Federal Telework Guidance Has Valuable Lessons for Private Sector

Worried about the security of people working from home? You should be, says the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). In late April, it released a website dedicated to helping companies protect employees working remotely. The Telework Guidance and Resources site features a set of video conferencing tips that complement those provided by NIST earlier this year. It also includes a set of teleworking best practices from both CISA and the NSA.

Some of these guidelines are more relevant to federal employees than to regular companies, such as only using agency-approved collaboration tools and file access methods, along with the use of Government Furnished Equipment and agency-approved cloud services. Even so, they point to a need for private sector companies to put their own approval processes in place for the tools and techniques that support working from home.

Other advice is more generic, such as only connecting from networks that you are in complete control of, and logging off your remote connection at the end of the working day.

Other advice issued by CISA last month also targets federal agencies but definitely applies to the broader IT community. It is taking teleworking security seriously enough to restate its guidelines for securing Office 365 during the pandemic. In late April it published an advisory warning federal CISOs about security elements in Microsoft's cloud productivity suite that admins often ignore, leaving them open to potential attack.

One ‘gotcha’ is the use of Global Administrator accounts, which offer unparalleled privileges for Microsoft Office 365 admins. Admins should avoid using these excessively and instead opt for other accounts that still offer privileged access to resources but carry some restrictions.

The other big step to take is implementing multi-factor authentication (MFA), both for regular users and admins, CISA says. This is turned off by default. To take advantage of MFA and help prevent phishing attacks, admins will also need to move away from Basic Authentication. This is an outdated authentication mechanism that sends user login credentials in an HTTP header, and it is open to exploits including brute force attacks. Email protocols like IMAP, POP3, and SMTP all use it, and it is time to purge these protocols from your network, says CISA. Active Directory and MFA are a far more secure combination for access and authentication, it says.

If you are an admin daunted by this prospect, Microsoft offers a security defaults capability that lets you turn off basic authentication and apply a baseline of other security measures all at once. Just ensure that you have briefed your users, and told those with legacy email clients about it, in advance.
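The two points above, that Basic Authentication carries the user's credentials in an HTTP header and that admins should find their legacy email clients before switching it off, can be shown in a few lines. The following is an added example, not code from the article, CISA or Microsoft: it decodes a constructed `Authorization: Basic` header to show that the "encoding" is reversible and so no protection at all, and it scans constructed sign-in records for the legacy protocol names CISA lists so an admin can see who still needs briefing. The field name `clientAppUsed` and the protocol labels are assumptions modelled on Azure AD sign-in log exports; the sample records and credentials are invented.

```python
import base64
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Client types that imply Basic Authentication (legacy auth). The exact labels
# are an assumption for this example; check them against your own log export.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "MAPI Over HTTP",
    "Other clients",
}


def decode_basic_auth_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic <token>' value.

    Basic auth is just base64(user:password): anyone who can read the header
    (proxy logs, a TLS-terminating device, a captured request) has the password.
    Returns None if the value is not a well-formed Basic header.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def find_legacy_auth_users(records: List[dict]) -> Dict[str, List[str]]:
    """Group sign-ins that used a legacy (Basic-auth) protocol by user.

    Running this over a sign-in export before enabling security defaults gives
    the list of users whose mail clients will stop working and need a heads-up.
    """
    report = defaultdict(set)
    for rec in records:
        app = rec.get("clientAppUsed")
        if app in LEGACY_CLIENT_APPS:
            report[rec["userPrincipalName"]].add(app)
    return {upn: sorted(apps) for upn, apps in report.items()}


# --- Constructed sample input (not real users, logs or credentials) ---------
SAMPLE_HEADER = "Basic " + base64.b64encode(
    b"alice@example.com:Sup3rSecret"
).decode("ascii")

SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3"},
]


if __name__ == "__main__":
    creds = decode_basic_auth_header(SAMPLE_HEADER)
    print("Basic header decodes to:", creds)  # plaintext username and password
    print("Users still on legacy auth protocols:")
    for upn, apps in sorted(find_legacy_auth_users(SAMPLE_SIGNINS).items()):
        print(f"  {upn}: {', '.join(apps)}")
```

Feed `find_legacy_auth_users` a JSON export of your own sign-in log (one record per sign-in) to get the briefing list; a user who only appears with "Browser" or "Mobile Apps and Desktop clients" is already on modern authentication and is unaffected by the change.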
