About Me

Hello, my name is Ian Ali. I am a Lead IT Security Consultant with RRIT Security Consultants Inc. Over the next while I am going to review technical IT security articles and break them down for non-technical and technical readers alike, so everyone can understand what they need to do to stay safe online.

Friday, 20 March 2020

ITL BULLETIN MARCH 2020 Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions


With the COVID-19 outbreak upon us, people are being advised to work from home.  In this month’s ITL Bulletin, the focus is on telework, remote access and BYOD (bring your own device) solutions.

Telework or telecommuting is the ability of employees or other providers to perform work somewhere other than at an Organization's facility.  Teleworkers use remote access to reach the Organization's private computing resources from locations outside its facility.

Remote access methods commonly used by teleworkers include:

Tunneling – Using a VPN (virtual private network) gateway. Communication is encrypted.  Email clients and web browsers can communicate securely with Organization servers.  The most common types of VPN used for teleworking include IPsec (internet protocol security) and SSL (secure sockets layer).

Portal – Most portals are web based and most portal clients are regular web browsers.  The portal protects communication between client devices and the portal.  Most portals today are SSL VPNs.

Direct application access – A teleworker can access an application directly, with the application providing its own security.  Direct application access can be used from almost any client device.

Remote desktop access – A teleworker can control a desktop at the Organization remotely from a telework client device.  Remote desktop resources may include RDP (Microsoft remote desktop protocol) or VNC (virtual network computing).  The other remote access solutions mentioned above offer superior security to that of remote desktop access.

Security concerns include:

Lack of physical security controls – Telework client devices are used in various locations outside of the Organization.  This makes them more likely to be stolen, placing the data on the devices at risk of compromise.

Unsecured networks – May be used for remote access.  Broadband and cellular networks are susceptible to eavesdropping and man-in-the-middle attacks.

Providing external access to internal-only resources – May expose sensitive internal servers to threats and to compromise.

Recommendations for improving the security of telework and remote access solutions:

Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats – encrypt sensitive data stored on client devices.  Use a separate network at the Organization for telework client devices.

Develop a telework security policy that defines telework, remote access and BYOD requirements.  

The telework security policy should define:
- Which forms of remote access the Organization permits;
- Which types of telework devices are permitted to be used; and
- The type of access each teleworker is granted.

Ensure that remote access servers are secured effectively and configured to enforce telework security policies.  Remote access servers should be kept fully patched and managed from trusted hosts by authorized administrators.

Secure organization-controlled telework client devices against common threats and maintain their security regularly.  Keep operating system updates current and encrypt sensitive data stored on the devices.

In conclusion, ensure that internal resources accessed remotely are hardened against external threats and that access to those resources is kept to a minimum.

A copy of the NIST bulletin can be found at the following location:

RRIT Security can provide greater guidance on this topic: https://www.rritconsultants.com/

Wednesday, 30 January 2019

DNS Infrastructure Hijacking Campaign

According to the National Cybersecurity and Communications Integration Center (NCCIC), a DNS (domain name system) infrastructure hijacking campaign is currently underway. DNS is where internet-style names are converted to IP addresses, so an attacker who modifies the location to which an Organization's domain names resolve can redirect user traffic to attacker-controlled infrastructure. If an attacker gains access using compromised credentials, goes unnoticed, and obtains valid encryption certificates for the Organization's domains, a "man-in-the-middle" attack can be launched.

According to Norton, a man-in-the-middle attack is like eavesdropping: when data is sent between a computer and a server, a cyber criminal can get in between and spy.

An extract of the open source indicators of compromise can be seen below:

How attackers intercept and redirect mail and web traffic:

a) The attacker compromises the credentials of a user account that can make changes to DNS records.
b) Once inside, the attacker alters DNS records such as Address (A), Mail Exchange (MX) or Name Server (NS) records, replacing the valid address with an address the attacker controls. User traffic is directed to the attacker's infrastructure for manipulation or inspection before being passed on to the legitimate service (if the attacker so chooses).
c) The attacker can not only set DNS record values but also obtain valid encryption certificates for the Organization's domain names. Redirected traffic can then be decrypted, exposing user-submitted data. Since the certificate is valid for the domain, end users do not receive any error warnings.

The following best practices have been recommended by the NCCIC to help safeguard networks:
  • Passwords for accounts that can change DNS records should be updated regularly
  • Multi-factor authentication should be enabled on domain registrar accounts and on any other systems used to modify DNS records
  • Public DNS records should be audited to ensure they are resolving to the intended location
  • Perform a search for encryption certificates related to the Organization's domains and revoke any fraudulently requested certificates
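One way to carry out the record audit the NCCIC recommends, as an added example (not code from this post or from the NCCIC alert): it compares the A, MX and NS records served for a domain against the values the Organization intends to publish and reports any drift. The domain, baseline and observed answers are constructed here so the check runs offline; in practice the observed values would come from a live query against public resolvers.

```python
"""Audit public DNS records against a known-good baseline (added example,
not code from the post or the NCCIC alert). Observed answers are constructed
inline so the check runs offline; in practice they come from a live query."""


def _norm(name: str) -> str:
    """DNS names are case-insensitive; compare them lower-cased and rooted."""
    return name.lower().rstrip(".") + "."

def normalise(rtype: str, values) -> set:
    """Turn a record set into a comparable set; MX keeps its priority."""
    out = set()
    for v in values:
        if rtype == "MX":
            prio, host = v.split()
            out.add((int(prio), _norm(host)))
        elif rtype == "NS":
            out.add(_norm(v))
        else:  # A records: compare the literal address
            out.add(v.strip())
    return out

def audit(baseline: dict, observed: dict) -> list:
    """Return one finding per (domain, type) whose live values differ."""
    findings = []
    for (domain, rtype), expected in baseline.items():
        exp = normalise(rtype, expected)
        obs = normalise(rtype, observed.get((domain, rtype), []))
        if exp != obs:
            findings.append({
                "domain": domain, "type": rtype,
                "missing": sorted(exp - obs, key=str),     # intended values no longer served
                "unexpected": sorted(obs - exp, key=str),  # values someone else inserted
            })
    return findings

# Constructed baseline for a hypothetical domain, and constructed live answers.
BASELINE = {
    ("example.test", "A"):  ["198.51.100.10"],
    ("example.test", "MX"): ["10 mail.example.test."],
    ("example.test", "NS"): ["ns1.example.test.", "ns2.example.test."],
}
OBSERVED = {
    ("example.test", "A"):  ["198.51.100.10"],
    ("example.test", "MX"): ["10 MAIL.EXAMPLE.TEST"],  # same host, different case: no drift
    ("example.test", "NS"): ["ns1.example.test.", "ns-relay.unknown.test."],  # one NS replaced
}
```

Running `audit(BASELINE, OBSERVED)` flags only the NS set: ns2.example.test. is missing and ns-relay.unknown.test. is unexpected, which is exactly the kind of change the campaign described above relies on.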
Source: