Quick Guide to Teleworking Safely - Good

QUICK GUIDE TO TELEWORKING SECURELY

Due to the state of alarm caused by the coronavirus, many administrations and public bodies are promoting telework to ensure the continuity of their functions and services. Telework, however, can pose cybersecurity risks if it is not planned in advance, staff are not properly trained, and equipment and connections are not securely configured. Given the current context, all of this may not have been possible in many cases; for this reason we offer you a selection of the main basic protection measures to take into account, which can help you telecommute while minimizing security risks in the processing of your organization's information.

Keep in mind that the current situation is very attractive to cybercriminals seeking to steal passwords and to hijack confidential information in exchange for a ransom. Such cases have occurred in recent months in public administrations, with severe economic and reputational damage.

This selection was made with the aim of providing a practical, executive guide for non-expert users in medium and small public administrations that do not have the resources to implement a comprehensive and advanced security plan. We want to avoid information overload and recommendations that are unviable in the circumstances we find ourselves in. For users who are interested in delving into this topic, we provide additional links at the end of the guide.

These recommendations are of a general nature. If your organization has its own cybersecurity guide, pay attention to it.
 

1. Organizational aspects

Your organization very likely already has a protocol and a cybersecurity manager. Check the points we offer below with them.

Follow the security instructions of your organization's technology manager.

Make use of tools and applications authorized by your organization. If you need to use other solutions, be careful and use only trusted applications.

And also…

Verify that the corporate documents you will be working on from home are backed up.

Find out which channel to use for reporting incidents and resolving doubts.

Report any cybersecurity incident immediately to your organization's technology manager.

2. Work equipment

From your home work equipment you will have access to the confidential information of your organization. Whether you are using a corporate computer or a personal computer, a series of protective and preventive measures must be considered. If you use corporate equipment, it most likely already meets most or all of these recommendations through the security policies that your administrator enforces.

Make sure the system and applications are updated with the latest versions and that automatic version updating is enabled.

Check that your computer has an active anti-virus and anti-malware system.

Set the screen to lock automatically after ten minutes.

And also…

Create separate accounts in your operating system for your family and for telecommuting. Any unauthorized access to confidential information should be avoided.

Activate a firewall on your computer.

3. Internet connection and remote access

Home WiFi networks do not usually have the same security controls, such as firewalls, that are implemented in corporate offices. Therefore, when working remotely you must pay special attention to the characteristics of the network through which you connect, either to surf the Internet or to access the systems and data of your organization.

Avoid using unreliable, untrusted public WiFi networks to remotely access the organization's services.

And also…

Use, where applicable, the VPN (virtual private network) remote connection services your organization recommends to access corporate information systems.

Check that your Internet router does not use the factory default password. You will find many tutorials on the Internet and YouTube. You can use the procedure recommended by the Consumer and User Organization.

Configure the router password with a secure encryption system: WPA3 (preferably) or WPA2.

4. Backups

Office documents that you create on the private computer you use for teleworking, and that are not stored on the organization's server, will probably not be covered by an automated backup system. Therefore, it is recommended that you take the precaution of backing them up yourself.

Back up locally generated documents through one of the following mechanisms:

  • USB Flash Drives - You should have cleaned or formatted them beforehand to ensure that they are free of risk
  • External hard disk
  • Cloud storage service authorized by the organization

5. Passwords and authentication

When you telecommute, the way you authenticate yourself to systems and applications is especially critical, since with a stolen password someone could access confidential information and/or take control of a service in your organization. Here are some recommendations to authenticate yourself more securely, as well as to define and use more robust passwords.

Whenever possible, access information systems with a digital certificate (preferably T-CAT P) or with a dual-factor authentication system, to prevent theft of your password. (Dual-factor systems are based on one-time codes that are sent via SMS or to an app.)

Use complex passwords: a combination of special characters, upper and lower case letters, and numbers.

Don't write corporate passwords down anywhere.

If you install software digital certificates on your personal computer (TCAT-P, idCAT Certificate), use the option "Enter the Password for the private key": this way the digital certificate can only be used if the password is known.

And also…

If you have to use many accounts with different usernames and passwords, use an application to manage them securely. There are several solutions that offer a free version (LastPass, Dashlane, etc.). Apple iOS devices have a password manager integrated with the operating system.

And also…

The web browsers on your computers must be kept updated with the latest version and software patches.

Periodically delete browsing history, cookies, remembered passwords, and other temporary files. This way you avoid potential spyware.

7. Secure video conferencing

To ensure the security and privacy of conversations during video conferences with your work or project team, consider the following aspects:

Convene the meeting safely. Allow only users who know the meeting data to join the video conferencing session. To do so:

  1. Create a meeting that only invited people can join.
  2. Send the invitation to participants by private email or through a secured platform or channel.
    • Make the people you have invited by email log in with that same address, or
    • use a dual-factor authentication system, for example generating the meeting link (or meeting ID, in the case of Zoom) and requiring a password to join.
    • The waiting room is also a very useful feature for hosts to control who enters and who leaves the meeting.
  3. Do not share the link to join the meeting through social media or other public forums. ANYONE with the link could join the session.

Manage participants.

  • Set up in advance who will be able to share screen or send files via chat during the meeting.
  • In the case of large meetings, remember that the host can mute participants individually or all at once, to avoid echoes, background noise, and distractions or parallel conversations.
  • Consider whether to lock the meeting once all participants are present, so that unwanted new participants cannot join.

And also…

Familiarize yourself in advance with the settings and functions of the video conferencing tool you use, so that you know how to protect the virtual space where the meeting will take place.

At the end of the session, make sure the virtual space where the meeting took place is closed or accessible only to the meeting participants, as there may be notes, files and private information.

8. Phishing

Phishing is a type of cybercrime that involves sending fraudulent emails with the goal of stealing your password or other personal information. It is one of the scams most used by cybercriminals. The way phishing works is simple: you receive a legitimate-looking email asking you to update, validate or confirm information via a link. After clicking on it, you are redirected to a fake web page, where the password or other data is stolen.

Do not click on links or download any attachments from suspicious emails. Be suspicious of emails that ask for unusual actions to reset passwords. Check the sender's address (not the alias) in seemingly legitimate emails.

And also…

When you connect via web, verify in the browser bar that the destination web address is correct. Cybercriminals can completely replicate a website and steal your password.
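For technology managers who want to automate the sender check recommended above, the following is an added example (not part of the original guide). It compares the alias shown in a message's From: header with the real sender address; the domain `council.example`, the function name and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Matches an email address written inside the free-text alias.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def check_sender(from_header, trusted_domains):
    """Return a list of warnings for one From: header value."""
    alias, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return ["no parsable sender address"]
    trusted = {d.lower() for d in trusted_domains}
    warnings = []
    # Trusted means the domain itself or one of its subdomains.
    if not any(domain == d or domain.endswith("." + d) for d in trusted):
        warnings.append(f"real sender domain '{domain}' is not trusted")
        # A trusted name used as a prefix or fragment of a foreign domain.
        if any(d in domain for d in trusted):
            warnings.append("sender domain merely contains a trusted name")
    # The alias is chosen by the sender; an address written there that
    # differs from the real one is a disguise.
    shown = ADDRESS_RE.search(alias)
    if shown and shown.group(0).lower() != address.lower():
        warnings.append(
            f"alias shows '{shown.group(0)}' but mail comes from '{address}'")
    return warnings

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    'Maria Puig <maria.puig@council.example>',
    '"IT Support" <helpdesk@mail.council.example>',
    '"it-support@council.example" <reset@council.example.account-check.test>',
    'IT Support <it@c0uncil.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = check_sender(header, ["council.example"])
        print(header, "->", result or "no warnings")
```

A header with no warnings is not proof that a message is legitimate; the check only catches a mismatch between the alias and the real address, and senders outside the trusted domains.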

9. At the end of the job

From your home work equipment you will have access to the confidential information of your organization.

Close all connections to corporate information systems and websites.

Back up any local documents that you worked on that are not covered by the corporate backup.

And also…

Delete your browsing history, cookies, reminders and other temporary files.

10. More information

We recommend that users who wish to expand on the information in this guide visit the following web pages with specialized content:

Acknowledgments

This set of recommendations has been prepared from the AOC's own resources, from the guidelines of the Catalan Cybersecurity Agency, the Catalan Association of Telecommunications Engineers (Telecos.cat), the consultants Genís Margarit Contel and Cristina Ribas Casademont, and the documents in the "More information" section.

At the AOC we would like to give thanks for all the selfless and proactive contributions we have received, which are very useful and valuable at this time for ensuring the security of public sector information systems.

Notes

  1. This guide is open to suggestions, proposals for improvement and corrections. Your comments will be most welcome; you can send them to innovacio@aoc.cat.
  2. We have asked two free software community entities and four users who have given us critical comments to help us complete this guide with specific recommendations for Linux-based operating systems. We have not received a response at the moment.