The National Institute of Standards and Technology has guidelines on how to secure devices before they’re used for telework. We provide three best practices for agencies to follow to ensure that telework devices are safe to use when they return to onsite facilities and networks.
1. Require Returning Devices to Use Quarantine Networks
Dedicated quarantine networks isolate returning telework devices from an agency’s other devices and networks, often by placing them on a separate virtual LAN whose egress is limited to the patch, remediation and security-tooling servers the devices need. Quarantine networks keep anything malicious on the devices connected to them from reaching other agency systems; note that devices on the same quarantine segment can still reach each other unless client isolation is enabled, so a quarantine VLAN is a containment measure, not a substitute for inspection.
By forcing each returning device to connect to a quarantine network, an agency can look for possible security incidents on the devices and initiate incident response processes as needed.
Here are some signs that agencies should look for:
- Current malware infections are obviously a major concern, especially with ransomware becoming so commonplace.
- Signs of prior compromise are also a concern. If a device has been compromised, it shouldn’t be trusted, even if there’s no sign that an attacker or malware is still present.
- Unauthorized software installed on the device could indicate many things, such as an employee acquiring legitimate software independently to meet a critical agency need, an employee family member using the device for personal purposes — or an attacker installing tools to use against other agency systems.
- Deactivated, uninstalled or misconfigured security and maintenance software could be a sign of trouble. Attackers and the malware and tools they use frequently shut off security and maintenance software so their activities will go unnoticed. Also, users may shut off software that they think is slowing down or interfering with their work, thus increasing the risk of compromise.
2. Decide How to Handle Each Device’s Re-entry
Another reason to use a quarantine network is that it gives the agency the opportunity to assess the overall state of each asset and determine how to handle its re-entry into agency facilities.
Three possible re-entry options are:
- Correct any device security problems. On the quarantine network, an agency can examine each device for problems and correct them before allowing the device to access other agency networks and systems. Examples of potential problems include missing patches, incorrect configuration settings and missing software (e.g., uninstalled tools).
- Wipe and re-image the device. Transfer any data stored locally on the device to another location, then wipe and re-image. If the device shows signs of compromise, preserve whatever the incident response process needs (a forensic image, logs, memory capture) before wiping, and treat the transferred data as untrusted until it has been scanned. It might not be practical to do this for every device, but it could be prudent for devices that have experienced problems during telework or that have signs of compromise, malware infection, deactivated security software, etc.
- Replace the device. Because devices have been away from the office for more than a year, some of them probably need to be replaced for reasons other than security, such as operational problems or hardware failures that can’t immediately be fixed. Other devices may need to be retired because they are no longer supported by their manufacturers, meaning that new vulnerabilities won’t be patched.
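The checks in section 1 and the re-entry decision in section 2 can be run as one triage pass over each device's inventory while it sits on the quarantine network. The following is an added example written for this page, not code from NIST or from any agency tool: it assumes a constructed agency baseline (approved software, required security services, current patch level, unsupported platforms) and a constructed per-device inventory of the kind an endpoint agent or a scan from the quarantine segment would produce, and it maps findings to the three options above, with "replace" outranking "reimage", which outranks "remediate". Field names and thresholds are assumptions.

```python
"""Re-entry triage for returning telework devices (example code, not an agency tool).

Evaluates a per-device inventory collected on the quarantine network against an
agency baseline and returns the findings plus one re-entry action:
admit, remediate, reimage or replace. Baseline and inventory formats are assumptions.
"""
from dataclasses import dataclass, field

# Constructed agency baseline (assumption).
BASELINE = {
    "approved_software": {"office-suite", "vpn-client", "edr-agent", "pdf-reader"},
    "required_services": {"edr-agent", "disk-encryption", "patch-agent"},
    "current_patch_level": {"os-11": "2021-06", "os-10": "2021-06"},
    "unsupported_platforms": {"os-7"},   # vendor no longer ships patches
}

@dataclass
class DeviceState:
    asset_id: str
    platform: str
    patch_level: str                     # "YYYY-MM" of last cumulative update
    installed_software: set
    running_services: set
    active_malware: bool = False
    prior_compromise_indicators: list = field(default_factory=list)
    hardware_ok: bool = True

@dataclass
class TriageResult:
    asset_id: str
    action: str                          # "admit", "remediate", "reimage" or "replace"
    findings: list

# Severity order: the single highest-ranked finding decides the action.
_RANK = {"admit": 0, "remediate": 1, "reimage": 2, "replace": 3}

def triage(dev: DeviceState, baseline=BASELINE) -> TriageResult:
    findings = []
    action = "admit"

    def escalate(level, msg):
        nonlocal action
        findings.append(f"{level}: {msg}")
        if _RANK[level] > _RANK[action]:
            action = level

    # Replace: hardware failures, or platforms that will never be patched again.
    if not dev.hardware_ok:
        escalate("replace", "unresolved hardware failure")
    if dev.platform in baseline["unsupported_platforms"]:
        escalate("replace", f"platform {dev.platform} is no longer supported")

    # Reimage: current infection, signs of prior compromise, or security and
    # maintenance software that has been switched off. A compromised device is not trusted.
    if dev.active_malware:
        escalate("reimage", "active malware infection")
    for ioc in dev.prior_compromise_indicators:
        escalate("reimage", f"indicator of prior compromise: {ioc}")
    for svc in sorted(baseline["required_services"] - dev.running_services):
        escalate("reimage", f"required security/maintenance service not running: {svc}")

    # Remediate: unauthorized software and missing patches can be corrected in place.
    for pkg in sorted(dev.installed_software - baseline["approved_software"]):
        escalate("remediate", f"unauthorized software installed: {pkg}")
    expected = baseline["current_patch_level"].get(dev.platform)
    if expected and dev.patch_level < expected:   # "YYYY-MM" strings sort chronologically
        escalate("remediate", f"patch level {dev.patch_level} behind baseline {expected}")

    return TriageResult(dev.asset_id, action, findings)

# Constructed sample inventories (assumption): one clean device, one needing
# remediation, one with compromise indicators, one past end of life.
SAMPLE_DEVICES = [
    DeviceState("LT-0001", "os-11", "2021-06",
                {"office-suite", "vpn-client", "edr-agent", "pdf-reader"},
                {"edr-agent", "disk-encryption", "patch-agent"}),
    DeviceState("LT-0002", "os-11", "2021-02",
                {"office-suite", "vpn-client", "edr-agent", "game-launcher"},
                {"edr-agent", "disk-encryption", "patch-agent"}),
    DeviceState("LT-0003", "os-10", "2021-06",
                {"office-suite", "vpn-client", "edr-agent", "remote-admin-tool"},
                {"disk-encryption", "patch-agent"},
                prior_compromise_indicators=["scheduled task re-launching remote-admin-tool"]),
    DeviceState("LT-0004", "os-7", "2020-01",
                {"office-suite", "vpn-client", "edr-agent"},
                {"edr-agent", "disk-encryption", "patch-agent"}, hardware_ok=False),
]

def triage_all(devices=SAMPLE_DEVICES):
    """Return {asset_id: TriageResult} for every device in the quarantine inventory."""
    return {d.asset_id: triage(d) for d in devices}

if __name__ == "__main__":
    for r in triage_all().values():
        print(r.asset_id, r.action)
        for f in r.findings:
            print("   ", f)
```

The ranking matters: a device with an unauthorized package and a disabled EDR agent gets re-imaged rather than merely cleaned up, because a switched-off security agent is treated as a compromise indicator rather than a configuration drift, and a device past vendor support is replaced no matter how clean its inventory looks.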
3. Use This Opportunity to Shift to Zero-Trust Architecture
In May 2021, the White House released Executive Order 14028, “Improving the Nation’s Cybersecurity,” which includes detailed guidance on next steps. Section 3 requires agencies to develop and implement plans for adopting zero-trust architecture. Those plans will certainly include all end-user devices.
The re-entry process for telework devices could provide a great opportunity to alter them so that they follow zero-trust principles and thus have stronger security.
Examples of what might be done include adding new security controls, changing existing security configuration settings, replacing existing credentials (passwords, certificates and device keys that may have been exposed while the device was outside agency control) and tightening access control policies.