Giving staff access to school data when working remotely is standard practice across schools. Staff will often connect to the school network during a break at a conference venue, while working in a cafe or hotel lobby, or while using public transport. You need to be confident that your remote users understand that free WiFi is often unsecured and that a hotspot can easily be configured (or set up by an attacker in the first place) to capture every user's traffic. Providing your staff with clear guidelines on acceptable remote use (for example: which networks are and are not safe to connect to, how they should connect, and which security controls apply) is vital in protecting your school's assets.
In this eighth blog in the series, which builds on each stage of the NCSC's 10 Steps to Cyber Security, we outline how you can protect your school's assets when they are accessed remotely by applying appropriate security controls to both users and devices.
What are the risks associated with staff accessing the school network remotely?
If the connection is unsecured, an attacker on the same network can mount a man-in-the-middle (MITM) attack, capture the data traffic and use it for a variety of purposes, from harvesting credentials to altering what the user sees. Alongside interception by malicious users there are some less technical risks associated with remote working: school assets can be lost through theft or misplacement of a device, or simply through a user being overlooked (shoulder-surfed) while working. By following the recommended steps below, you will be able to evidence that your school has proactive mechanisms in place to protect your systems, your users and the data they can access when they are working at home or remotely.
How can I secure remote access?
There are many ways to ensure that both the user and the data in transit are safe from prying eyes and malicious interception. Below are ten key steps that help to combat, or alert you to, a variety of cyber security attacks and protect your school's assets when they are accessed from outside the protection of the school's network.
1. Strong password security
Attackers use brute-force attacks, dictionary attacks and rainbow tables (precomputed tables of hashes for common passwords) to make short work of weak passwords, particularly on systems where a password hash (the one-way, scrambled form in which a password is stored) can be captured. Once a hash is in the attacker's hands the guessing happens offline, at the attacker's own pace, so length and uniqueness are what matter: a long, unique passphrase survives a captured hash where a short or reused password does not. Rainbow tables only work against unsalted hashes, so also confirm that the systems holding your staff's passwords store them salted and with a deliberately slow hash.
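The following is an added example, not code from the original post or from 9ine, showing why a captured hash is worth so much more to an attacker when it is unsalted. The user names, passwords and wordlist are constructed for the demonstration. It runs the same dictionary attack twice: against plain SHA-1 hashes, where one table of hashes covers every account at once (which is exactly what a rainbow table precomputes), and against salted PBKDF2 hashes, where every account forces the attacker to start again and each guess is slow by design.

```python
import hashlib
import os

# Constructed credentials and wordlist for the demonstration (not real accounts,
# not from the original post). Two users chose passwords that appear in any
# attacker's dictionary; the third chose a long, unique passphrase.
CREDENTIALS = {
    "alice": "Summer2019",
    "bob": "P@ssw0rd",
    "carol": "orchard kettle 47 violin",
}
WORDLIST = ["letmein", "password", "Summer2019", "school123", "P@ssw0rd", "Welcome1"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password always yields the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_unsalted(targets: dict, wordlist) -> tuple:
    """Dictionary attack on captured unsalted hashes.

    One hash per candidate word covers every target at once, and the table
    could have been computed before the breach (that is a rainbow table).
    Returns (cracked {user: password}, number of hash computations)."""
    table = {unsalted_hash(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in targets.items() if h in table}
    return cracked, len(wordlist)


def build_salted_targets(credentials: dict, iterations: int) -> dict:
    """What a properly configured system stores: {user: (salt, digest)}."""
    targets = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        targets[user] = (salt, salted_hash(password, salt, iterations))
    return targets


def crack_salted(targets: dict, wordlist, iterations: int) -> tuple:
    """The same dictionary attack against salted PBKDF2 hashes.

    The salt forces a fresh computation for every (target, word) pair, so no
    precomputed table helps, and each computation is slow by design."""
    work = 0
    cracked = {}
    for user, (salt, digest) in targets.items():
        for word in wordlist:
            work += 1
            if salted_hash(word, salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in CREDENTIALS.items()}
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_targets(CREDENTIALS, iterations=20_000)
    print("salted:  ", crack_salted(salted, WORDLIST, iterations=20_000))
```

Both runs recover the two dictionary passwords and neither recovers the passphrase; the difference is the cost. The unsalted run needs six hash computations for all three accounts together, the salted run needs fourteen, each of them tens of thousands of times slower, and that multiplier grows with every account in the captured database.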
2. Two-Factor Authentication
Implementing two-factor authentication is a must for any system or service that holds sensitive information. The additional factors come in many forms and are usually a combination of two of the below (the two must be of different types: a password plus a PIN is still a single factor):
- Something you know - generally a password, passphrase or PIN.
- Something you have - generally a physical device such as a hardware token (time-synchronised or challenge-response) that generates a one-time code, an RFID card or a smartcard; an authenticator app on a phone plays the same role.
- Something you are - biometrics, commonly a fingerprint, voice print, retina scan, hand geometry or face shape.
- Somewhere you are - typically based on the IP address range or geographic location the request comes from.
Note that a one-time code typed into a web page can still be captured and relayed by a man-in-the-middle proxy before it expires; hardware security keys (FIDO2/WebAuthn) resist this because the key's response is bound to the genuine site's address.
3. Virtual Private Network (VPN)
Using a school-approved, school-provided VPN ensures that users' authentication and data are sent securely over the internet. Make the VPN the only route to internal services; do not also expose file shares, remote desktop or similar services directly to the internet as a convenience.
4. Encrypted traffic
Ensure that the VPN uses a secure protocol such as TLS (version 1.2 or later), IKEv2/IPsec or L2TP/IPsec, and avoid the legacy PPTP protocol, whose authentication can be broken. IPsec is becoming the standard for most VPN solutions but is not always the default, so check the configuration rather than assuming it. If L2TP/IPsec is authenticated with a pre-shared key, treat that key as a secret: a key distributed to every device is easily leaked.
5. Constrained interfaces
Limit what users can access. Many applications can restrict the views or components of the program a user sees based on their privileges or group membership. These constrained interfaces can also be put to good effect when users access resources from remote locations: a teacher working from home might see the gradebook but not the pupil records that the office needs. Also look at content-dependent controls (which records a user may see) and context-dependent controls (whether access is allowed at all given the time of day, the network the user is on, or the state of their device).
6. Provide direct links to services/network
Provide staff with links to remote services directly from the school website, portal or app, so that nobody has to type an address from memory or pick one from a search result.
Attackers can manipulate the resolution of domain names and devices through DNS and ARP poisoning, so the links must point to HTTPS addresses and staff must be told never to click past a certificate warning: a valid certificate for the expected name is the check that defeats a poisoned lookup.
7. On-demand remote access
Only enable remote access on receipt of an authorised request, so that the start and end of the access period are agreed in advance, and remove the access once that period has elapsed.
8. Periodic account review
Ensure that users who no longer need remote access have had the privilege revoked, and confirm that those who still need it can only reach what their role requires and that there has been no privilege creep.
9. Use inbuilt account options
For example, in Microsoft Active Directory the Account tab of a user's properties lets you restrict the days and hours during which the user is permitted to log on (Logon Hours) and the computers they may log on from (Log On To).
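Items 5, 7 and 9 are all the same idea applied at different layers: the decision to allow access depends on who the user is, what they are asking for, and the context of the request. The following added example (not code from the original post or from 9ine; the role names, permissions and users are assumed for illustration) expresses that as a single policy check: role membership decides what can be reached (the constrained interface), logon hours and network location decide whether it can be reached now, and an approved on-demand grant with an agreed expiry opens an on-site-only resource to a remote user for a fixed window.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed role-to-permission matrix with assumed names (not from the original post).
ROLE_PERMISSIONS = {
    "teacher": {"gradebook:read", "gradebook:write", "timetable:read"},
    "office": {"timetable:read", "pupil_records:read"},
    "it_admin": {"timetable:read", "server_console:admin"},
}

# Permissions that should not be exercised from outside the school network
# unless an approved, time-limited remote-access request exists (item 7).
ONSITE_ONLY = {"pupil_records:read", "server_console:admin"}


@dataclass
class Grant:
    """An approved on-demand remote-access request with an agreed start and end."""
    permission: str
    start: datetime
    end: datetime


@dataclass
class User:
    name: str
    roles: set
    logon_hours: tuple = (7, 19)          # permitted hours, like AD 'Logon Hours' (item 9)
    grants: list = field(default_factory=list)


@dataclass
class Request:
    user: User
    permission: str
    at: datetime
    network: str                          # "onsite" or "remote"


def decide(req: Request) -> tuple:
    """Returns (allowed, reason).

    Role membership decides *what* may be reached (the constrained interface);
    time of day and network location decide *whether* it may be reached now
    (context-dependent control)."""
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.user.roles))
    if req.permission not in permitted:
        return False, "not permitted by role"

    start_hour, end_hour = req.user.logon_hours
    if not start_hour <= req.at.hour < end_hour:
        return False, "outside permitted logon hours"

    if req.network == "remote" and req.permission in ONSITE_ONLY:
        for g in req.user.grants:
            if g.permission == req.permission and g.start <= req.at < g.end:
                return True, "allowed under approved on-demand grant"
        return False, "on-site only without an approved grant"

    return True, "allowed"


def expired_grants(user: User, now: datetime) -> list:
    """Grants past their end time, to be removed at the periodic review (item 8)."""
    return [g for g in user.grants if g.end <= now]


if __name__ == "__main__":
    office = User("pat", {"office"},
                  grants=[Grant("pupil_records:read", datetime(2020, 3, 16, 9), datetime(2020, 3, 16, 12))])
    print(decide(Request(office, "pupil_records:read", datetime(2020, 3, 16, 10), "remote")))
    print(decide(Request(office, "pupil_records:read", datetime(2020, 3, 16, 13), "remote")))
```

The order of the checks is deliberate: the cheap, unconditional denials (wrong role, wrong hours) come first, and the grant lookup only runs for resources that actually need it. The same function can be called from a web portal, a VPN post-authentication hook, or a review script that replays last week's access log against the current policy to find requests that should no longer succeed.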
10. Privileged user access alerts and logging
Logging privileged access, and promptly reviewing the alerts it generates, is key to spotting suspicious or malicious account activity. You can read more about configuring the appropriate alerts on privileged accounts in our previous blog, Cyber Security in Schools - Event Log Monitoring.
What are the main ways in which an attacker can take advantage of a remote worker?
- Man-in-the-Middle (MITM) attacks: These occur when a malicious user places themselves, or their device, between you and the system you are communicating with; on an unsecured WiFi network a rogue access point or ARP poisoning is enough to achieve this. The attacker can read, and in some cases alter, the captured traffic.
- Impersonation/masquerading attacks (MITM): These involve the attacker pretending to be someone or something they are not, for example by capturing or falsifying credentials during a MITM attack and then presenting them to the school's systems.
- Session replay attacks (a type of masquerading attack) - The attacker intercepts a message (even an encrypted one, such as an authentication exchange) and later "replays" it to open their own authenticated session. Protocols defend against this with one-time values such as nonces, timestamps or counters, so that a recorded message is useless a second time.
- Modification attacks (a type of masquerading attack) - The attacker modifies the captured packets in transit, for example to bypass restrictions or elevate their rights; integrity protection (a message authentication code or authenticated encryption, as used by TLS and IPsec) is the defence.
- ARP spoofing (resolution attack) - The attacker sends forged ARP replies so that the victim's device records the attacker's MAC address against the gateway's (or another host's) IP address, and the victim's traffic is delivered to the attacker instead.
- DNS poisoning and spoofing (resolution attack) - As with ARP attacks, DNS poisoning alters the domain-name-to-IP-address mappings held by a resolver, or falsifies the responses to resolution requests. Both allow an attacker to redirect the user to a malicious system or website.
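ARP poisoning leaves a visible signature on the network: an IP address whose MAC address suddenly changes, or one MAC address answering for several IPs at once. The following added example (not code from the original post or from 9ine) replays a constructed sequence of ARP replies, standing in for what a monitoring tool or packet capture on a hotspot would see, and raises an alert for each of those signs. The addresses are invented for the demonstration.

```python
from collections import defaultdict

# Constructed ARP observations standing in for a capture on a cafe hotspot
# (not from any real network or from the original post).  op is "request"
# or "reply"; a reply advertises "ip is at mac".
OBSERVED = [
    {"t": 0.0, "op": "reply", "ip": "192.168.1.1",  "mac": "aa:bb:cc:00:00:01"},  # real gateway
    {"t": 1.2, "op": "reply", "ip": "192.168.1.20", "mac": "aa:bb:cc:00:00:20"},  # a staff laptop
    {"t": 5.0, "op": "reply", "ip": "192.168.1.1",  "mac": "de:ad:be:ef:00:66"},  # attacker claims the gateway
    {"t": 5.1, "op": "reply", "ip": "192.168.1.20", "mac": "de:ad:be:ef:00:66"},  # ...and the laptop (full MITM)
    {"t": 9.0, "op": "reply", "ip": "192.168.1.1",  "mac": "aa:bb:cc:00:00:01"},  # real gateway answers again
]

# Gateway mapping known in advance, e.g. from the school's own network documentation.
KNOWN_GATEWAY = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(records, known=None):
    """Replay ARP replies and flag the three signs of poisoning: a MAC that
    contradicts a known (static) mapping, an IP whose MAC changes, and one MAC
    claiming several IPs.  Returns a list of (t, kind, subject, detail)."""
    known = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in records:
        if r["op"] != "reply":
            continue
        t, ip, mac = r["t"], r["ip"], r["mac"].lower()
        if ip in known and mac != known[ip]:
            alerts.append((t, "known-mapping-contradicted", ip, mac))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((t, "ip-mac-changed", ip, f"{previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((t, "mac-claims-multiple-ips", mac, ",".join(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(OBSERVED, KNOWN_GATEWAY):
        print(*alert)
```

On the constructed capture the first two replies are silent, the attacker's claim on the gateway at t=5.0 raises two alerts, the claim on the laptop at t=5.1 raises two more (the MAC now answers for two IPs), and the genuine gateway reasserting itself at t=9.0 shows up as the mapping flapping back. The known-mapping check only fires when the gateway's real MAC is supplied; the other two checks need no prior knowledge, which is what makes them usable on a network you do not manage. On the school's own network the equivalent controls are a static ARP entry for the gateway on managed devices and Dynamic ARP Inspection on managed switches; on a cafe hotspot the user controls neither, which is why the VPN or TLS encryption recommended above is the real defence.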
How do I protect a mobile device?
There are several ways to mitigate the loss or theft of data and assets. The implementation of the security controls listed below will vary depending on the device type and the way the device is managed.
- Use a privacy screen
- Enable encryption
- Use a screen lock / ensure a strong password or PIN
- Enable 2FA
- Install VPN client
- Install and maintain anti-virus/anti-malware
- Enrol the device in a Mobile Device Management (MDM) solution
- Enable remote lock and remote wipe
- Disable Bluetooth, WiFi and location services when not in use
- Only install validated and authorised software and applications
The above list is by no means exhaustive and there are other ways in which application vendors and security professionals can and do protect against loss, theft or technological attack. In this blog we’ve outlined the most common types of attack, security controls and mitigating actions.
It’s inevitable that your school’s staff will be working remotely at some point and it’s essential that you have a secure remote access solution in place and that you have issued your users with a remote working policy and procedure. By understanding who needs access and why, defining what they do and do not need access to and implementing the appropriate technical and organisational security controls you are well on the way to protecting your users and your school’s assets from attack when your users work remotely.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.