by Arturo Romero, Senior Security Engineer, Secur-Serv
The technology world has changed drastically in the last few months. As organizations move to a work-from-home environment, it is important to revisit security practices to ensure organizational needs are met. This Quick Read covers four areas of interest:
Wireless Access Points
Wireless technology enables devices to become more mobile in nature, allowing workers to traverse from the couch during morning meetings to the kitchen table for more hands-on work activities (not that I’m speaking from experience 😊). How these connections are administered is the key to the success of a network’s security. Here are some quick actions to take to ensure connections are properly set.
- Change the standard admin name and password so no one can log in and take over.
- Set a unique password for at-home employees to connect with.
- If the wireless access point is newer, take advantage of the networking capabilities that allow for segmenting personal network activity from work activity.
- Ensure that the wireless access point’s firewall is enabled.
- Disabling broadcasting of the company’s access point is also an option, so only devices used within the company can connect to the access point.
- Make sure to update the wireless access point’s firmware so it isn’t prone to any critical vulnerabilities.
With corporate workstations at home, it is important that organizations revisit the following items.
- Make sure that security mechanisms such as endpoint security, patching, and device firewalls are running as intended.
- This is also a great time to revisit corporate workstation networking capabilities such as Bluetooth or Wi-Fi to ensure they are disabled when not in use; this can be done by rules or by training staff on how to properly disable them.
- Does the ability exist to remotely wipe or lock the devices in case of loss, theft or otherwise?
- Are devices set with session timeouts or automatic screen locks?
- Check to see whether corporate workstations have data encryption or file encryption to secure that data.
From an internal standpoint, a good way to keep data and networks secure is to segment corporate devices when remote access such as a VPN or RDS Gateway is in use; this gives internal IT teams better visibility of devices that are in-house versus those that are working remotely.
Finally, as an organization, revisit user permissions to corporate workstations to ensure users aren’t able to disable or bypass security mechanisms because the user has permissions they should not have.
For those without corporate workstations, how can personal computers be used safely? Is this recommended? Not really, but it is an option for many organizations. If the organization has a Bring Your Own Device (BYOD) policy or is allowing staff to use personal computers for work, there are items to take into account when advising staff on using personal devices.
First, use a VPN or RDS Gateway with MFA enabled to help secure connections for those telecommuting.
Second, recommend that users’ personal computers are patched and up-to-date and not using an end-of-life (EoL) operating system such as Windows 7.
Remind users to keep anti-virus software up to date and to ensure their firewall is turned on. Again, I want to emphasize segmenting personal devices from corporate devices, as this could assist in the ability to quarantine devices in case of a malware attack. Also, recommend the use of session timeouts or automatic screen locks to avoid leaving personal devices open to any passerby.
Finally, consider teleconferencing and all the benefits that come with it. Even though there has been negative press regarding some teleconferencing tools such as Zoom, they are a great tool to have and they will improve. That being said, here are some basic things to do to secure your meetings going forward if you are not already doing so:
- Set passwords for your meetings
- Use waiting rooms to filter unwanted attendees
- Control who can and cannot share in your meetings
- Mute everyone who is not a host
- Use randomly generated meeting IDs, not your personal meeting ID.
All these items in tandem will help to ensure your organization’s teleconferencing experience is a good one, all the while increasing its security.