Guidance for InfoSec Teams Preparing for a Return to the Office

June 8, 2021 | By IANS Faculty

As organizations shift back to in-person working arrangements, it’s important that security teams make plans to perform vulnerability assessments and endpoint analyses, update security awareness and employee training, and revisit remote access and authentication/authorization models and tools in use. In this piece we outline the key steps to take and pain points to watch when returning to in-office work after the pandemic.

Key Issues for InfoSec Teams

When planning a company’s transition back to an in-person working environment, security teams should focus on several key issues. Based on many conversations with other clients and industry professionals, we outline five key steps for security teams to consider as they return to the office following the pandemic.

  1. Perform Vulnerability Assessments. Devices coming back to the office should be thoroughly assessed for vulnerabilities (primarily missing patches and configuration weaknesses). Devices that have been remote for any length of time may have out-of-date anti-malware signatures and endpoint security agents, as well as new/updated applications such as browsers and other clients. Some major points to consider:
    • Start with corporate-owned systems. They are likely more up to date through virtual private network (VPN) connections and automated agent upgrades, etc.
    • Prioritize assessments of known BYOD endpoints to expedite a successful return to in-person work. This may require some shuffling of vulnerability management schedules to accommodate.
    • Prepare in-house systems for those who had to rely on personal systems unexpectedly. Work to migrate any data or assets that may have been locally stored, and avoid allowing personal systems into the office environment, if possible.
  2. Plan for Device Quarantines. Some types of devices will require a short-term quarantine while full vulnerability assessments and additional security screening and preparation processes are performed. This should be planned and implemented for any users handling sensitive data and those accessing or managing critical systems, as well as those without up-to-date corporate devices.
  3. Update Security Awareness Training. As many employees move back to in-person work, they may be exposed to new phishing campaigns and other attacks that could be more impactful, depending on the network segments their systems can access. Additionally, attackers will likely start up new campaigns and attacks that tie into the theme of “moving back into the office.” These should all be included in updates to security awareness training and discussion.
  4. Update Access Control Models. Any employees who don’t currently have multifactor authentication (MFA) enabled, or who may have “temporary” mobile device access or VPN access granted due to extenuating circumstances, must now be brought into line with a strong, consistent approach to access control, authentication and authorization. Consider using a central single sign-on (SSO) and federation strategy for access to cloud applications (and potentially on-premises apps).
  5. Review Suspect Accounts and Behaviors. During the remote work period, some accounts may have exhibited unusual or suspicious behavior (account hijacking has been rampant from late 2019 to the current day). Ensure you plan to implement and enforce additional monitoring or zero trust segmentation for accounts and systems that may be suspect until vulnerability assessments and other investigations prove otherwise.

Potential Pain Points for InfoSec Teams

Security teams can expect several possible pain points when migrating back to office work environments:

  • Beware of users who likely took shortcuts. It’s likely some power users made short-term (non-policy-conforming) decisions to keep important work moving forward during the pandemic. In particular, developers and DevOps teams may have prioritized progress and innovation over some controls and security requirements to keep business initiatives on track. Security teams and IT leadership should expect this type of behavior and plan to accommodate some practices that may seem somewhat atypical, such as local system development for some scenarios, more privileged access to virtual machines and containers, and use of cloud-native services. Of course, moving toward more standardized and controlled practices as soon as possible is desirable.
  • Prep for the inevitable issues/infections. There will likely be missed infections and other security gaps that come back with all the workers. Prepare by updating short-term security operations center (SOC) monitoring and incident response processes to focus more heavily on returning users and equipment.

Plan for a Successful Return to the Office

All security teams should start planning now for the changes that will occur when organizations come back to the office. Some are short-term, and others will take longer. Keep these important initiatives in mind:

  • Revisit remote access tools and strategies. As most organizations will see a hybrid work model emerge for many employees, it’s a great time to revisit remote access tools and services, along with policies and governance around remote access. The traditional VPN is still common, but newer models like zero trust network access (ZTNA) may offer more current network access control (NAC) capabilities, along with cloud-based services for access to both in-house and cloud applications.
  • Develop a project for vulnerability scanning and (possibly) system forensic assessment. For systems coming back to internal networks (not just via VPN), a full scan and assessment is warranted in many cases. For systems that are less (or not) controlled by corporate IT departments, a more thorough forensic analysis may be warranted. These processes and scheduling will take time and operational investment.
  • Plan to migrate BYOD back to managed systems. For employees who ended up relying on personal systems during remote work, plan to shift back to more controlled systems (possibly including virtual desktops) if possible. This can be a long and expensive process, so starting earlier will be important.

Many organizations will plan a transition back to on-site work in some capacity. Security teams can facilitate this transition by preparing for vulnerability review, employee training, and updates to remote access and overall access control programs.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

