« NIST SP 800-124 Rev. 2(Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise | Main | Oregon FBI Tech Tuesday: Building a Digital Defense When You Are On-the-Go »

2020.03.25

ENISA Tips for cybersecurity when working from home

こんにちは、丸山満彦です。

ENISAもリモートワークのセキュリティについて公表していますので、共有しておきます。雇用主側と雇用者側、それぞれに記載がありますね。。。あと、COVID-19関係のPhisingについても触れていますね。。。

ENISA

・2020.03.24 Tips for cybersecurity when working from home

<詳細>

 

【参考】

Europol

MAKE YOUR HOME A CYBER SAFE STRONGHOLD Public awareness and prevention

 

-----

1- Recommendations for employers and staff

The following recommendations for maintaining an adequate level of cybersecurity when teleworking are divided into those for employers and for staff on teleworking.

Recommendations for employers

  1. Ensure that the corporate VPN solution scales and is able to sustain a large number of simultaneous connections.
  2. Provide secure video conferencing for corporate clients (both audio/video capabilities).
  3. All the corporate business applications must be accessible only via encrypted communication channels (SSL VPN, IPSec VPN).
  4. Access to application portals should be safeguarded using multifactor authentication mechanisms.
  5. Prevent the direct Internet exposure of remote system access interfaces (e.g. RDP).
  6. Mutual authentication is preferred when accessing corporate systems (e.g. client to server and server to client).
  7. Provide where possible corporate computers/devices to staff while on teleworking; ensure that these computers/devices have up-to-date security software and security patch levels and that users are regularly reminded to check patch levels. It is advisable that a replacement scheme for failing devices is also in place.
  8. BYOD (Bring your own device) such as personal laptops or mobile devices must be vetted from the security standpoint using NAC, NAP platforms. (e.g. patch check, configuration check , AV check etc.).
  9. Ensure that adequate IT resources are in place to support staff in case of technical issues while teleworking; provide relevant information, e.g. on contact points, to staff.
  10. Ensure policies for responding to security incidents and personal data breaches are in place and that staff is appropriately informed of them.
  11. Ensure that any processing of staff data by the employer in the context of teleworking (e.g. time keeping) is in compliance with the EU legal framework on data protection.

 Recommendations for staff on teleworking

  1. Use corporate (rather than personal) computers where possible - unless BYOD has been vetted as per relevant point under Section 1 above. As far as possible, do not mix work and leisure activities on the same device and be particularly careful with any mails referencing the corona virus.
  2. Connect to the internet via secure networks; avoid open/free networks. Most wifi systems at home these days are correctly secured, but some older installations might not be. With an insecure connection, people in the near vicinity can snoop your traffic (more technical people might be able to hijack the connection). That having been said, the risk is not that much higher than when using public 'open networks' except for the fact that presumably people will be in the same place for a long time. The solution is to activate the encryption if it hasn't been done already and/or to adopt a recent implementation. Note that this risk is somewhat mitigated by using a secure connection to the office.
  3. Avoid the exchange of sensitive corporate information (e.g. via email) through possibly insecure connections.
  4. As far as possible use corporate Intranet resources to share working files. On the one hand, this ensures that working files are up-to-date and at the same time, sharing of sensitive information across local devices is avoided.
  5. Be particularly careful with any emails referencing the corona virus, as these may be phishing attempts or scams (see below). In case of doubt regarding the legitimacy of an email, contact the institution’s security officer.
  6. Data at rest, e.g. local drives, should be encrypted (this will protect against theft / loss of the device).
  7. Antivirus / Antimalware must be installed and be fully updated.
  8. The system (operating system and applications used, as well as anti-virus system) needs to be up to date.
  9. Lock your screen if you work in a shared space (you should really avoid co-working or shared spaces at this moment. Remember, social distancing is extremely important to slow down the spread of the virus).
  10. Do not share the virtual meeting URLs on social media or other public channels. (Unauthorized 3rd parties could access private meetings in this way.

|

« NIST SP 800-124 Rev. 2(Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise | Main | Oregon FBI Tech Tuesday: Building a Digital Defense When You Are On-the-Go »

Comments

Post a comment



(Not displayed with comment.)




« NIST SP 800-124 Rev. 2(Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise | Main | Oregon FBI Tech Tuesday: Building a Digital Defense When You Are On-the-Go »