Assume ‘malicious parties’ are waiting to pounce on telework traffic, NIST tells agencies

The National Institute of Standards and Technology is advising agencies to ensure the cybersecurity of any internal resources they make available to teleworkers through remote access during the COVID-19 pandemic.

Remote access technologies are, by nature, exposed to more external threats, notes the NIST Information Technology Laboratory bulletin issued Thursday. The advisory follows a separate guidance Wednesday by the Office of Management and Budget for agencies minimize face-to-face interactions as the coronavirus spreads.

The lab’s Computer Security Division suggested limiting remote access to as few teleworkers as possible to decrease the risk of compromise. The typical civilian agency worker is accessing their agency’s network with desktops, laptops, smartphones and tablets via remote access software like virtual private networks (VPNs) and portals.

“An organization should assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization’s data and resources,” reads the bulletin. “Organizations should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.”

Based on that assumption, NIST made four recommendations to improve telework security:

• Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats.
• Develop a telework security policy that defines telework, remote access, and bring-your-own-device (BYOD) requirements.
• Ensure that remote access servers are secured effectively and configured to enforce telework security policies.
• Secure organization-controlled telework client devices against common threats, and maintain their security regularly.

Remote access tech like laptops and cellphones are more likely to be lost or stolen once they leave the office. Unsecured networks used to access any organization’s internal resources are susceptible to eavesdropping and “man-in-the-middle” attacks to intercept and alter communications.

NIST advised either encrypting device storage, encrypting all sensitive data stored on client devices or not storing sensitive data on those devices at all. Strong multi-factor identification deters people from handing their devices to unapproved people for use, the bulletin notes.

Anti-virus tech, verifying a device’s security posture before allowing remote access or establishing a separate network for BYOD all mitigate malware, which has more avenues to infect teleworkers’ devices, according to the bulletin.

NIST identified four remote access methods by architecture: tunneling, portals, direct application access, remote desktop access.

Tunneling establishes secure communications between a telework device and a remote access server, typically a VPN gateway, and protects them through cryptography.

A portal server allows access to applications through a, generally web-based, central interface that telework devices access. Most portals are secure sockets layer VPNs.

Direct application access doesn’t use remote access software but instead lets teleworkers access a single, secure application directly like webmail. Teleworkers use a web browser to connect using a hypertext transfer protocol secure to a web server that authenticates them before granting email access.

Remote desktop access — where a teleworker remotely controls their office desktop from an outside device — is the least secure.

“Generally, remote desktop access solutions, such as those using the Microsoft Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC), should only be used for exceptional cases after a careful analysis of the security risks,” reads the bulletin. “The other types of remote access solutions described in this bulletin offer superior security capabilities.”