
Sudden Remote Work: The Ultimate Checklist to Maintain Operations on this COVID-19 Crisis

The recent outbreak is becoming a nightmare for IT managers and sysadmins. Is your organization ready for the technical complexity of remote work?

It may be a change in management or even an emergency, like a worldwide pandemic. It could be a couple of employees taking their PCs home, or hundreds of them. The fact that remote work is becoming mandatory for a large percentage of people can be dangerous for any organization, big or small, prepared or not prepared.

And not really dangerous because of its nature –after all, here at Prey we know about remote work– but because operations, regardless of their scale, have to keep running with no failures. That’s where our IT managers and Sysadmins excel, especially in this COVID-19 crisis. A world where it’s becoming difficult to work together can be a nightmare for the ones who secure and manage the devices we use to work.

In the corporate world there are a couple of concepts that usually go together: Business Continuity and Disaster Recovery. On one hand, Business Continuity is all about keeping the show running regardless of whatever disrupts our day-to-day work; on the other hand, Disaster Recovery cares about restoring the vital infrastructure behind your business's operations. Both go side-by-side when disaster strikes. And while DR can be somewhat of a hassle during a viral crisis like the one we are having today, the plan every CIO or IT management office is focused on right now is Business Continuity. It may be even worse: there could be no plan at all.

In that scenario, where a large number of people have to work from home unexpectedly, is where questions arise. How are we managing our remote teams and equipment? How about our servers? Our security? Our access to a private network? What about Jim from Accounting, who has a huge PC and can’t take it home? Even one of those questions can be a nightmare for any admin out there and has several ramifications over security and management. We know. We’ve been there.

That’s why we’ve compiled a very general guide on those topics we -and some other angry and stressed Sysadmins on Reddit and other platforms- think are important to keep around: because things are going to get bad very, very soon. Best case scenario, you become the hero of your office; worst-case scenario, everything crashes inevitably, but at least you thought about it beforehand. Not sure you’re getting your photo framed in that case, though.

Can Staff Work Remotely?

This should be on your checklist first and foremost. Modern offices have a myriad of professionals: management, development, finance & accounting, design, marketing and so on, so their needs regarding devices are very broad. Still, if you leave out of the equation the ones with specific technological needs (no Brad, we can't relocate the office's plotter printer to your apartment) you may realize your remote workforce is very homogeneous in its needs. We'll handle equipment later; first you have to think about remote access, securing devices, and physical barriers to critical equipment.

Is your system built to support remote access? Most IT managers are used to on-premises configurations: a secure network, policies, RDP/VNC (to access and handle a device remotely) and communication, all between computers connected to the same network. What happens when everyone takes their device home? You lose the privilege of controlling the network from the inside, so everyone –especially you– tears their hair out when even a minor change needs to be made.

The best advice for this, given the time constraint, is to limit as much as possible who can connect to your secure network for remote work, and to always use an encrypted protocol –such as SSH, with key-based rather than password-only logins– if you're dealing with sensitive information.

The same principle can be applied to third-party remote access solutions. For example, if you want to set up a VNC alternative –like the dreaded TeamViewer– make sure the connection is protected on both ends: encrypted end to end, and authenticated with more than a short numeric PIN.

Is there enough capacity for our remote access needs? Chances are, if you're dealing with devices in a medium or large organization, you already have a VPN for remote users to connect to. That VPN may come from known vendors, like Cisco or Citrix, who often license by the number of concurrent connections or the total bandwidth. Keep that in mind: a license sized for a handful of travelling staff will not cover the whole company overnight.

Speaking of bandwidth, and especially if you have servers or critical devices there, is the office’s internet connection capable of sustaining multiple connections from your remote workers? A short call with your ISP can solve a lot of issues moving forward.

Are your employees connected to the internet at home? We know: internet access is kind of ubiquitous at this point. Nevertheless, certain ISPs around the world deliver substandard connections, which can put a strain on any demanding service, like videoconferencing, file transfer or even VPN connections. Make sure your end-users have a stable wired connection, or make space in the budget for untethered internet, like 4G dongles, for key users.

Do you need physical access to your servers? Most IT managers have workarounds for this, especially in terms of virtualization: most racks can be managed remotely and scaled accordingly. Others may have a different problem: backups. Some data centers and compliance-bound enterprises rely on LTO tape drives or libraries: machines that back up critical information onto high-capacity tapes (yes, tapes!).

[Image: cassette tapes] Okay, not these tapes.

Most tape-reliant backups are manual, so somebody has to remove one or several tapes from the rack and store them in a secure location, usually a safe. If your organization relies on this backup method –and if you're the one in charge– you probably have a protocol for this. Due to our recent viral circumstances, you could still be the chosen one to perform that task.

In any other case, and if you’ve been remotely managing servers for years, go home. And if your boss says otherwise, you can always ask him for a little help like this sysadmin on Reddit.

Does your staff have everything it needs to perform remote work?

This is a cornerstone of remote work: how can we work from home if we don't have the equipment to do it? In most cases, this equipment comes from the office, so several –or all, for that matter– employees got to work on Monday, took laptops, monitors and accessories, and drove home. In other cases, especially in small businesses, there may be a 'Bring Your Own Device' approach: work with what you have at home. We'll tackle the first one, since there is no settled policy for BYOD, and most zero trust models treat an unmanaged personal device very differently from a company-managed one.

In the office equipment scenario, the two most concerning questions are clear: Do we have enough devices to satisfy demand? And second, are we securing the ones we have?

Concerning device demand, it's important to be as transparent as possible about device and software acquisition, spare parts and repairs. Does everyone have a device to work with? If not, someone should buy the needed equipment. Do you handle that budget, or does someone else? You need to work very closely with that person and/or team to ensure everyone has the tools they need. Of course, there will be a few cases where management acquires devices without consulting IT. Nevertheless, if there's any kind of issue with those devices they will seek your help anyway, so beware.

Speaking of help, there is a great chance that a lot of devices will be damaged over time. Wear and tear is pretty normal for any device, but a remote work environment can pose other threats. Drinks, pets, unorthodox usage –a badly ventilated laptop being used in bed comes to mind as an example– and household accidents are much more common, especially if the end-user isn’t very careful, or not accustomed to the remote work culture.

A rule of thumb for a medium or large organization: have one spare device for every ten workers. Make sure these replacements are available to your employees: it's no use if our IT guy has all of them on the other side of town. And if you're that IT guy, consider leaving at least a couple of backup PCs in the office and getting a local permit to move around and help people. In many countries, total quarantines are being enforced by law, but, depending on your location, you may be able to request an exemption based on the Business Continuity Plan of your organization.

The same principle can be applied to spare parts. You still have time to stock up on hard drives, RAM modules, screens, chargers and cables, so you can distribute them if trouble arises.

All those admins who hoarded DDR2 memory modules can rejoice.

As with devices, apps and data are also an issue. A lot of the present headaches in the sysadmin community come from the limited computer knowledge of many remote workers, to the point that IT staff are banging their heads against the wall trying to get an employee to update their firewall and permissions, mostly over the phone. We can't stress this enough: send every PC out absolutely ready.

Consider that it needs to face the challenges posed by a heavy –and sometimes careless– user. That covers every nook and cranny: antivirus solution installed and updated, VPN configured, firewall set up, the apps needed by the employee installed and updated, full-disk encryption turned on, and, if possible, a known-good disk image you can roll back to.

The last challenge of having devices for everyone comes with a price: as a systems administrator, IT Manager or even CIO, you have the responsibility of taking care of equipment on different levels. That’s where a more granular approach is needed, especially on teams that are still fearful of their employees working from home. For example, a small real estate firm wants to control where the devices are, at what times they’re being used, and how.

This issue can be solved with a Mobile Device Management solution, depending on the specific needs of your workforce. If the Administration tier only wants to check in on devices, networks they’re connected and usage, Prey has a lightweight solution available for free. Otherwise, you may need pricier and robust options, like Prey Enterprise.

Can we maintain an acceptable level of cybersecurity?

Okay, we're almost done! While the first two questions can be resolved by the vast majority of IT professionals, this is the one that requires the most patience and technical skill. Most of these issues are ubiquitous: for example, having an antivirus or endpoint protection solution on every workstation should be required by law (and no, running Linux does not exempt you). However, there have been a bunch of questions and issues raised on forums and chats that can be a problem for you as well.

As such, we’ll list the most common issues we’ve seen, with their possible solutions.

Is my critical infrastructure secure from insecure remote work? With a lot of devices going home, cracks begin to appear in the security dike. As such, everything must be checked beforehand: device encryption, identity and access management (IAM), file permissions and access policies. The use of a secure VPN is strongly suggested (see below). From the end-user point of view, it's critical to reduce the attack surface an attacker can use to get inside. Create a guide for your employees that includes storing passwords in a password manager rather than a notebook or a spreadsheet, revisiting or improving their router security and internet connection, and using Multi-Factor Authentication for most, if not all, accesses. Establishing a Zero Trust Model in your organization beforehand is always a very safe step.

Is my employee's internet connection susceptible to attacks? Extending the first case: you can take care of every imperfection on an endpoint, and it could still be exposed if the network it sits on is insecure. The same concern applies to IoT –Internet of Things– devices. What if our organization gets hacked because of a smart light bulb?

“Why did you betray me, bulb?”

The key to solving this is the router's security. Most disasters can be averted with a strong WPA2 (or WPA3) passphrase, the router's admin password changed from the default, and IoT devices isolated on a guest network so they cannot reach the work laptop. If the employee handles critical information, you will need to go deeper: if you can, check the router for default logins, remote administration exposed to the internet, weird DMZ or port-forwarding rules, UPnP left on, and connected devices with MAC addresses nobody recognizes.

Is it safe to control my employee's computer while they're doing remote work? As we said earlier, any RDP or VNC access exposed directly to the internet –and not on a secure, internal network– is risky and considered bad practice among sysadmins. Nevertheless, you will need a remote tool for servicing, patching, and even authorizing or performing new installations. If you're compelled to do it, be careful: always tunnel the session through an encrypted, authenticated channel (the VPN, or SSH with keys), restrict who is allowed to log in at all, and limit your remote access to short, logged sessions.
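The advice above and in the remote-access section earlier (limit who can connect, use SSH with keys, no password-only logins) is easy to state and easy to get wrong in a hurry. The following is an added example, not Prey's code or anything from OpenSSH: a small audit of the global section of an sshd_config against a baseline. The baseline values are our assumptions about a sensible hardened server; the defaults table reflects OpenSSH's documented defaults for those directives.

```python
"""Audit an sshd_config for the directives that matter when a server
becomes reachable from home networks.

Added example (not the article's or OpenSSH's code). EXPECTED is an
assumed hardening baseline; DEFAULTS mirrors what sshd applies when a
directive is unset, so "unset" is judged by its real effect.
"""
import re

# directive -> (acceptable values, what to write instead)   [assumed baseline]
EXPECTED = {
    "permitrootlogin": ({"no"}, "PermitRootLogin no"),
    "passwordauthentication": ({"no"}, "PasswordAuthentication no"),
    "pubkeyauthentication": ({"yes"}, "PubkeyAuthentication yes"),
    "x11forwarding": ({"no"}, "X11Forwarding no"),
}
# Value sshd uses when the directive is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}
ALLOW_DIRECTIVES = ("allowusers", "allowgroups")


def parse_global_section(text):
    """Return {directive: value} for the part of the file before the first
    Match block. Comments are dropped; for duplicate keys the first wins,
    which is how sshd itself resolves them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # anything below only applies to the matched users/hosts
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of human-readable findings; an empty list means the
    global section meets the baseline."""
    settings = parse_global_section(text)
    findings = []
    for key, (acceptable, fix) in EXPECTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual not in acceptable:
            origin = "set to" if key in settings else "defaulting to"
            findings.append(f"{fix.split()[0]} is {origin} '{actual}': set '{fix}'")
    if not any(d in settings for d in ALLOW_DIRECTIVES):
        findings.append(
            "no AllowUsers/AllowGroups: every account with a shell may try to "
            "log in; add e.g. 'AllowGroups remote-admins'")
    return findings


# Constructed sample configs (not from any real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# The Match block below does NOT fix the global setting above.
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowGroups remote-admins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["OK"]:
            print(" -", finding)
```

Run it against a copy of `/etc/ssh/sshd_config` by reading the file into `audit()`; the point of the sample pair is the Match block in the weak config, which looks like a fix but leaves password logins open for everyone except the `backup` user.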

Are VPNs totally secure? Not by a long shot. A VPN gateway is, by design, a service exposed to the whole internet, and its well-known ports are scanned constantly: UDP/TCP 1194 (OpenVPN), TCP 443 (SSL VPNs) and UDP 500/4500 (IPsec/IKEv2). Keep the gateway patched, since VPN appliances are a favourite target when a vulnerability is published, and over the coming days check your firewall and VPN logs for repeated connection attempts to those ports from sources that are not your employees.

Is multi-factor authentication worth the investment? If any malicious breach would put your business at risk, it's imperative you use MFA for everything you can. Multi-factor authentication is the use of several 'factors' to prove your identity to a server, so that every time an employee logs in, it really is them and not somebody else. Many auth providers support MFA using free tools like Google Authenticator, proprietary mobile apps, hardware keys, and weaker factors like SMS, email and verification codes (still far better than a password alone). Just make sure your employees know how to use it, and know never to read a code to anyone over the phone, so they don't fall for a social engineering scam.
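The codes an authenticator app shows are not magic, and seeing how they are derived makes the social-engineering warning concrete: the six digits are a time-based HMAC over a shared secret, so whoever holds a fresh code holds the second factor. Below is an added example (not the article's or Google Authenticator's code) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, plus a verifier that tolerates one step of clock drift. The secret and expected values used in the test are the published RFC 6238 test vectors; the base32 string is a constructed example.

```python
"""TOTP as used by Google Authenticator and similar apps.

Added example (not the article's code). Implements RFC 4226 HOTP and
RFC 6238 TOTP with the standard library only. The 'window' in
verify_totp is a deliberate trade-off: it tolerates clock drift at the
cost of accepting a code for up to three 30-second steps.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of 'step' seconds
    elapsed since the Unix epoch. 'at' defaults to now."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the code for the current step and 'window' steps either side,
    comparing in constant time so timing does not leak partial matches."""
    t = int(time.time() if at is None else at)
    counter = t // step
    return any(hmac.compare_digest(hotp(secret, counter + k, digits), code)
               for k in range(-window, window + 1))


def secret_from_base32(text):
    """Decode the base32 secret from a provisioning QR/URI, restoring the
    '=' padding that apps usually strip."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 6238 Appendix B test secret (ASCII digits) and a constructed
# base32 secret of the kind a provisioning QR code carries.
RFC_SECRET = b"12345678901234567890"
DEMO_BASE32 = "JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    print("RFC vector T=59:", totp(RFC_SECRET, at=59, digits=8))  # 94287082
    secret = secret_from_base32(DEMO_BASE32)
    now = int(time.time())
    code = totp(secret, at=now)
    print("current code:", code, "verifies:", verify_totp(secret, code, at=now))
    print("same code 2 minutes later:", verify_totp(secret, code, at=now + 120))
```

The last line is the practical lesson for the phone-call scam: a code phoned to an attacker is good for roughly a minute and a half with the drift window shown, which is plenty of time to use it, so the defence is the employee never reading it out, not the short lifetime.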

Am I breaking compliance if we go remote? You might, but you don't have to. Depending on which certification we're referring to, the requirements differ. For example, a SOC 2 audit will expect the controls you documented for the office –web filtering, logging, endpoint protection– to keep working when everyone is at home, where they are harder to enforce. Having said that, there are endpoint web-filtering and DNS-filtering agents that can be installed and configured on devices beforehand, so the control travels with the laptop. Chances are, you did most of the work already trying to get certified.

Takeaways

Most of what we've compiled in this guide may be general knowledge for most sysadmins. It's possible that you've read this entire piece and said: "but man, I know this already!". And still, even the keenest people have to be reminded: securing devices is hard, lonely and sometimes thankless.

The world is in the midst of a huge pandemic right now, and it's in times like these that the heroes behind the curtain step up to the challenge. Being a systems admin is a thankless job, so we hope these general steps for maintaining peace and order in this remote work crisis are helpful. And hey, maybe show this to your boss so they can finally get an idea of how hard what you do really is.

Godspeed.

Norman Gutiérrez