It’s 6am and you just received a call saying that your company’s IT resources are unavailable. VPN is offline, email isn’t working, and now people can’t login to their computers. This is turning into a complete disaster and you haven’t even had your first sip of coffee. What could have happened to cause such a major outage? There wasn’t any IT maintenance scheduled. Come to think of it, the only thing happening this week is that people are starting to come back into the office. That couldn’t be related…. or could it?
After 2 days of system restores, very late nights, and expensive Incident Response consultants, you have identified the root cause. It turns out that Taylor from accounting brought in an infected personal computer after working from home for the last 12 months. Apparently, “someone in IT” setup their personal laptop as a temporary solution in the scramble to work from home back in March. Now this compromised laptop has encrypted all internal servers, including Exchange, File Services, and Active Directory services. How could you have prevented this mess from happening in the first place? What could you have done to prevent your organization from this IT security nightmare situation?
Before having your users return to the office with their laptops and mobile devices, review the following list to ensure you have the necessary technology, processes, and procedures in place. “An ounce of prevention is worth a pound of cure” has never been more true. And given the average cost of a security breach was $4 Million in 2020, we’re guessing you’d prefer to stick to the prevention route.
Return to Office Security Guidelines
- Validate inventory of IT assets. This includes employee technology (monitors, keyboards, computers) that may have grown legs in the last 12 months as well as infrastructure such as networking equipment, IoT devices, and servers / systems. Ensure you have a clear understanding of management IP address, software version, hardware model, and physical location information. An accurate inventory is the basis for all subsequent steps.
- Ensure all on-prem infrastructure is has up-to-date security patches.
- Decommission unsupported or end-of-life systems that could be exploited by an infected user’s computer or mobile device.
- There are many known exploits for IoT devices such as doorbells, cameras, power switches, and others. These devices are often not tracked as part of patch management processes. Attackers leverage IoT devices to gain a foothold by exploiting a vulnerable device and leap frogging further into your network. These devices should be actively patched for security updates. Extra credit for moving IoT devices into an isolated network with firewall segmentation.
- Validate all company data is being backed up and is replicated to an offsite location.
- Validate each user’s computer security posture before allowing the device to connect to the internal office network:
- Confirm Operating System updates are current
- Confirm endpoint protection software is active and current
- Run malware scan (we highly recommend an EDR tool – see subsequent section)
General Best Practices
- Leverage Mobile Device Management (MDM) tools that allow for consistent enforcement of company policies regardless of whether you are on-prem or fully remote.
- Use Endpoint Detection & Response (EDR) technology to identify unknown and zero-day malware threats.
- Disable wireless-to-wireless communications. There is seldom a need for wireless clients to communicate with each other. This change prevents lateral attacks and is typically an easy checkbox to configure.
- Ensure host-based firewalls are enabled for computer systems.
- At office location, segment user networks from servers / Internet using next-gen firewall (zero-trust architecture).
- Only allow managed devices to connect to corporate wired or wireless networks. Use Network Access Control (NAC) to enforce this policy. At a minimum, leverage MAC address filtering to reduce the likelihood of an employee connecting a personal device onto the company network (like Taylor above).
- Ensure Guests and BYOD devices are isolated onto separate networks and receive Internet-only access. If not 100% possible, limit access via firewall to using least privilege.
- Leverage Security information and event management (SIEM) and a Security Operation Center (SOC) to aggregate threat and telemetry data and escalate potential threats.
Policy & Procedures
- Implement a return to office validation process. Perform isolated-network scans to identify potential malware and ensure user devices are patched and running active security scanning software prior to allowing endpoints to connect to the internal corporate network.
- Do you have an IT security policy and have your employees signed it?
- Change and Problem Management – Part of good IT governance is managing changes so that they can be performed systematically and efficiently and getting to the root cause of reoccurring incidents so they do not reoccur.
- Incident Response plan – If there is a security related event, having an established plan and team in place ahead of time greatly reduces the business impact of a security event.
- Disaster Recovery (DR) plan – Having a plan in place identifying the critical business applications, team members, recovery objectives, and recovery procedures is essential to restore technology systems in the event of a disaster.
How can Xterra help my business?
Xterra has developed the people, process, and technology to deliver white glove IT services for a fraction of the cost of hiring a full-time staff. We are focused on helping San Francisco Bay Area clients accelerate their adoption of technology solutions to create measurable business value. If you are interested in learning more about how Xterra can help your business, enter your contact information and we will reach out to schedule a free consultation.