the network devices with all the information that you get before?
Now with an idea about their needs, let's take a look at potential solutions.
Setup Basic Security Policies on Company Devices
- Assign the user a non-administrator account on the device
- Disable USB ports
- Disable SMBv1
- Disable user permission to install software
- Define a strong password policy
Remote Access
- Setup a VPN with a strong cypher
- Enable 2FA on your VPN connection or at least the certificate verification
- Create different VPN profiles between different business areas
- Create different VPN profiles between employees and providers
- Establish a periodic VPN security testing
Monitor and Control User Devices
- Take advantage of installed endpoints on the devices to get the most information you can and take action based on that.
- If you don't have endpoints, install an endpoint solution like Wazuh, Comodo EDR, Symantec Endpoint Protection that allow you to know what happens on the device and take action on it
Humans are the weakest link in the information security chain, so training is always needed to create awareness of the risk and the prevention methods. It will improve your company security, so I hope this article was useful to identify those opportunities.
Remember if you are not thinking about this topic, your company is seriously late to the game.