BACKGROUND AND KEY RISKS: The COVID-19 pandemic has resulted in an increased remote workforce across Penn. In response, organizations implemented new technology solutions, or enhanced existing ones, to enable personnel to conduct business securely. Configuration settings of remote solutions, system software (e.g., Microsoft’s Windows Active Directory), and firewall rules also needed to be reviewed and modified to prevent unauthorized access to organization resources and systems and, where applicable, to restrict what personnel could do with data (e.g., prevent printing to a home printer).
Common risks due to a more remote workforce relate to use of insecure networks, insecure personal devices, and data leakage.
WHAT MANAGEMENT CAN DO:
- Verify that documented remote work procedures address expected security requirements and provide tailored security training or guidance to users
- Ensure remote devices are required to authenticate to the network using a secure mechanism (e.g., VPN) and/or require strong authentication (e.g., 2FA, complex passwords)
- Review potentially vulnerable, unnecessary ports and services that allow for remote connectivity and disable them at the firewall
- Determine whether security “posture checking” (checking patching, anti-virus, O/S status/versions) can be enabled through the VPN solution prior to allowing personal devices to connect to the network
- If a remote desktop “gateway” service is implemented, ensure all devices connecting to it are identified and monitored for appropriateness
- Evaluate the feasibility of implementing “data leakage” controls, such as limiting the ability to download sensitive data* and printing across devices
- Implement effective VPN logging controls:
  - Have logs that record all connection and authentication attempts
  - Have a mechanism in place to “review” VPN logs in real time for any anomalies
  - Ensure logs are sent to a log collector (e.g., Splunk)
  - Define rules that alert you in case of anomalous behavior
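A minimal illustration of the last two points, added here as an example and not part of the original guidance or of Penn’s tooling: two alert rules run over constructed sample VPN authentication lines. The log line format, the thresholds and the sample addresses are assumptions; a collector such as Splunk would normally host rules of this kind.

```python
# Added example (not Penn's tooling): two VPN log alert rules over constructed
# sample lines. The line format is invented; real appliances use their own.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: "<timestamp> vpn auth <OK|FAIL> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 vpn auth FAIL user=alice src=203.0.113.5
2024-03-01T08:00:03 vpn auth FAIL user=alice src=203.0.113.5
2024-03-01T08:00:05 vpn auth FAIL user=alice src=203.0.113.5
2024-03-01T08:00:06 vpn auth FAIL user=bob src=203.0.113.5
2024-03-01T08:00:09 vpn auth OK user=bob src=203.0.113.5
2024-03-01T08:15:00 vpn auth OK user=carol src=198.51.100.7
2024-03-01T09:30:00 vpn auth FAIL user=dave src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line; None lets malformed lines be skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def detect_anomalies(log_text, max_failures=3, window=timedelta(minutes=5)):
    """failed_auth_burst: max_failures FAILs from one src inside `window`;
    success_after_failures: an OK from a src with FAILs inside `window`.
    Returns (rule, src, user) tuples in event order."""
    recent_fail = defaultdict(deque)  # src -> timestamps of recent FAILs
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent_fail[rec["src"]]
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            if len(q) == max_failures:  # fire once, when the threshold is hit
                alerts.append(("failed_auth_burst", rec["src"], rec["user"]))
        elif q:  # success preceded by recent failures from the same source
            alerts.append(("success_after_failures", rec["src"], rec["user"]))
    return alerts
```

On the sample above the first rule fires for the third failure from 203.0.113.5, and the second fires when bob then authenticates successfully from that same source.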
*On the University side, sensitive data is considered within the context of Penn’s Data Risk Classification Framework