BreachExchange mailing list archives

Agencies might need to rethink telework security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Nov 2014 18:49:09 -0700

http://fcw.com/articles/2014/11/21/telework-vpn-breaches.aspx

In light of recent breaches at the U.S. Postal Service, White House and
State Department, agencies might need to take a closer look at the security
of the virtual private networks (VPNs) their employees use while
teleworking.

Although the breaches remain under investigation and no official culprit
has been named, the hack at USPS prompted the agency to suspend its
telework program.

According to USPS spokeswoman Sue Brennan, telework remained suspended as
of Nov. 21, more than a week after the breach was announced, and upgrades
and changes to the system are still in progress.

“Shutting down the USPS VPN should only be considered a treatment for a
symptom of the problem, and my guess is [it] will only be a temporary
move,” wrote Mark Seward, vice president of marketing at security analytics
company Exabeam, in a blog post. “Addressing the larger problem requires
adopting a mindset that the attacker is already inside.”

USPS officials announced the breach on Nov. 10 and said they believed it
compromised some customer data, including names, addresses, telephone
numbers and email addresses. It also exposed sensitive employee data,
including Social Security numbers, email addresses and hiring information.

Officials have not concluded that a VPN was responsible for the breach, but
if that turns out to be the case, major changes could be in store for the
hundreds of thousands of federal employees who telework.

“We must plan and make our systems more secure to enable telework,” Office
of Personnel Management CIO Donna Seymour said. “Yes, there are very good
ways that make remote access more secure, and we employ those capabilities
in many areas. As our networks become more secure and our remote access
features become more secure, our adversaries also become smarter, and the
reality is, these breaches are becoming more frequent. The goal is to
detect quickly, react quickly and limit the potential damage.”

The Defense Information Systems Agency is one of the agencies that take an
aggressive approach to securing sensitive information for teleworkers. DISA
developed special centers from which employees who handle sensitive
information can telework. And, by all accounts, DISA has been generous in
sharing best practices about running such centers with other agencies.

Most agencies devise their own telework and remote-access security
policies, but they are expected to follow guidance from the National
Institute of Standards and Technology, OPM and the Office of Management and
Budget, all of which stress that teleworkers must remain vigilant.

“By focusing on specific manager security responsibilities and reinforcing
the roles and responsibilities of participating teleworkers, agencies can
ensure that the workforce is educated, aware and in compliance with the
latest policies to safeguard information in a mobile environment,” an OPM
spokesperson said.

According to the USPS Information Security Network Connectivity Process
handbook, employees who telecommute must have the latest
pattern-recognition antivirus software and a USPS-approved firewall on
their remote computers.

“It’s not normal for a USPS employee to try and connect to certain
databases, connect from a strange device, or connect from Uruguay,” Seward
said. “Agencies have to keep a sharp eye on those types of user behaviors.”
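The baseline-and-deviation check Seward describes, as an added example that is not code from FCW, USPS or Exabeam: it builds a per-user baseline of previously seen countries, devices and resources from past VPN session records and reports each field a new session deviates from. The record format, the field names and every sample line are constructed for illustration.

```python
"""Baseline-and-deviation check for VPN session records.

Added example, not code from FCW, USPS or Exabeam. The record format,
the field names and the sample records are constructed for illustration.
Each record: timestamp, user, source country, device id, resource reached.
"""
from collections import defaultdict

# Constructed sample history (not real agency telemetry).
HISTORY = [
    "2014-11-01T08:02:11Z jdoe US laptop-4471 hr-payroll-db",
    "2014-11-03T08:05:40Z jdoe US laptop-4471 hr-payroll-db",
    "2014-11-04T17:44:02Z jdoe US laptop-4471 timecard-app",
    "2014-11-02T09:10:00Z asmith US laptop-9930 mail",
    "2014-11-05T09:12:30Z asmith US laptop-9930 mail",
]

# Constructed new sessions to evaluate against that history.
NEW_EVENTS = [
    "2014-11-10T08:01:55Z jdoe US laptop-4471 hr-payroll-db",    # matches baseline
    "2014-11-10T03:12:09Z jdoe UY laptop-4471 hr-payroll-db",    # new country
    "2014-11-10T08:30:00Z jdoe US win7-tmp-01 hr-payroll-db",    # new device
    "2014-11-10T09:00:00Z asmith US laptop-9930 hr-payroll-db",  # new resource for this user
    "2014-11-10T02:00:00Z asmith RU unknown-dev customer-db",    # everything new at once
]

FIELDS = ("country", "device", "resource")


def parse(line):
    """Split one whitespace-separated record into a dict."""
    ts, user, country, device, resource = line.split()
    return {"ts": ts, "user": user, "country": country,
            "device": device, "resource": resource}


def build_baseline(lines):
    """Per-user sets of previously seen countries, devices and resources."""
    baseline = defaultdict(lambda: {key: set() for key in FIELDS})
    for rec in map(parse, lines):
        for key in FIELDS:
            baseline[rec["user"]][key].add(rec[key])
    return baseline


def score_event(rec, baseline):
    """Return the list of baseline fields this session deviates from."""
    seen = baseline.get(rec["user"])
    if seen is None:
        return ["unknown-user"]
    return [key for key in FIELDS if rec[key] not in seen[key]]


def find_anomalies(history, events, min_deviations=1):
    """Return (timestamp, user, reasons) for each event that deviates.

    The number of reasons doubles as a severity: one new attribute may be
    a replaced laptop or a holiday trip, while a new country, a new device
    and a new target together look like a stolen credential in use.
    """
    baseline = build_baseline(history)
    alerts = []
    for line in events:
        rec = parse(line)
        reasons = score_event(rec, baseline)
        if len(reasons) >= min_deviations:
            alerts.append((rec["ts"], rec["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(HISTORY, NEW_EVENTS):
        print(f"{ts} {user}: deviates on {', '.join(reasons)}")
```

In practice the baseline would be fed from the VPN concentrator's session logs and the deviation count would feed a ticket priority rather than a print statement; the point is that each new attribute is cheap to check once the per-user history is kept.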

Some agency VPNs require only a username and password for access, while
others require multifactor authentication such as a Common Access Card or
other smart card, an RSA SecurID token, an eToken or a biometric fingerprint
sensor.

"Two-factor authentication is now widely available. It's a commercial best
practice," Ron Ross, leader of NIST's Federal Information Security
Management Act Implementation Project, told FCW. Because so many breaches
start with compromised credentials, when an agency implements two-factor
authentication, "that can close down a whole bunch of attack vectors."

As far back as 2006, OMB issued a memo recommending that remote access be
allowed only with two-factor authentication, with one of the factors
provided by a device separate from the computer.
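A server-side check of a second factor generated on a device separate from the computer, as an added example that is not from the FCW article, OMB or any agency VPN: it implements RFC 4226 HOTP and RFC 6238 TOTP verification with a one-step clock-skew window and replay protection. TOTP is chosen because it is self-contained; a CAC or PIV card would use certificate-based authentication instead. The shared secret is the RFC 4226 test key and the user name is constructed; a real deployment would provision a per-user random secret.

```python
"""Server-side check of a second factor generated on a separate device.

Added example, not from the FCW article or any agency VPN. It implements
RFC 4226 HOTP / RFC 6238 TOTP verification with a one-step clock skew
window and replay protection. DEMO_SECRET is the RFC 4226 test key and
the user name is constructed; a real deployment provisions a per-user
random secret.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # RFC 6238 default time step
DIGITS = 6
SKEW_WINDOW = 1        # accept one step before/after the server's clock

DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test vector key, demo only


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step)


class SecondFactorVerifier:
    """Verifies TOTP codes and remembers the last accepted step per user
    so that a code captured from the wire cannot be replayed."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # user -> shared secret bytes
        self.last_counter = {}          # user -> last accepted counter

    def verify(self, user: str, code: str, now: float = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        now = time.time() if now is None else now
        current = int(now) // STEP_SECONDS
        last = self.last_counter.get(user, -1)
        # Try each step inside the skew window with a constant-time compare.
        # A step at or before the last accepted one is a replay and is refused.
        for counter in range(current - SKEW_WINDOW, current + SKEW_WINDOW + 1):
            if counter <= last:
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier({"jdoe": DEMO_SECRET})
    code = totp(DEMO_SECRET, time.time())      # what the separate device would show
    print("first use accepted:", verifier.verify("jdoe", code))
    print("replay accepted:   ", verifier.verify("jdoe", code))
```

The replay check matters as much as the code check: the code is only six digits and is valid for a window of three steps, so a VPN that accepts the same code twice has reduced the second factor to something an attacker who can read one login can reuse.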

“This option, as well as others, is important to couple with effective
training and program management to ensure telework is more secure overall,”
the OPM spokesperson said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
