Security Guide on Setting up and Operating a Remote Work Environment (Telework, Video conferencing) 2020. 6. ※ When quoting all or part of this guide, please credit as [Source: Korea Internet & Security Agency (KISA)].


Contents

1. Overview

2. Understanding the remote work environment

A. Telework

B. Video conference

3. Security threats in the remote work environment

A. Telework security threats

B. Examples of telework incidents

C. Video conference security threats

D. Examples of video conference incidents

4. Strengthening the security of remote work

A. Security for setting up and operating telework environment

B. Security for setting up and operating video conference environment

[Annex 1] Telework Environment Security Checklist

[Annex 2] Video Conference Environment Security Checklist

[Annex 3] Examples of telework security training materials


1. Overview

1) Background

o The spread of COVID-19, the implementation of social distancing, and the occurrence of confirmed cases in the workplace have led to a proliferation of remote work

- The Ministry of Personnel Management (MPM) of the Republic of Korea released guidance to enforce telework from home on a rotating basis and promote a remote work culture for public officials 1)

- Various enterprises, regardless of size and industry, implemented work-from-home measures. 3)4)

o This guide defines the characteristics and security threats of remote work environments (telework, video conferencing) and provides guidance on how to strengthen security to prevent security incidents

2) Main content

o (Understanding the remote work environment) Definition of and introduction to the remote work environment

- Define the remote working environment

- Introduce the components of the remote work environment and relevant cases from other countries

o (Introduction of major security threats) Security threats in remote work environments, with examples

- Physical/human/technical security threats in remote work environment

- Security incidents in the remote work environment

o (Guide to strengthening security) Detailed security guidelines and security checklist

- Security rules for workers (teleworker, system administrator)

- Security checklist for telework and video conferencing environments

1) Ministry of Personnel Management, “Overcoming Challenges amid COVID-19”, http://www.mpm.go.kr/english/news/latestNews/?boardId=bbs_0000000000000078&mode=view&cntId=36&category=&pageIdx=

3) Large corporations also on ‘COVID-19’ high alert.. “Prevent employee infections”, telework spreads, Sisa Weekly, https://www.sisaweekly.com/news/articleView.html?idxno=30874

4) [Good Company List, Preserved] Telework status!, JobPlanet, https://www.jobplanet.co.kr/companies/351293/story/컴퍼니%20타임스?content_id=486


2. Understanding the remote work environment

A. Telework

1) Telework definition

o Telework commonly refers to work done in a space outside of the designated office space in an enterprise or organization

- Performing work by externally accessing the internal systems of an enterprise or organization due to working from home or a business trip also falls under telework

- For telework, it is crucial to provide a method to safely connect to the enterprise's processing system from outside the enterprise

- Groupware and enterprise resource management (ERP) systems are the systems that are usually accessed when teleworking

- Remote work and telework have been steadily increasing abroad. In Korea, telework has rapidly increased due to the impact of COVID-19

< Status of telework around the world >

·(USA) According to the 2018 U.S. Bureau of Labor Statistics survey, approximately 26.4 million people teleworked (working from home), an increase of 159% compared to 2007 5)

·(UK) According to the Office for National Statistics, 8.7 million people (about 30% of the total workforce) were homeworking in 2019

·(Australia) An Indeed.com survey showed that 68% of companies allowed telework 6)

2) Components of the telework environment

o In teleworking, the following components are needed to access the enterprise’s processing system through the Internet

- User terminal: PC or laptop, tablet or smartphone

- Secure access program: Connect to the enterprise’s internal network using a VPN

※ VPN (Virtual Private Network): By providing encrypted communication between the user terminal and enterprise’s network, individual users in effect use a dedicated line on the Internet

- Enterprise’s processing system: Computerized work system of companies/organizations such as groupware, enterprise resource planning (ERP), email, and video conferencing

5) https://www.bls.gov/news.release/atus.t06.htm

6) http://blog.au.indeed.com/2019/01/29/report-68-australian-employers-allow-remote-working-attitudes-divided/


< Telework environment >

B. Video conference

1) Definition of video conference

o A video conference is a conference conducted between physically remote people using dedicated equipment/programs

- Operates on the same principle as video calls and provides various functions (multi-party conference function, right to speak, designating a conference room manager, etc.)

- Video conferences can save travel time and reduce travel expenses, and can improve productivity by facilitating faster decision making

- Video conferences are mainly used for business meetings between corporate headquarters and branch offices (or overseas offices), and are also used for distance learning within the country

- Recently, there have been cases where video conferencing technology is used for job interviews or telemedicine

- Overseas, video conferencing is recognized as a fundamental work system

< Video Conferencing in the U.S. >

·About 11 million video conferences are held every day, and about 220 million video conferences are held per year. The time spent in video conferencing has increased by 10% every year since 2000. 7) 51% of Fortune 1000 companies, 58% of Fortune 500 companies, and 96% of the top 200 U.S. universities use the video communications service, Zoom 8)


2) Components of video conferencing

o The following are the basic components for smooth communication in the video conference environment

- Video conferencing platform: The medium that participants access to hold the meeting, either set up directly by the enterprise or used as a service

< Setting up dedicated equipment directly in an enterprise/institution >

·Install and operate a video conferencing system in the enterprise’s computer system

·Customized development, such as syncing with the enterprise’s existing internal work systems

·Security level depends on the security of the enterprise’s computer system

·There are constraints on usage, as it can be used only where the video conference system is installed

< Using a cloud SaaS service >

·Provides video conference software available for PC/laptop, smartphone, etc.

·Compatibility limits may exist depending on the participant’s terminal environment

·Security level depends on the security of the participant’s terminal

·There are additional security considerations such as communication encryption and access control for the video conference rooms because this method uses an Internet connection rather than a dedicated line

- User terminal: PC/laptop, tablet or smartphone to use the video conference system

- Video conference camera, mic: cameras are embedded in the laptop, tablet, smartphone, or a separate webcam needs to be added to the PC

- Secure access program: A program to ensure secure access when a video conference system is installed inside a company/institution

※ Not applicable when using cloud service based video conferencing

7) https://highfive.com/blog/10-video-conferencing-statistics

8) https://www.uctoday.com/collaboration/video-conferencing/video-success-empowering-the-channel-with-zoom/


3. Security threats in the remote work environment

A. Telework security threats

1) Physical threats

o In general, teleworking spaces cannot guarantee the secure working environment provided at the workplace (such as protection against terminal loss and defacing countermeasures)

o There is a risk of theft in cafes, libraries, etc., where a large number of people are gathered

o There is also the risk of loss or theft of computer equipment or devices for business while the teleworker is in transit

2) Human threats

o Working remotely may expose one to various social engineering attacks, and unintentional abnormal actions (acts) may occur

o Critical company data can be leaked externally through a user terminal used for telework

o When working from home, family, visitors, or children accessing the work computer could modify or delete data

3) Technical threats

o If the user's terminal is vulnerable and is infected with malicious code, unauthorized users (hackers) could infiltrate the company's internal network and spread damage

o If the network environment (such as Wi-Fi equipment) used for remote work is not secure, communication content or data may be leaked

o If the authentication procedure of the work processing system is inadequate, unauthorized terminals can access the company's network


B. Examples of telework incidents

o Security company Avast announces network breach9) (2019. 10. 21)

·Hackers compromised an employee’s VPN credentials used for telework and successfully accessed the corporate internal network by exploiting a security weakness, namely that multi-factor authentication was not used

·Avast detected the intrusion on September 23, but found evidence that the attack began in May of the same year

·Avast intentionally did not respond to the incident for two weeks in order to observe the behavior of the attacker, and confirmed that the attacker's goal was to attempt to deface the company’s CCleaner tool

·A similar incident occurred in 2017.10)

<Potential teleworking security threats>

C. Video conference security threats

1) Physical threats

o When connecting to a video conference, the video camera and microphone act as a channel to transmit information about the participant and conference

9) https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/

10) https://www.zdnet.com/article/hackers-hid-malware-in-ccleaner-pc-tool-for-nearly-a-month/


o The user's personal information may be exposed through the location of the office or identifying information such as a diploma hanging on the wall

o Because the microphone can pick up nearby voices as well, additional unintended confidential information may be transmitted through the microphone

2) Human threats

o Unauthorized users can gain access to the conference room if the video conference host does not implement adequate security settings

3) Technical threats

o If the video conference communication is not E2E (End to End) encrypted, there is a possibility of video and audio content being leaked

o If there is a vulnerability in the video conference program or service, it may be exploited for additional attacks (taking over the screen, unauthorized participation, etc.)

o If the video conference room address is released on the Internet, DDoS attacks on the server could impede business operations

D. Examples of video conference incidents

o In March 2020, non-students entered and disrupted an online lecture at a Korean university11)

o Zoom Bombing: An unauthorized user enters the video conference room and interferes with the meeting. The US FBI reported the following incidents (2020. 3)

·An unauthorized individual entered an online high school Zoom class, yelled a profanity, and disclosed the teacher’s home address

·An individual accessed another Zoom class, and the individual’s swastika tattoos were visible on the video camera 12)

o An attack that steals user accounts with an invitation to a fake video conference

11) https://news.joins.com/article/23733169

12) https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic


·Video conference invitation emails have the following format, including the address of the conference room and the password for entering the conference

<Example of a video conference invite email>

·An attacker could induce user login using an invitation containing a fake URL (steal account and password) or install malware on the user's PC13)

o The UK Ministry of Defence and the American electric vehicle company Tesla forbid using Zoom for video conferencing

·Zoom, a representative video conferencing service, does not support E2E

·Zoom facilitates video conferencing in the form of user ↔ Zoom server ↔ user, and only the connection between the user and the Zoom server is encrypted

·In other words, there is a risk of data leakage because unencrypted video conference content exists on the Zoom server

·Zoom announced support for E2E, encryption between users, to solve this problem 14)

13) https://mashable.com/article/zoom-phishing-email-hack-coronavirus-unemployment/

14) https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
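The fake-invitation threat described in section D can be screened on the receiving side by checking every link in an invitation against the exact meeting hosts the organisation uses. The following is an added example, not part of the KISA guide; the approved host names, the sample invitation and the function names are constructed assumptions.

```python
"""Added example: triage the links found in a video conference invitation."""
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the meeting hosts this organisation actually uses.
APPROVED_MEETING_HOSTS = {"example.zoom.us", "meet.example.co.kr"}

# Constructed invitation text, modelled on the format the guide describes
# (conference room address plus password).
SAMPLE_INVITATION = """\
Topic: Weekly team meeting
Join the meeting: https://example.zoom.us/j/5550100?pwd=constructed
Meeting ID: 555 0100   Password: constructed
If you cannot join, confirm your account at
https://example.zoom.us.account-verify.example.net/signin
"""

LINK_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def check_invite_url(url, approved=APPROVED_MEETING_HOSTS):
    """Return (ok, reason) for one link; only exact approved hosts pass."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":
        return False, "not_https"
    if not host:
        return False, "no_host"
    if parts.username is not None or parts.password is not None:
        # Text before "@" is login data, not the host the browser contacts.
        return False, "userinfo_in_url"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        # Internationalised names can imitate an approved host visually.
        return False, "non_ascii_host"
    if port not in (None, 443):
        return False, "unexpected_port"
    if host.rstrip(".") not in approved:
        # Exact match only: an approved name used as a prefix of a longer
        # host name belongs to whoever controls the rightmost labels.
        return False, "host_not_approved"
    return True, "approved_host"


def triage_invitation(body, approved=APPROVED_MEETING_HOSTS):
    """Return [(url, ok, reason), ...] for every http(s) link in the body."""
    return [(url, *check_invite_url(url, approved))
            for url in LINK_RE.findall(body)]


if __name__ == "__main__":
    for url, ok, reason in triage_invitation(SAMPLE_INVITATION):
        print("ALLOW " if ok else "REJECT", reason, url)
```

A mail gateway or help-desk script can apply the same check before an invitation reaches the user; rejected links are the ones to quarantine or review.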


4. Strengthening the security of remote work

A. Security for setting up and operating teleworking environment

1) Security rules for teleworkers

o (Secure a dedicated space) Perform telework in a secure space, not in open spaces such as a cafe or park

o (Terminal security) Connect to the enterprise's network using only the equipment (terminals) provided by the enterprise, and do not use them for other purposes

✓ Keep security up to date on laptops, smartphones, tablets, etc.

✓ Do not use unauthorized devices/equipment for telework

✓ Restrict others' access to telework terminals

o (Program security) Use only authorized programs and do not arbitrarily install additional programs

✓ Do not use external messenger programs; instead use only the company's internal messenger program

✓ Keep all programs up to date with security updates

✓ Use device and data protection programs such as antivirus software, DLP, DRM

✓ Use only properly licensed programs approved by the enterprise

o (External media security such as USB) Restrict use of USB as much as possible, and apply security measures such as virus infection scans as necessary

✓ Do not copy/share files between the telework terminal and other computers using a USB

✓ Set the USB port in the telework terminal to read-only, and apply countermeasures against data copying and leakage

o (Network security) Do not use unreliable or open Wi-Fi; only use a secure internet network


✓ Set a secure administrator account/password for the router when using a home network

✓ Apply a security policy so that only authorized users can access the home network

✓ When connecting via wireless, select strong authentication and encryption methods and use a WPA2 or stronger password 15)

✓ When accessing the enterprise network, be sure to use only the secure access method provided by the enterprise

o (Password security) Use a strong password with at least 10 characters and a mixture of upper and lower case letters, numbers, and special characters

✓ Accounts used for work must be separate from those used for personal purposes

✓ Do not autosave the password in the browser regardless of the security level of the terminal

✓ Work in a dedicated secure space, as passwords can be exposed in an open environment such as a cafe or outdoors

o (E-mail security) Telework relies on email for communication, and as a result social engineering attacks (phishing, etc.) that exploit this fact have increased

✓ Be careful when clicking links to websites in the body of the email

✓ Be careful when opening attachments in an email

✓ When connecting to the corporate e-mail server as a teleworker, be sure to connect through a secure channel such as VPN or cryptographic communication

✓ When using a commercial mail service (provided through portal sites), take additional security measures such as 2-factor authentication

15) Easy-to-Understand Wireless LAN Security Guide, Korea Internet & Security Agency (KISA), https://www.kisa.or.kr/public/laws/laws3.jsp


2) Security rules for telework operator/administrators

o (Integrated authentication system) All access to the work computing environment is managed with integrated authentication through a single account

✓ Secure user access history and behavior traceability through integrated management of accounts such as VPN access and business application login

✓ Secure user history and behavior traceability by restricting account sharing and granting separate permissions to individual users

✓ Detect abnormal signs by continuously monitoring user access history, access origin and destination, etc.

o (Teleworker authentication security) When teleworkers access the company's network, use strong authentication methods such as multi-factor authentication

✓ In addition to the account/password for authenticating teleworker access, use multi-factor authentication such as OTP and mobile phone authentication

✓ Do not allow multiple access channels for teleworkers; use only one authenticated access

✓ Apply intensive monitoring of access status to key user accounts such as system administrators

o (Remote access security) Establish a dedicated access environment so that only authorized users and terminals can access the work network (using VPN, etc.)

✓ Allow VPN access and service access only from terminals designated by the company

✓ Be able to check the security status (whether antivirus software is installed or the latest security update is applied) of the terminal accessing the VPN

✓ Require multi-factor verification in addition to account/password for users connecting through VPN access

✓ Secure visibility of monitoring by unifying the traffic path to access the external Internet through the internal network when connecting with VPN

o (Remote access resource management) Secure the operational stability of the VPN, which is the access route of teleworkers


✓ It is necessary to have a measure to secure availability, since the remote access path itself may be blocked if there is a DDoS attack on the VPN IP band

✓ Establish and apply a blocking policy against types of DDoS attack

✓ Consider using cloud-based VPNs for corporate emergency access

o (Strengthen monitoring of internal network) Strengthen security activities, such as detecting abnormal signs by monitoring internal system logs at all times

✓ Teleworkers connected via VPN have the same privileges as those in the corporate internal network, so it is essential to monitor the security of the entire internal network

✓ Use a different address band for telework networks to ensure ease of monitoring

✓ Enhance security of internal servers (install antivirus software, latest security updates, monitor internal resources)

✓ Strengthen access control by minimizing unnecessary access between servers and limiting the work scope by granting permissions for each account as necessary

✓ Implement measures to detect anomalous signs, such as monitoring VPN connection status and user behavior history

o (Operation of emergency response procedures) Operate security procedures that immediately respond to loss and theft of remote terminals or detection of system abnormalities

✓ The storage device of the terminal used in telework should be encrypted in case of loss or theft of the terminal

✓ Establish a control method to centrally lock/unlock telework user accounts, and continuously monitor infiltration attempts using lost/stolen accounts

✓ Operate terminal protection function that deletes or remotely locks data on the terminal if necessary
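Several of the administrator rules above (multi-factor authentication on VPN access, designated terminals only, one access channel per teleworker, monitoring of attempts on locked accounts) can be checked mechanically against VPN access history. The following is an added example, not part of the KISA guide; the log column layout, the terminal list, the locked-account list and the rule names are constructed assumptions.

```python
"""Added example: rule checks over constructed VPN access records."""
import csv
import io

# Constructed sample; this column layout is an assumption, not a real
# product's log format.
SAMPLE_LOG = """\
time,user,src_ip,device_id,mfa,event
2020-06-01T09:00:00,kim,203.0.113.10,LT-0001,otp,connect
2020-06-01T09:05:00,lee,198.51.100.7,LT-0002,none,connect
2020-06-01T09:30:00,kim,192.0.2.55,LT-0001,otp,connect
2020-06-01T10:00:00,park,203.0.113.44,HOME-PC,otp,connect
2020-06-01T10:15:00,choi,198.51.100.9,LT-0004,otp,connect
2020-06-01T11:00:00,kim,203.0.113.10,LT-0001,otp,disconnect
2020-06-01T11:30:00,lee,198.51.100.7,LT-0002,none,disconnect
"""

# Hypothetical inventory of terminals designated by the company.
DESIGNATED_TERMINALS = {"LT-0001", "LT-0002", "LT-0003", "LT-0004"}
# Hypothetical: terminal reported lost, account centrally locked.
LOCKED_ACCOUNTS = {"choi"}


def analyze(log_text, designated=DESIGNATED_TERMINALS, locked=LOCKED_ACCOUNTS):
    """Return [(time, user, rule, detail), ...] in log order."""
    findings = []
    active = {}  # user -> set of (src_ip, device_id) with an open session
    for row in csv.DictReader(io.StringIO(log_text)):
        when, user = row["time"], row["user"]
        src, dev = row["src_ip"], row["device_id"]
        session = (src, dev)
        if row["event"] == "disconnect":
            active.get(user, set()).discard(session)
            continue
        if row["event"] != "connect":
            continue
        if user in locked:
            # Attempt with a lost/stolen account: report, never open a session.
            findings.append((when, user, "LOCKED_ACCOUNT",
                             f"attempt from {src} on {dev}"))
            continue
        if row["mfa"] == "none":
            findings.append((when, user, "NO_MFA",
                             f"password-only login from {src}"))
        if dev not in designated:
            findings.append((when, user, "UNDESIGNATED_TERMINAL",
                             f"{dev} is not a company-designated terminal"))
        others = active.setdefault(user, set()) - {session}
        if others:
            # Second access channel while the first is still open: shared
            # account or stolen credentials.
            where = ", ".join(sorted(ip for ip, _ in others))
            findings.append((when, user, "CONCURRENT_SESSION",
                             f"{src} while still connected from {where}"))
        active[user].add(session)
    return findings


if __name__ == "__main__":
    for when, user, rule, detail in analyze(SAMPLE_LOG):
        print(f"{when} {user:<5} {rule:<22} {detail}")
```

A reconnect from a new address after a clean disconnect is not flagged; only overlapping sessions are.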


B. Security for setting-up and operation of video conference environment

< Enhancing security by platform type >

o There are two types of video conferencing platforms, built-in type and service type, and security measures differ according to the type

- (Built-in type) Video conference equipment is installed in the corporate network and used only by employees

· Participants connect using the internet network provided by the company, as the equipment for video conferencing is located in the company's internal network

· Video conference software for teleworkers can be provided, so terminal security is very important

※ The built-in type is operated in a closed corporate network, so it is easier to operate securely than the service type because it is not exposed to external influences

- (Service type) The enterprise subscribes to and uses a video conference service provided in a cloud environment

· Participants access the video conference service through the Internet, and use dedicated software rather than dedicated equipment

※ The service type is easy to introduce and operate, but security is limited to the level provided by the service provider, so there is a risk of being exposed to cyber threats if the provider's security response is insufficient

1) Video conference organizer/participant security

o (Video conference organizer) When setting up a video conference, set security and verify participants

✓ When setting up a video conference, be sure to set a password to enter the conference room

✓ Do not use a fixed address for the video conference room, but rather use a new address or a new conference room number when starting a new conference

✓ The video conference host checks whether the invitee and participant match

✓ Keep the host’s laptops, smartphones, and tablets up to date with the latest security updates


o (Video conference participants) Participants in the video conference check the security of the space from which they access the conference, the software, and the Internet environment

✓ Do not use automatic login to the dedicated video conference software

✓ Routinely inspect and remove security vulnerabilities in video conferencing equipment and access software

✓ Video conference must be established with encrypted communication

✓ Participants in video conferencing should have a dedicated space to the extent possible to prevent the content of the meeting from being leaked externally

✓ If it is difficult to secure a dedicated space, be sure to use headphones during meetings so that the conference content is not heard by others

2) Video conference platform administrator security

o (Built-in type) Establish a dedicated access environment so that only authorized users can access the video conferencing system within the company (using VPN, etc.)

✓ Configure security so that only terminals designated by the enterprise are allowed remote access and, afterwards, access to internal services

✓ Be able to check the security status (whether antivirus software is installed or the latest security update is applied) of the terminal which is accessing remotely

✓ Users who access remotely must apply additional authentication methods in addition to account/password

✓ Continuously perform the vulnerability management provided by the manufacturer of the video conferencing equipment

✓ Secure user access history and behavior traceability through integrated management of accounts such as VPN access and business application login

✓ Continuously monitor user access history and origin of access to detect user anomalies


o (Service type) When using a cloud-based service, the in-house manager directly sets security

✓ Use a program dedicated to companies that is different from free user services

✓ Proactively use data protection services provided by the service provider, such as data encryption for each user

✓ Continuously apply the security vulnerability patches for the video conferencing program provided by the service provider

✓ Promptly pass on the video conference service’s security notices to conference hosts/users

✓ Provide the security settings for service type video conferencing to the organizer/users in a document format

✓ Use E2E (End-to-End) encrypted communication for video conferencing service and terminals


Annex1 Telework Environment Security Checklist

Responsibility Type Inspection contentsInspection

result

Teleworker

Workplace Is it a work place dedicated for remote/telework, not an open place?

Terminalsecurity

management

Can only the terminal provided by the enterprise access the in-house network?

Are the remote work terminals (laptops, smartphones, tablets, etc.) up to date with the latest security updates?

Is it impossible for others, such as a family member or guest, to use a remote work terminal?

Terminal installation

program

Are employees not allow to install new programs on remote work terminals?

Does employees use only dedicated, in-house messengers for communicating each other?

Do all the application programs periodically apply the latest security updates?

Are data protection programs such as antivirus software and DLP/DRM being used?

Are only legitimately licensed programs approved by the enterprise being used?

USBexternal media

Is a USB external storage device being used to copy/transfer data?

Is the terminal scanned for viruses and is autorun for USB not allowed when using the USB external storage device?

Is the USB port of the remote work terminal set to read-only?

Is enterprise data being stored on a public cloud service such as Google Drive or iCloud?

Network

When working remotely, is it not allowed to access to intranet through open Wi-Fi?

Is the router's administrator account/password secure when using a home network?

Is there a security policy in place so that only authorized users can access the home network?

When using wireless access, is the encryption method using WPA2 or higher?

Are you connecting using only the secure connection method provided by the enterprise?

Password security

Are you using passwords that contain more than 8 characters, uppercase and lowercase letters, numbers, and special characters?

Page 19: Security Guide on Setting up and Operating a Remote Work … · 2020. 7. 21. · ·Security level depends on the security of the enteprise’s computer system ·There are constraints

Are you using different accounts for intranet from personal use?

Are there separate passwords for each service account?

Is it disabled to auto-save password feature of browser?

E-mailsecurity

Is there a security system in place to automatically check the security of URLs in the body of emails?

Do teleworkers use VPN to connect to the corporate mail server?

When the teleworker downloads email from the server through client, does it support encrypted communication?

Is two-step user authentication in place when using commercial e-mail?

Is the mail system separately divided into internal and external network?

Company

Networksecurity

Can only specified terminals access the corporate network?

Are you checking the security status of the remote terminal when you connect to the VPN (antivirus installation, latest security update)?

Is multi-factor authentication(MFA) applied when using VPN?

Is there constant monitoring of the status of VPN and connection resources?

Is there a measure for emergency access in case of DDoS attacks targeting the VPN?

User authentication

Is all access to the corporate computing environment performed through integrated authentication with a single account?

Can you secure user access history and traceability through integrated VPN access authentication?

Is multi-factor authentication (MFA) applied to sensitive server login/administrator accounts?

Is there continuous monitoring of user access history and origin of access to detect user abnormalities?

Reinforce corporate network monitoring

Are the enterprise IT systems' logs monitored at all times, through SIEM operation etc., to detect external threats?

Is a dedicated network address assigned to teleworkers?

Is the security of the work system accessed by remote work users enhanced through Antivirus installation, latest security update, internal resource monitoring, etc.?

Is unnecessary server-to-server access minimized, and privileges granted to each account as necessary?
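Three of the company-side items above (only specified terminals may connect, MFA is applied on the VPN, and access history and origin are monitored for abnormalities) can be reviewed mechanically against VPN authentication records. The following is an added example, not part of the KISA guide; the log format, the terminal inventory and the function name are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample VPN authentication log (not from the guide or a real system).
# Columns: timestamp, user, terminal_id, source_country, mfa_passed
SAMPLE_LOG = """\
2020-06-01T09:02:11,kim,LT-0012,KR,yes
2020-06-02T08:57:40,kim,LT-0012,KR,yes
2020-06-02T09:10:05,lee,LT-0031,KR,yes
2020-06-03T03:14:52,kim,LT-0012,NL,yes
2020-06-03T09:05:19,lee,PC-HOME,KR,yes
2020-06-03T09:30:00,park,LT-0044,KR,no
"""

# Assumed inventory of enterprise-designated terminals.
REGISTERED_TERMINALS = {"LT-0012", "LT-0031", "LT-0044"}


def review_vpn_log(log_text, registered=REGISTERED_TERMINALS):
    """Return (timestamp, user, finding) tuples for records failing a checklist item."""
    findings = []
    seen_origins = defaultdict(set)  # user -> source countries already observed
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, user, terminal, country, mfa = row
        # Checklist: can only specified terminals access the corporate network?
        if terminal not in registered:
            findings.append((ts, user, "unregistered terminal " + terminal))
        # Checklist: is MFA applied when using VPN?
        if mfa != "yes":
            findings.append((ts, user, "VPN session without MFA"))
        # Checklist: monitor origin of access. The first origin seen for a user
        # is the baseline; any later origin not seen before is flagged.
        if seen_origins[user] and country not in seen_origins[user]:
            findings.append((ts, user, "new access origin " + country))
        seen_origins[user].add(country)
    return findings


if __name__ == "__main__":
    for ts, user, finding in review_vpn_log(SAMPLE_LOG):
        print(ts, user, finding)
```

A new origin is a prompt for review rather than proof of compromise; in practice the baseline would come from a longer access history than a single log file.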

Annex 2 Video conferencing Environment Security Checklist

Responsibility | Type | Inspection contents | Inspection result

Video conference system manager

Video conference (Built-in type)

o Is the security vulnerability of the video conference system checked regularly?

o Is the security of the teleworker’s terminal which connects to the video conference checked regularly?

o Can only the terminals designated by the enterprise access the video conference system?

o Are the telework terminals (laptops, smartphones, tablets, etc.) managed with the latest security updates?

Video conference (Service type)

o Is automatic login for the dedicated video conference software prohibited?

o Does the video conference service and terminal support E2E (End-to-End) encrypted communication?

o Are video conference program security vulnerabilities regularly checked for?

o Are you using an enterprise-dedicated program that is different from the one for free users and regular users?

o Are you using data protection services provided by the service provider, such as encryption of individual users' data?

Network Security

o Do you provide a dedicated access environment, such as access via VPN, in which only authorized users can access the company's internal network?

o Is access controlled so that only authorized terminals can connect remotely and access the internal service?

o Do you check the security status of the remotely accessing terminal (antivirus installation, latest security update)?

o Do users connecting to the video conference use multi-factor authentication (MFA) in addition to their account/password?

Video conference host

o Do you set a password for the conference room when you open a video conference?

o Do you use a new address/conference room number every time you open a conference, instead of using a fixed address?

o Do you check that the invitee and the participant match?

o Is it possible in the video conference system for the host to control the participants?

Video conference participant

o Do you regularly inspect for security vulnerabilities in the video conference terminal and access software?

o Do you participate in video conferences through encrypted communication?

o Are you participating in the video conference in a space that prevents the conference information from being leaked externally?

o If it is difficult to secure a dedicated space, do you participate in the conference using headphones so that the conference information cannot be heard externally?

Annex 3 Examples of telework security training materials

o Below are various technical guides provided by KISA for strengthening both teleworking and video conferencing security

Reference: https://www.kisa.or.kr/public/laws/laws3.jsp

▣ Security Guide for Wireless LAN

▣ Security Guide for Public wireless LAN

▣ Commentary on Data Protection Recommendation for Promoting Smart Work

▣ Mobile Office Information Protection Guide

o SMEs who cannot obtain educational material for teleworking can use the following content for employee training

▣ Telework information protection training video 16)

16) https://www.sans.org/security-awareness-training/deployment-kit-videos