CIS Telework Guidance
The folks over at the Center for Internet Security, whose core mission is to secure online experiences, have authored security guidance for teleworkers. The CIS recently released a whitepaper on securing the remote network, the Telework Security Guide (TSG). Given the dizzying array of remote work jargon out there, the CIS TSG stands out as a solid collection of practical advice for organizations securing their teleworkers' converged workspaces. The short guide is full of practical help, ranging from a technical glossary and guidance for small businesses to purchasing equipment and configuring it. We list a subset of the network security recommendations from the CIS TSG here:
- Enable two-factor authentication wherever possible. This may include accessing the ISP web portal, the router/modem administrative interface, or a mobile app.
- Enable automatic updates for all routers and modems.
- Turn off the 2.4 GHz or 5 GHz radio if you are not using it.
- Turn on WPA2 or WPA3 encryption for the wireless network.
- Enable NAT.
- Disable UPnP, so that devices on the LAN cannot open inbound port mappings on the router by themselves.
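The last item is the one most often left in its default state, and the quickest way to confirm it took effect is to ask the network rather than trust the admin page. The following probe is an added example, not code from the CIS guide or from Lares: it sends a standard SSDP M-SEARCH for the UPnP Internet Gateway Device profile to the well-known multicast address and reports any router that still answers. The sample response used for the self-check is constructed for illustration; the device names and IP addresses in it are assumptions, not real equipment.

```python
"""Check whether a home router still answers UPnP discovery (SSDP M-SEARCH).

Added example for the "Disable UPnP" recommendation; not code from the CIS TSG.
"""
import socket
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)
# The UPnP profile a home router exposes so LAN hosts can add their own
# port mappings. If nothing answers this search target, UPnP IGD is off.
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample of what a router with UPnP enabled sends back.
# The addresses and server string are made up for the self-check.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleRouter/2.0\r\n"
    b"\r\n"
)


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH request (HTTPU over UDP, CRLF-terminated)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the headers of an SSDP '200 OK' reply, lower-cased; None otherwise."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None  # NOTIFY announcements and garbage are ignored
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway_device(headers: Dict[str, str]) -> bool:
    """True when the reply advertises the Internet Gateway Device profile."""
    return "InternetGatewayDevice" in headers.get("st", "")


def discover(timeout: float = 3.0) -> List[Tuple[str, str, str]]:
    """Multicast the search and collect (address, location, server) for each IGD."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Tuple[str, str, str]] = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, (addr, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers and is_gateway_device(headers):
                found.append((addr, headers.get("location", ""), headers.get("server", "")))
    except socket.timeout:
        pass  # MX window elapsed; no more replies expected
    finally:
        sock.close()
    return found


def check_sample() -> Dict[str, str]:
    """Parse the constructed sample so the parser can be exercised offline."""
    headers = parse_ssdp_response(SAMPLE_RESPONSE)
    assert headers is not None and is_gateway_device(headers)
    return headers


if __name__ == "__main__":
    hits = discover()
    if not hits:
        print("No UPnP Internet Gateway Device answered; UPnP looks disabled on this LAN.")
    for addr, location, server in hits:
        print(f"UPnP IGD still answering from {addr}: {server} ({location})")
```

Run it from a laptop on the home Wi-Fi. A reply means the router's UPnP service is reachable from the LAN, which is exactly what the recommendation is trying to prevent; silence is a good sign but not proof, since some firmware keeps SSDP quiet while still accepting port-mapping requests, so the admin page setting is still worth confirming.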
One caveat concerning purchasing: where possible, we recommend that organizations retain responsibility for purchasing and managing the assets themselves. Lares also offers additional defensive guidance for those responsible for securing and monitoring activity to and from remote home networks.
Telework Security Guidance and the CIS 20
The guide offers insight into how its guidance stacks up against the CIS 20 Critical Security Controls (CSC). Although the controls' efficacy is under constant debate, I am excited to see the prescriptive controls of the TSG mapped to the CIS 20 CSC. As a result, security practitioners have a way to rate the effectiveness of their telework controls against the widely used CIS 20 benchmarks. At a high level, TSG recommendations map to six CIS critical security controls:
- Control 3: Continuous Vulnerability Management
- Control 4: Controlled Use of Administrative Privileges
- Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Control 12: Boundary Defense
- Control 13: Data Protection
- Control 15: Wireless Access Control
Four of the TSG recommendations have no control mapping:
- Restrict access to routers and modems,
- Create unique Wi-Fi network names (Service Set Identifiers, or SSIDs),
- Ensure Wi-Fi network names are not too revealing, and
- Register one's devices with manufacturers.
These four items nonetheless meet best-practice standards and deserve attention from those tasked with securing remote home networks. What the mappings do provide for managing the risk of telework spaces is the ability to measure the effectiveness of telework security controls, at least to a degree. Further, if an organization has already mapped the CIS 20 CSC to other frameworks it uses, it could in principle measure its converged workspaces' compliance with those other regulatory regimes as well.
Securing Teleworkers is Top of Mind at Lares
Lares continues to advise clients faced with the decision to transition workers to remote status given the prolonged pandemic's impact on businesses and the economy. We have offered our own guidance on making converged workspaces secure and defensible. We have also enumerated the various challenges to achieving defensibility of corporate brands and assets where remote work is concerned. To that end, the TSG is, in our opinion, a welcome addition to the list of aids for securing teleworkers.
Lares COO Andrew Hay has coined this new reality the "Forcibly Converged Network". Please join us today, October 14, 2020, at 12 pm ET for a roundtable where we discuss the technical challenges of securing and monitoring work-from-home (WFH) converged networks and the management challenges that come with them. We will also consider how aids like the CIS TSG can help in achieving some modicum of measurable assurance.
There’s still time to sign up for the free webinar here and join the conversation: https://attendee.gotowebinar.com/register/775648688884026384
Mark Arnold has a 15+ year cybersecurity career, including 8 years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark's areas of interest include cloud security, threat intelligence, vulnerability research, and nation-state attack methods and related activities (e.g. information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard's Kennedy School.