COVID-19 Lessons for a Secure Remote Workplace

Watch to learn how businesses can avoid the common pitfalls of remote workforces.

Michael Simpson helps attendees understand the enemies that those of us who work with sensitive data face. He points out that drastic changes can make us more susceptible to these enemies and their attacks, in many ways that we may not even be aware of.

"Due to the pandemic, there's been an unprecedented shift to a remote workforce. Much of this shift happened practically overnight."

Michael Simpson outlines how businesses can avoid the common pitfalls of remote workforces, how they can best protect themselves and their data, and what important risks they should be sure not to miss in all of the chaos of the pandemic.

This webinar was hosted on September 23rd, 2020, as part of SecurityMetrics Summit 2020.

Transcript of COVID-19 Lessons for a Secure Remote Workplace

Hello. Welcome to Summit 2020. From SecurityMetrics, this is Michael Simpson. Today, I'll be presenting COVID-19 Lessons for a Secure Remote Workplace.

Due to the COVID-19 pandemic, there's been an unprecedented shift to a remote workforce. Much of this shift happened practically overnight. Today, I want to discuss some of the common pitfalls in implementing a secure remote workforce and how we can avoid those pitfalls.

But first, a little bit about who we are. SecurityMetrics is here to close your data security and compliance gaps and to help you avoid a data breach. If you need any help, give us a call.

So with that, let's move on to the agenda for today's presentation. We'll be covering three major areas.

First is understanding your environment.

Like I said, with the COVID-19 pandemic, there's been a shift in many companies' processing environments.

In order to protect that data, we need to make sure that we understand what our new environment is. After we talk about understanding the environment, we'll then move into how we secure that remote workforce or the remote environment.

And then we're gonna spend a little bit of time on discussing how we manage risk in the environment.

In The Art of War, Sun Tzu says that we need not fear the battle if we understand ourselves and our enemy.

In the world of data security, we're facing a wide array of ever present enemies seeking to capture or destroy the data that we're responsible to protect. A common pitfall we've seen accompanying the rapid shift to an at home workforce is the lack of understanding of the data processing environment.

Before the shift, many companies managed all of the data collection and processing within the walls of their organization and on equipment that was owned and managed by the organization.

Because of these unforeseen and mostly unplanned events, businesses have had to make drastic changes to their processing environment and often are unaware of the devices and the networks that are being used to process, transmit, and store this data.

PCI DSS requires that companies undergo an annual scoping exercise.

This scoping exercise is focused on identifying the people, the systems, and processes that are involved in the collection, transmission, processing, and storage of credit card data. While a scoping exercise is mandatory for merchants dealing with cardholder data, these can be equally beneficial to health care organizations working with HIPAA protected data or any organization working to protect any type of data. Whatever data is critical to your organization is worth protecting.

And probably the best place to start is by understanding where that data is and on what system it resides.

The first step in coming to know your environment is to identify what data needs to be protected, as this will guide your flow analysis. As this presentation is focused on securing the remote workforce, we're not going to spend a lot of time on this. Likely, the data that you're trying to protect post-COVID is the data that you were trying to protect before the COVID pandemic.

So once we've identified what we're trying to protect, the type of data we're protecting, in order to adequately protect it we need to understand where that data resides.

A flow analysis is a method for analyzing where the data enters the environment, what systems and network segments it traverses, and where it's stored.

As companies have shifted to a work-at-home environment, the flow of sensitive data has likely shifted. To perform a flow analysis, you'll likely need to speak with multiple groups across your organization to identify all the ways the organization receives and processes data, whether this is, like I said, cardholder data or health care data or other types of data. Now, the goal of this flow analysis is to find how protected data enters the environment and where it goes while it's within the environment's control.

What systems are involved in the transmission and storage of data? You may need to work with your IT and networking teams to identify the systems and the network zones involved in the transmission.

And once you've performed and completed this flow analysis and have an understanding of how data enters the environment and what systems are involved in the transmission and storage of sensitive data, the next step is to document the results of that investigation.

Having accurate network and data flow diagrams that identify the systems in the critical path will help you to guide your security efforts. This critical path is where system security will be most focused.

Proper documentation will not only help you in the securing or resecuring of the critical path now, but it'll help you ensure the internal knowledge is not lost due to employee turnover or employee reassignment.

Alright. Now that we have a better understanding of our data processing environment and what systems are part of the newly defined scope, we now get to go to work on securing these systems and networks.

We're gonna focus on three main sections here.

We could spend all day talking about how to secure an environment, but let's specifically look at how to secure the telecommunications network, how to secure the devices that are actually being used to enter and process that data, and then how to secure the human aspect, your workforce, those that are involved in the collection and processing of data.

The typical at home worker will have two primary communication channels to protect. The primary communication channel will likely be the network communication used by the employee's workstation or laptop to connect to company or third party provided resources.

There are several reasons why we'll want to focus on securing this communication channel. If an attacker is able to get a foothold into your network or, in this case, your employee's home network, there's a possibility that they may be able to capture sensitive data as it's being transmitted to and from the home environment.

The other danger that needs to be addressed is the increased attack surface made available to attackers when multiple home networks are included in the company's data processing environment.

When employees were working in the office, there were likely controls such as firewalls, intrusion detection or prevention devices, and other controls that were there to help limit the scope or the attack surface that someone could use to gain unauthorized access into your environment.

As we've moved a lot of that away from the home office, we may have lost some of those central controls.

So there's rarely a one size solution to any security or IT problem. But one common way to secure the network from an at home workforce is through the use of a virtual private network or a VPN.

VPNs use encrypted communication tunnels to bring the user's home based workstation into a corporate network. It's almost like you're taking their workstation and bringing it back into the office.

When configuring your VPN, it's highly recommended that two factor authentication is required to gain access to the VPN and that split tunneling is enabled.

While there may be some cost and resource reasons to allow for split tunneling, this will reduce your ability to monitor network traffic at the perimeter and will allow data exfiltration through these unmonitored connections.

So what that basically means is that split tunneling allows some traffic from your employee's computer to go through the VPN tunnel and out through the corporate network, while other traffic goes straight out to the Internet.

Split tunneling in a PCI environment is usually something of concern, and it may be challenging to maintain PCI compliance, because we need to make sure we have control over all inbound and outbound communication from the CDE, or the cardholder data environment.

That same security concern is there for all data that you would like to protect. So you want to be very cautious about using split tunneling on the VPN. It can be done. It can be done securely, but there are definitely controls that need to be put in place to make that happen.

If sensitive data is being collected over the phone, it's also important that we consider protecting that phone communication as well. Most companies are leveraging VoIP, or voice over IP, to route calls from the corporate office systems to the employee's home. This can be accomplished through network-connected handsets or softphones installed on the user's computer.

If VoIP communications are used, realize that these are just standard IP networks that are carrying voice traffic. A lot of those same security requirements that we were dealing with for their computer, as far as people being able to gain access to that traffic if they have a foothold on the network, are going to be in place in a VoIP environment as well. So we need to make sure that we are protecting that VoIP traffic.

This can be accomplished through the use of either a VPN, so you're sending all of that voice traffic through the VPN and keeping it encrypted during transmission, or other protocols such as TLS or SRTP that can be used to encrypt that voice traffic. So there are a couple of things that we need to be aware of when we're looking at our network communications or telecommunications to the at-home environment.

One other thing I want to mention really quickly when it comes to voice over IP: if you're sending that data to the home, and if you are recording those phone calls, realize that if the recording contains the sensitive information that you're trying to protect, especially cardholder data, those voice recordings and the systems that are being used to record those calls are also in scope when it comes to PCI, and they're also part of that critical infrastructure path that needs to be secured.

From a PCI perspective, if there are call recordings, you need to make sure that those are encrypted and that you're following all other PCI DSS requirements related to the storage of credit card data.

Although protecting the communication channel used by the at home workforce is important, we also need to ensure that protections are in place on the systems that they will be using to interact with that sensitive data.

So let's go through a few options for securely handling sensitive data outside of the office.

Number one, perhaps the simplest way to ensure the devices used to handle sensitive data are appropriately secured would be to issue laptops or other hardened devices to the mobile workforce, so that the devices that are handling sensitive data have been properly hardened and are using company-mandated security protocols to protect the system and the data that system is going to be used to collect or transmit.

Another option, if that's not a possible option in your environment, would be to keep control over the systems that are used to process sensitive data by using a virtual desktop infrastructure, or VDI, environment or a Citrix implementation.

With this solution, employees would be given a preconfigured thin client that would be used to interact with virtual desktops that are running on servers back in your IT or central office.

Using thin clients in the home office minimizes that attack surface that we talked about earlier and keeps the majority of the data processing on systems that are centrally controlled and monitored.

Some solutions like Citrix have some security controls in place that can be used to prevent screen captures or key loggers from gaining access to that data as it's being entered.

If the at-home employees are processing payments, another option is to see if there are validated point-to-point encryption terminals that can be used for the employees to enter that data. There are several P2PE solutions where it's almost like a ten-key keypad with a little swiper that's connected to the workstation over a USB cable. If that is a validated point-to-point encryption solution, even if that terminal is plugged into the employee's home computer, that ten-key terminal, that validated P2PE terminal, encrypts the data strongly prior to that data being sent through the workstation and out to the Internet for processing.

So from a PCI compliance standpoint, that may be an easy solution for dealing with credit card data at the home. Your home worker can receive credit card information over the phone. They can enter it into that point-to-point encryption terminal, and that terminal would handle all of the data security and encryption. And you don't have to rely on the workstation that's being used by the at-home workforce.

If all else fails, in situations where all of the above are not possible and a bring your own device, or BYOD, must be supported, there are some ways to verify that the device the employee is using meets the company's hardening standard.

This may be really difficult. A BYOD environment for a work-at-home workforce, from a PCI standpoint, is really difficult to bring into compliance because there are a lot of requirements that have to be validated.

But one solution that may be helpful is the use of a NAC, or network authentication control, device.

With a NAC device, and this is usually put in place with the VPN, when a user using their home computer connects to the work VPN, what the NAC would do is check the security of that at-home system. And you can define what security checks it does. Usually, there's either some type of client installed on the computer, or it could be a Java-based agent, that can look at the computer to see, you know, has this computer been patched?

What are the password requirements applied to the system? Does it have antivirus? Has the antivirus been updated recently? So you can create kind of a baseline standard that says if a system does not meet our baseline security requirements, don't let it on the network.

And that way, you can kind of weed out the employees' computers that are really struggling and may need some more one-on-one help with your IT to get them to a secure point where they can start processing data without putting your company at undue risk.

Securing the at-home environment is not complete without properly implementing employee training. Many of you probably already have some type of annual employee training in place, especially if you're dealing with cardholder data, as that's a PCI DSS requirement.

But is your training set up to be able to be managed remotely? Are employees that are working from home able to receive that training?

The other thing to be aware of, whenever a significant change is made to your data processing environment and the procedures that you're following, it's important to ensure that you go through your policies and procedures and that those have been updated to match these new processes.

Documented policies and procedures provide guidance to the employees to ensure that they follow consistent, safe practices to secure the data that they're entrusted with. These are only effective if they're accurate. So if you haven't updated your policies and procedures, but your environment has had a dramatic shift, likely your policies and procedures are almost worthless. So go through those, make sure they're up to date, and then take some time to make sure your employees are aware of the new policies and procedures.

So with that, you know, be sure you go through your training materials. Make sure your training materials have also been updated.

Remember that these employees are at the front lines of data protection in this data security battle. The criminal elements of society will try to use these systematic disruptions to find new ways to gain access to this sometimes lucrative data. By providing employees with up-to-date security awareness training, you can empower them to help the organization work to protect your client data.

For companies that have been reliant on in-person training, this work-from-home shift may also necessitate a change in the way that employee training is performed.

Online training portals or webinars may be needed to help fill this gap.

Alright. And then I wanted to spend just a little bit of time here on discussing how we manage risk in the environment.

One thing we've learned from this pandemic is how difficult it can be to predict the future.

While we may not know what the future will bring or how future events will affect the company, a well-executed business continuity plan, or BCP, can help companies respond quickly and effectively to difficult situations.

Even if a company's BCP does not contain exact blueprints for how to cope with any possible circumstance, it does create a framework that can be quickly deployed and modified to fit the situation at hand. A well-crafted and often-tested BCP will make your company more resilient and better prepared to make the informed decisions that will have to be made during trying times.

If you've not already had an opportunity to review your company's BCP since the COVID pandemic, it may be useful to review it now and discuss how well your BCP was able to help your company to respond to the pandemic.

Do changes need to be made to your BCP to make it better protect your company in the future?

The BCP should be tested and reviewed often, at least annually, to be sure that it evolves to help address the needs of a changing company and an evolving threat landscape.

Another thing to consider is how well your BCP takes into account third-party services or business partners. Many companies have been severely impacted due to challenges faced by their customers or business partners.

Some examples recently that we've seen: farmers, the commercial fishing industry, and ranchers have been drastically affected by their business relationships and their customers.

Commercial fishing operations and ranches have had difficulty getting their product to market because of processing plant closures caused by COVID-19. You know, for events like this, has your company defined these outside-party relationships? And is your BCP adequately addressing the risks that your company faces based on these third-party relationships?

Along with having a well tested business continuity plan, it's important that you have an updated incident response plan that can be used to guide your response to security incidents that your business may face. If you don't have an incident response plan currently, now is a great time to put one in place. And if you have one, here's a few questions to review.

If you have employees working at home, are they aware of how to report a security incident? If their computer has a virus, and that virus could very well put your company at risk, are your employees aware of who to contact? Or are they just going to try to fix it themselves and not let anyone know that anything happened?

Does your incident response need to be modified to address the new risks that are posed by the environment due to this at home workforce shift?

A couple of questions to keep in mind. And then, to ensure members of the incident response team are aware of their responsibilities and familiar with the incident response plan, similar to the need to annually test your BCP, or business continuity plan, the incident response plan should be tested at least annually and definitely after a significant change in the environment.

So if you haven't had the opportunity to test your incident response plan since the COVID-related changes were made, now may be a great time to do that.

Alright. If you have any questions, here's my contact information. Feel free to contact me with those questions or contact our sales department if you need a little more assistance.

Thank you for being part of the SecurityMetrics Summit 2020. I hope you enjoy the rest of the conference.
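The baseline posture check that the talk describes for a NAC sitting in front of the VPN (is the machine patched, what is the password policy, is antivirus present and current), written out as an added example. This is not code from the talk, from SecurityMetrics, or from any particular NAC product; the agent report format, its field names, the baseline thresholds, and the two sample reports are all constructed here for illustration. The check fails closed: a device that cannot prove it meets the baseline is quarantined rather than allowed.

```python
# Added example (not from the talk or any NAC vendor): a device posture check of the
# kind a NAC runs when a home computer connects to the corporate VPN. The report
# layout, field names and baseline numbers are assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import date
import json

# Day the checks below are evaluated against; fixed so the sample results are stable.
ASSESSMENT_DAY = date(2020, 9, 23)


@dataclass(frozen=True)
class Baseline:
    """Minimum hardening standard a device must meet before it is let on the VPN."""
    allowed_os: tuple = ("Windows 10", "macOS 10.15", "macOS 11")
    max_patch_age_days: int = 30         # last OS patch must be at least this recent
    max_av_signature_age_days: int = 7   # AV definitions must be at least this recent
    min_password_length: int = 12
    require_disk_encryption: bool = True
    require_host_firewall: bool = True


def _days_since(iso_day: str, today: date) -> int:
    return (today - date.fromisoformat(iso_day)).days


def evaluate_posture(report_json: str, baseline: Baseline, today: date) -> dict:
    """Return {'decision': 'allow' | 'quarantine', 'failures': [reasons]}.

    Every missing or malformed field is recorded as a failure (fail closed), so
    an agent that reports nothing cannot slip a device past the baseline.
    """
    failures = []
    try:
        r = json.loads(report_json)
    except json.JSONDecodeError:
        return {"decision": "quarantine", "failures": ["posture report unreadable"]}
    if not isinstance(r, dict):
        return {"decision": "quarantine", "failures": ["posture report malformed"]}

    if r.get("os") not in baseline.allowed_os:
        failures.append(f"unsupported OS: {r.get('os')!r}")

    try:  # patch level
        age = _days_since(r["last_patch_date"], today)
        if age > baseline.max_patch_age_days:
            failures.append(f"OS patches are {age} days old (max {baseline.max_patch_age_days})")
    except (KeyError, TypeError, ValueError):
        failures.append("patch status unknown")

    av = r.get("antivirus") or {}  # antivirus present and recently updated
    if not av.get("installed"):
        failures.append("no antivirus installed")
    else:
        try:
            age = _days_since(av["signature_date"], today)
            if age > baseline.max_av_signature_age_days:
                failures.append(f"AV signatures are {age} days old (max {baseline.max_av_signature_age_days})")
        except (KeyError, TypeError, ValueError):
            failures.append("AV signature date unknown")

    pw = r.get("password_policy") or {}  # local password requirements
    if int(pw.get("min_length", 0)) < baseline.min_password_length:
        failures.append(f"password minimum length {pw.get('min_length', 'unset')} < {baseline.min_password_length}")

    if baseline.require_disk_encryption and r.get("disk_encrypted") is not True:
        failures.append("disk not encrypted")
    if baseline.require_host_firewall and r.get("host_firewall") is not True:
        failures.append("host firewall disabled")

    return {"decision": "allow" if not failures else "quarantine", "failures": failures}


# Constructed sample agent reports (not real telemetry).
COMPLIANT_REPORT = json.dumps({
    "os": "Windows 10", "last_patch_date": "2020-09-10",
    "antivirus": {"installed": True, "signature_date": "2020-09-21"},
    "password_policy": {"min_length": 14},
    "disk_encrypted": True, "host_firewall": True,
})
NONCOMPLIANT_REPORT = json.dumps({
    "os": "Windows 7", "last_patch_date": "2020-06-01",
    "antivirus": {"installed": True},          # no signature date reported
    "password_policy": {"min_length": 8},
    "disk_encrypted": False,                   # host_firewall field missing entirely
})

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT_REPORT), ("noncompliant", NONCOMPLIANT_REPORT)):
        result = evaluate_posture(report, Baseline(), ASSESSMENT_DAY)
        print(name, result["decision"], *result["failures"], sep="\n  ")
```

A real NAC would run these checks in an agent on the endpoint and feed the decision to the VPN gateway; the point here is the policy logic, in particular that "unknown" is treated the same as "failed", which is what keeps an unmanaged BYOD machine from being waved through because its agent could not read a setting.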
