NIST Gives Agencies Guidance on Boosting Cybersecurity for BYOD, Telework
IT leaders at federal agencies have embraced increased use of mobility to transform their enterprises. However, as more offices have offered telework options and embraced bring-your-own-device (BYOD) policies to varying degrees, security vulnerabilities have also cropped up.
If IT workers are connecting to federal networks over their home or public Wi-Fi service and are using their personal mobile devices, they could potentially be exposing themselves and their agencies to security risks. As a result, the National Institute of Standards and Technology issued draft guidelines last month for both users and organizations on best practices for improving security in telework and BYOD policies.
“Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework,” Murugiah Souppaya, a NIST computer scientist and author of the guidelines, told Federal Times. “To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by — or stored on — telework devices.”
Public comments on the draft guidance were due on April 15.
What Users Need to Know
BYOD policies have become more common among agencies since 2009, when NIST last issued teleworking guidelines, as smartphones have become much more prevalent. “[Bring your own device] is becoming the new buzzword these days,” Souppaya told FedScoop. “The adoption of BYOD and mobile devices is seeing a huge surge. Most of our recommendations from 2009 are still valid, but we made tweaks and changes. This is a new technology gap that we are trying to fill out.”
The guidelines for users include some common-sense recommendations, noting that users should back up all data and verify the validity of the backups, and also “understand not only their organization’s policies and requirements, but also appropriate ways of protecting the organization’s information that they may access.”
Teleworkers need to make sure that “devices on their wired and wireless home networks are properly secured, as well as the home networks themselves.” The guidelines offer users basic recommendations like “using a combination of security software, such as antivirus software, personal firewalls, spam and web content filtering, and popup blocking, to stop most attacks, particularly malware” and limiting access to devices by setting passwords or PINs after leaving the devices idle.
As FierceGovernmentIT notes, the guidelines also provide more technical security recommendations, such as changing the default service set identifier of a wireless access point. “If this default SSID is not changed, and another nearby wireless network has the same default SSID, then the teleworker’s device might accidentally attempt to join the wrong wireless network,” the guidelines note.
How Organizations Can Enhance Security
Agencies, the guidelines recommend, should “plan telework-related security policies and controls based on the assumption that external environments contain hostile threats.”
Agencies should assume that telework client devices will be “acquired by malicious parties who will either attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.”
To guard against that, agencies should be “encrypting the device’s storage, encrypting all sensitive data stored on client devices, and not storing sensitive data on client devices. For mitigating device reuse threats, the primary option is using strong authentication — preferably multi-factor — for enterprise access.”
Agencies should also use anti-malware technologies, network access control solutions that verify a user’s security posture before granting access, and a “separate network at the organization’s facilities for telework client devices brought in for internal use.”
Agencies also should make their own risk-based decisions about what levels of remote access should be permitted from which types of telework client devices.
“For example, an organization may choose to have tiered levels of remote access, such as allowing organization-owned personal computers to access many resources, BYOD PCs and third-party-controlled client devices to access a limited set of resources, and BYOD smartphones and tablets to access only one or two lower-risk resources, such as webmail,” the guidelines note. “Having tiered levels of remote access allows an organization to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have minimal access.”
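As an added illustration (not from NIST or the article) of how the controls above fit together, the following Python sketch models a remote-access decision that gates on multi-factor authentication and a NAC-style posture check first, then applies the tiered device-class-to-resource mapping the guidelines describe. The device classes, resource names and posture attributes are assumptions constructed for this example.

```python
"""Tiered telework access decision. Hypothetical example: the tiers,
resource names and posture attributes are constructed, not NIST's."""
from dataclasses import dataclass

# Resources each device tier may reach, most-controlled tier first (constructed).
TIERS = {
    "org_pc": {"webmail", "intranet", "file_shares", "admin_tools"},
    "byod_pc": {"webmail", "intranet"},
    "third_party_pc": {"webmail", "intranet"},
    "byod_mobile": {"webmail"},          # only a lower-risk resource
}
# Resources that place sensitive data on the client and so need storage encryption.
SENSITIVE = {"intranet", "file_shares", "admin_tools"}

@dataclass
class Device:
    owner: str             # "org", "byod" or "third_party"
    kind: str              # "pc" or "mobile"
    storage_encrypted: bool
    antimalware_current: bool
    mfa_used: bool

def classify(dev: Device) -> str:
    """Map a device to an access tier; anything unrecognised gets no tier."""
    mapping = {("org", "pc"): "org_pc", ("byod", "pc"): "byod_pc",
               ("third_party", "pc"): "third_party_pc", ("byod", "mobile"): "byod_mobile"}
    return mapping.get((dev.owner, dev.kind), "none")

def decide(dev: Device, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Authentication and posture are checked before
    the tier, so a weak client never reaches the resource lookup."""
    if not dev.mfa_used:
        return False, "multi-factor authentication required for enterprise access"
    if not dev.antimalware_current:
        return False, "posture check failed: anti-malware not current"
    tier = classify(dev)
    if resource not in TIERS.get(tier, set()):
        return False, f"resource '{resource}' not permitted for tier '{tier}'"
    if resource in SENSITIVE and not dev.storage_encrypted:
        return False, "storage encryption required before accessing sensitive data"
    return True, f"allowed for tier '{tier}'"

if __name__ == "__main__":
    phone = Device("byod", "mobile", True, True, True)
    print(decide(phone, "webmail"), decide(phone, "intranet"))
```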
Among many other recommendations, the guidance states that agencies need to “ensure that remote access servers are secured effectively and are configured to enforce telework security policies” and make sure that telework client devices “include all the local security controls” that are used for nontelework devices.
The guidelines add that if agencies do permit BYOD or third party–controlled devices, they should “strongly consider establishing a separate, external, dedicated network for this use.”