Editor's note: this article originally appeared in SC Magazine here.
With all the talk about “turning the economy back on” we need to think about what that looks like from an information security perspective.
Whether it’s this summer or after the first of the new year, at some point, computers that have been in home offices will return to the workplace. Security pros will have a lot to think about, and now it’s time to do some early planning.
It’s likely best to use a risk-based approach combined with a careful re-integration onto the corporate network. Capacity planning and thinking through the processes will also pay dividends later.
Examine Devices Coming Back to the Office for Ransomware
Clearly, we’re not in a normal situation. In many instances, it’s plausible that laptops and desktops sent home for remote work have been used for purposes other than company work, used by other members of the employee’s family and been connected to unknown networks with nonexistent controls.
Bringing the computers used at home during the shutdown into a corporate or government environment may introduce compromised systems into the network and result in undesirable outcomes. This situation resembles a supply chain attack in which bad threat actors will compromise a poorly protected entity and leverage networks of trust to gain access to the actual target.
It makes sense to thoroughly examine returning systems. Prior to bringing these systems back to the corporate network, forensic analysis can determine if any have already been used as points of entry into the network. Security pros should also examine patterns of infection across devices to gain greater insight into the security issues around work-from-home, they will offer new, and highly relevant data for empirical threat modeling.
Assess Compromised Assets in the Field with a User Survey
In parallel with the gradual return of our employees in the public and private sector, we propose that security teams employee IT re-entry processes that will provide insight into human-related threats.
Giving returning employees a questionnaire to identify risks before they begin working offers an opportunity to address risks before they are realized and to assess the change in the overall risk level, which may indicate priorities need to be adjusted. The results will help categorize resources and risks while moving the process along. We also suggest a quarantine process for technologies and credentials whenever questionnaire results align relevant threats and vulnerabilities with business operations, staffing and capabilities.
Don't Neglect the Social Issues with Non-IT Users
Before engaging with returning staff assume that everyone has just gone through the same stay-at-home ordeal, so exercise some empathy. Set aside techno-judgementalism and accept that not everyone knows exactly how computers work. The laptops will arrive in all different conditions. Employers and employees were forced to ramp up remote work resources and skills with little notice. It’s important that the IT and security staff go easy with employees who found themselves building a home office for the first time.
"The Great Return" IT Security Questionnaire for Users
Since no two organizations are the same, here are our lists of considerations to use in planning, prior to implementing a risk-based approach to device receipt, quarantine, evidence preservation, restoration and return-to-service.
Security and Capacity Concerns
- Is staging necessary rather than a single return-to-work day to manage capacity?
- Does security need to reposition tools and staffing to handle volume? Customer-friendly and speedy processes will encourage compliance and participation.
- Should IT security partner with risk management, HR and operations on the staggered return of teams to control intake?
- Does the service desk have ample number of “hot swaps” ready for assets that cannot be returned to service and must get replaced?
- Do you have a training program for device evaluation, data preservation, device cleanup/restoration?
- Does IRT/SOC have a plan expecting to see a potential spike in events as devices are added back to the network?
- Have you verified if resources on retainer are ready (e.g. forensic, incident response).
- Have DLP tools been tuned for possible exfiltration attempts?
- Have all assets on the organization’s internal networks received their regularly scheduled security updates before allowing previously remote assets back onto the network?
- Do you have a system for recordkeeping?
- Will you establish a quarantine network and what does the clean-bill-of- health look like?
- Should the company reset all credentials as policy?
- Should the staggered return get tied to data classification as well as role-in- company?
- Is there a shredder campaign for all the printed materials at home?
- Should the company distribute data-gathering questionnaires prior to asset return?
- Should an audit of data controls occur and how?
- Have you checked for compromised BIOS or fileless malware?
- Will the company collect data for research or preservation for potential forensic value?
Questions used for “scoring” the risk, to determine process routing. Develop a questionnaire that users/managers complete and submit prior to returning assets.
- Did the user have access to information classified by the organization as confidential or secret?
- Was the device under management?
- Has this device been connected to wireless networks?
- Have any of those been public networks?
- Were any files stored locally that must be preserved?
- Were any files preserved/stored/backed-up on a removable device?
- Has the device received regular endpoint detection signatures?
- How long has the asset been running without a restart?
- Was the device monitored for security events while remote, and were any detected?
- Are there physical documents to preserve or destroy?
- Was any device not issued by the organization plugged into a USB port while remote?
Intake Steps for InfoSec Teams Working on "The Great Return"
Preserve running memory and/or images for research and/or forensic value
- Image memory contents, if possible.
- Perform a forensically sound image process.
- Attach chain of custody form.
High-Risk Intake Process
- Create images for analysis.
- If possible, image each one for research purposes and reimage – especially for executives and key personnel.
- If it’s not possible, or there are too many, perform a reboot with a sniffer to ensure a bios-mod does not exist.
Low-Risk Intake Process
- Run a malware scan using at least one different tool/agent than the one that’s currently installed.
- Remove all cookies.
Return to Service Under Quarantine
- Add the computers to the network under Active Directory quarantine or an equivalent process, such that they have limited network access to required services but can still be evaluated by help desk/security ops.
- Observe for aberrational behavior.
This information was developed by Mike Hamilton and the security experts who volunteered with InfraGard to advise the Washington State Emergency Operation Center during the COVID-19 response when it first hit on the West Coast earlier this year. This article was based on a guide that was developed for the Seattle InfraGard chapter. Special thanks to Jenifer Clarke of Puget Sound InfraGard.