4 min read
With all the talk about “turning the economy back on” we need to think about what that looks like from an information security perspective.
Whether it’s this summer or after the first of the new year, at some point, computers that have been in home offices will return to the workplace. Security pros will have a lot to think about, and now it’s time to do some early planning.
It’s likely best to use a risk-based approach combined with a careful re-integration onto the corporate network. Capacity planning and thinking through the processes will also pay dividends later.
Clearly, we’re not in a normal situation. In many instances, it’s plausible that laptops and desktops sent home for remote work have been used for purposes other than company work, used by other members of the employee’s family and been connected to unknown networks with nonexistent controls.
Bringing the computers used at home during the shutdown into a corporate or government environment may introduce compromised systems into the network and result in undesirable outcomes. This situation resembles a supply chain attack in which bad threat actors will compromise a poorly protected entity and leverage networks of trust to gain access to the actual target.
It makes sense to thoroughly examine returning systems. Prior to bringing these systems back to the corporate network, forensic analysis can determine if any have already been used as points of entry into the network. Security pros should also examine patterns of infection across devices to gain greater insight into the security issues around work-from-home, they will offer new, and highly relevant data for empirical threat modeling.
In parallel with the gradual return of our employees in the public and private sector, we propose that security teams employee IT re-entry processes that will provide insight into human-related threats.
Giving returning employees a questionnaire to identify risks before they begin working offers an opportunity to address risks before they are realized and to assess the change in the overall risk level, which may indicate priorities need to be adjusted. The results will help categorize resources and risks while moving the process along. We also suggest a quarantine process for technologies and credentials whenever questionnaire results align relevant threats and vulnerabilities with business operations, staffing and capabilities.
Before engaging with returning staff assume that everyone has just gone through the same stay-at-home ordeal, so exercise some empathy. Set aside techno-judgementalism and accept that not everyone knows exactly how computers work. The laptops will arrive in all different conditions. Employers and employees were forced to ramp up remote work resources and skills with little notice. It’s important that the IT and security staff go easy with employees who found themselves building a home office for the first time.
Since no two organizations are the same, here are our lists of considerations to use in planning, prior to implementing a risk-based approach to device receipt, quarantine, evidence preservation, restoration and return-to-service.
Questions used for “scoring” the risk, to determine process routing. Develop a questionnaire that users/managers complete and submit prior to returning assets.
This information was developed by Mike Hamilton and the security experts who volunteered with InfraGard to advise the Washington State Emergency Operation Center during the COVID-19 response when it first hit on the West Coast earlier this year. This article was based on a guide that was developed for the Seattle InfraGard chapter. Special thanks to Jenifer Clarke of Puget Sound InfraGard.